8e6 Technologies R3000 User Manual

8e6 R3000 Enterprise Filter
User Guide
Model: R3000
Release 1.10.10 / Version No.: 1.01
8E6 TECHNOLOGIES, R3000 ENTERPRISE FILTER AUTHENTICATION USER GUIDE
R3000 ENTERPRISE FILTER AUTHENTICATION USER GUIDE
© 2006 8e6 Technologies All rights reserved. 828 W. Taft Ave., Orange, CA 92865, USA
Version 1.01, published September 2006. To be used with R3000 User Guide version 1.01 for software release 1.10.10.
Printed in the United States of America
This document may not, in whole or in part, be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine readable form without prior written consent from 8e6 Technologies.
Every effort has been made to ensure the accuracy of this document. However, 8e6 Technologies makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. 8e6 Technologies shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. Due to future enhancements and modifications of this product, the information described in this documentation is subject to change without notice.
The latest version of this document can be obtained from http://www.8e6.com/docs/r3000_auth_ug.pdf.
Trademarks
Other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are the sole property of their respective manufacturers.
Part# R3.10_AUG_v1.01-0609

CONTENTS

CHAPTER 1: INTRODUCTION ..........................................1
About this User Guide ................................................................1
How to Use this User Guide ....................................................... 2
Conventions ...................................................................................... 2
Terminology ...................................................................................... 3
Filtering Elements ....................................................................... 8
Group Types ..................................................................................... 8
Global Group .............................................................................. 8
IP Groups .................................................................................... 9
NT Domain Groups ................................................................... 10
LDAP Domain Groups .............................................................. 11
Filtering Profile Types ..................................................................... 12
Static Filtering Profiles .............................................................. 13
Master IP Group Filtering Profile......................................... 13
IP Sub-Group Filtering Profile ............................................. 13
Individual IP Member Filtering Profile ................................. 13
Active Filtering Profiles .............................................................. 14
Global Filtering Profile......................................................... 14
NT/LDAP Group Filtering Profile ......................................... 14
NT/LDAP Member Filtering Profile...................................... 14
Override Account Profile .................................................... 15
Time Profile ......................................................................... 15
Lock Profile ......................................................................... 15
Filtering Profile Components ........................................................... 16
Library Categories ..................................................................... 17
8e6 Supplied Categories..................................................... 17
Custom Categories ............................................................. 17
Service Ports ............................................................................. 18
Rules ........................................................................................ 18
Minimum Filtering Level ............................................................ 18
Filter Settings ............................................................................ 19
Filtering Rules ................................................................................. 20
Authentication Operations ....................................................... 23
R3000 Authentication Protocols ...................................................... 23
R3000 Authentication Tiers ............................................................. 23
Tier 1: Single Sign-On Authentication ............................................. 25
Net use based authentication process ..................................... 25
Re-authentication process .................................................. 26
Authentication methods ............................................................ 27
SMB protocol....................................................................... 27
SMB Signing................................................................. 27
LDAP protocol ..................................................................... 28
Name resolution methods ......................................................... 29
Authentication setup procedures ............................................... 30
Server setup types .............................................................. 30
Tier 1: Net use based authentication ............................ 30
Tier 2 and Tier 3: Web-based authentication................ 30
Configuring the authentication server ........................................ 31
Login scripts ....................................................................... 32
Enter net use syntax in the login script......................... 32
View login script on the server console ........................ 33
Block page authentication login scripts......................... 34
LDAP server setup rules ........................................................... 35
Tier 2: Time-based, Web Authentication ......................................... 36
Tier 2 implementation in an environment .................................. 37
Tier 2 Script ........................................................................ 38
Tier 1 and Tier 2 Script ....................................................... 39
Tier 3: Session-based, Web Authentication .................................... 41
8e6 Authenticator ............................................................................ 42
Environment requirements ....................................................... 42
Minimum system requirements ........................................... 42
Recommended system requirements ................................ 43
Workstation requirements ......................................................... 43
Work flow in a Windows environment ....................................... 44
8e6 Authenticator configuration priority .............................. 45
8e6 Authenticator configuration syntax .............................. 46
Sample command line parameters ............................... 46
Table of parameters ............................................................ 47
Novell eDirectory Agent .................................................................. 50
Environment requirements ....................................................... 50
Novell eDirectory servers .................................................... 50
Client workstations ............................................................. 51
Novell clients ....................................................................... 51
Novell eDirectory setup ............................................................ 51
R3000 setup and event logs ...................................................... 52
Authentication Solution Compatibility .............................................. 53
Configuring the R3000 for Authentication ....................................... 54
Configuration procedures ......................................................... 54
System section.................................................................... 54
Group section ..................................................................... 57
CHAPTER 2: NETWORK SETUP ....................................58
Environment Requirements .....................................................58
Workstation Requirements .............................................................. 58
Administrator ............................................................................ 58
End User ................................................................................... 58
Network Requirements .................................................................... 59
Set up the Network for Authentication ....................................60
Specify the operation mode ............................................................ 60
Specify the subnet mask, IP address(es) ........................................ 62
Invisible mode ........................................................................... 63
Router or firewall mode ............................................................ 63
Enable authentication, specify criteria ............................................. 64
Net use based authentication ................................................... 66
Web-based authentication ......................................................... 67
Enter network settings for authentication ........................................ 70
Create an SSL certificate ................................................................ 72
Create, Download a Self-Signed Certificate .............................. 73
Create, Upload a Third Party Certificate ................................... 74
Create a Third Party Certificate........................................... 74
Upload a Third Party Certificate ......................................... 76
Download a Third Party Certificate .................................... 77
View log results ............................................................................... 78
Specify block page settings ............................................................. 81
Block Page Authentication ........................................................ 82
Block page ......................................................................... 83
User/Machine frame ..................................................... 84
Standard Links.............................................................. 84
Optional Links............................................................... 85
Options page ...................................................................... 86
Option 1 ........................................................................ 87
Option 2 ........................................................................ 88
Option 3 ........................................................................ 89
Common Customization ........................................................... 90
Enable, Disable Features.................................................... 91
Authentication Form Customization .......................................... 93
Preview Sample Authentication Request Form .................. 95
Block Page Customization ........................................................ 97
Preview Sample Block Page .............................................. 99
CHAPTER 3: NT AUTHENTICATION SETUP ..................101
Join the NT Domain ................................................................101
Create an NT Domain ..............................................................103
Add an NT domain ........................................................................ 103
Refresh the NT branch .................................................................. 104
View or modify NT domain details ................................................. 105
Domain Settings ..................................................................... 105
Default Rule ............................................................................ 107
Delete an NT domain .................................................................... 108
Set up NT Domain Groups, Members ....................................109
Add NT groups, members to the tree ............................................ 109
Specify a group’s filtering profile priority ....................................... 111
Manually add a user’s name to the tree ........................................ 113
Manually add a group’s name to the tree ...................................... 114
Upload a file of filtering profiles to the tree .................................... 115
Create and Maintain NT Profiles ............................................ 118
Add an NT group, member to the tree list ..................................... 118
Add or maintain an entity’s profile ................................................. 120
Category Profile ...................................................................... 121
Redirect URL .......................................................................... 122
Filter Options .......................................................................... 123
Remove an entity’s profile from the tree ....................................... 124
CHAPTER 4: LDAP AUTHENTICATION SETUP .............125
Create an LDAP Domain .........................................................125
Add the LDAP domain ................................................................... 125
Refresh the LDAP branch ............................................................. 126
View, modify, enter LDAP domain details ..................................... 126
LDAP Server Type .................................................................. 127
Group Objects ........................................................................ 128
User Objects ........................................................................... 130
Address Info ........................................................................... 131
Account Info ............................................................................ 134
SSL Settings ........................................................................... 135
Alias List .................................................................................. 137
Default Rule ............................................................................ 139
Default Rule for Novell eDirectory .................................... 141
Configure a backup server.......................................... 141
Modify a backup server’s configuration ...................... 145
Delete a backup server’s configuration....................... 145
Delete a domain ............................................................................ 145
Set up LDAP Domain Groups, Members ...............................146
Add LDAP groups, users to the tree ............................................. 146
Perform a basic search ........................................................... 147
Options for search results ....................................................... 147
Apply a filtering rule to a profile .............................................. 148
Delete a rule ............................................................................ 149
Specify a group’s filtering profile priority ....................................... 149
Manually add a user’s name to the tree ........................................ 150
Manually add a group’s name to the tree ...................................... 151
Upload a file of filtering profiles to the tree .................................... 152
Create, Maintain LDAP Profiles .............................................155
Add an LDAP group, member to the tree ...................................... 155
Add or maintain an entity’s profile ................................................. 157
Category Profile ...................................................................... 158
Redirect URL .......................................................................... 159
Filter Options .......................................................................... 160
Remove an entity’s profile from the tree ....................................... 161
CHAPTER 5: AUTHENTICATION DEPLOYMENT .............162
Test Authentication Settings .................................................162
Test Web-based authentication settings ....................................... 164
Step 1: Create an IP Group, “test” .......................................... 164
Step 2: Create a Sub-Group, “workstation” ............................. 165
Step 3: Set up “test” with a 32-bit net mask ............................ 166
Step 4: Give “workstation” a 32-bit net mask .......................... 167
Step 5: Block everything for the Sub-Group ............................ 168
Step 6: Use Authentication Request Page for redirect URL ... 169
Step 7: Disable filter options .................................................... 170
Step 8: Attempt to access Web content .................................. 171
Test net use based authentication settings ................................... 173
Activate Authentication on the Network ............................... 174
Activate Web-based authentication for an IP Group .....................175
Step 1: Create a new IP Group, “webauth” ............................ 175
Step 2: Set “webauth” to cover users in range ........................ 176
Step 3: Create an IP Sub-Group .............................................. 177
Step 4: Block everything for the Sub-Group ............................ 179
Step 5: Use Authentication Request Page for redirect URL ... 180
Step 6: Disable filter options ................................................... 181
Step 7: Set Global Group to filter unknown traffic ................... 182
Activate Web-based authentication for the Global Group .............187
Step 1: Exclude filtering critical equipment ............................. 187
Step 1A: Block Web access, logging via Range to Detect ...... 188
Range to Detect Settings .................................................. 188
Range to Detect Setup Wizard ......................................... 190
Step 1B: Block Web access via IP Sub-Group profile ............. 196
Step 2: Modify the Global Group Profile .................................. 199
Activate NT authentication ............................................................ 203
Step 1: Modify the 3-try login script ........................................ 203
Step 2: Modify the Global Group Profile ................................. 204
CHAPTER 6: TECHNICAL SUPPORT ............................206
Hours ........................................................................................206
Contact Information ................................................................ 206
Domestic (United States) .............................................................. 206
International .................................................................................. 206
E-Mail ............................................................................................ 206
Office Locations and Phone Numbers .......................................... 207
8e6 Corporate Headquarters (USA) ....................................... 207
8e6 Taiwan ............................................................................. 207
8e6 China ............................................................................... 207
Support Procedures ................................................................208
APPENDIX A ..............................................................209
User/Group File Format and Rules ........................................ 209
Username Formats ....................................................................... 209
Rule Criteria .................................................................................. 210
File Format: Rules and Examples ................................................. 212
NT User List Format and Rules ............................................... 213
NT Group List Format and Rules ............................................ 214
LDAP User List Format and Rules .......................................... 215
LDAP Group List Format and Rules ........................................ 217
APPENDIX B ..............................................................218
Ports for Authentication System Access ..............................218
APPENDIX C ..............................................................219
LDAP Server Customizations ................................................219
OpenLDAP Server Scenario ......................................................... 219
Not all users returned in User/Group Browser ........................ 219
APPENDIX D ..............................................................220
Disable SMB Signing Requirements .....................................220
SMB Signing Compatibility ............................................................ 220
Disable SMB Signing Requirements in Windows 2003 ................. 221
APPENDIX E ..............................................................226
Obtain or Export an SSL Certificate ...................................... 226
Export an Active Directory SSL Certificate .................................... 226
Verify certificate authority has been installed ......................... 226
Locate Certificates folder ........................................................ 227
Export the master certificate for the domain ........................... 230
Export a Novell SSL Certificate ..................................................... 234
Obtain a Sun ONE SSL Certificate ............................................... 235
APPENDIX F ..............................................................236
Override Pop-up Blockers ...................................................... 236
Yahoo! Toolbar Pop-up Blocker .................................................... 237
If pop-up blocking is enabled .................................................. 237
Add override account to the white list ..................................... 237
Google Toolbar Pop-up Blocker .................................................... 239
If pop-up blocking is enabled .................................................. 239
Add override account to the white list ..................................... 239
AdwareSafe Pop-up Blocker ......................................................... 240
If pop-up blocking is enabled .................................................. 240
Temporarily disable pop-up blocking ...................................... 240
Mozilla Firefox Pop-up Blocker ..................................................... 241
Add override account to the white list ..................................... 241
Windows XP SP2 Pop-up Blocker ................................................ 242
Set up pop-up blocking ........................................................... 242
Use the Internet Options dialog box.................................. 242
Use the IE toolbar ............................................................ 243
Temporarily disable pop-up blocking ...................................... 243
Add override account to the white list ...................................... 244
Use the IE toolbar ............................................................. 244
Use the Information Bar ................................................... 245
Set up the Information Bar.......................................... 245
Access your override account..................................... 245
APPENDIX G .............................................................247
Glossary ...................................................................................247
INDEX .......................................................................255

CHAPTER 1: INTRODUCTION

The R3000 Authentication User Guide contains information about setting up authentication on the network.

About this User Guide

This user guide addresses the network administrator designated to configure and manage the R3000 server on the network.
Chapter 1 provides information on how to use this user guide, and also includes an overview of filtering components and authentication operations.
Chapters 2, 3, and 4 describe the R3000 Administrator console entries that must be made in order to prepare the network for using authentication for NT and/or LDAP domains.
NOTE: Refer to the R3000 Quick Start Guide for information on installing the unit on the network. This document also provides information on how to access the R3000 console to perform the initial installation setup defined in Chapter 2: Network Setup.
After all settings have been made, authentication is ready to be used on the network. Chapter 5 outlines the steps you need to take to test and to activate your settings before deploying authentication on the network.
Chapter 6 provides support information. Appendices at the end of this user guide feature instructions on filtering profile file components and setup; a chart of ports used for authentication system access; notes on customizations to make on specified LDAP servers; steps to modify the SMB protocol to disable SMB Signing requirements; information on how to obtain or export an SSL certificate and upload it to the R3000; tips on how to override pop-up windows with pop-up blocker software installed; a glossary on authentication terms, and an index.

How to Use this User Guide

Conventions

The following icons are used throughout this user guide:
NOTE: The “note” icon is followed by italicized text providing additional information about the current subject.
TIP: The “tip” icon is followed by italicized text giving you hints on how to execute a task more efficiently.
WARNING: The “warning” icon is followed by italicized text cautioning you about making entries in the application, executing certain processes or procedures, or the outcome of specified actions.

Terminology

The following terms are used throughout this user guide. Sample images (not to scale) are included for each item.
• alert box - a message box that opens in response to an entry you made in a dialog box, window, or screen. This box often contains a button (usually labeled “OK”) for you to click in order to confirm or execute a command.
• button - an object in a dialog box, window, or screen that can be clicked with your mouse to execute a command.
• checkbox - a small square in a dialog box, window, or screen used for indicating whether or not you wish to select an option. This object allows you to toggle between two choices. By clicking in this box, a check mark or an “X” is placed, indicating that you selected the option. When this box is not checked, the option is not selected.
• control panel - the panel that displays at the left of a screen. This panel can contain links that can be clicked to open windows or dialog boxes at the right of the screen. One or more tree lists also can display in this panel. When an item in the tree list is double-clicked, the tree list opens to reveal items that can be selected.
• dialog box - a box that opens in response to a command made in a window or screen, and requires your input. You must choose an option by clicking a button (such as “Yes” or “No”, or “Next” or “Cancel”) to execute your command. As dictated by this box, you also might need to make one or more entries or selections prior to clicking a button.
• field - an area in a dialog box, window, or screen that either accommodates your data entry, or displays pertinent information. A text box is a type of field.
• frame - a boxed-in area in a dialog box, window, or screen that includes a group of objects such as fields, text boxes, list boxes, buttons, radio buttons, checkboxes, and/or tables. Objects within a frame belong to a specific function or group. A frame often is labeled to indicate its function or purpose.
• grid - an area in a frame that displays rows and columns of data, as a result of various processes. This data can be reorganized in the R3000 console, by changing the order of the columns.
• list box - an area in a dialog box, window, or screen that accommodates and/or displays entries of items that can be added or removed.
• pop-up box or pop-up window - a box or window that opens after you click a button in a dialog box, window, or screen. This box or window may display information, or may require you to make one or more entries. Unlike a dialog box, you do not need to choose between options.
• pull-down menu - a field in a dialog box, window, or screen that contains a down-arrow to the right. When you click the arrow, a menu of items displays from which you make a selection.
• radio button - a small, circular object in a dialog box, window, or screen used for selecting an option. This object allows you to toggle between two choices. By clicking a radio button, a dot is placed in the circle, indicating that you selected the option. When the circle is empty, the option is not selected.
• screen - a main object of an application that displays across your monitor. A screen can contain panels, windows, frames, fields, tables, text boxes, list boxes, icons, buttons, and radio buttons.
• sub-topic - a subset of a main topic that displays as a menu item for the topic. The menu of sub-topics opens when a pertinent topic link in the left panel—the control panel—of a screen is clicked. If a sub-topic is selected, the window for that sub-topic displays in the right panel of the screen, or a pop-up window or an alert box opens, as appropriate.
• text box - an area in a dialog box, window, or screen that accommodates your data entry. A text box is a type of field. (See “field”.)
• topic - a topic displays as a link in the left panel—the control panel—of a screen. By clicking the link for a topic, the window for that topic displays in the right panel of the screen, or a menu of sub-topics opens.
• tree - a tree displays in the control panel of a screen, and is comprised of a hierarchical list of items. An entity associated with a branch of the tree is preceded by a plus (+) sign when the branch is collapsed. By double-clicking the item, a minus (-) sign replaces the plus sign, and any entity within that branch of the tree displays. An item in the tree is selected by clicking it.
• window - a window displays on a screen, and can contain frames, fields, text boxes, list boxes, buttons, checkboxes, and radio buttons. A window for a topic or sub-topic displays in the right panel of the screen. Other types of windows include pop-up windows, login windows, or ones from the system such as the Save As or Choose file windows.

Filtering Elements

Filtering operations include the following elements: groups, filtering profiles and their components, and rules for filtering.

Group Types

In the Group section of the Administrator console, group types are structured in a tree format in the control panel. There are four group types in the tree list:
• Global Group
• IP groups
• NT domain groups
• LDAP domain groups
NOTE: If authentication is enabled, the global administrator—who has all rights and permissions on the R3000 server—will see all branches of the tree: Global Group, IP, NT, and LDAP. If authentication is disabled, only the Global Group and IP branches will be seen.
Global Group
The first group that must be set up is the global group, represented in the tree structure by the global icon. The filtering profile created for the global group represents the default profile to be used by all groups that do not have a filtering profile, and all users who do not belong to a group.
IP Groups
The IP group type is represented in the tree by the IP icon. A master IP group is comprised of sub-group members and/or individual IP members.
The global administrator adds master IP groups, adds and maintains override accounts at the global level, and establishes and maintains the minimum filtering level.
The group administrator of a master IP group adds sub-group and individual IP members, override account and time profiles, and maintains filtering profiles of all members in the master IP group.
Fig. 1-1 IP diagram with a sample master IP group and its members
NT Domain Groups
An NT domain on a network server is comprised of Windows NT groups and their associated members (users), derived from profiles on the network’s domain controller.
The NT group type is represented in the tree by the NT icon. This branch will only display if authentication is enabled. Using the tree menu, the global administrator adds and maintains NT domains, and profiles of NT groups and members within the domain.
Filtering profiles can be created for a specified group or user. If users belong to more than one group, the global administrator sets the priority for group filtering.
Fig. 1-2 NT domain diagram, with sample groups and members
LDAP Domain Groups
An LDAP (Lightweight Directory Access Protocol) domain on a network server is comprised of LDAP groups and their associated members (users), derived from profiles on the network’s authentication server.
The LDAP group type is represented in the tree by the LDAP icon. This branch will only display if authentication is enabled. Using the tree menu, the global administrator adds and maintains LDAP domains, and profiles of LDAP groups and members within the domain.
Filtering profiles can be created for a specified group or user. If users belong to more than one group, the global administrator sets the priority for group filtering.
Fig. 1-3 LDAP domain diagram, with sample groups and members

Filtering Profile Types

A filtering profile is used by all users who are set up to be filtered on the network. This profile consists of rules that dictate whether a user has access to a specified Web site or service on the Internet.
The following types of filtering profiles can be created, based on the set up in the tree menu of the Group section of the console:
Global Group
• global filtering profile - the default filtering profile positioned at the base of the hierarchical tree structure, used by end users who do not belong to a group.
IP group (Master Group)
• master group filtering profile - used by end users who belong to the master group.
• master time profile - used by master group users at a specified time.
IP group member
• sub-group filtering profile - used by a sub-group member.
• individual filtering profile - used by an individual IP group member.
• time profile - used by a sub-group/individual IP group member at a specified time.
Authentication filtering profiles
• NT/LDAP group filtering profile - used by an NT or LDAP group.
• NT/LDAP member filtering profile - used by an NT or LDAP group member.
Other filtering profiles
• override account profile - set up in either the global group section or the master group section of the console.
NOTE: An override account set up in the master IP group section of the R3000 console takes precedence over an override account set up in the global group section of the console.
• lock profile - set up under X Strikes Blocking in the Filter Options section of the profile.
Static Filtering Profiles
Static filtering profiles are based on fixed IP addresses and include profiles for master IP groups and their members.
Master IP Group Filtering Profile
The master IP group filtering profile is created by the global administrator and is maintained by the group administrator. This filtering profile is used by members of the group—including sub-group and individual IP group members—and is customized to allow/deny users access to URLs, to redirect users to another URL instead of having a block page display, and to specify usage of appropriate filter options.
IP Sub-Group Filtering Profile
An IP sub-group filtering profile is created by the group administrator. This filtering profile applies to end users in an IP sub-group and is customized for sub-group members.
Individual IP Member Filtering Profile
An individual IP member filtering profile is created by the group administrator. This filtering profile applies to a specified end user in a master IP group.
Active Filtering Profiles
Active filtering profiles include the global group profile, NT/LDAP authentication profile, override account profile, time profile, and lock profile.
Global Filtering Profile
The global filtering profile is created by the global administrator. This profile is used as the default filtering profile. The global filtering profile consists of a customized profile that contains a list of library categories to block, open, or add to a white list, and service ports that are configured to be blocked. A URL can be specified for use instead of the standard block page when users attempt to access material set up to be blocked. Various filter options can be enabled.
NT/LDAP Group Filtering Profile
An NT or LDAP group filtering profile is created by the global administrator. This profile can be customized to allow/deny group users access to URLs, to redirect users to another URL instead of having the standard block page display, and to specify usage of appropriate filter options.
If users belong to more than one group, all groups to which they belong must be ranked to determine the priority each filtering profile takes over another.
NT/LDAP Member Filtering Profile
An NT or LDAP member filtering profile is created by the global administrator. This profile can be customized to allow/deny a user access to URLs, to redirect the user to another URL instead of the standard block page, and to specify usage of appropriate filter options.
Override Account Profile
If any user needs access to a specified URL that is set up to be blocked, the global administrator or group administrator can create an override account for that user. This account grants the user access to areas set up to be blocked on the Internet.
Time Profile
A time profile is a customized filtering profile set up to be effective at a specified time period for designated users.
Lock Profile
This filtering profile blocks the end user from Internet access for a set period of time, if the end user’s profile has the X Strikes Blocking filter option enabled and he/she has received the maximum number of strikes for inappropriate Internet usage.
NOTE: Refer to the R3000 User Guide for additional information on the Override Account Profile, Time Profile, and Lock Profile.

Filtering Profile Components

Filtering profiles are comprised of the following components:
• library categories - used when creating a rule, minimum filtering level, or filtering profile for the global group or any entity
• service ports - used when setting up filter segments on the network, creating the global group (default) filtering profile, or establishing the minimum filtering level
• rules - specify which library categories should be blocked, left open, or white listed
• filter options - specify which features will be enabled: X Strikes Blocking, Google/Yahoo! Safe Search Enforcement, Search Engine Keyword Filter Control, URL Keyword Filter Control
• minimum filtering level - takes precedence over filtering profiles of entities who are using a filtering profile other than the global (default) filtering profile
• filter settings - used by service ports, filtering profiles, rules, and the minimum filtering level to indicate whether users should be granted or denied access to specified Internet content
Library Categories
A library category contains a list of Web site addresses and keywords for search engines and URLs that have been set up to be blocked or white listed. Library categories are used when creating a rule, the minimum filtering level, or a filtering profile.
8e6 Supplied Categories
8e6 furnishes a collection of library categories, grouped under the heading “8e6 Supplied Categories.” Updates to these categories are provided by 8e6 on an ongoing basis, and global administrators also can add or delete individual URLs within a specified library category.
Custom Categories
Custom library categories can be added by either global or group administrators. As with 8e6 supplied categories, additions and deletions can be made within a custom category. However, unlike 8e6 supplied categories, a custom category can be deleted.
NOTE: 8e6 cannot provide updates to custom categories. Maintaining the list of URLs and keywords is the responsibility of the global or group administrator.
Service Ports
Service ports are used when setting up filter segments on the network (the range of IP addresses/netmasks to be detected by the R3000), the global (default) filtering profile, and the minimum filtering level.
When setting up the range of IP addresses/netmasks to be detected, service ports can be set up to be open (ignored). When creating the global filtering profile and the minimum filtering level, service ports can be set up to be blocked or filtered.
Examples of service ports that can be set up include File Transfer Protocol (FTP), Hyper Text Transfer Protocol (HTTP), Network News Transfer Protocol (NNTP), Secured HTTP Transmission (HTTPS), and Secure Shell (SSH).
Rules
A rule is comprised of library categories to block, leave open, or include in a white list. Each rule that is created by the global administrator is assigned a number. A rule is selected when creating a filtering profile for an entity.
Minimum Filtering Level
The minimum filtering level consists of library categories set up at the global level to be blocked or opened, and service ports set up to be blocked or filtered. If the minimum filtering level is created, it applies to all users in IP, NT, and LDAP groups, and takes precedence over filtering settings made for group and member filtering profiles.
The minimum filtering level does not apply to any user who does not belong to a group, and to groups that do not have a filtering profile established.
NOTE: If the minimum filtering level is not set up, global (default) filtering settings will apply instead.
Filter Settings
Categories and service ports use the following settings to specify how filtering will be executed:
• block - if a category or a service port is given a block setting, users will be denied access to the item set up as “blocked”
• open - if a category or the filter segment detected on the network is given an open (pass) setting, users will be allowed access to the item set up as “opened”
• always allowed - if a category is given an always allowed setting, the category is included in the user’s white list and takes precedence over blocked categories
• filter - if a service port is given a filter setting, that port will use filter settings created for library categories (block or open settings) to determine whether users should be denied or allowed access to that port
• ignore - if the filter segment detected on the network has a service port set up to be ignored, that service port will be bypassed

Filtering Rules

Individual User Profiles - A user in an NT or LDAP domain can have only one individual profile set up per domain.
Filtering Levels Applied:
1. The global (default) filtering profile applies to any user under the following circumstances:
• the user does not belong to a master IP group
• the user has not been assigned a domain default profile from an NT or LDAP authentication domain
2. If a minimum filtering level is defined, it applies to all master IP groups (and their members) and NT/LDAP groups who have been assigned filtering profiles after authenticating. The minimum filtering level combines with the user’s profile to guarantee that categories blocked in the minimum filtering level are blocked in the user’s profile.
3. For master IP group members:
a. A master IP group filtering profile takes precedence over the global profile.
b. A master IP group time profile takes precedence over the master IP group profile.
4. For IP sub-group members:
a. An IP sub-group filtering profile takes precedence over the master IP group’s time profile.
b. An IP sub-group time profile takes precedence over the IP sub-group profile.
5. For individual IP members:
a. An individual IP member filtering profile takes precedence over the IP sub-group’s time profile.
b. An individual IP member time profile takes precedence over the individual IP member profile.
6. For NT/LDAP users, if a user is authenticated, settings for the user’s group or individual profile from the NT/LDAP domain are applied and take precedence over any IP profile.
a. If the user belongs to more than one group in an authentication domain, the profile for the user is determined by the order in which the groups are listed in the Group Priority list set by the global administrator. The user is assigned the profile for the group highest in the Group Priority list.
b. If a user has an individual profile set up, that profile supersedes all other profile levels for that user. The user can have only one individual profile in each domain.
7. An override account profile takes precedence over an authentication profile. This account may override the minimum filtering level—if the override account was set up in the master IP group tree, and the global administrator allows override accounts to bypass the minimum filtering level, or if the override account was set up in the global group tree.
NOTE: An override account set up in the master IP group section of the R3000 console takes precedence over an override account set up in the global group section of the console.
8. A lock profile takes precedence over all filtering profiles. This profile is set up under Filter Options, by enabling the X Strikes Blocking feature.
Fig. 1-4 Sample filtering hierarchy diagram
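The precedence rules 1 through 8 above, worked through as an added example (this is not 8e6's code and is not part of the R3000): a resolver that picks the profile filtering a user from a constructed description of that user's memberships, then combines the result with the minimum filtering level for one library category. The EndUser fields, the profile labels, the group names and the assumption that the Group Priority list is ordered highest first are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass
class EndUser:
    """Constructed description of one end user's memberships and current state."""
    master_ip_group: Optional[str] = None   # master IP group whose range holds the user's IP
    master_time_active: bool = False        # a master IP group time profile is in effect now
    sub_group: Optional[str] = None         # IP sub-group the user belongs to, if any
    sub_time_active: bool = False           # a sub-group time profile is in effect now
    individual_ip: bool = False             # an individual IP member profile exists
    individual_time_active: bool = False    # an individual IP member time profile is in effect
    authenticated: bool = False             # NT/LDAP authentication succeeded
    auth_groups: Sequence[str] = ()         # NT/LDAP groups (with profiles) the user belongs to
    auth_individual: bool = False           # an individual NT/LDAP profile exists for the user
    override: Optional[str] = None          # "master" or "global": tree the override was set up in
    locked: bool = False                    # X Strikes Blocking lock profile in effect


@dataclass(frozen=True)
class Decision:
    profile: str              # label of the profile that filters this user
    min_level_applies: bool   # whether the minimum filtering level is combined with it


def resolve_profile(user: EndUser, group_priority: Sequence[str],
                    override_bypasses_min_level: bool = False) -> Decision:
    """Apply Filtering Rules 1-8. group_priority lists NT/LDAP groups highest first
    (assumed ordering); override_bypasses_min_level is the global administrator's
    setting for override accounts created in the master IP group tree."""
    # Rule 8: the lock profile takes precedence over all other profiles.
    if user.locked:
        return Decision("lock", False)
    # Rule 7: an override account takes precedence over authentication and IP profiles.
    if user.override is not None:
        # A global-tree override always bypasses the minimum filtering level; a
        # master-tree override bypasses it only if the global administrator allows.
        bypass = user.override == "global" or override_bypasses_min_level
        return Decision(f"override:{user.override}", not bypass)
    # Rule 6: an authenticated NT/LDAP user's domain profile beats any IP profile.
    if user.authenticated:
        if user.auth_individual:                 # rule 6b: one individual profile per domain
            return Decision("auth-individual", True)
        for group in group_priority:             # rule 6a: highest-ranked group wins
            if group in user.auth_groups:
                return Decision(f"auth-group:{group}", True)
    # Rules 3-5: walk down the IP hierarchy; each lower level beats the one above it.
    if user.master_ip_group is not None:
        profile = f"master:{user.master_ip_group}"
        if user.master_time_active:
            profile = "master-time"
        if user.sub_group is not None:
            profile = f"sub-group:{user.sub_group}"
            if user.sub_time_active:
                profile = "sub-group-time"
        if user.individual_ip:
            profile = "individual"
            if user.individual_time_active:
                profile = "individual-time"
        return Decision(profile, True)           # rule 2: minimum level applies to IP groups
    # Rule 1: no master IP group and no domain profile -> global (default) profile.
    return Decision("global", False)


def is_blocked(category: str, profile_blocked: set, profile_always_allowed: set,
               min_level_blocked: set, min_level_applies: bool) -> bool:
    """Combine the user's profile with the minimum filtering level for one library
    category: a category blocked at the minimum level stays blocked (rule 2);
    otherwise an always-allowed (white list) entry overrides a block in the profile."""
    if min_level_applies and category in min_level_blocked:
        return True
    if category in profile_always_allowed:
        return False
    return category in profile_blocked


if __name__ == "__main__":
    # Constructed sample: an IP sub-group member who also authenticated to the domain.
    jsmith = EndUser(master_ip_group="lab", sub_group="room1", sub_time_active=True,
                     authenticated=True, auth_groups=("staff", "students"))
    print(resolve_profile(jsmith, ["students", "staff"]))   # auth-group:students wins
```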

Authentication Operations

R3000 Authentication Protocols

The R3000 supports two types of authentication protocols: Windows NT LAN Manager (NTLM), and Lightweight Directory Access Protocol (LDAP).
NTLM authentication supports NTLM authentication running on any of the following servers: Windows NT 4.0, Windows 2000 Mixed Mode, and Windows 2003 Mixed Mode.
LDAP authentication supports all versions of LDAP, such as Microsoft Active Directory, Novell eDirectory, Sun ONE, and OpenLDAP.

R3000 Authentication Tiers

The R3000 authentication architecture for NTLM and LDAP authentication protocols is comprised of three tiers. When using NT and/or LDAP authentication with the R3000, one of these three tiers is selected for use on the network, depending on the server(s) used on the network and the preferred authentication method(s) to be employed.
Tier 1: Single sign-on, net use based authentication for NT or Active Directory domains.
Tier 2: Time-based, Web authentication for NT and LDAP authentication methods.
Tier 3: Session-based, Web authentication for NT or LDAP authentication method.
When using Tier 2 or Tier 3, the 8e6 Authenticator should be enabled to ensure the end user is authenticated when logging into his/her workstation. Or if using a Novell eDirectory server, the Novell eDirectory Agent can be used instead to authenticate end users.
NOTE: See 8e6 Authenticator and Novell eDirectory Agent for information on setting up these types of authentication on the network.

Tier 1: Single Sign-On Authentication

Net use based authentication process
The following diagram and steps describe the operations of the net use based user authentication process:
Fig. 1-5 Net use based authentication module diagram
1. The user logs on the network from a Windows workstation (also known as “client” or “machine”).
2. The authentication server on the network sends the user’s workstation a login script containing a net use command.
3. The execution of this net use command causes the Windows workstation to create an “IPC share” (command exchange) with the R3000 filter box as a shared network device.
NOTE: When the IPC share is created, no drives are mapped in this share.
4. Upon creating the IPC share, the software in the R3000 queries the network authentication server with the user's login name and password sent by the workstation.
5. Once the user is successfully authenticated, the R3000 matches the user’s login name or group name with a stored list of profile settings in the R3000. As a result of this process, the user is assigned the appropriate level of filtering.
6. The matched profile is set for the user's IP address. The IPC connection is completed and maintained with periodic “keep-alives.”
7. When the user logs off, changes IP addresses, loses the network connection, or in any way causes the IPC connection to be altered or deactivated, the R3000 senses this change and returns the IP address to the configured global filtering level.
WARNING: Authentication will fail if a Network Address Translation (NAT) device is set up between the authentication server and end user clients. Authentication may also fail if network connections are overloaded, causing a severe delay in the transportation of SMB traffic. This can be a problem in any network, but is most prevalent in WAN links, or in trunk links that are overloaded.
Re-authentication process
1. The user loses his/her user profile after one of the following incidences occurs:
• the server is rebooted, or
• the connection from the user’s machine to the server is dropped (as with a faulty network cable)
2. A block page displays for the user.
3. In order to re-access the Internet, the user must re-authenticate him/herself by clicking a link in the block page to generate a login script that re-authenticates the user’s profile.
Authentication methods
Tier 1 supports two server authentication methods: Server Message Block (SMB) and LDAP.
SMB protocol
SMB is a client/server protocol that requires the client to send a request to the server and receive an authentication response from the server, in order for the client to access resources on the network.
As the default protocol for NT 4.0 and earlier operating systems, SMB is supported by Windows 2000 and later OS versions.
SMB Signing
SMB Signing is a Windows security feature that prevents an active network session between a client and server from being tapped. While Microsoft has made this feature available since Windows NT 4.0, it was not a default setting. However, in Windows 2003, this feature is enabled by default.
Since SMB Signing is not currently supported by the R3000, 8e6 recommends disabling the requirement for this feature. This does not disable SMB Signing for machines that support it, but allows devices that do not support SMB Signing to connect. To disable the default setting that requires SMB Signing for all connections, follow the instructions in Appendix D: Disable SMB Signing Requirements.
Alternately, if you have an available Windows 2000 Server—or an earlier Windows NT 4.0 Server—and are willing to establish the necessary trust relationships with the Windows 2003 Server, this earlier Windows server can be used as the primary authentication server for the R3000 instead of the Windows 2003 Server.
NOTE: For information on SMB Signing compatibility with the R3000, refer to the chart in Appendix D: Disable SMB Signing Requirements.
LDAP protocol
LDAP is a directory service protocol that stores entries (Distinguished Names) in a domain’s directory using a hierarchical tree structure. The LDAP directory service is based on a client/server model protocol to give the client access to resources on the network.
When a client connects to a server and asks it a question, the server responds with an answer and/or with a pointer to the server that stores the requested information (typically, another LDAP server). No matter which LDAP server the client accesses, the same view of the directory is “seen.”
The LDAP specification defines both the communication protocol and the structure, or schema, to a lesser degree. There is an Internet Assigned Numbers Authority (IANA) standard set that all LDAP directories should contain. Novell and Microsoft both have additional schema definitions that extend the default setups.
Most server operating systems now support some implementations of LDAP authentication. The Microsoft Active Directory LDAP-based model became available with the release of Windows 2000.
Name resolution methods
The name resolution process occurs when the R3000 attempts to resolve the IP address of the authentication server with the machine name of that server. This continuous and regulated automated procedure ensures the connection between the two servers is maintained.
When using an NT server with SMB, the name resolution process occurs when a valid Windows Internet Name Service (WINS) Server IP address is entered or a broadcast query is made.
When using an LDAP server, the name resolution process occurs when a Domain Name Service (DNS) entry is made. In order to accommodate this request, the LDAP server must have a valid DNS entry or the IP address must be added to the R3000 hosts file.
NOTE: If LDAP is used, client machines will still use the SMB authentication method to communicate with the R3000 server for Tier 1 authentication. LDAP communication only occurs between the R3000 server and the LDAP server.
Authentication setup procedures
Server setup types
R3000 authentication is designed to support the following server types for the specified tier(s):
Tier 1: Net use based authentication
NOTE: Login scripts must be used for net use based authentication.
Using SMB/NetBIOS:
• Windows NT 4.0, SP4 or later
• Windows 2000 or 2003 Server in mixed/legacy mode
NOTE: SMB Signing must not be required.
Using LDAP:
• Microsoft Active Directory Mixed Mode
• Microsoft Active Directory Native Mode
Tier 2 and Tier 3: Web-based authentication
Using an NT authentication domain:
• Windows NT 4.0, SP4 or later
• Windows 2000 or 2003 Server in mixed/legacy mode
NOTE: SMB Signing must not be required.
Using an LDAP domain:
• Windows Active Directory 2002 and 2003
• Novell eDirectory
• SunONE directory server
Configuring the authentication server
When configuring authentication, you must first go to the authentication server and make all necessary entries before configuring the R3000.
The following authentication components must be set up or entered on the console of the authentication server:
• domain name
• usernames and passwords
• user groups
• login scripts
Login scripts
Login (or logon) scripts are used by the R3000 server for reauthenticating users on the network.
The following syntax must be entered in the appropriate directory on the authentication server console:
Enter net use syntax in the login script
The virtual IP address is used by the R3000 to communicate with all users who log on to that server. This address must be in the same subnet as the one used by the transmitting interface of the R3000.
For testing, user information can be specified on the command line as follows:
NET USE \\virtualip\R3000$ /user:DOMAINNAME\username password
Example: NET USE \\192.168.0.20\R3000$ /user:LOGO\jsmith xyz579
The command to disconnect a session is:
NET USE \\virtualip\R3000$ /delete
View login script on the server console
The login script can be viewed on the authentication server console. This script resides in a different location on the server, depending on the version of the server:
Windows 2000 or Windows 2003 Server
\\servername.suffix\sysvol\domainname.suffix\policies\{guid}\user\scripts\logon
c:\winnt\sysvol\sysvol\domainname.suffix\scripts
c:\winnt\sysvol\domainname\scripts
Windows NT 4.0 Server
\\servername\netlogon
\\ipaddress\netlogon
c:\winnt\system32\repl\import\scripts
The login script must be specified either in the user’s domain account or in the Active Directory Group Policy Object so that it runs when the user logs into the domain.
Block page authentication login scripts
In addition to the use of login scripts in the console of the authentication server, a login script path must be entered in the Block Page window of the R3000 Administrator console. This script is used for reauthenticating users on the network.
The following syntax must be used:
\\SERVERNAME\netlogon
or
\\IPaddress\netlogon
NOTE: See Block Page Authentication for more information about these entries.
LDAP server setup rules
WARNING: The instructions in this user guide have been documented based on standard default settings in LDAP for Microsoft Active Directory Services. The use of other server types, or any changes made to these default settings, must be considered when configuring the R3000 server for authentication.
If LDAP will be used, the following items should be considered:
• The administrator in charge of the LDAP server should create a user for the R3000 in order to give that user full read access to the groups and users in the directory.
• Since the LDAP directory is structured as a tree, data needs to be retrieved the same way. Additionally, the order of the syntax is reversed compared to how it appears in normal file system folders. The deepest layer is listed first, in a similar manner as a DNS domain name: e.g. “engineering.company.net”. In LDAP, a directory entry would look like this: “cn=engineering,dc=company,dc=net”.
• Make sure all network configuration settings are correct (such as DNS, IP, etc.) before configuring LDAP settings.
NOTE: All filtering profiles are stored on the R3000 server.

Tier 2: Time-based, Web Authentication

The following diagram and steps describe the operations of the time-based authentication process:
Fig. 1-6 Web-based authentication module diagram
1. The user makes a Web request by entering a URL in his/her browser window.
2. The R3000 intercepts this request and sends the user the Authentication Request Form, requesting the user to log in with his/her login ID and password.
3. The R3000 verifies the user’s information with the authentication server (Domain Controller, Active Directory, LDAP, etc.).
4. The authenticated user is allowed to access the requested URL for the time period specified by the administrator.
Tier 2 implementation in an environment
In an environment where Tier 2 time-based profiles have been implemented, end users receive filtering profiles after correctly entering their credentials into a Web-based Authentication Request Form. A profile remains active for a configurable amount of time even if the user logs out of the workstation, changes IP addresses, etc., so a subsequent user of the same workstation would be filtered under the previous user’s profile until it expires or is removed.
Tier 2 time-based profiles do not call for the R3000 to maintain a connection with the client machine, so the R3000 cannot detect when the user logs off of a workstation. In order to remove the end user’s profile, one of the two scripts detailed in this sub-section should be inserted into the network’s login and/or logoff script.
The Tier 2 Script should be used if Tier 2 is the only tier implemented in an environment. The Tier 1 and Tier 2 Script should be used if Tier 2 is implemented along with Tier 1 in an environment. Since both sets of scripts use the NET USE command, the client machine must already have the ability to connect to the R3000 via NET USE in order for the profile to be removed in either environment.
Tier 2 Script
If using Tier 2 only, this script should be inserted into the network’s login script. If the network also uses a logoff script, 8e6’s script should be inserted there as well. The inclusion of this script ensures that the previous end user’s profile is completely removed, in the event the end user did not log out successfully.
echo off
:start
cls
REM 10.10.10.10 stands for the R3000; replace it with the address of your R3000.
REM Connecting to the LOGOFF$ share asks the R3000 to remove the previous
REM end user's profile. Drop any stale mapping before trying.
net use \\10.10.10.10\LOGOFF$ /delete
:try1
NET USE \\10.10.10.10\LOGOFF$
if errorlevel 1 goto :try2
if errorlevel 0 echo code 0: Success
goto :end
:try2
NET USE \\10.10.10.10\LOGOFF$
if errorlevel 1 goto :try3
if errorlevel 0 echo code 0: Success
goto :end
:try3
NET USE \\10.10.10.10\LOGOFF$
if errorlevel 1 goto :error
if errorlevel 0 echo code 0: Success
goto :end
:error
if errorlevel 1 echo code 1: Failed!
:end
REM Clean up the mapping so the next run starts from a known state.
net use \\10.10.10.10\LOGOFF$ /delete
Tier 1 and Tier 2 Script
In an environment in which both Tier 1 and Tier 2 are used, this version of 8e6’s script should be inserted into the network’s login script. 8e6’s script attempts to remove the previous end user’s profile, and then lets the new user log in with his/her assigned profile.
echo off
:startremove
cls
REM 10.10.10.10 stands for the R3000; replace it with the address of your R3000.
REM Step 1: connect to the LOGOFF$ share to remove the previous end user's profile.
NET USE \\10.10.10.10\LOGOFF$ /delete
:tryremove1
NET USE \\10.10.10.10\LOGOFF$
if errorlevel 1 goto :tryremove2
if errorlevel 0 echo code 0: Success
goto :endremove
:tryremove2
NET USE \\10.10.10.10\LOGOFF$
if errorlevel 1 goto :tryremove3
if errorlevel 0 echo code 0: Success
goto :endremove
:tryremove3
NET USE \\10.10.10.10\LOGOFF$
if errorlevel 1 goto :removalerror
if errorlevel 0 echo code 0: Success
goto :endremove
:removalerror
if errorlevel 1 echo code 1: Failed to send removal request!
:endremove
net use \\10.10.10.10\LOGOFF$ /delete
REM Step 2: connect to the R3000$ share so the new user logs in with
REM his/her assigned profile (the Tier 1 net use logon).
:try1
NET USE \\10.10.10.10\R3000$
if errorlevel 1 goto :try2
if errorlevel 0 echo code 0: Success
goto :end
:try2
NET USE \\10.10.10.10\R3000$
if errorlevel 1 goto :try3
if errorlevel 0 echo code 0: Success
goto :end
:try3
NET USE \\10.10.10.10\R3000$
if errorlevel 1 goto :error
if errorlevel 0 echo code 0: Success
goto :end
:error
if errorlevel 1 echo code 1: Failed!
:end
NOTE: In environments that use both Tier 1 and Tier 2, if a logoff script is used on the network, the Tier 2 Script should be inserted into the network’s logoff script.

Tier 3: Session-based, Web Authentication

The diagram on the previous page (Fig. 1-6) and steps below describe the operations of the session-based authentication process:
1. The user makes a Web request by entering a URL in his/her browser window.
2. The R3000 intercepts this request and sends the user the Authentication Request Form, requesting the user to log in with his/her login ID and password.
3. The R3000 verifies the user’s information with the authentication server (Domain Controller, Active Directory, LDAP, etc.).
4. A pop-up window opens on the user’s workstation while the original window loads the requested URL. The user will continue to be authenticated as long as the pop-up window remains open.

8e6 Authenticator

The 8e6 Authenticator ensures the end user is authenticated on his/her workstation, via an executable file that launches during the login process. To use this option, the 8e6 Authenticator client (authenticat.exe) should be placed in a network share accessible by the domain controller or a Novell eDirectory server such as NetWare eDirectory server 6.5.
NOTE: The 8e6 Authenticator client (authenticat.exe) can be downloaded from the Enable/Disable Authentication window. (See the Enable authentication, specify criteria sub-section in Chapter 2: Network Setup.)
Environment requirements
Minimum system requirements
The following minimum server components are required when using NetWare eDirectory server 6.5:
• Server-class PC with a Pentium II or AMD K7 processor
• 512 MB of RAM
• Super VGA display adapter
• DOS partition of at least 200 MB and 200 MB available space
• 2 GB of available, unpartitioned disk space outside the DOS partition for volume sys:
• One network board
• CD drive
Recommended system requirements
The following server components are recommended for optimal performance when using NetWare eDirectory server 6.5:
• Server-class PC with two-way Pentium III, IV, or Xeon 700 MHz or higher processors
• 1 GB of RAM
• VESA compliant 1.2 or higher display adapter
• DOS partition with 1 GB of available space
• 4 GB of available, unpartitioned disk space outside the DOS partition for volume sys:
• One or more network boards
• Bootable CD drive that supports the El Torito specification
• USB or PS/2* mouse
Workstation requirements
The 8e6 Authenticator client works with the following oper­ating systems:
• Windows XP Pro SP1 and 2
• Windows 2000 Pro SP4
• Windows XP and Windows 2000 with Novell client v4.91
NOTE: Any non-domain supported Windows operating system, such as ME or XP Home Edition, will not work with the 8e6 Authenticator unless the Novell eDirectory client is installed for login and deployment of the 8e6 Authenticator client using a Novell server.
Work flow in a Windows environment
1. The administrator stores the 8e6 Authenticator client (authenticat.exe) in a network-shared location that a login script can access.
2. Using a Windows machine, an end user logs on the domain, or logs on the eDirectory tree via a Novell client.
3. The end user’s login script invokes authenticat.exe.
4. The 8e6 Authenticator client determines the authentication environment by examining the Windows registry, then retrieves the username and domain name using either Windows or Novell APIs, and sends this information (LOGON event) to the R3000.
5. The R3000 looks up the groups to which the end user belongs (Windows AD, PDC, or eDirectory through LDAP or NTLM/Samba), and determines the profile assignment.
6. The R3000 sets the profile for the end user with user­name (including the group name, if it is available) and IP.
7. The 8e6 Authenticator client continually sends a “heart­beat” to the R3000—with a specified interval of seconds between each “heartbeat”—until the end user logs off.
8. The end user logs off, and the 8e6 Authenticator client sends a LOGOFF event to the R3000. The R3000 removes the user's profile.
8e6 Authenticator configuration priority
The source and order in which parameters are received and override one another are described below.
NOTE: Any parameter set at the end of the list will override any parameter that was previously set.
1. Compiled Defaults: Given no parameters at all, the client will try to execute using the default compilation.
2. Configuration File (optional): The default location of the configuration file is the same path/name as the authenticat.exe client, but with a “.cfg” extension instead of “.exe”. The full path/name can be specified on the command line with the CF[] parameter. Review the ++ comment following Table 1 for more information.
3. Command Line (optional): Options on the command line will override compiled defaults and the configuration file. The command line can be left blank.
4. R3000 Configuration Packet (optional): The R3000 may send a configuration packet that will override all other settings, including the command line. If the R3000 changes the IP address or port used by authenticat.exe, then when authenticat.exe reconnects, authenticat.exe will use the new IP address and port.
NOTE: The R3000 can force authenticat.exe to reconnect with a re-logon event packet.
8e6 Authenticator configuration syntax
All configuration parameters, regardless of their source, will use the following format/syntax:
wAA[B]w{C}w
{Parameter ‘AA’ with Data ‘B’, and Comment ‘C’ ignored.}
w;DD[E]w{C}w
{The semicolon causes ‘DD[E]’ to be ignored, ‘C’ is also ignored.}
Here ‘AA’ is a two-letter, case-insensitive parameter name, ‘B’ is the value for this parameter wrapped in brackets ( [ ] ), and ‘w’ is zero or more white spaces (space, tab, carriage return, line feed). ‘C’ is completely ignored: anything wrapped in braces ( { } ) is considered a comment. A ‘;’ immediately preceding a parameter causes that parameter and its data to be ignored, which is convenient for temporarily reverting a parameter to its default value during testing.
Sample command line parameters
authenticat.exe LF[c:\] ra[192.168.0.43]Rr[40000]
Sample configuration file
RA[100.10.101.30] { R3000 Virtual IP address }
RP[139] { R3000 Port }
RH[30000] { Heartbeat timer (30 seconds) }
RR[30000] { Reconnect time (before connecting again) }
RC[10000] { Connect Timeout (how long to wait for a connection response) }
LE[0]
LF[\\100.10.101.117\publogs\] { Where to put logs }
Sample R3000 configuration update packet ‘PCFG’
After decryption, with protocol headers removed:
RH[30000]RC[1000]LE[1]
You only need to change the options you do not wish to remain as default. Often the IP address of the R3000 (RA) and the log file (LF) are the most desired options to change. Note that full network paths are allowed.
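As an added illustration (not code from 8e6 or from the R3000 product), the following Python parser implements the wAA[B]w{C}w syntax described above and then applies the configuration priority from the “8e6 Authenticator configuration priority” sub-section: compiled defaults, then the configuration file, then the command line, then an R3000 configuration packet, each overriding the one before. The compiled defaults are taken from the Release Default column of the table of parameters below; the sample inputs are the manual’s own samples plus one ‘;’-disabled line added here. Passing the configuration file’s contents as a string instead of loading it from disk, and treating an empty CF[] on the command line as “load no configuration file”, are simplifications of this example.

```python
import re
from typing import Dict, Optional

# Compiled defaults for this example, taken from the manual's Release Default
# column (UT, RA, RP, RH, RR, RC, LE, LD, LF, CF). RV has no listed default.
COMPILED_DEFAULTS: Dict[str, str] = {
    "UT": "255", "RA": "0.0.0.0", "RP": "139", "RH": "30000", "RR": "30000",
    "RC": "10000", "LE": "1", "LD": "0", "LF": "C:\\", "CF": "-",
}

# One parameter: an optional ';' immediately before the two-letter name
# (which disables it), then '[' data ']'. Data may not contain ']'.
_PARAM = re.compile(r"(;?)([A-Za-z]{2})\[([^\]]*)\]")
# Anything in braces is a comment and is discarded before parsing.
_COMMENT = re.compile(r"\{[^}]*\}")


def parse_params(text: str) -> Dict[str, str]:
    """Parse wAA[B]w{C}w text into {'AA': 'B'} (names upper-cased).

    ';'-prefixed parameters are skipped. Any non-whitespace text that is not
    part of a parameter is a syntax error, matching the manual's rule that
    format errors abort the reading.
    """
    stripped = _COMMENT.sub(" ", text)
    result: Dict[str, str] = {}
    pos = 0
    for m in _PARAM.finditer(stripped):
        gap = stripped[pos:m.start()]
        if gap.strip():
            raise ValueError(f"syntax error near {gap.strip()!r}")
        pos = m.end()
        disabled, name, value = m.group(1) == ";", m.group(2).upper(), m.group(3)
        if not disabled:
            result[name] = value
    if stripped[pos:].strip():
        raise ValueError(f"syntax error near {stripped[pos:].strip()!r}")
    return result


def effective_config(config_file_text: Optional[str], command_line: str,
                     r3000_packet: Optional[str] = None) -> Dict[str, str]:
    """Merge the four sources in the manual's priority order (later wins).

    config_file_text stands in for the .cfg file's contents (example
    simplification); an empty CF[] on the command line means no file is loaded.
    """
    cfg = dict(COMPILED_DEFAULTS)
    cmd = parse_params(command_line)
    if cmd.get("CF", "-") != "" and config_file_text is not None:
        cfg.update(parse_params(config_file_text))
    cfg.update(cmd)
    if r3000_packet is not None:
        cfg.update(parse_params(r3000_packet))   # PCFG packet overrides everything
    return cfg


# Constructed sample inputs, copied from the manual's samples above; the
# ';LD[4]' line is added here to show a temporarily disabled parameter.
SAMPLE_CONFIG_FILE = r"""
RA[100.10.101.30] { R3000 Virtual IP address }
RP[139] { R3000 Port }
RH[30000] { Heartbeat timer (30 seconds) }
RR[30000] { Reconnect time (before connecting again) }
RC[10000] { Connect Timeout (how long to wait for a connection response) }
LE[0]
LF[\\100.10.101.117\publogs\] { Where to put logs }
;LD[4] { disabled: falls back to the compiled default }
"""
SAMPLE_COMMAND_LINE = r"LF[c:\] ra[192.168.0.43]Rr[40000]"
SAMPLE_PACKET = "RH[30000]RC[1000]LE[1]"

if __name__ == "__main__":
    merged = effective_config(SAMPLE_CONFIG_FILE, SAMPLE_COMMAND_LINE, SAMPLE_PACKET)
    for key, value in sorted(merged.items()):
        print(f"{key}[{value}]")
```

With the three samples, RA and LF come from the command line (overriding the file), RR comes from the command line, RC and LE come from the packet, and LD stays at its compiled default because the file’s LD[4] is disabled by the leading ‘;’.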
Table of parameters
The following table contains the different parameters, their meanings, and possible values.
Param ID | Parameter Meaning                    | Values                           | Dbg Default  | Release Default
---------|--------------------------------------|----------------------------------|--------------|-----------------
UT +     | User’s Logon Environment             | 1-256 (0 = Win32, 1 = Novell)    | 255 (auto)   | 255 (auto)
RA # *   | R3000 Virtual IP Address             | 255.255.255.255:PORT;…           | 0.0.0.0      | 0.0.0.0
RV #     | R3000 VPN Support Table              | (IP-IP;IP:PORT;…),…              |              |
RP       | R3000 Port                           | 1-65535                          | 139          | 139
RH       | R3000 Heartbeat Timer MS             | 1-4 billion (milliseconds)       | 30000        | 30000 (30 sec)
RR       | R3000 Reconnect Time MS              | 1-4 billion (milliseconds)       | 30000        | 30000 (30 sec)
RC       | R3000 Connect Timeout MS             | 1-4 billion (milliseconds)       | 10000        | 10000 (10 sec)
LE       | Log using Event Viewer               | 1 or 0 (event view or log file)  | 0 (log file) | 1 (event view)
LD       | Logging Detail                       | 1, 2, 3, or 4                    | 1 (light)    | 0 (errors only)
LF *     | Path-ONLY to output log file         | 1-1000 alphanum                  | C:\          | C:\
CF ++    | Full path/name of Configuration File | 1-1000 alphanum                  | –            | –
+ If UT[0] is set, then the Novell environment will be ignored, if present, and only the Windows environment information will be retrieved and sent to the R3000. If UT[1] is set and the Novell environment is invalid or the user is not authenticated with its Novell server, then the results sent to the R3000 are invalid (probably empty values). The default UT[255] auto detects Novell vs. Win32 and will automatically favor Novell authentication over Windows, if possible.
* Special Interest. Values most likely to change during testing, configuration, and production implementation.
++ Alternate configuration file is only valid when specified on the command line. It will be ignored in any other context. If the configuration file cannot be loaded from the alternate location, an error will be logged and an attempt will be made to load the default configuration file. If the alternate configuration file is specified and is blank ( CF[] ), the 8e6 Authenticator will not attempt to load any configuration file; this can minimally speed up execution time. The compiled default value of CF[-] causes the default configuration file loading to be attempted, which has the same full path and filename of the current, loaded 8e6 Authenticator executable, but with an extension of “.cfg” instead of “.exe”. That is, if the 8e6 Authenticator client is “\\example\authenticat.exe”, the search for the default configuration file would be “\\example\authenticat.cfg”. It is not an error if the default configuration file does not exist. It is an error if the default configuration file exists but cannot be read or parsed correctly. Unknown parameters are ignored. Format/syntax errors will abort the reading and report an error, but the 8e6 Authenticator will attempt to continue running.
# For each IP address where “:PORT” is omitted from the address, the RP[] port value is used. For example, if RA[1.1.1.1:5555] is set, the RP[] parameter is ignored.
RP[] affects port-less addresses specified in the RV[] command as well.
For RA[], each IP address is separated by a semi-colon ‘;’ and the first IP address will be tried for each new connection attempt. When the main IP address fails to respond, the next IP address in the list will be tried, and so on, if it fails. After the last IP address is tried, the logic will continue from the first IP address again. A retry attempt on the main IP address is subject to the RR[] Reconnect time. After any disconnection, the logic will always begin with the main IP address as its first attempt.
For RV[], sets of R3000 addresses are specified based on an IP range that matches the client’s IP address; multiple destination R3000 addresses may be used in each set and will have the same functionality as multiple destinations specified in the RA[] parameter. Each set is surrounded by parentheses ‘( )’s, and sets are separated by commas ‘,’. Any local client IP address that does not match any set will use the RA[] address. Sample format:
RV[(102.108.1.0-102.108.1.255;1.1.1.1;2.2.2.2),(102.108.2.0-102.108.2.255;3.3.3.3:222)]
In this example, a client with an IP address of 102.108.1.5 would try to connect to 1.1.1.1 using the RP[] port (2.2.2.2 as the backup). A client with 102.108.2.15 would try to connect to 3.3.3.3 port 222, which has no backup.
Any local address that would end up connecting to 0.0.0.0 will not be observed by the 8e6 Authenticator. This allows RV[] to restrict observation by the 8e6 Authenticator to specified ranges of client IP addresses: since the compiled default for RA[] is 0.0.0.0, a client that matches no RV[] set is not observed unless RA[] has been set.
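To make the RA[]/RV[] selection rules above concrete, here is an added Python example (not 8e6 code) that parses an RV[] table and an RA[] list, picks the destination set for a given client address, fills in the RP[] port wherever “:PORT” is omitted, treats a main address of 0.0.0.0 as “client not observed”, and models the retry order from the RA[] description (main address first, then each backup in turn, wrapping around to the main address). The sample RV[] value is the manual’s; is_up is a hypothetical callback standing in for a real connection attempt, and reading “connecting to 0.0.0.0” as “the main address resolves to 0.0.0.0” is this example’s assumption.

```python
import ipaddress
import re
from typing import Callable, List, Optional, Tuple

Endpoint = Tuple[str, int]          # (R3000 address, port)
RvSet = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address, List[Endpoint]]


def parse_endpoint(token: str, rp: int) -> Endpoint:
    """'3.3.3.3:222' -> ('3.3.3.3', 222); '1.1.1.1' -> ('1.1.1.1', rp)."""
    host, sep, port = token.strip().partition(":")
    return (host, int(port) if sep else rp)


def parse_ra(value: str, rp: int) -> List[Endpoint]:
    """RA[] is ';'-separated; the first entry is the main address."""
    return [parse_endpoint(t, rp) for t in value.split(";") if t.strip()]


def parse_rv(value: str, rp: int) -> List[RvSet]:
    """RV[(lo-hi;dest;dest),(lo-hi;dest:port)] -> [(lo, hi, [endpoints]), ...]."""
    sets: List[RvSet] = []
    for group in re.findall(r"\(([^)]*)\)", value):
        parts = [p for p in group.split(";") if p.strip()]
        lo, _, hi = parts[0].partition("-")
        sets.append((ipaddress.IPv4Address(lo.strip()),
                     ipaddress.IPv4Address(hi.strip()),
                     [parse_endpoint(d, rp) for d in parts[1:]]))
    return sets


def targets_for_client(client_ip: str, ra: str, rv: str, rp: int = 139) -> List[Endpoint]:
    """Ordered endpoints this client should try; [] means the client is not observed."""
    ip = ipaddress.IPv4Address(client_ip)
    chosen = parse_ra(ra, rp)                   # RA[] is used when no RV[] set matches
    for lo, hi, dests in parse_rv(rv, rp):
        if lo <= ip <= hi:
            chosen = dests                      # first matching RV[] set wins
            break
    # Assumption: a main address of 0.0.0.0 means "do not observe this client".
    if not chosen or chosen[0][0] == "0.0.0.0":
        return []
    return chosen


def connect_with_failover(endpoints: List[Endpoint],
                          is_up: Callable[[Endpoint], bool],
                          max_attempts: int) -> Optional[Endpoint]:
    """Try main, then each backup in order, wrapping back to main, until one answers."""
    if not endpoints:
        return None
    for n in range(max_attempts):
        candidate = endpoints[n % len(endpoints)]  # wraps around after the last entry
        if is_up(candidate):
            return candidate
    return None                                    # give up after max_attempts


# Constructed inputs: the manual's RV[] sample plus the RA[] default of 0.0.0.0.
SAMPLE_RV = "(102.108.1.0-102.108.1.255;1.1.1.1;2.2.2.2),(102.108.2.0-102.108.2.255;3.3.3.3:222)"
SAMPLE_RA = "0.0.0.0"

if __name__ == "__main__":
    for client in ("102.108.1.5", "102.108.2.15", "192.168.2.15"):
        print(client, "->", targets_for_client(client, SAMPLE_RA, SAMPLE_RV))
```

Running it gives 1.1.1.1 then 2.2.2.2 (both on the RP[] port) for 102.108.1.5, 3.3.3.3 port 222 for 102.108.2.15, and an empty list for 192.168.2.15, which matches no set and so falls through to the RA[] default of 0.0.0.0. In a real deployment the RR[] reconnect time would separate the retries that connect_with_failover makes back to back.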

Novell eDirectory Agent

Novell eDirectory Agent provides Single Sign-On (SSO) authentication for an R3000 set up in a Novell eDirectory environment. Using Novell eDirectory Agent, the R3000 is notified by the eDirectory server when an end user logs on or off the network, and adds/removes his/her network IP address, thus setting the end user’s filtering profile accordingly.
Environment requirements
Novell eDirectory servers
The following eDirectory versions 8.7 or higher with Master, Read/Write, Read replicas have been tested:
• eDirectory 8.7 in RedHat Linux 9.0
• eDirectory 8.7 in NetWare 6.5 SP5
NOTE: See 8e6 Authenticator: Environment requirements for Minimum and Recommended system requirements. These requirements also apply to eDirectory 8.7 in RedHat Linux 9.0.
Client workstations
To use this option, all end users must log in to the network. The following OS have been tested:
• Windows 2000 Professional
• Windows XP
• Macintosh
Novell clients
The following Novell clients have been tested:
• Windows: Version 4.91 SP2
• Macintosh: Prosoft NetWare client Version 2.0
Novell eDirectory setup
The eDirectory Agent uses the LDAP eDirectory domain configuration setup in the R3000 Administrator console. The eDirectory Agent receives notification from the eDirectory server regarding logon and logoff events by end users. The Novell client must be installed on each end user’s workstation in order to handle logons to the eDirectory network. In this setup, the Novell client replaces the Windows logon application.
R3000 setup and event logs
When using a Novell eDirectory server and choosing to use the Novell eDirectory Agent option in the R3000:
• Enable Novell eDirectory Agent in the Enable/Disable Authentication window.
NOTES: If using an SSO authentication solution, Tier 2 or Tier 3 should be selected as a fallback authentication operation.
When choosing the Novell eDirectory Agent option, the 8e6 Authenticator option must be disabled.
If applicable, a backup server can be specified in the LDAP domain setup wizard, in the event of a connection failure to the primary Novell eDirectory server. Email alerts are sent to the administrator in such events.
NOTE: Backup server settings are made in the Default Rule tab of the LDAP Domain Details window, described in Chapter 4: LDAP Authentication Setup.
Once the Novell eDirectory Agent option is set up, the View Log File window can be used to view end user logon/logoff events and the debug log.
NOTE: After the Novell eDirectory Agent is enabled, an individual's username will not display in the event log until he/she logs in again. Until that time, the user will be logged by his/her current filtering profile, which most likely would be IPGROUP or DEFAULT user.

Authentication Solution Compatibility

Below is a chart representing the authentication solution compatibility for a single user:

                       | Tier 1 | Tier 2 | Tier 3 | 8e6 Authenticator | eDirectory Agent
Tier 1 net use         |   --   |  Yes   |  Yes   |       N/R         |       N/A
Tier 2 time based      |  Yes   |   --   |  N/A   |       Yes         |       Yes
Tier 3 session based   |  Yes   |  N/A   |   --   |       Yes         |       Yes
8e6 Authenticator      |  N/R   |  Yes   |  Yes   |        --         |       N/R
eDirectory Agent       |  N/A   |  Yes   |  Yes   |       N/R         |        --

KEY:
N/A = Not Applicable
N/R = Not Recommended

Configuring the R3000 for Authentication

Configuration procedures
When configuring the R3000 server for authentication, settings must be made in System and Group windows in the Administrator console.
NOTES: If the network has more than one domain, the first one you add should be the domain on which the R3000 resides.
The entries described in this section represent entries to be made on a typical network.
System section
The first settings for authentication must be made in the System section of the Administrator console in the following windows: Operation Mode, LAN Settings, Enable/Disable Authentication, Authentication Settings, Authentication SSL Certificate (if Web-based authentication will be used), and Block Page Authentication.
1. Select “Mode” from the control panel, and then select “Operation Mode” from the pop-up menu.
The entries made in the Operation Mode window will vary depending on whether you will be using the invisible mode, or the router or firewall mode.
In the Listening Device frame, set the Listening Device to “eth0”.
In the Block Page Device frame:
• If using the invisible mode, select “eth1”.
• If using the router or firewall mode, select “eth0”.
2. Select “Network” from the control panel, and then select “LAN Settings” from the pop-up menu.
The entries made in this window will vary depending on whether you are using the invisible mode, or the router or firewall mode. The LAN 1 and LAN 2 IP addresses should usually be in a different subnet.
• If using the invisible mode: For the LAN1 IP (eth0) address, select 255.255.255.255 for the subnet mask.
• If using the router or firewall mode: Specify the appropriate IP address and subnet mask in the applicable fields.
3. Select “Authentication” from the control panel, and then select Enable/Disable Authentication from the pop-up menu.
Enable authentication, and then select one of three tiers in the Web-based Authentication frame:
• Tier 1: Choose this option if you will only be using net use based authentication for NT or Active Directory servers.
• Tier 2: Choose this option if you wish to use timed Web-based authentication for NT and LDAP domains. This option gives the user a timed session for his/her Internet access. After the timed profile expires, the user will have to log in again if he/she wants to continue to have Internet access.
• Tier 3: Choose this option if you wish to use persistent Web-based authentication for NT and LDAP domains. This option gives the user a persistent network connection via a pop-up window that keeps the user’s session open until the window is closed, so the user does not have to log in repeatedly.
If choosing Tier 2 or Tier 3, enable either 8e6 Authenticator or Novell eDirectory Agent, as appropriate to your environment.
4. Select “Authentication” from the control panel, and then select “Authentication Settings” from the pop-up menu.
In the Settings frame, enter general configuration settings for the R3000 server such as IP address entries.
In the NIC Device to Use for Authentication field:
• If using the invisible mode: Enter eth1 (Ethernet 1) as the device to send traffic on the network.
• If using the router or firewall mode: Enter eth0 (Ethernet 0).
Information should only be entered in the NT Authentication Server Details frame if the R3000 will use the NT Authentication method to authenticate users.
5. Select “Authentication” from the control panel, and then select Authentication SSL Certificate from the pop-up menu. This option should be used if Web-based authentication will be deployed on the R3000 server.
Using this option, you create either a self-signed certificate or a Certificate Signing Request (CSR) for use by the Secure Sockets Layer (SSL). The resulting certificate (or the CA certificate that issued it) should be installed on client machines so that they recognize the R3000 as a valid server and browsers present the authentication form without certificate warnings.
6. Select “Control” from the control panel, and then select “Block Page Authentication” from the pop-up menu.
In the Block Page Authentication window, select the Re-authentication Options to be used. The items you select will be listed as options for re-authentication on the Options page, accessible from the standard block page. If the “Re-authentication” (NET USE) option is selected, enter the login script path to be used by the R3000 for re-authentication purposes.
Group section
In the Group section of the Administrator console, choose NT or LDAP, and then do the following:
1. Add a domain from the network to the list of domains that will have users authenticated by the R3000.
NOTE: If the network has more than one domain, the first one you add should be the domain on which the R3000 resides.
2. Create filtering profiles for each group within that domain.
3. Set the group priority by designating which group profile will be assigned to a user when he/she logs in. If a user is a member of multiple groups, the group that is positioned highest in the list is applied.
4. Create unique filtering profiles for individual users.
CHAPTER 2: NETWORK SETUP ENVIRONMENT REQUIREMENTS

CHAPTER 2: NETWORK SETUP

Environment Requirements

Workstation Requirements

Administrator
Minimum system requirements for the administrator include the following:
• Windows 98 or later operating system (not compatible with Windows server 2003)
• Internet Explorer (IE) 5.5 or later
• JavaScript enabled
• Java Virtual Machine
• Java Plug-in (use the version specified for the R3000 software version)
• Java Runtime Environment, if using Tier 3 authentication
End User
• Windows 98 or later operating system (not compatible with Windows server 2003)
• Internet Explorer (IE) 5.5 or later
• JavaScript enabled
• Java Runtime Environment, if using Tier 3 authentication
• Pop-up blocking software, if installed, must be disabled

Network Requirements

• High speed connection from the R3000 server to the client workstations
• FTP or HTTPS connection to 8e6’s patch server
• Internet connectivity for downloading Java Virtual Machine—and Java Runtime Environment, if necessary—if not already installed
CHAPTER 2: NETWORK SETUP SET UP THE NETWORK FOR AUTHENTICATION

Set up the Network for Authentication

The first settings for authentication must be made in the System section of the console in the following windows: Operation Mode, LAN Settings, Enable/Disable Authentication, Authentication Settings, Authentication SSL Certificate (if Web-based authentication will be used), View Log File (for troubleshooting authentication setup), and Block Page Authentication. Entries for customizing the block page and/or authentication request form are made in the Common Customization, Authentication Form Customization, and Block Page Customization windows.

Specify the operation mode

Click Mode and select Operation Mode from the pop-up menu to display the Operation Mode window:
Fig. 2-1 Operation Mode window
The entries made in this window will vary depending on whether you will be using the invisible mode, or the router or firewall mode.
1. In the Mode frame, select the mode to be used: “Invisible”, “Router”, or “Firewall”.
2. In the Listening Device frame, set the Device to “eth0”.
3. In the Block Page Device frame:
• If using the invisible mode, select “eth1”.
• If using the router or firewall mode, select “eth0”.
If using the invisible mode, the Block Page Delivery Method frame displays. Choose from either of the two Protocol Methods:
• “Send Block Page via ARP Table” - this option uses the Address Resolution Protocol method to find the best possible destination MAC address of a specified host, usually the R3000 gateway.
• “Send Block to Specified Host MAC Address” - using this preferred method, the block page will always be sent to the MAC address of a specified host, usually the R3000 gateway.
Choose from either of the two Block Page Route To selections:
• “Default Gateway” - this option indicates that the default gateway on your network will be used for sending block pages.
• “Alternate IP Address” - this option should be used if block pages are not being served. Enter the IP address of the router or device that will serve block pages.
4. Click Apply.

Specify the subnet mask, IP address(es)

Click Network and select LAN Settings from the pop-up menu to display the LAN Settings window:
Fig. 2-2 LAN Settings window
The entries made in this window will vary depending on whether you are using the invisible mode, or the router or firewall mode.
NOTE: If the gateway IP address on the network changes, be sure to update the Gateway IP address in this window.
Invisible mode
For the LAN1 IP (eth0) address, select 255.255.255.255 for the subnet mask, and click Apply.
Router or firewall mode
1. Enter the following information:
• In the LAN1 IP (eth0) field of the IP/Mask Setting frame, enter the IP address and specify the corresponding subnet of the “eth0” network interface card to be used on the network.
• In the LAN2 IP (eth1) field, enter the IP address and specify the corresponding subnet of the “eth1” network interface card to be used on the network.
TIP: The LAN1 and LAN2 IP addresses should usually be placed in different subnets.
• In the Primary IP field of the DNS frame, enter the IP address of the first DNS server to be used for resolving the IP address of the authentication server with the machine name of that server.
• In the Secondary IP field of the DNS frame, enter the IP address of the second DNS server to be used for resolving the IP address of the authentication server with the machine name of that server.
• In the Gateway IP field of the Gateway frame, enter the IP address of the default router to be used for the entire network segment.
2. Click Apply to apply your settings.
NOTE: Whenever modifications are made in this window, the server must be restarted in order for the changes to take effect.

Enable authentication, specify criteria

1. Click Authentication and select Enable/Disable Authentication from the pop-up menu to display the Enable/Disable Authentication window:
2. Click Enable to enable authentication.
3. Select one of three tiers in the Web-based Authentication frame:
Fig. 2-3 Enable/Disable Authentication window
NOTE: See the information on the next pages for details about each of the tiers, and for the steps that must be executed to enable your tier selection.
4. In the 8e6 Authenticator frame, be sure the 8e6 Authenticator is “On”—unless the Novell eDirectory Agent option will be used instead. When enabling the 8e6 Authenticator option, and then downloading and installing the 8e6 Authenticator (authenticat.exe) on a network share accessible by the domain controller or a Novell eDirectory server, the 8e6 Authenticator automatically authenticates the end user when he/she logs into his/her workstation.
5. If you have a Novell eDirectory server and the 8e6 Authenticator will not be used, turning “On” Novell eDirectory Agent will enable end user logon and logoff events to be logged. To use this option, the LDAP domain must be set up and activated in the Group tree.
WARNING: When enabling Novell eDirectory Agent, the agent will immediately begin scanning Novell eDirectory-based domain labels.
6. If using Tier 1, in the Sending Keep Alive frame, click "On" to specify that keep alives should be sent on a connection to verify whether it is still active. Click "Off" to specify that the end user's session will be kept alive based on the number of minutes entered in the text box.
7. Click Apply.
Net use based authentication
Tier 1: Web-based Authentication disabled (Net Use enabled) – Choose this option if you will be using net use based authentication for NT or Active Directory.
1. Click “Tier 1”.
2. In the Sending Keep Alive frame, click the radio button corresponding to the option to be used:
• “On” - This option specifies that keep alives should be sent on a connection to verify whether it is still active.
• “Off” - This option specifies that the end user's session will be kept alive based on the number of minutes entered in the text box.
In the Inactive session lifetime (in minutes) field, enter the number of minutes the end user’s session will be kept alive.
3. Click Apply to open the alert box that confirms your selection.
Web-based authentication
Choose either Tier 2 or Tier 3 if Web-based authentication will be used.
NOTE: If selecting either Tier 2 or Tier 3, please be informed that in an organization with more than 5000 users, slowness may be experienced during the authentication process. In this scenario, 8e6 recommends using an R3000 Filter with an SSL accelerator card installed. Please contact 8e6 for more information.
Tier 2: Use time-based profiles, with time-out (in minutes) – Choose this option if using NT and/or LDAP authentication, and you want the user to have a time limit on his/her Internet connection. This option uses an authentication servlet that lets the user log into either domain with no persistent connection between the client PC and the R3000.
1. Click “Tier 2”.
2. Enter a whole number for the duration of time the user will retain his/her Internet connection.
3. Click Apply to open the alert box that confirms your selection.
Tier 3: Use persistent logins via a Java Applet – Choose this option if using NT and/or LDAP authentication, and you want the user to maintain a persistent network connection.
This option—the preferred method for NT authentication—opens a profile window that uses a Java applet:
Fig. 2-4 Java applet
The profile window must be kept open during the user’s session in order for the user to have continued access to the Internet.
NOTE: Tier 3 Authentication requires a current version of Java Runtime Environment (JRE) on end-users' PCs. In some cases, a JRE will need to be downloaded and installed on workstations and the R3000 will allow the JRE download at the time of login. However some operating systems may require this action to be performed manually.
1. Click “Tier 3”.
2. Click Apply to open the dialog box that informs you about the requirement of a current Java Runtime Environment (JRE) to be installed on each end user’s workstation:
Fig. 2-5 Tier 3 dialog box
3. To ensure that end-users are using the most current version of JRE, choose the method for distributing the current version to their workstations: “8e6 automatically distributes JRE during user login” or the default selection, “Administrator manually distributes JRE to user workstations”.
4. Click Continue to open the alert box that confirms your selection.

Enter network settings for authentication

1. Click Authentication and select Authentication Settings from the pop-up menu to display the Authentication Settings window:
Fig. 2-6 Authentication Settings window
In the Settings frame, at the R3000 NetBIOS Name field the NetBIOS name of the R3000 displays. This information comes from the entry made in the Host Name field of the LAN Settings window.
2. In the IP Address of WINS Server field, if using a WINS server for name resolution, enter the IP address of each Windows DNS server to be filtered by this R3000, with a space between each IP address.
3. In the Virtual IP Address to Use for Authentication field, 1.2.3.5 displays by default. If using Tier 1 or Tier 3, enter the IP address that from now on will be used for communicating authentication information between the R3000 and the PDC. This must be an IP address that is not being used, on the same segment of the network as the R3000.
WARNING: If the IP address entered here is not in the same subnet as this R3000, the net use connection will fail.
4. In the NIC Device to Use for Authentication field:
• if using the invisible mode, enter eth1 (Ethernet 1) for sending traffic on the network—in particular, for transferring authentication data.
• if using the router or firewall mode, enter eth0 (Ethernet 0).
5. Click Apply to apply your settings.
NOTE: If using the NT authentication method, you will later return to this window to join the domain. See the section on Join the NT domain in Chapter 3: NT Authentication Setup for information about these procedures.
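A pre-flight check for the WINS server and Virtual IP entries in steps 2 and 3, added here as an example; it is not part of the R3000 software or any 8e6 code. It assumes the R3000's own address and netmask (as entered in the LAN Settings window) are known, and takes an optional, caller-supplied set of addresses already in use, since nothing in it probes the network.

```python
from __future__ import annotations
import ipaddress


def check_wins_servers(field: str) -> list[str]:
    """Check the 'IP Address of WINS Server' field, which the window expects
    as IPv4 addresses separated by single spaces. Returns a list of problems;
    an empty list means every entry parsed."""
    problems = []
    for token in field.split():
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            # A comma-separated list arrives here as one unparseable token.
            problems.append(f"'{token}' is not an IP address")
            continue
        if addr.version != 4:
            problems.append(f"{addr} is not an IPv4 address")
    return problems


def check_virtual_ip(r3000_ip: str, netmask: str, virtual_ip: str,
                     in_use: frozenset[str] = frozenset()) -> list[str]:
    """Check a candidate 'Virtual IP Address to Use for Authentication'
    against the R3000's own interface (address and mask from the LAN
    Settings window). `in_use` is a hypothetical, caller-supplied set of
    addresses known to be allocated (e.g. exported from DHCP leases or an
    inventory); this function does not probe the network. Returns a list of
    problems, empty if the address is acceptable."""
    iface = ipaddress.ip_interface(f"{r3000_ip}/{netmask}")
    net = iface.network
    vip = ipaddress.ip_address(virtual_ip)
    problems = []
    if vip not in net:
        # The manual's warning: an off-subnet virtual IP breaks net use.
        problems.append(f"{vip} is outside {net}; the net use connection will fail")
    elif vip in (net.network_address, net.broadcast_address):
        problems.append(f"{vip} is the network or broadcast address of {net}")
    if vip == iface.ip:
        problems.append(f"{vip} is the R3000's own address, not a spare one")
    if str(vip) in in_use:
        problems.append(f"{vip} is already in use on this segment")
    return problems


if __name__ == "__main__":
    # Constructed sample values: an R3000 on 192.168.10.0/24, and the
    # window's default virtual IP 1.2.3.5 left unchanged.
    print(check_wins_servers("192.168.10.5 192.168.10.6"))   # []
    print(check_wins_servers("192.168.10.5,192.168.10.6"))   # one problem
    print(check_virtual_ip("192.168.10.20", "255.255.255.0", "1.2.3.5"))
    print(check_virtual_ip("192.168.10.20", "255.255.255.0", "192.168.10.200"))  # []
```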

Create an SSL certificate

Authentication SSL Certificate should be used if Web-based authentication will be deployed on the R3000 server. Using this feature, a Secured Sockets Layer (SSL) self-signed certificate is created and placed on client machines so that the R3000 will be recognized as a valid server with which they can communicate.
Click Authentication and select Authentication SSL Certificate from the pop-up menu to display the Authentication SSL Certificate window:
Fig. 2-7 Authentication SSL Certificate window
This window is comprised of three tabs: Self Signed Certificate, Third Party Certificate, and Download/View/Delete Certificate. These tabs are used to create, view, and/or delete self-signed or third party SSL certificates.
Create, Download a Self-Signed Certificate
1. On the Self Signed Certificate tab, click Create Self Signed Certificate to generate the SSL certificate.
2. Click the Download/View/Delete Certificate tab:
Fig. 2-8 Download/View/Delete Certificate tab
3. Click Download/View Certificate to open the File Download dialog box where you indicate whether you wish to Open and view the file, or open the Save As window so that you can Save the SSL certificate to a specified folder on your workstation.
NOTE: While the SSL certificate can be downloaded on a Macintosh computer, the best method to import the certificate is via the Authentication Request Form, when prompted by the Security Alert warning message to add the certificate to the trusted certificate store.
Once the certificate is saved to your workstation, it can be distributed to client workstations for users who need to be authenticated.
TIP: Click Delete Certificate to remove the certificate from the server.
Create, Upload a Third Party Certificate
Create a Third Party Certificate
1. Click the Third Party Certificate tab:
Fig. 2-9 Third Party Certificate tab
NOTE: If a third party certificate has not yet been created, the Create CSR button is the only button activated on this tab.
2. Click Create CSR to open the Create CSR pop-up window:
Fig. 2-10 Create CSR pop-up window
The Common Name (Host Name) field should automatically be populated with the host name. This field can be edited, if necessary.
3. Enter your Email Address.
4. Enter the name of your Organization, such as 8e6 Technologies.
5. Enter an Organizational Unit code set up on your server, such as Corp.
6. Enter Locality information such as the name of your city or principality.
7. Enter the State or Province name in its entirety, such as California.
8. Enter the two-character Country code, such as US.
9. Click Create to generate the Certificate Signing Request.
NOTE: Once the third party certificate has been created, the Create CSR button displays greyed-out and the Download/View CSR, Upload Certificate, Delete CSR buttons are now activated.
Upload a Third Party Certificate
1. Click Upload Certificate to open the Upload Signed SSL Certificate for R3000 pop-up window:
Fig. 2-11 Upload Signed SSL Certificate box
The Message dialog box also opens with the message: "Click OK when upload completes."
TIP: Click Cancel in the dialog box to cancel the procedure.
2. In the Upload Signed SSL Certificate for R3000 pop-up window, click Browse to open the Choose file window.
3. Select the file to be uploaded.
4. Click Upload File to upload this file to the R3000.
5. Click OK in the Message dialog box to confirm the upload and to close the dialog box.
Download a Third Party Certificate
1. In the Authentication SSL Certificate window, click Download/View CSR to open a pop-up window containing the contents of the certificate request:
Fig. 2-12 Download CSR pop-up window
2. Click the “X” in the upper right corner of the window to close it.
TIP: Click Delete CSR to remove the certificate from the server.

View log results

Use the View Log File window if you need to troubleshoot any problems with the authentication setup process.
1. Click Diagnostics and select View Log File from the pop-up menu to display the View Log File window:
Fig. 2-13 View Log File window
NOTE: In this user guide, only authentication options will be addressed. For information about all other options, see the View Log File window in the R3000 User Guide.
2. In the Log File Details frame, select the type of Log File to view:
• “User Name Log (usage.log)” - used for viewing the time and date a user logged on and off the network, along with the user's profile information.
• “Wbwatch Log (wbwatch.log)” - used for viewing messages on attempts to join the domain via the Authentication Settings window.
• “Authentication Log (AuthenticationServer.log)” - used for viewing information about the authentication process for users, including SEVERE and WARNING error messages.
• “Admin GUI Server Log (AdminGUIServer.log)” - used for viewing information on entries made by the administrator in the console.
• “eDirectory Agent Debug Log (edirAgent.log)” - used for viewing the debug log, if using eDirectory LDAP authentication.
• “eDirectory Agent Event Log (edirEvent.log)” - used for viewing the event log, if using eDirectory LDAP authentication.
3. Choose the Last Number of Lines to view (100-500) from that file.
4. Click View to display results in the Result pop-up window:
Fig. 2-14 View Log File Result pop-up window
5. Click the “X” in the upper right corner of the pop-up window to close it.

Specify block page settings

Click Control and select Block Page Authentication from the pop-up menu to display the Block Page Authentication window:
Fig. 2-15 Block Page Authentication window
Block Page Authentication
1. In the Re-authentication Options field of the Details frame, all block page options are selected by default, except for Web-based Authentication. Choose from the following options by clicking your selection:
• Web-based Authentication - select this option if using Web authentication with time-based profiles or persistent login connections for NT or LDAP authentication methods.
• Re-authentication - select this option for the re-authentication option. The user can restore his/her profile and NET USE connection by clicking an icon in a window to run a NET USE script.
• Override Account - select this option if any user has an Override Account, allowing him/her to access URLs set up to be blocked at the global or IP group level.
TIP: Multiple options can be selected by clicking each option while pressing the Ctrl key on your keyboard.
NOTE: See the R3000 User Guide for information about the Override Account feature.
2. If the “Re-authentication” option was selected, in the Logon Script Path field, \\PDCSHARE\scripts displays by default. In this field, enter the path of the logon script that the R3000 will use when re-authenticating users on the network, in the event that a user's machine loses its connection with the server, or if the server is rebooted. This format requires the entry of two backslashes, the authentication server’s computer name (or computer IP address) in capital letters, a backslash, and name of the share path.
3. Click Apply to apply your settings.
Block page
When a user attempts to access Internet content set up to be blocked, the block page displays on the user’s screen:
Fig. 2-16 Block page
NOTES: See Block Page Customization for information on adding free form text and a hyperlink at the top of the block page. See Appendix D: Create a Custom Block Page in the R3000 User Guide for information on creating a customized block page using your own design.
User/Machine frame
By default, the following data displays in the User/Machine frame:
• User/Machine field - The username displays for the NT/LDAP user. This field is blank for the IP group user.
• IP field - The user’s IP address displays.
• Category field - The name of the library category that blocked the user’s access to the URL displays. If the content the user attempted to access is blocked by an Exception URL, “Exception” displays instead of the library category name.
• Blocked URL field - The URL the user attempted to access displays.
Standard Links
By default, the following standard links are included in the block page:
• HELP - Clicking this link takes the user to 8e6’s Technical Support page that explains why access to the site or service may have been denied.
• 8e6 Technologies - Clicking this link takes the user to 8e6’s Web site.
Optional Links
By default, these links are included in the block page under the following conditions:
• For further options, click here. - This phrase and link is included if any option was selected at the Re-authentication Options field in the Block Page Authentication window. Clicking this link takes the user to the Options window, described in the Options page sub-section that follows.
• To submit this blocked site for review, click here. - This phrase and link is included if an email address was entered in the Submission Email Address field in the Common Customization window. Clicking this link launches the user’s default email client. In the composition window, the email address from the Submission Email Address field populates the “To” field. The user’s message is submitted to the global administrator.
Options page
The Options page displays when the user clicks the following link in the block page: For further options, click here.
Fig. 2-17 Options page
The following items previously described for the Block page display in the upper half of the Options page:
• BACK and HELP links
• User/Machine frame contents
The frame beneath the User/Machine frame includes information for options (1, 2, and/or 3) based on settings made in the Block Page Authentication window.
Option 1
Option 1 is included in the Options page if “Web-based Authentication” was selected at the Re-authentication Options field in the Block Page Authentication window. The following phrase/link displays:
Click here for secure Web-based authentication.
When the user clicks the link, the Authentication Request Form opens:
Fig. 2-18 Authentication Request Form
NOTE: See Authentication Form Customization for information on adding free form text and a hyperlink at the top of the Authentication Request Form.
Option 2
The following phrase/link displays, based on options selected at the Re-authentication Options field in the Block Page Authentication window:
• Re-start your system and re-login - This phrase displays for Option 1, whether or not either of the Re-authentication Options (Re-authentication, or Web-based Authentication) was selected in the Block Page Authentication window. If the user believes he/she was incorrectly blocked from a specified site or service, he/she should re-start his/her machine and log back in.
• Try re-authenticating your user profile - This link displays if “Re-authentication” was selected at the Re-authentication Options field, and an entry was made in the Logon Script Path field. When the user clicks this link, a window opens:
Fig. 2-19 Re-authentication option
The user should click the logon.bat icon to run a script that will re-authenticate his/her profile on the network.