Sophos WS100, WS1100, SM2000, SM5000, WS5000 User Manual

Sophos Web Appliance
User Guide
Product Version 4.3.2 Sophos Limited 2017
ii | Contents | Sophos Web Appliance

Contents

Chapter 1: About Your Appliance
1.1 Sophos Web Appliance Features
1.2 Sophos Management Appliance Features
1.3 Common Features
Chapter 2: Getting Started
2.1 Appliance Hardware
2.1.2 Replacing an SM5000 Power Supply
2.1.3 Replacing a WS5000 Power Supply
2.2 Virtual Appliances
2.2.1 Replacing Hardware Appliances with Virtual Appliances
2.3 Network Deployment
2.3.1 Explicit Deployment
2.3.2 Transparent Deployment
2.3.3 Bridged Deployment
2.3.4 Bypassing for Internal Servers
2.3.5 Existing Cache Deployment
2.3.6 Upstream ISA/TMG Server Deployment
2.3.7 Integrating with Sophos Email Products
2.3.8 Grouping Web Appliances
2.3.9 Network Deployment Troubleshooting
2.4 Understanding Mode and Model Differences
2.5 Platforms and User Interface
2.6 Policy
2.7 Endpoint Web Control
2.8 Updates
2.9 Getting Support
2.10 Product Documentation
Chapter 3: Dashboard
Chapter 4: Configuration
4.1 Accounts
4.1.1 Administrators
4.1.2 Notification Page Options
4.2 Group Policy
4.2.1 Default Policy
4.2.2 Default Groups
4.2.3 Special Hours
4.2.4 Additional Policies
4.2.5 Configuring the Local Site List
4.2.6 Testing Policy Applied to a URL
4.2.7 Quota Status
4.3 Global Policy
4.3.1 Configuring Security Filtering
4.3.2 Configuring Sandstorm
4.3.3 Configuring Dynamic Categorization
4.3.4 Configuring Data Leakage Prevention
4.3.5 Configuring HTTPS Scanning
4.3.6 Configuring Certificate Validation
4.3.7 Setting Download Options
4.3.8 Setting General Options
4.4 System
4.4.1 Updates
4.4.2 Alerts & Monitoring
4.4.3 Backup
4.4.4 Restore
4.4.5 Active Directory
4.4.6 eDirectory
4.4.7 Authentication
4.4.8 Connection Profiles
4.4.9 Time Zone
4.4.10 Central Management
4.4.11 Certificates
4.4.12 Endpoint Web Control
4.5 Network
4.5.1 Configuring the Network Interface
4.5.2 Hostname and Other Network Settings
4.5.3 Configuring WCCP
4.5.4 Load Balancing with the Management Appliance
4.5.5 Testing Network Connectivity
4.5.6 Running the Diagnostic Tools
Chapter 5: Reports
5.1 Available Reports
5.1.1 Traffic & Performance: Volume
5.1.2 Traffic & Performance: Latency
5.1.3 Traffic & Performance: Throughput
5.1.4 Users: Virus Downloaders
5.1.5 Users: Sandstorm Users
5.1.6 Users: PUA Downloaders
5.1.7 Users: High Risk Site Visitors
5.1.8 Users: Policy Violators
5.1.9 Users: Top Users By Quota
5.1.10 Users: Top Bandwidth Users
5.1.11 Users: Top Users By Browse Time
5.1.12 Users: Browse Time By User
5.1.13 Users: Browse Summary By User
5.1.14 Users: Top Users By Category
5.1.15 Users: Category Visits By User
5.1.16 Users: Site Visits By User
5.1.17 Users: Users By Search Queries
5.1.18 Users: Top Web Application Users
5.1.19 Policy & Content: Allowed Sites
5.1.20 Policy & Content: Warned Sites
5.1.21 Policy & Content: Blocked Sites
5.1.22 Policy & Content: Categories
5.1.23 Policy & Content: Downloads
5.1.24 Policy & Content: Sandstorm Usage
5.1.25 Policy & Content: Advanced Threat Protection
5.2 Modifying Reports
5.3 Printing Reports
5.4 Exporting Reports
5.5 Options
5.5.1 Reporting Groups
5.5.2 Report Scheduler
5.5.3 Report Exemptions
5.5.4 Search Terms
Chapter 6: Search
6.1 Searching Recent Activity
6.1.1 Exporting Search Results
6.2 Searching Sandstorm
6.3 Searching User Submissions
6.3.1 Viewing a User Submission Search
6.3.2 Allowing a User’s Request
6.3.3 Deleting a User’s Request
Chapter 7: System Status
7.1 System Status on the Management Appliance
Chapter 8: Using Help
8.1 Searching the Documentation
8.2 Using the Table of Contents
8.3 Sophos Support
8.3.1 Filing a Support Request By Email
8.3.2 Opening a Remote Assistance Session
8.4 About
Appendix A: Configuring Ports
Appendix B: Configuring Your Browser
B.1 Adding the Sophos Root Certificate
B.1.1 Adding the Sophos Root Certificate in Internet Explorer
B.1.2 Adding the Sophos Root Certificate in Firefox
B.2 Configuring Proxy Settings
B.2.1 Internet Explorer Proxy Configuration
B.2.2 Firefox Proxy Configuration
B.2.3 Apple Safari Proxy Configuration
B.3 Other Internet Explorer Settings
B.3.1 Increasing the Number of Concurrent Connections in Internet Explorer
B.3.2 Enabling PDF Access in Internet Explorer
B.4 Other Firefox Settings
B.4.1 Configuring Firefox for Active Directory in Transparent mode or Bridged mode
Appendix C: Appliance Behavior and Troubleshooting
C.1 Network Deployment Troubleshooting
C.2 Active Directory Troubleshooting
C.2.1 Appliance and AD Domain have the same name
C.2.2 Clock skew is too large
C.2.3 Could not auto-detect settings
C.2.4 Could not connect to Domain Controller
C.2.5 Could not join the domain
C.2.6 Could not test Kerberos settings
C.2.7 Could not test LDAP settings
C.2.8 Domain could not be found
C.2.9 Hostname is too long
C.2.10 Invalid credentials
C.2.11 LDAP search query timeout
C.2.12 No IPC share found
C.2.13 No NETLOGON share found
C.2.14 Server appears to be in wrong domain
C.2.15 Server error
C.2.16 Subdomain failed to authenticate
C.2.17 Could not join the Secondary Domain Controller
C.3 eDirectory Troubleshooting
C.3.1 Invalid credentials
C.3.2 Could not connect to server
C.3.3 Unable to establish Secure LDAP connection
C.3.4 No users or groups returned from LDAP server
C.3.5 Could not sync users from LDAP server
C.3.6 Invalid authentication DN
C.3.7 Unable to bind to LDAP server
C.3.8 Server error
C.3.9 Network is unreachable
C.3.10 Could not resolve hostname
C.4 Grouped Appliance Troubleshooting
C.5 HTTPS Compatibility
C.6 Images Display as Gray
Appendix D: Interpreting Log Files
Appendix E: Copyrights and Trademarks
E.1 OpenLDAP Public License
Appendix F: Contacting Sophos
Appendix G: Glossary

1 About Your Appliance

The Sophos Web Appliances and Sophos Management Appliances include a powerful, highly effective, and easy-to-use administrative web interface that provides configuration and reporting tools, automated software updates, and self-monitoring to minimize the administrator’s day-to-day involvement in web security and control maintenance. You can customize the appliance’s default URL-handling policy and message pages, and accept or reject end user requests for changes to the handling of blocked URLs submitted via an end user feedback system.
Organizations typically expend considerable resources and effort preventing virus, worm, and Trojan infections from entering their networks via email. These threats, as well as spyware, adware, and phishing scams are increasingly infiltrating organizations’ networks via web browsing. Inappropriate web browsing by employees is also a significant legal liability and productivity concern for many organizations.
The Sophos Web Appliance provides extensive URL categorization data that allows you to set acceptable web access policies for your organization that are highly customizable and enforceable. These policies can allow user access, warn users that they will be violating policy if they continue to a requested site, or block user access based on over fifty categories of URLs. In addition to your default acceptable web access policy, group-based exceptions are available as differentiated Special Hours policies. There is also the potential to create numerous additional policies that can be used as per-user or per-group exceptions to the default and Special Hours web access policies.
The Web Appliances use the proven Sophos Anti-Virus engine, regularly updated with the latest internet threats every 5 to 30 minutes by SophosLabs™, our global threat detection network. SophosLabs has more than 20 years’ experience in protecting businesses from known and emerging threats. URL categorization data is similarly updated every 5 to 30 minutes, and the enhanced categorization data is updated hourly.
The Web Appliance is easy to install, configure, and maintain.

1.1 Sophos Web Appliance Features

The Web Appliance is an enterprise solution for organizations of various sizes.
Fast, full-spectrum protection and control
The Web Appliance provides protection against all web-based threats, while controlling access to undesirable content. The Web Appliance:
• is a highly efficient unified scanner that guarantees accurate detection with low system impact and negligible latency.
• inspects and secures web traffic against spyware, viruses, adware, potentially unwanted applications, and other malicious threats.
• prevents access to known malicious websites, hidden malicious code, phishing sites, and undesirable content.
• provides extensive, regularly updated URL categorization data upon which customizable web access policies can be based.

1.2 Sophos Management Appliance Features

The Management Appliance works with multiple Web Appliances to provide:
• centralized management of up to 50 Web Appliances
• centralized policy configuration
• centralized reporting and activity searches
• a centralized dashboard that provides a status overview for any joined Web Appliances
• storage for as many as 2,000 users (on the SM2000) or 10,000 users (on the SM5000). Three years of reporting data is available.

1.3 Common Features

Easy to use
The appliances reduce administrative effort by providing quick access to relevant information. The appliances offer:
• an intuitive management console that enables optimal control with minimal time and effort.
• a unified security policy that eliminates the complexity of administering effective web security.
• powerful reports that deliver unprecedented insight on inbound and outbound web traffic.
Dependable
The appliances offer a complete infrastructure built to replace customers’ concerns about security with the assurance of protection. The appliances provide:
• dynamic threat response with instant protection against new web-based threats every 5 minutes.
• remote "heartbeat" monitoring that proactively ensures up-to-date protection and optimal hardware and software performance.
• industry-leading 24/7/365 live support directly from Sophos.
• on-demand remote assistance that provides easy, direct access to Sophos Technical Support.
• a robust hardware platform designed specifically to Sophos specifications.
• a hardened Linux operating system optimized for Sophos software.

2 Getting Started

The Sophos Web Appliance is designed to function as a web proxy that provides HTTP security at the gateway. Potentially risky content is scanned for various forms of malware. URL requests are compared to the Sophos site list, in which sites are assigned a risk class and a site category. Access to sites can be blocked on the basis of degree of risk or by site category.
Instead of blocking access to URLs that violate your organization’s acceptable browsing policy, you can, as the administrator, allow access or allow access after a warning is displayed to users, which they can acknowledge and continue or cancel the request to view. User access to such URLs is recorded. Also, as the administrator, you can extend or override the Sophos site list by adding URLs to a local site list. In the case of sites already in the Sophos site list, you can override the default handling by changing the risk class or site category.
Only approved and scanned content is passed to users. It may be cached to increase performance. If users attempt to access blocked URLs or download blocked content, message pages are displayed, informing users of the problem and optionally providing a user-feedback form that allows them to request changes to the handling of the blocked URL or file type. Similarly, requests for large files can cause the Web Appliance to display a patience page (if you have chosen to enable this option), advising the user that downloading and scanning is in progress and will take some time.
This section introduces the role of the Sophos Web Appliance and the Sophos Management Appliance in your network. It describes the compatible platforms and the administrative web interface. It provides an overview of the appliance’s major capabilities and configurable behavior and a general description of the appliance’s software and security data updating features. Finally, this section provides information on contacting Sophos Technical Support.

2.1 Appliance Hardware

There are certain hardware differences between the various appliance models, which are summarized in the following table or discussed in the sections below.

| Feature | WS100 | WS500 | WS1000 | WS1100 | WS5000 | SM2000 | SM5000 |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Processors | dual-core, light capacity | dual-core, medium-capacity | dual-core, high-capacity | quad-core, high-capacity | quad-core, high-capacity | quad-core, high-capacity | quad-core, high-capacity |
| Memory (RAM) | 2 GB | 2 GB | 4 GB | 8 GB | 16 GB | 8 GB | 8 GB |
| Bridge card (see following note) | No | Optional | Yes | Optional | Yes | No | No |
| Replaceable Power Supply | No | No | No | No | Yes | No | Yes |
| Replaceable Hard Drives | No | No | No | No | 4 | No | 4 |

Note: Operating in bridged mode is only possible on a Web Appliance with a bridge card installed.
The Sophos Web Appliance is a high-performance appliance designed to handle web proxy access for organizations of various sizes. The Web Appliance is scalable to much larger numbers of users by grouping multiple Web Appliances by joining them to a single Management Appliance. The appliances raise alerts via the administrative web interface and via email if any hardware components are not functioning optimally.
This section describes the front and back panel LEDs, powering the appliances down gracefully, and hardware-related alerts. The Sophos Management Appliance provides centralized policy configuration and centralized reporting for grouped appliances, thus minimizing system administration work while providing organization-wide information without sacrificing security or customizable web use control.
The appliances have a number of ways to alert you if there is a problem with one of their hardware components. In addition to status indicators in the administrative web interface and alerts sent via email, the appliances have LED indicators and audible alarms.
Front Panel LEDs
Indicators on the front of each appliance provide status information and warnings. The arrangement of the front panel LEDs is the same for the WS100, WS500, WS1000, WS1100, and the SM2000. The indicators on the front of the SM5000 are slightly different, and the indicators on the front of the WS5000 are also slightly different. Each variant is shown in the following diagrams.
[Figure: front panel LED diagrams for the WS100; the WS500, WS1000, WS1100, & SM2000; the SM5000; and the WS5000]
| LED | Color | State | Indicates |
| --- | --- | --- | --- |
| Temp. Sensor | Red | On | System Overheated |
| | | Off | System Normal |
| Unit ID LED (SM5000 only) | Blue | Off | Shows rack location front and back |
| NIC1 (config) | Green | On | Linked |
| | | Blink | Config connection established |
| | | Off | Disconnected |
| NIC2 (non-bridged only) | Green | On | Linked |
| | | Blink | Config connection established |
| | | Off | Disconnected |
| HDD LED | Amber | Blink | HDD Activity |
| | | Off | No Activity |
| Power LED | Green | On | System On |
| | | Off | System Off |
The front panel LEDs are on the upper-right corner of the front panel, to the left of the reset and power buttons (and to the right of the Unit ID button on the SM5000).
Important: Sophos strongly suggests that you use the software shutdown and restart options as documented on the System Status page. Although a quick press and release of the appliance’s power button will perform an elegant shutdown, if the power button is held down for four seconds or more, an inelegant, immediate shutdown is performed. Also, the reset button on the appliance always triggers an inelegant, immediate restart, so again the software option is preferred. Using the appliance’s power and reset buttons may lead to file corruption and data loss.
Rear Panel LEDs
Indicators on the rear of each appliance provide status information and warnings. The arrangement of the rear panel LEDs depends upon whether the appliance is configured with a bridge card. There is always a bridge card in a WS1000. Bridge cards are optional for the WS500 and WS1100. There is never a bridge card in a WS100, SM2000, or SM5000.
For appliances with no bridge card:
There are two RJ45 network ports along the bottom of the appliance to the right of the middle:
• The Config port: This is the port to which you connect your laptop or PC to run the setup wizard.
• The Network port: This is the port to which you make your LAN connection after the setup wizard has been completed.
The two LEDs at the top of these ports indicate the following:

| LED Position | Color | Indicates |
| --- | --- | --- |
| Left | Green | 100 Mbps |
| Left | Amber | 1 Gbps |
| Right | Blinking Yellow | Port active |
For appliances with a bridge card:
There is one RJ45 network port along the bottom of the appliance to the right of the middle, the Configuration port. This is the port to which you connect your laptop or PC to run the setup wizard. The two LEDs at the top of this port indicate the following:

| LED Position | Color | Indicates |
| --- | --- | --- |
| Left | Green | 100 Mbps |
| Left | Amber | 1 Gbps |
| Right | Blinking Yellow | Port active |
There is also a group of six LEDs to the left of the WAN and LAN ports on the bridge card, which is located in the upper right corner on the back of the appliance. The LEDs are arranged in two columns of three lights, with the left and right columns being indicators for the LAN and WAN connections, respectively. The rows of LEDs are interpreted as follows:
• Bypass: If all of the top four indicator lights are on, the appliance is in bypass mode.
• 1000 (top): On indicates a 1000Mbps connection is established; blinking shows traffic; off indicates no connection.
• 100 (middle): On indicates a 100Mbps connection is established; blinking shows traffic; off indicates no connection.
• Act/Link (bottom): On indicates a connection at any speed is established; blinking shows traffic; off indicates no connection.
Hardware Alerts
Depending on the severity of the issue, the appliances will raise an alert in the administrative web interface or via email, or both. Alerts advise that devices are not working normally or draw attention to potential problems. In most cases, the alert will instruct you to contact Sophos Technical Support.
Powering Down the Appliances Gracefully
Power down the appliance gracefully by either pressing the power button briefly, or by clicking Shutdown on the System Status page. The appliance will safely shut down its software, and the fans will stop. Remove the power cord before servicing the unit.
Note: You can also power down by holding the power button for four or more seconds, which will force an immediate shutdown of the appliance; however, this may cause a corruption of the file system. Avoid immediate shutdown except in cases when graceful shutdown is not possible.

2.1.1 Replacing an SM5000 or WS5000 Hard Drive

The SM5000 and WS5000 have four hot-swappable redundant SCSI hard disk drives in a RAID 10 configuration. If a single hard drive fails, the other disk in the RAID mirror takes over, and the appliance continues to function normally. The failed drive can be removed and a replacement drive installed without removing these appliances from the rack, powering down or even exiting the administrative web interface. The appliance automatically detects the removal of a failed or defective drive and the installation of its replacement. After replacement, the RAID controller automatically begins rebuilding the new drive.
SM5000, front view showing the four hard disk drive bays
Hardware Configuration
On the SM5000 and WS5000, the disks are mirrored using RAID 10, so only one disk can be replaced or not be working at a time.
Failure Identification
Remove the front bezel to expose the disk drives. On a failed disk drive, the red LED on the front of the drive is illuminated (the bottom LED of the two drive-specific LEDs) and the appliance’s audible alarm is sounding.
Static-Sensitive Devices
CAUTION:
Electrostatic discharge (ESD) can damage electronic components. To prevent damage to any printed circuit boards, it is important to handle them very carefully. The following measures are generally sufficient to protect your equipment from ESD damage.
Be sure that the appliance chassis is properly grounded through the AC power cord or enclosure frame.
Touch a grounded metal object before removing the drive from the antistatic bag.
Put on the grounding wrist strap, handle the drive by its edges only, and do not touch components on the bottom.
Single Hard Drive Replacement Procedure
As the disks are mirrored using RAID 10, only one disk can be replaced or not be working at a time.
CAUTION: Disk drives are static-sensitive devices. Please make proper use of the wrist strap included in the disk field-replaceable unit (FRU) ship kit.
CAUTION: Removal of the other drive during this procedure or during the rebuild of the RAID 10 mirror will result in system failure.
1. Press the colored release button beside the drive’s LEDs on the failed drive to unlatch the handle.
2. Swing the handle fully out to disengage the drive.
3. Slide the drive halfway out of the drive bay and wait for it to spin down. Allow 10-20 seconds before removing the drive from the drive bay.
4. While the system is running, insert the replacement disk in the empty slot. Insert the replacement drive into the disk bay and slide the disk straight to the back of the bay.
5. Swing the handle in toward the appliance. Continue pushing the handle in until you feel it lock in place.
6. Press firmly on both the left and right edges of the drive with both thumbs. Applying this pressure ensures that the drive is fully engaged, even if no movement of the drive is felt.
7. After the failed disk is replaced, the green and red LEDs on the new disk start to blink and the audible alarm is silenced, indicating that the mirror is rebuilding. Once the rebuild is complete, the red LED goes off. The front bezel can then be replaced.

2.1.2 Replacing an SM5000 Power Supply

The SM5000 has two hot-swappable redundant power supplies. If a single power supply fails, the redundant feature allows the other module to take over the full load, and the system runs without interruption. The failed power supply can be removed and a replacement power supply installed without removing the SM5000 from the rack, powering down, or even exiting the SM5000’s administrative web interface.
Hardware Configuration
On the SM5000, the two power supplies are located on the left side of the rear of the appliance. In normal operation, the "Power Indicator" LED on the front panel is green, as are the "Power Supply Status" LEDs on the back of the SM5000 for each power supply, which are shown in the graphics below.
Failure Identification
Case 1: If either of the two power supplies completely fails, the "Power Indicator" LED on the front panel turns yellow, and an alarm sounds until the power supply is replaced. On the back of the unit, the "Power Supply Status" LED for the unit that has failed is either off or yellow. This is the power supply to replace.
Case 2: If either of the two power supplies partially fails, the "Power Indicator" LED on the front panel is green and no alarm sounds. On the back of the unit, the "Power Supply Status" LED for the unit that has partially failed is yellow. This is the power supply to replace.
Static-Sensitive Devices
CAUTION:
Electrostatic discharge (ESD) can damage electronic components. To prevent damage to any printed circuit boards, it is important to handle them very carefully. The following measures are generally sufficient to protect your equipment from ESD damage.
Be sure that the appliance chassis is properly grounded through the AC power cord or enclosure frame.
Touch a grounded metal object before removing the power supply from the anti-static bag.
Put on the grounding wrist strap, handle the power supply by its edges only, and do not touch components on the bottom.
Single Power Supply Replacement
1. Ensure that the power cord is unplugged from the failed power supply module. Then, while holding onto the handle, press the green locking tab on the bottom right of the power supply in toward the handle. This will disengage the power supply.
2. Pull the power supply module straight out. Check to make sure that the replacement power supply module is the same type as the one previously removed.
3. Carefully push the replacement power supply module straight into the appliance until you hear the release tab click into place.
4. Plug the AC power cord back into the new power supply module. The "Power Supply Status" LED on the new module should now be green.

2.1.3 Replacing a WS5000 Power Supply

The WS5000 has two hot-swappable redundant power supplies. If a single power supply fails, the redundant feature allows the other module to take over the full load, and the system runs without interruption. The failed power supply can be removed and a replacement power supply installed without removing the WS5000 from the rack, powering down, or exiting the WS5000’s administrative web interface.
Hardware Configuration
On the WS5000, the two power supplies are located on the left side of the rear of the appliance. In normal operation, the "Power Indicator" LED on the front panel is green, as are the "Power Supply Status" LEDs on the back of the WS5000 for each power supply, which are shown in the graphics below.
Failure Identification
Case 1: If either of the two power supplies completely fails, the "Power Indicator" LED on the front panel turns yellow, and an alarm sounds until the power supply is replaced. On the back of the unit, the "Power Supply Status" LED for the unit that has failed is either off or yellow. This is the power supply to replace.
Case 2: If either of the two power supplies partially fails, the "Power Indicator" LED on the front panel is green and no alarm sounds. On the back of the unit, the "Power Supply Status" LED for the unit that has partially failed is yellow. This is the power supply to replace.
Static-Sensitive Devices
CAUTION:
Electrostatic discharge (ESD) can damage electronic components. To prevent damage to any printed circuit boards, it is important to handle them very carefully. The following measures are generally sufficient to protect your equipment from ESD damage.
Be sure that the appliance chassis is properly grounded through the AC power cord or enclosure frame.
Touch a grounded metal object before removing the power supply from the anti-static bag.
Put on the grounding wrist strap, handle the power supply by its edges only, and do not touch components on the bottom.
Single Power Supply Replacement
1. Ensure that the power cord is unplugged from the failed power supply module. Then, while holding onto the handle, press the red locking tab on the bottom right of the power supply in toward the handle. This will disengage the power supply.
2. Pull the power supply module straight out. Check to make sure that the replacement power supply module is the same type as the one previously removed.
3. Carefully push the replacement power supply module straight into the appliance until you hear the release tab click into place.
4. Plug the AC power cord back into the new power supply module. The "Power Supply Status" LED on the new module should now be green.

2.2 Virtual Appliances

As an alternative to the hardware-based version of the Sophos Web Appliance, you can deploy appliances as virtual machines using VMware. These appliances can be grouped with other virtual appliances or with hardware-based appliances. Once deployed, they operate in the same way as a hardware-based appliance.
Sophos virtual appliances provide a cost-effective web-filtering solution that is easy to set up. Virtual appliances occupy less rack space, are energy-efficient, and require less hardware.
To learn more about configuring a virtual web appliance, see the Sophos Virtual Web Appliance Setup Guide or the Sophos Virtual Management Appliance Setup Guide.
Note: Virtual appliances do not support Bridged Deployment, which requires a bridge card.
Related concepts
Understanding Mode and Model Differences on page 43
Grouping Web Appliances on page 39

2.2.1 Replacing Hardware Appliances with Virtual Appliances

At some point, you may decide to replace one or more of your hardware-based appliances. Replacing either a Web Appliance or Management Appliance with a virtual appliance should be done by following the steps in the order described below.
Note: These procedures only cover the replacement of existing hardware-based appliances with virtual appliances. If, instead, you want to add virtual appliances to use in conjunction with your existing hardware-based appliances, see the instructions in Grouping Web Appliances and Central Management. Virtual appliances integrate seamlessly with hardware-based appliances as well as other virtual appliances.
Replacing a Stand-Alone Web Appliance
If you have a single hardware-based Sophos Web Appliance that you want to replace with a virtual Web Appliance:
1. Configure the virtual appliance according to the instructions in the Virtual Web Appliance Setup Guide. Take care when configuring the network settings to assign a network address that is different from the hardware-based appliance it is replacing.
2. If your hardware appliance is not configured to perform automated backups, on the Configuration > System > Backup page, click Download Now. Or, if automated backups are configured, transfer the backed up archive file from the FTP site to the system on which you will be performing the restoration.
3. On the virtual appliance, select Configuration > System > Restore. Follow the instructions in Restoring a Backup on page 122.
Note: If your hardware-based appliance was configured to use Web Cache Communication Protocol, you must reconfigure those settings manually on the virtual appliance. WCCP settings cannot be restored from a backup.
4. When restoration is complete, power off and decommission the hardware-based appliance.
Replacing a Management Appliance
If you have a hardware-based Sophos Management Appliance that you want to replace with a virtual Management Appliance:
1. Configure the virtual appliance according to the instructions in the Virtual Management Appliance Setup Guide. Take care when configuring the network settings to assign a network address that is different from the hardware-based appliance it is replacing.
2. Join the newly configured Management Appliance to a functioning Web Appliance in your deployment (not the hardware-based Management Appliance) and copy its configuration data to the virtual Management Appliance. On the Management Appliance, ensure that these check boxes are selected: Allow Web Appliances to join this Management Appliance and Copy configuration and policy data from the first web appliance to join. For complete instructions, see On a Stand-Alone Web Appliance: Joining a Management Appliance on page 141.
3. When the join is complete, power off and decommission the hardware-based Management Appliance.
Related concepts
Central Management on page 141
Related tasks
Backup on page 120
Restore on page 122
Configuring WCCP on page 153

2.3 Network Deployment

You can deploy the Sophos Web Appliance in a variety of configurations, depending on the requirements of your organization and your existing network architecture.
Basic Deployment Options
Three basic network deployments are possible for the Sophos Web Appliance:
Explicit Deployment: All client web browsers are explicitly configured to use the appliance, although this can be done centrally by using distributed Active Directory Group Policy Objects (GPO). Explicit Deployment also supports FTP over HTTP.
Transparent Deployment: The firewall or router is configured to redirect port 80 and port 443 traffic through the Web Appliance. In this mode, web traffic filtering is transparent to users, who only see evidence of the Web Appliance if they attempt to connect to certain URLs and are presented with a notification page.
Bridged Deployment: All outbound network traffic is routed through the Web Appliance’s bridge card, but only port 80 and port 443 traffic is examined. This deployment requires the optional bridge card included with some appliance models. With a Bridged Deployment, network traffic continues to flow in the event of an appliance failure.
Alternative Deployment Options
There are three additional deployments that allow the Web Appliance to work with some common network topologies. You may want to use one of the following, depending on the structure of your existing network.
Bypass for Internal Servers: Allows clients to access specific internal servers directly. This is recommended for use with Explicit Deployment.
Use with an Existing Cache: Allows the Web Appliance to work in conjunction with a pre-existing investment in a web-caching server in any one of the three basic network deployments (Explicit, Transparent, or Bridged).
Use with an ISA/TMG Server: Allows the Web Appliance to work with a downstream or upstream Microsoft Internet Security and Acceleration (ISA) or Microsoft Forefront Threat Management Gateway (TMG) Server in any one of the three basic network deployments (Explicit, Transparent, or Bridged).
Network Deployment Recommendations
It may be necessary to make additional adjustments to accommodate the requirements of your network.
Important: If Active Directory integration is not enabled, the Web Appliance allows connections from any user or computer that can access it. This means that it could allow people from outside of your organization to use your Web Appliance as a proxy, consuming your bandwidth and creating traffic that appears to come from your organization. Sophos strongly advises that you take the following steps to prevent this:
1. Configure your firewall to prevent inbound connections to the Web Appliance from outside your network. The Web Appliance does not require that any inbound ports be open for external traffic.
2. Configure the Web Appliance to accept requests only from your own network. To do this:
a. Select Configuration > Group Policy > Default Groups.
b. Create a custom user group consisting of all your internal subnets and add this group to the Selected groups list.
c. Select the Only the users/groups selected below option, and click Apply.
Configure your firewall to allow email with attachments from the Web Appliance to wsasupport@sophos.com. This is necessary information for Sophos, which uses system status snapshots that you submit as email attachments to ensure that your Web Appliance is operating within acceptable thresholds.
Network Deployments Comparison Table
The following table presents the key characteristics of each basic supported deployment scenario. For details of each, see the sections that follow.
| | Explicit Deployment | Transparent Deployment | Bridged Deployment |
| WCCP Integration | No | Yes | n/a |
| Performance | | | |
| Network Configuration | Configure all clients | Configure firewall or router | Configure only Web Appliance |
| Post-Failure Reconfiguration | Configure all clients | Configure the firewall or router | Power down Web Appliance |
| Web Appliance Traffic | Only carries web traffic | Only carries web traffic | Carries all outbound traffic |
Note: If you use the Transparent or Bridged deployment, see Switching from Transparent Mode to Explicit Mode on page 31 or Switching from Bridged Mode to Explicit Mode on page 33 to learn about making the transition to Explicit Deployment.
Related tasks
Configuring Authentication on page 133
Hostname and Other Network Settings on page 150
Configuring the Network Interface on page 147
Load Balancing with the Management Appliance on page 155

2.3.1 Explicit Deployment

This deployment involves explicitly configuring all client web browsers to use the Web Appliance, although you can also do this centrally by using distributed Active Directory Group Policy Objects (GPO).
Inspects HTTP, HTTPS, and FTP over HTTP traffic.
All clients require configuration (may be done centrally; see the Configuration section below).
If the deployment fails, all clients must be reconfigured (may be done centrally; see the Configuration section below).
Operation
Users’ HTTP, HTTPS, and FTP over HTTP requests are passed to the Web Appliance.
The Web Appliance assesses URLs, blocks disallowed requests, checks if allowed URL requests are currently cached, and passes URL requests that are not cached through the firewall to retrieve them from the internet.
Note: Port 80, port 443, port 20, and port 21 requests from users are blocked at the firewall; URLs are only accepted by the firewall if they are from the Web Appliance.
The Web Appliance receives any new pages or files and caches them; it passes the pages or files of allowed requests back to the users.
The users receive only safe and allowed pages and files or a notification page.
Configuration
1. Connect your organization’s LAN to the Web Appliance’s LAN port.
2. Configure each user’s web browser to use the Web Appliance via port 8080 as their web proxy for HTTP, HTTPS, and FTP. (Ports 3128 and 8081 are also supported, but their use is only suggested if the Web Appliance is replacing a previous proxy configuration that used one of these ports.)
Note: For information about adding support for HTTPS applications that use non-standard ports, see Using the Local Site List Editor in the Group Policy section of the documentation.
Note: Configuring all users’ browsers to use the Web Appliance as a web proxy can be done centrally in Windows networks by using any of the methods described in the Sophos Web Appliance: Configuring your network for Explicit Deployment Knowledgebase article, which also includes links to the following:
Creating, Testing, and Deploying a proxy.pac File
Publishing Proxy Information as a wpad.dat File
Creating a GPO
3. In the Web Appliance’s administrative web interface, on the Configuration > Network > Network Interface page, set the Deployment Mode to Explicit proxy.
Related concepts
Configuring Your Browser on page 198
Related tasks
Using the Local Site List Editor on page 99
Specifying an Upstream Proxy on page 151
Bypassing for Internal Servers on page 33
Upstream ISA/TMG Server Deployment on page 36
Related information
Windows Server Group Policy
2.3.1.1 Downstream ISA/TMG Server Deployment
This option, which uses either a Microsoft Internet Security and Acceleration (ISA) server or a Microsoft Forefront Threat Management Gateway (TMG) server, is based on the Explicit Deployment. This deployment is different in that it includes an ISA/TMG server (and optionally an Active Directory server) between users and the Web Appliance.
Allows the Web Appliance to work with an ISA/TMG Server.
If the Sophos ISA/TMG plug-in is installed, and an Active Directory server is on the network side of the ISA or TMG server, then clients (users) can be seen as usernames.
Allows you to use multiple Web Appliances in a simple load-balancing deployment.
If the Sophos ISA/TMG plug-in is not installed, all traffic will be identified as coming from one user: the ISA/TMG server.
If the Sophos ISA/TMG plug-in is not installed or an Active Directory server is not on the network side of the ISA/TMG server, then clients (users) will appear as IP addresses only.
Does not support individual user opt-out, although with the ISA/TMG plug-in installed custom policy can be applied to an individual user or group.
Operation
Users’ HTTP and HTTPS requests are passed through an ISA/TMG server that uses NTLM or IWA Authentication.
The ISA/TMG server passes URL requests to the Web Appliance.
The Web Appliance assesses the URL.
The Web Appliance blocks disallowed requests, checks if allowed URL requests are currently cached, and passes URL requests that are not cached through to the firewall.
Note: Port 80 and 443 requests from users are blocked at the firewall, which retrieves the URL’s material from the internet; URLs are only accepted by the firewall if they are from the Web Appliance.
The Web Appliance receives new pages or files, caches them, and passes the page or file on to the users.
The users receive only safe and allowed pages and files or a notification page.
Note: If the Sophos ISA/TMG plug-in is installed, clients (users) are identified individually; otherwise, all traffic is identified as coming from one user: the ISA/TMG server.
Note: If the Sophos ISA/TMG plug-in is installed, and an Active Directory server is on the network side of the ISA/TMG server, then clients (users) can be seen as usernames; if the Active Directory server is not appropriately located, clients (users) appear only as IP addresses in reports and user activity logs.
The ISA/TMG plug-in can be downloaded from the Configuration > Network > Hostname page.
The ISA/TMG plug-in is compatible with Microsoft ISA Server 2004 and 2006, and Microsoft Forefront TMG 2010.
Configuration
Important: The Web Appliance may not catch malware stored in the ISA/TMG server’s cache. To avoid this risk, be sure to clear the ISA/TMG cache prior to enabling this network deployment.
Follow the configuration instructions for the Explicit Deployment scenario, but with the following differences:
Ensure that your ISA/TMG server is between the clients and your Web Appliance.
Ensure that your ISA/TMG server is configured to pass traffic through the Web Appliance if it is configured in an Explicit Deployment.
Ensure that your Active Directory server, if you are using one, is located on the network side, between your clients (users) and your ISA/TMG server. The ISA/TMG server must also be configured to allow communications between your Web Appliance and your Active Directory server.
Note: Web Appliance policy will be applied to users authenticated by the Active Directory server using the pre-Windows 2000 format DOMAIN\username only.
If the ISA/TMG plug-in is installed, enter the IP address of the downstream ISA/TMG server in the Accept authentication from downstream ISA/TMG servers section on the Configuration > Network > Hostname page.
Note: A simple way to set up load balancing amongst multiple Web Appliances is to set up a DNS round robin scheme. If you do this, you should disable DNS caching because Windows DNS caching can mask the round robin effect. To disable Windows DNS caching, see the Microsoft Support article http://support.microsoft.com/kb/318803. You must ensure that you have a firewall with network address translation (NAT), but not an ISA or TMG server in firewall mode, between the Web Appliances and the internet. This firewall must be configured to present a single IP for the Web Appliances to the sites on the internet. The NAT, or IP masquerading, prevents sites that check and record the IP address of visitors in cookies from encountering multiple IP addresses.
Note: Explaining how to configure an ISA/TMG Server is beyond the scope of this documentation. For details on ISA/TMG Server configuration, see the Microsoft ISA Server Deployment page or the Microsoft Forefront TMG Deployment page.
Related tasks
Existing Cache Deployment on page 35
Related information
Disabling Client-Side DNS Caching
Microsoft ISA Server Deployment
Microsoft Forefront TMG Deployment

2.3.2 Transparent Deployment

This deployment involves configuring the firewall or router to route all port 80 and port 443 traffic to the Web Appliance. In this mode, web traffic filtering is transparent to users. Unlike Explicit Deployment, you are not required to configure end user browsers.
Inspects HTTP and HTTPS traffic.
Only the firewall and/or the router requires configuration.
If it fails, only the firewall and/or the router must be reconfigured.
Operation
Users make HTTP/HTTPS requests from their clients that are sent out to the LAN.
The router receives all network traffic and bounces all HTTP/HTTPS requests to the Web Appliance.
The Web Appliance assesses URLs, blocks disallowed requests, checks if allowed URL requests are currently cached, and passes URL requests that are not cached out to the LAN.
The router passes all HTTP/HTTPS requests from the Web Appliance out through the firewall to retrieve the URLs from the internet.
The Web Appliance receives the new pages or files and caches them; it passes the pages or files of allowed requests back to the users.
The users receive only safe and allowed pages and files or a notification page.
Configuration
1. Connect the Web Appliance’s LAN port to your organization’s LAN.
2. In the Web Appliance’s administrative web interface, on the Configuration > Network > Network Interface page, set the Deployment mode to Transparent.
3. Configure your router so that it redirects all port 80 traffic to port 80 and port 443 traffic to port 443 on the Web Appliance. In this case, the destination of each packet remains unaltered, but the packets are sent by the router to the Web Appliance.
Traffic on port 80 and 443 from the Web Appliance should be passed to the firewall. All other port traffic is passed as usual.
Note: With Active Directory enabled in Transparent mode, a Windows issue causes Internet Explorer to be repeatedly prompted for authentication. When deploying in Transparent mode, all workstations must be able to resolve the hostname of the Web Appliance into a FQDN (for instance http://ws1000 must resolve to http://ws1000.example.com). For more information, please see http://support.microsoft.com/kb/303650. Firefox users may need to type their password repeatedly unless browser settings are reconfigured.
Related tasks
Configuring Firefox for Active Directory in Transparent mode or Bridged mode on page 202
Configuring WCCP on page 153
2.3.2.1 Switching from Transparent Mode to Explicit Mode
This page describes the steps required to make the transition from a Transparent Deployment to an Explicit Deployment.
To transition from a Transparent to an Explicit deployment:
1. Ensure the Web Appliance’s LAN port is connected to an area of your network that is accessible to your client systems. Also ensure that your router or firewall does not redirect any traffic to your Web Appliance.
2. On the Configuration > Network > Network Interface page, change the Deployment mode from Transparent to Explicit proxy.
3. Configure each user’s web browser to use the Web Appliance via port 8080 as their web proxy for HTTP, HTTPS, and FTP. (Ports 3128 and 8081 are also supported, but their use is only suggested if the Web Appliance is replacing a previous proxy configuration that used one of these ports.)
Note: To add support for HTTPS applications that use non-standard ports, see Add Local Classification.
Note: Configuring all users’ browsers to use the Web Appliance as a web proxy can be done centrally in Windows networks by using one of several methods. See the Sophos Knowledgebase pages for instructions on how to do this by:
Creating, Testing, and Deploying a proxy.pac File
Publishing Proxy Info as a wpad.dat File
Creating a GPO

2.3.3 Bridged Deployment

This deployment is similar to Transparent Deployment in that all outbound network traffic flows through the Web Appliance. Bridged Deployment, however, requires the optional bridge card included with some appliance models.
Inspects HTTP and HTTPS traffic.
Only the Web Appliance requires configuration.
If it fails, you must power down the Web Appliance, but network traffic will continue to flow.
Operation
This deployment uses the Web Appliance’s bridge card, with the Network Interface page’s Deployment mode set to Bridged. In this configuration, the Configuration port to which you connect your laptop or PC to run the setup wizard still appears along the bottom of the appliance, as illustrated in the diagram below (to the right of the middle on the back of the appliance), but this is the only RJ45 port at that location.
There are two ports on the bridge card in the upper-right corner of the back of the appliance. Immediately to the left of these is a small group of six LEDs that indicate LAN connection status, as described in the "Appliance Hardware" page. Of the two RJ45 ports on this card, the one to the left is the WAN port, which you connect to your firewall for WAN or internet access; the port to the right is the LAN port, which you connect to your LAN.
All outbound and inbound traffic passes through the Web Appliance, which filters all port 80 and 443 traffic, allowing only secure and permissible web content to be accessed by your users, while non-web network traffic is passed through.
If the Web Appliance shuts down, the bridge card will be shut down with the LAN circuit closed, meaning that all LAN traffic will pass through.
All outbound network traffic passes through the Web Appliance. Users’ URL requests are intercepted by the Web Appliance on their way to the firewall. All other traffic passes through.
The Web Appliance assesses all URL requests, blocks disallowed requests, checks if allowed URL requests are currently cached and passes uncached URL requests through the firewall and retrieves them from the internet.
The Web Appliance receives any new pages or files and caches them; it passes the pages or files of allowed requests back to the users.
The users receive only safe and allowed pages and files or a notification page.
Configuration
1. Connect the Web Appliance’s LAN port to your organization’s LAN.
2. Connect the Web Appliance’s WAN port to your organization’s firewall.
3. In the Web Appliance’s administrative web interface, on the Configuration > Network > Network Interface page, set the Deployment mode to Bridged, and click Configure to create a list of IP addresses or IP ranges for internal web servers that are exempted from handling by the Web Appliance.
Note: You are not required to configure users’ web browsers.
2.3.3.1 Switching from Bridged Mode to Explicit Mode
This page describes the steps required to convert your Web Appliance from a Bridged Deployment to an Explicit Deployment.
To transition from a Bridged to an Explicit deployment:
1. Leave the Web Appliance’s LAN port connection to your organization’s LAN unchanged.
2. Remove the connection between the Web Appliance’s WAN port and your organization’s firewall.
3. On the Configuration > Network > Network Interface page, change the Deployment mode from Bridged to Explicit.
4. Configure each user’s web browser to use the Web Appliance via port 8080 as their web proxy for HTTP, HTTPS, and FTP. (Ports 3128 and 8081 are also supported, but their use is only suggested if the Web Appliance is replacing a previous proxy configuration that used one of these ports.)
Note: To add support for HTTPS applications that use non-standard ports, see Add Local Classification.
Note: Configuring all users’ browsers to use the Web Appliance as a web proxy can be done centrally in Windows networks by using one of several methods. See the Sophos Knowledgebase pages for instructions on how to do this by:
Creating, Testing, and Deploying a proxy.pac File
Publishing Proxy Info as a wpad.dat File
Creating a GPO

2.3.4 Bypassing for Internal Servers

This option allows clients to access specific internal servers directly. You might choose this setup if you want to let users access internal web pages without routing requests through the appliance. When based on the Explicit Deployment, this option does the following:
Inspects HTTP, HTTPS, and FTP over HTTP traffic.
Supports individual user opt-outs.
Requires configuration for all clients.
If it fails, all clients must be reconfigured, although clients can be configured to bypass the Web Appliance should it fail.
Operation
Users’ HTTP, HTTPS, and FTP requests are examined by the PAC script or similar configuration and forwarded to the appropriate server: the Web Appliance or another server.
When requests are forwarded to the Web Appliance, it assesses the URLs, blocks disallowed requests, checks if allowed URL requests are currently cached, and passes URL requests that are not cached through the firewall to retrieve them from the internet.
Note: Port 80, port 443, and port 21 requests from users are blocked at the firewall; URLs are only accepted by the firewall if they are from the Web Appliance.
The Web Appliance receives any new pages or files and caches them; it passes the pages or files of allowed requests back to the users.
The users receive only safe and allowed pages and files or a notification page.
Configuration
1. Connect your organization’s LAN to the Web Appliance’s LAN port.
2. Configure each client with either a PAC file (the more flexible method) or by distributing the configuration to users via Active Directory Group Policy (the easier method).
Note: When using .pac files with Internet Explorer, we highly recommend disabling automatic proxy caching. Specific instructions can be found in this Microsoft Support article: http://support.microsoft.com/kb/271361.
3. In the Web Appliance’s administrative web interface, on the Configuration > Network > Network Interface page, set the Deployment mode to Explicit proxy.
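A PAC file of the kind step 2 calls for, shown as an added example rather than a Sophos-supplied file: internal servers go DIRECT and everything else goes to the Web Appliance on port 8080. The proxy hostname, bypass domain and IP ranges are assumed sample values, and the FAIL_OPEN switch is an addition that controls whether clients bypass the appliance when it is unreachable.

```javascript
// Added example PAC file (not from the Sophos documentation).
// All names and addresses below are assumptions chosen for illustration.
var PROXY_HOST = "wsa.example.internal"; // hypothetical Web Appliance FQDN
var PROXY_PORT = 8080;                   // proxy port named in this guide
var FAIL_OPEN = false;                   // true: fall back to DIRECT if the appliance is down

// Internal servers that bypass the appliance (constructed sample values).
// The appliance's own hostname falls under the bypass domain, so its
// notification-page assets are fetched directly by FQDN.
var BYPASS_DOMAINS = [".example.internal"];
var BYPASS_NETS = [
  ["10.0.0.0", 8],
  ["192.168.0.0", 16]
];

// Convert a dotted-quad IPv4 literal to a number; return -1 if it is not one.
function ipv4ToInt(s) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return -1;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return -1;
    n = n * 256 + octet;
  }
  return n;
}

// True when the numeric address ip lies inside base/prefixLen.
function inNet(ip, base, prefixLen) {
  var size = Math.pow(2, 32 - prefixLen);
  return Math.floor(ip / size) === Math.floor(ipv4ToInt(base) / size);
}

// Decide whether a host is an exempted internal server.
// No DNS lookups are made: only the literal host string is inspected.
function isBypassed(host) {
  host = host.toLowerCase().replace(/\.$/, "");

  // Single-label names (for example "intranet") are internal by definition.
  if (host.indexOf(".") === -1 && host.indexOf(":") === -1) return true;

  // Suffix match anchored on a dot, so "notexample.internal" does not match.
  for (var i = 0; i < BYPASS_DOMAINS.length; i++) {
    var d = BYPASS_DOMAINS[i];
    if (host === d.slice(1)) return true;
    if (host.length > d.length && host.slice(-d.length) === d) return true;
  }

  // IPv4 literals are checked against the exempted ranges.
  var ip = ipv4ToInt(host);
  if (ip >= 0) {
    for (var j = 0; j < BYPASS_NETS.length; j++) {
      if (inNet(ip, BYPASS_NETS[j][0], BYPASS_NETS[j][1])) return true;
    }
  }
  return false;
}

// Entry point called by the browser for every request.
function FindProxyForURL(url, host) {
  if (isBypassed(host)) return "DIRECT";
  var via = "PROXY " + PROXY_HOST + ":" + PROXY_PORT;
  // Fail-open lets unfiltered traffic out if the perimeter firewall allows it;
  // fail-closed keeps every external request behind the appliance.
  return FAIL_OPEN ? via + "; DIRECT" : via;
}
```

With FAIL_OPEN left false, clients fail closed when the appliance is down, which matches a firewall that accepts web traffic only from the Web Appliance.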
Related tasks
Explicit Deployment on page 25
Related information
Disabling Automatic Proxy Caching

2.3.5 Existing Cache Deployment

This option allows the Web Appliance to work in conjunction with an existing web-caching server.
Operation
The operation will vary according to the deployment scenario that you choose. As an example, the deployment shown in the diagram above and described in the points below is based on a Bridged Deployment.
Users’ URL requests are passed to the Web Appliance.
The Web Appliance passes allowed requests to the cache server.
If the cache server does not have the pages or files cached, it passes the request through the firewall; if it has the requested pages or files cached or when the request is returned through the firewall, the cache server passes the requested pages or files back to the Web Appliance.
Note: Even with the presence of a cache server, the Web Appliance will cache static content.
Note: This configuration is not intended to work with Microsoft Internet Security and Acceleration (ISA) servers or Microsoft Forefront Threat Management Gateway (TMG) servers. If you want a network deployment that will work effectively with ISA/TMG servers, try either the Downstream ISA/TMG Server Deployment or the Upstream ISA/TMG Server Deployment.
The Web Appliance scans the pages or files and passes allowed requests back to the users.
The users receive only safe and allowed pages and files or a notification page.
Configuration
Follow the configuration instructions for the basic network deployment scenario that you want to use (Explicit Deployment, Transparent Deployment, or Bridged Deployment), but with the following differences:
Ensure that your existing cache server is between your Web Appliance and your firewall.
Ensure that your cache server is configured to be transparent to the Web Appliance.
Related tasks
Downstream ISA/TMG Server Deployment on page 27
Upstream ISA/TMG Server Deployment on page 36

2.3.6 Upstream ISA/TMG Server Deployment

This option is similar to the Downstream ISA/TMG Server Deployment. It can be used with any of the basic deployment options. It allows the Web Appliance to work with an ISA/TMG server, although in this case, one that is upstream in the network from the Web Appliance (see diagram below).
Allows the Web Appliance to work with an ISA/TMG server.
Allows you to use multiple Web Appliances in a simple load-balancing deployment.
Does not support individual user opt-out.
Operation
The operation varies according to the basic deployment scenario that you choose. As an example, this option is shown in the diagram above and described in the points below as a Bridged Deployment.
Users’ HTTP and HTTPS requests are passed through the Web Appliance.
The Web Appliance assesses URLs.
The Web Appliance blocks disallowed requests, checks if allowed URL requests are currently cached, and passes URL requests that are not cached through to the ISA/TMG server.
The ISA/TMG server retrieves new pages or files from the internet, and passes them back to the Web Appliance.
The Web Appliance receives the allowed pages or files, caches them, and passes them on to the users.
The users receive only safe and allowed pages and files or a notification page.
Configuration
Follow the configuration instructions for the basic network deployment scenario that you want to use (Explicit Deployment, Transparent Deployment, or Bridged Deployment), but locate your Web Appliance between the ISA/TMG server and your users.
Note: Even if you have an upstream proxy (a proxy between the Web Appliance and the internet) configured, you still need to configure the Web Appliance with access to your organization’s DNS server, which is set on the Configuration > Network > Network Interface page.
Note: A simple way to set up load balancing amongst multiple Web Appliances is to set up a DNS round robin scheme. If you do this, you should disable DNS caching because Windows DNS caching can mask the round robin effect. Also, you must ensure that you have a firewall with network address translation (NAT), but not an ISA/TMG server in firewall mode, between the Web Appliances and the internet. This firewall must be configured to present a single IP for the Web Appliances to external sites. The NAT, or IP masquerading, prevents sites that check and record the IP address of visitors in cookies from encountering multiple IP addresses. To disable Windows DNS caching, see the Microsoft support article http://support.microsoft.com/kb/318803.
Note: Explaining how to configure an ISA/TMG server is beyond the scope of this documentation. For details on ISA/TMG server configuration, see Microsoft’s ISA Server Deployment page or the Microsoft Forefront TMG Deployment page.
Related tasks
Existing Cache Deployment on page 35
Explicit Deployment on page 25
Related information
Disabling Client-Side DNS Caching
Microsoft ISA Server Deployment
Microsoft Forefront TMG Deployment

2.3.7 Integrating with Sophos Email Products

The appliance can be configured to work with Sophos’s email products, such as the Sophos Email Appliances or PureMessage for UNIX. The instructions for doing so are listed below.
To configure your Sophos Web or Management Appliance to route email via your Sophos Email Appliance:
a) On your Sophos Web or Management Appliance, on the Configuration > Network > Hostname page, enter the IP address of your Email Appliance in the Outgoing SMTP mail server text box.
b) On your Sophos Email Appliance, on the Configuration > Routing > Internal Mail Hosts page, enter the IP address of your Web or Management Appliance in the Internal hosts and networks text box, and click Add.
To configure your Sophos Web or Management Appliance to route email via your Sophos PureMessage for UNIX server:
a) On your Sophos Web or Management Appliance, on the Configuration > Network > Hostname page, enter the IP address of your PureMessage server in the Outgoing SMTP mail server text box.
b) On your Sophos PureMessage server, on the Policy > Internal Hosts page, enter the IP address of your Web or Management Appliance.
To configure your Sophos Email Appliance to access the internet via your Sophos Web Appliance:
If you are using Active Directory, you must exclude your Email Appliance from authentication.
a) On your Sophos Web Appliance, on the Configuration > System > Connection Profiles page, create a connection profile that includes the IP address of your Email Appliance.
b) On your Sophos Web Appliance, on the Configuration > System > Authentication page, use the Profiles tab to create an authentication profile that applies to the connection profile for the Email Appliance that you created in the previous step.
For more information on creating authentication profiles, see Authentication in the Web Appliance’s main documentation.
c) On your Sophos Email Appliance, on the Configuration > Network > Hostname and Proxy page, enter the following information in the Proxy server configuration section:
Server address: enter the IP address of your Web Appliance
Port: 8080
Username and Password: leave these blank
d) Click Apply.
To configure your Sophos PureMessage for UNIX server to access the internet via your Sophos Web Appliance:
If you are using Active Directory, you must exclude your PureMessage server from authentication.
a) On your Sophos Web Appliance, on the Configuration > System > Connection Profiles page, create a connection profile that includes the IP address of your PureMessage for UNIX server.
b) On your Sophos Web Appliance, on the Configuration > System > Authentication page, use the Profiles tab to create an authentication profile that applies to the connection profile for the PureMessage server that you created in the previous step.
For more information on creating authentication profiles, see Authentication in the Web Appliance’s main documentation.
c) On your Sophos PureMessage server, configure the IP address of your Web Appliance using the HTTP_proxy environment variable. Specify port 8080. Do not specify a username or password.
Related information
Sophos Email Security and Control site

2.3.8 Grouping Web Appliances

The Sophos Web Appliance is available in a variety of models, each capable of providing web browsing security and control features for different numbers of end users. As indicated in the table below, appliances differ in their processing capacity and memory.
Larger organizations and those with multiple locations can use multiple Sophos Web Appliances grouped together by a common Sophos Management Appliance to provide web security and control for their various locales and a large number of end users. Management appliances centralize control of policy and configuration data and consolidate reports. In order to group two or more appliances together, you must purchase a Sophos Management Appliance.
Web Appliances and Management Appliances can also be purchased as virtual machines that run on VMware. Their capacity depends on how much CPU, memory, and disk space you allocate. For more information, see Virtual Appliances in the product documentation.
For detailed instructions on joining and disconnecting appliances, see Central Management in the System section of the product documentation.
Model    Processors                    Memory (RAM)
WS100    dual-core, light-capacity     2 GB
WS500    dual-core, medium-capacity    2 GB
WS1000   dual-core, high-capacity      4 GB
WS1100   quad-core, high-capacity      8 GB
SM2000   quad-core, high-capacity      8 GB
SM5000   quad-core, high-capacity      8 GB
WS5000   quad-core, high-capacity      16 GB
Note: The number of end users that an appliance can handle is determined by the frequency at which your organization’s users browse the web throughout the day and the volume and nature of the files that they download and access. The number of users that a grouped deployment supports depends on the number of joined appliances.
Scaling and Deployment
Your organization can either grow to require more than one appliance, or, if your organization is a new Sophos appliance user that is a large, multi-site organization, you can begin by using multiple, grouped appliances. In a grouped Web Appliance deployment, configuration and policy data is distributed from the Management Appliance. If you have an existing standalone appliance, there is also the option of the Management Appliance extracting configuration and policy data from the first Web Appliance to join.
Scenario 1: Your growing organization now requires more than one appliance
If your organization begins with a single standalone Web Appliance and then grows to require multiple Web Appliances, the deployment of the additional appliances would be as follows:
Preparing to Join a Management Appliance
Before you join an existing Web Appliance to a Management Appliance, take the following steps to ensure that building your group is a smooth and successful process.
1. Be sure that you perform a backup that includes system configuration data and system logs.
2. If you want to use the policy and configuration data from an established Web Appliance that you plan to join to a Management Appliance, on the Configuration > System > Central Management page on the Management Appliance, be sure to select the Copy configuration and policy data from the first web appliance to join before joining the established Web Appliance. Ensure that the established Web Appliance is the first Web Appliance that you join to the Management Appliance.
Joining a Management Appliance and Other Appliances
1. Join your organization’s original, already-configured Web Appliance to the Management Appliance.
The original Web Appliance’s configuration and policy data are copied to the Management Appliance (shown with blue dotted line).
2. Join the new Web Appliances to the Management Appliance. This can be done in any order, whether the new Web Appliances are in the same location or in remote locations.
The new Web Appliances that are joined then receive their configuration and policy data from the Management Appliance.
Scenario 2: Your large or multi-site organization’s deployment starts with multiple appliances
If your organization begins with multiple appliances that are deployed at the same time, the setup is as follows:
1. Unconfigured Web Appliances, whether they are in the same location or in remote locations, are joined (in any order) to the Management Appliance (joins must be performed from each new Web Appliance).
2. The configuration is done on the Management Appliance, which then distributes this configuration data to the joined Web Appliances (shown with blue dotted lines).
Note: Follow the steps in Scenario 1 if you prefer to configure one of your new Web Appliances for testing purposes first, join it to the Management Appliance, and then distribute the configuration data to the other Web Appliances.
Joined Appliances (Scenarios 1 and 2)
In both scenarios, once all of the appliances are joined, ongoing configuration changes are done on the Management Appliance and distributed to the Web Appliances, thus providing centralized configuration (blue dashed lines). Also, report data is sent from the Web Appliances to the Management Appliance, providing centralized reporting (red smooth lines).
Appliance Mode and Model Differences
Sophos Web Appliances can operate in standalone or joined mode. You can also join a Sophos Management Appliance to one or more Web Appliances for centralized management.
There are differences in the administrative user interface, depending on which mode the appliance is in or if it is a Management Appliance. For a detailed breakdown of these variations, see Mode and Model Differences.
Related concepts
Central Management on page 141
Understanding Mode and Model Differences on page 43
Grouped Appliance Troubleshooting on page 210
Virtual Appliances on page 22
Related tasks
Backup on page 120

2.3.9 Network Deployment Troubleshooting

The following is a list of known Web Appliance network deployment issues and their solutions.
"Blocked" Notification Page Lacks Graphics and a Stylesheet
Problem: If the "Blocked" notification page is displayed without any graphics and as raw HTML without the formatting of a stylesheet, the problem can result from the following combination of conditions in your network deployment:
Your browser is configured to bypass use of the Web Appliance for your internal sites (for example, the domain name of your Web Appliance would normally be bypassed).
Your browser is configured with the Web Appliance’s IP address instead of its fully qualified hostname.
Your DNS server cannot resolve the Web Appliance’s IP address.
Solution: The best solution is to add the Web Appliance to your DNS server.
Firewall reports attachments stripped from Web Appliance-generated email
Background: The Web Appliance provides a managed appliance experience that is enabled in part by sending system status snapshots as email attachments to Sophos to ensure that your Web Appliance is operating within acceptable thresholds.
Problem: Firewalls can strip attachments from Web Appliance-generated email.
Solution: To enable the Sophos managed appliance experience, configure your firewall to allow email with attachments from the Web Appliance to wsasupport@sophos.com.
Long delays when loading web pages
Problem: If latency is significantly increased when browsing through the appliance, the problem may be due to an inappropriate Speed and duplex setting forced by enabling the auto-detect option.
Solution: To test if this is the case, set one of the manual options in the Speed and duplex option on the Configuration > Network > Network Interface page. If this change does not remedy the high latency problem, reinstate the automatic option and contact Sophos Technical Support.
RealPlayer Content Appears to be Blocked
Problem: RealPlayer content fails to play. This is typically a firewall configuration issue and not a Web Appliance problem. RealPlayer uses port 554, which is typically blocked in default firewall configurations.
Note: The remote site can force the use of a non-HTTP port, which will result in users not being able to view the content if the firewall is blocking the port being used.
Solution: To enable access to RealPlayer content, open port 554 on your firewall.

2.4 Understanding Mode and Model Differences

The Sophos Web Appliance is available in a variety of models, each capable of providing web browsing security and control features for different numbers of end users.
Larger and multi-location organizations can use multiple Sophos Web Appliances grouped together by a common Sophos Management Appliance to provide web security and control support for their various locales and a large number of end users. Management appliances centralize control of policy and configuration data and consolidate reports. In order to group two or more appliances together, you must purchase a Sophos Management Appliance.
Sophos Web Appliances can operate in standalone or joined mode. The Management Appliance (purchased separately) can be joined to one or more Web Appliances for centralized management. The user interface options differ, depending on whether it is a Standalone Web Appliance, a Joined Web Appliance, or a Management Appliance.
Standalone Web Appliance: The default mode for a Web Appliance. It can be joined to a Sophos Management Appliance with Central Management options.
Joined Web Appliance: A standalone web appliance that has been joined to a Sophos Management Appliance with Central Management options.
Sophos Management Appliance: An appliance with the dedicated purpose of central management. When joined to other appliances, it is used for centralized reporting as well as centralization of configuration and policy data.
Modes and Models in the Documentation
The administrative user interface varies slightly, depending on the mode or if you are managing grouped appliances from a Management Appliance.
Many administrative interface pages described in this documentation are not available on a Joined Web Appliance; the functionality is shifted to the Management Appliance so that you can configure settings for multiple appliances from a single location.
The Reports and Search tabs are grayed out, and most of the Configuration tab’s options seen on the sidebar of a Management Appliance or Standalone Appliance do not appear on a Joined Web Appliance. The documentation notes all instances where options are available but differ from one appliance mode to another.
Throughout the documentation, you will see notes containing this grouped appliance icon. These notes describe which user interface options are available for which modes and models.
The availability of pages of the administrative web interface is outlined in the table below.
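administrative web interface page(s)

Dashboard
  Standalone Web Appliance: Yes
  Joined Web Appliance: Yes, but no report links
  Sophos Management Appliance: Yes; additional Select View option to see only information for a specific appliance; for All appliances option, numbers are totals or averages
Configuration Landing Page
  Standalone Web Appliance: Yes
  Joined Web Appliance: no post-installation tasks; the only quick task is Configure Central Management
  Sophos Management Appliance: Yes
Accounts > Administrators
  Standalone Web Appliance: Yes
  Joined Web Appliance: Yes, but accounts are for the local system only
  Sophos Management Appliance: Yes
Accounts > Notification Pages
  Standalone Web Appliance: Yes
  Joined Web Appliance: None
  Sophos Management Appliance: Yes
Group Policy
  Standalone Web Appliance: Yes
  Joined Web Appliance: Policy Test only
  Sophos Management Appliance: Yes
Global Policy
  Standalone Web Appliance: Yes
  Joined Web Appliance: Only General Options page, which has only "Cache settings"
  Sophos Management Appliance: Yes; the General Options page has no "Cache settings"
System > Updates
  Standalone Web Appliance: Yes
  Joined Web Appliance: Status info & Update button only
  Sophos Management Appliance: Yes
System > Backup
  Standalone Web Appliance: Yes
  Joined Web Appliance: None
  Sophos Management Appliance: Yes; added Report data backup option
System > Restore
  Standalone Web Appliance: Yes
  Joined Web Appliance: None
  Sophos Management Appliance: Yes
System > Alerts & Monitoring
  Standalone Web Appliance: Yes
  Joined Web Appliance: Syslog only
  Sophos Management Appliance: Yes
System > Active Directory
  Standalone Web Appliance: Yes
  Joined Web Appliance: Yes; no LDAP access options (LDAP data is downloaded from the Management Appliance)
  Sophos Management Appliance: Yes
System > Time Zone
  Standalone Web Appliance: Yes
  Joined Web Appliance: Yes
  Sophos Management Appliance: Yes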
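System > Central Management (each unique)
  Standalone Web Appliance: Join
  Joined Web Appliance: Revert to standalone
  Sophos Management Appliance: Set "Join" options
Network > Network Interface
  Standalone Web Appliance: Yes
  Joined Web Appliance: Yes
  Sophos Management Appliance: Yes; no Deployment mode menu, no Configure button
Network > Hostname
  Standalone Web Appliance: Yes
  Joined Web Appliance: Yes
  Sophos Management Appliance: Yes; no DNS search suffixes or Accept authentication from downstream ISA/TMG servers options
Network > Network Connectivity
  Standalone Web Appliance: Yes
  Joined Web Appliance: Yes
  Sophos Management Appliance: Yes
Network > Diagnostic Tools
  Standalone Web Appliance: Yes
  Joined Web Appliance: Yes
  Sophos Management Appliance: Yes
Reports
  Standalone Web Appliance: Yes
  Joined Web Appliance: None
  Sophos Management Appliance: Yes; per appliance reports available for Volume, Latency and Throughput
Searches
  Standalone Web Appliance: Yes
  Joined Web Appliance: None
  Sophos Management Appliance: Yes
System Status
  Standalone Web Appliance: Yes
  Joined Web Appliance: Yes
  Sophos Management Appliance: Yes; a Remove button is available in the Web Appliance view on the Management Appliance for breaking the connection with that appliance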
Related concepts
Grouped Appliance Troubleshooting on page 210
Grouping Web Appliances on page 39
Central Management on page 141
Virtual Appliances on page 22

2.5 Platforms and User Interface

Supported Platforms
End-User Browser: Internet Explorer 8.0 and newer, recent versions of Chrome and Firefox
Administrator Browser: Internet Explorer 8.0 and newer, recent versions of Firefox
Directory Services: Active Directory 2000, 2003, 2008, 2008R2 and 2012R2
eDirectory: eDirectory 8.73 and 8.8 on Netware 6.5 SP3; eDirectory 8.8 on SUSE; eDirectory 8.8 on Windows Server 2003
Appliance Administrative Web Interface
The appliance’s administrative web interface includes the following components:
The System Information bar shows the following (from left to right):
Remote Assistance session established is displayed while an outbound SSH connection to Sophos Technical Support is open.
Sophos proactive monitoring is off is displayed when Activate appliance support alerts is turned off on the System: Alerts page.
v#.#.# shows the version number of the current appliance software. Click the version number to open the release notes in a new window.
Logged in as <username> is displayed, indicating the username of the current user. To change the current user’s password, click on this.
Log out can be clicked to exit from the appliance’s administrative web interface.
The current time in 12-hour format.
Click the items on the Navigation bar to view:
The Dashboard tab
The Configuration tab
The Reports tab (not available on a joined Web Appliance)
The Search tab (not available on a joined Web Appliance)
The Appliance Help window
The System Status tab
Most of these tabs contain multiple pages, which can be accessed from the Navigation sidebar.
The Content pane displays the pages of the appliance’s administrative web interface.
Near the top of the Content pane on the Configuration and Search pages is a short explanation of the purpose of the page, which is marked with an information icon, as shown to the left.
The Navigation sidebar only appears on the Configuration, Reports, and Search tabs. Click the links on this sidebar to view the various Configuration, Reports, and Search options in the Content pane.
The Content pane displays the pages of the administrative web interface.
Note: At the bottom edge of the Content pane on each of the Configuration, Reports and Search pages is a status bar that displays the response to actions performed in the administrative web interface.
The Quick Tasks sidebar only appears on the Configuration tab. Click any of these links to perform common configuration tasks.
The Parameters sidebar (not shown) appears on the Reports tab and the Search tab. Use this area to set date and display options.

2.6 Policy

The Sophos Web Appliance provides security and control for your users’ web browsing by preventing the loading of viruses, Trojans, worms, other malware, and potentially unwanted applications (PUAs).
The Web Appliance does this by using site lists. Sophos provides a basic and an enhanced list of URLs (the Sophos Basic Categorization Data and the Sophos Enhanced Categorization Data), each of which assigns a risk classification (high, medium, low, or trusted) and a site category (business, education, sports, gambling, illegal drugs, weapons, etc.) to the listed URLs.
You can extend these Sophos lists, or override the risk classification or the site category of the URLs by adding custom entries. In addition to URLs, you can set whether requests for various downloadable file types are allowed, warned, or blocked. "Block" or "warn" pages are displayed in response to inappropriate user requests, and you can give users the ability to ask for a reclassification or re-categorization of the site. The message that users see on these pages can also be modified.
Default actions are as follows:
Content from sites classified as being high-risk is always blocked
Content from low-risk sites is always scanned
Content from trusted sites is always allowed
Additionally, you can set whether content from medium-risk sites is blocked or scanned and whether content from unclassified sites is handled in the same way as content from low, medium, or high-risk sites.
HTTPS
This security protection can be extended to HTTPS (encrypted) sites, which can also contain security threats. You configure your Web Appliance to handle certificate validation, thus deciding for your users about which HTTPS sites to trust.
HTTPS Scanning
To provide secure sessions between your users and commercial or banking sites, HTTPS can encrypt web content between the website server and the user’s browser. To scan encrypted content for malware, it must first be decrypted, then scanned, then re-encrypted for delivery to the requesting end user’s browser. Doing this maintains the privacy of the encrypted content, as the process takes place automatically without human eyes viewing the content.
Active Directory
The Web Appliance allows you to view lists of user groups imported from your organization’s Active Directory server and define custom groups. On this page, you either apply the default policy to a select list of groups, or you apply the default policy to all groups except those in the select list.
Acceptable Use Policies
The Web Appliance protects your organization and your users from visiting sites that violate your organization’s browsing policy, including sites that violate inappropriate browsing legislation. Site categories can also be used to provide productivity control by disallowing access to entertainment sites and other diversions.
Custom Policies
You can define a Special Hours policy, consisting of modified access settings that will apply to the same set of users as the default policy, but that provides, for example, a more relaxed web browsing policy during the lunch hour and after business hours.
You can also create as many as 80 Additional Policies, overriding the default policy and the Special Hours policy. These can be applied to select users or groups and can also be set to take effect only during a scheduled period. Additional policies can be turned on and off as required, and they can be set to automatically deactivate at a specified date and time.
Applying tags lets you set policy rules more simply and flexibly than is possible by using other policy features. You can use the Local Site List to apply one or more tags to a URL. With Additional Policies, you can set what action is taken in response to a tag.
Dynamic Categorization
Sophos provides the ability to block attempts by your users to evade policy controls through anonymizing proxies and caching websites by automatically detecting such sites with the Dynamic Categorization feature.
Data Leakage Prevention
You can secure your users against leaking vital data through web use by using the Data Leakage Prevention features to selectively block them from sending webmail messages and posting on blogs.
Related concepts
Group Policy on page 74
Global Policy on page 101

2.7 Endpoint Web Control

Sophos Web Appliances can perform filtering for URLs and file types at the network gateway. Sophos Enterprise Console allows you to extend some of this same capability via Sophos Endpoint Security and Control, filtering 14 essential site categories on endpoint machines.
By combining a Sophos Web Appliance with Sophos Enterprise Console, however, your organization can take advantage of features that both products have to offer. Once you have configured them to work together, you can apply a full web control policy with more than 50 site categories to each user machine by way of Endpoint Security and Control.
Endpoint machines then communicate with the designated Web Appliance or Sophos Management Appliance, receiving policy updates and sending back web activity reports to the appliance and web events to Enterprise Console. Optionally, you can grant users the ability to receive policy updates and send web activity reports through a cloud service during periods when users are disconnected from your corporate network.
As illustrated below, Enterprise Console can enable endpoint web control using three different methods.
Method 1: Enterprise Console (standalone mode)
Even without a Web Appliance or Management appliance, Enterprise Console offers basic web filtering. When a web control policy is configured and enabled solely through Enterprise Console, rules for 14 essential categories are applied for each user through Sophos Endpoint Security and Control. The policy, defined on Enterprise Console as Potentially Unwanted Website Control, is published to users. Users’ web activity data is sent back to Enterprise Console, where they are displayed as “web events.”
If necessary, the endpoint software performs URL classifications via SXL queries to Sophos. SXL is the infrastructure that Sophos uses to submit real-time, DNS-based queries to SophosLabs regarding IP addresses, URIs within messages, and image fingerprints.
Method 2: Enterprise Console and Appliance
When a full web control policy is applied using either a Sophos Web Appliance or Sophos Management Appliance, Enterprise Console supplies the hostname of the corresponding appliance so that endpoints can communicate with it. The user's endpoint software connects to that appliance and obtains a complete web-filtering policy. Users' web activity data is sent back to the designated appliance, while web event data (websites scanned and assessed by the live URL-filtering feature) is sent to Enterprise Console.
If necessary, the endpoint software performs URL classifications via SXL queries to Sophos. SXL is the infrastructure that Sophos uses to submit real-time, DNS-based queries to SophosLabs regarding IP addresses, URIs within messages, and image fingerprints.
Method 3: Enterprise Console and Appliance with LiveConnect
Optionally, you can deploy full web control with LiveConnect enabled. Data is exchanged exactly as it is in Method 2, except that users have access to a cloud service that allows roaming endpoints to connect with the designated Web Appliance without you having to grant special access through your organization’s firewall or reconfigure any externally facing network services.
It does so by providing a bridge between outbound HTTP connections made by the endpoint and its managing Appliance (as shown above). This allows the endpoint to apply the same web-filtering rules for roaming users as they would get when protected by a gateway appliance.
Benefits of Endpoint Web Control
While the Sophos Web Appliance provides security and productivity protection for systems browsing the web from within your corporate network, Endpoint Web Control extends this protection to users’ machines. This provides protection, control, and reporting for endpoint machines that are located, or roam, outside your corporate network.
Enterprise Console can deliver Web Control policies to your endpoint machines that provide malware protection and productivity rules based on common site categorizations. With the combination of Sophos Enterprise Console and a Sophos Web Appliance it is possible to extend your Full Web Policy to endpoint machines, providing more than 50 site categories, highly flexible policy configuration, and detailed reporting on threats and usage.
Related concepts
eDirectory on page 128
Related tasks
Endpoint Web Control on page 144
Viewing Connected Endpoints on page 145

2.7.1 Appliance Features Not Supported by Endpoint Web Control

While there are many benefits to extending full Web Control to the endpoint, some features are only available from behind a Web Appliance. The following features are supported on the Web Appliance but not Endpoint Web Control:
Dynamic categorization
Data leakage prevention (webmail and blogs)
HTTPS scanning
Certificate validation
Download options
Google feature controls
Sandstorm
Download-type controls for Windows system files, Windows scripts, and Windows HTML App files
Related tasks
Configuring Dynamic Categorization on page 104
Configuring Data Leakage Prevention on page 104
Configuring HTTPS Scanning on page 105
Configuring Certificate Validation on page 108
Setting Download Options on page 110

2.8 Updates

New threats are constantly evolving on the internet: viruses, spyware, and other security attacks. To ensure that your appliance is able to deal with these changes, it automatically downloads and installs updated information from SophosLabs. Website URL categorization data is also updated: every 5 to 30 minutes for the standard categorization data and every hour for the enhanced categorization data.
SophosLabs is a global network of highly skilled analysts with more than 20 years’ experience in protecting businesses from known and emerging threats. SophosLabs sites around the world provide rapid response to evolving threats like viruses, spam, phishing, spyware, and other malware, 24 hours a day, seven days a week.
The appliance constantly updates anti-virus definitions and Sophos website categorization data throughout the day. It also downloads "Critical" and "Maintenance" software updates. Critical updates are security-related and protect against anything that can compromise the appliance. Maintenance updates contain the latest non-critical software updates and bug-fixes. Maintenance updates can be installed on a configurable schedule to avoid slowdowns at peak periods.
Related concepts
About Appliance Versions on page 114

2.9 Getting Support

Sophos Appliances are equipped with advanced monitoring and assistance technologies that deliver a superior customer support experience. Every installed appliance is kept up to date and at its operational peak with minimal administrative involvement. Sophos appliances communicate with Sophos Technical Support every five minutes, automatically receiving anti-virus and URL classification updates and reporting on hardware health and protection status.
You can send a support request directly from the appliance help system. Click the Sophos Support icon in the online help's title bar to access this feature.
Sophos appliances also feature optional Remote Assistance via a secure reverse-tunnel SSH connection. This lets you grant Sophos Technical Support direct remote access to your appliance for faster problem resolution. Contact Sophos Technical Support before enabling Remote Assistance.
Active Monitoring also delivers automatic alerts on the protection status and license validity. Sophos Appliances with Active Monitoring deliver a new height of gateway protection, offering the control and efficiency of an appliance and the simplicity of a managed service.
To contact your local Sophos office, see: http://sophos.com/companyinfo/contacting/
Product Warranty
Each unit comes with a three-year advanced replacement warranty to help keep networks up and running even in the event of hardware failure. If a hardware component or entire appliance requires replacement at any time during the first three years, Sophos will cover the costs of the new appliance and delivery. The customer is responsible for returned unit delivery charges.
Hardware Support
All appliances carry a standard Advanced Replacement Warranty. Sophos will initiate the replacement within two hours of a confirmed failure. Next-day delivery (not including delays from international Customs clearing, if required) will occur according to the following cut-offs, Monday through Friday:
Local Cut-off Time        Customer Region
12:00 (Boston, USA)       United States, Canada
12:00 (London, UK)        United Kingdom, EMEA
13:00 (Paris, FR)         France and Spain
13:00 (Frankfurt, DE)     Germany, Switzerland and Austria
13:00 (Milan, IT)         Italy
16:00 (Sydney, AU)        Asia Pacific
14:00 (Yokohama, JP)      Japan
16:00 (Sydney, AU)        Australia, New Zealand
Hardware replacement requests received after the times shown above will be fulfilled on the second subsequent business day.

2.10 Product Documentation

In addition to the online help, the following product documentation and support resources are available from the Web Appliance Documentation page:
Release notes
Setup guides
Configuration guides
The Knowledge Base is a collection of articles that address the following issues:
Common questions received by Sophos Support about the appliance.
Technical issues that are not commonly encountered by appliance administrators.
Technical issues that involve third-party hardware or software products that affect Web Appliance and Management Appliance deployment or operations.

3 Dashboard

The Dashboard tab provides a quick overview of Web Appliance activity and status in several panels: Select View, Summary Statistics Today, URL Test, Virus Updates, Web Traffic, Blocked Sites, Viruses and Malware, and Traffic Patterns.
The Select View section of this page is only available on a Management Appliance. When All appliances is selected in the Select View section, the numbers displayed are totals or averages of all managed Web Appliances. Also, the links to reports in the Blocked Sites, Viruses and Malware panel are not available on joined Web Appliances.
Select View
This panel allows you to select from which appliances the Dashboard draws its information. You can select any joined Web Appliance, or you can select All appliances.
Note: When viewing the information for All appliances, the time period covered is based on the Management Appliance’s time zone. When viewing the information for a specific Web Appliance, the time period covered is based on the viewed appliance’s time zone.
Summary Statistics Today
The Summary Statistics Today panel displays the following information:
Unique users (since 12AM): The total number of users that have used the Web Appliance’s services since midnight.
Concurrent users: The number of concurrent users in the last minute.
Concurrent users peak: The peak number of concurrent users during the busiest minute today.
Connected endpoints: The total number of active Sophos Endpoint Security and Control users whose web activity is currently filtered by an appliance-based policy. You must use Sophos Enterprise Console together with an appliance to deploy web filtering by way of Endpoint Security and Control. Click to view details of any connected endpoints. If you are not filtering at the endpoints, the number shown is always zero.
Page latency: The average time in milliseconds per page that was added to page loads by the Web Appliance in the last minute.
Page latency peak: The peak time in milliseconds that has been added to page loads by the Web Appliance during the busiest minute today. This peak value may be due to a large or complex download and should not be interpreted as average page latency, which is shown in the preceding Page latency value.
Bytes downloaded: The total number of bytes (expressed in kB, MB, or GB) of content downloaded through the Web Appliance today since midnight. This is a comprehensive measure of the bytes downloaded.
Note: If the domain name or the time zone of the Web Appliance is changed, the count for the number of Concurrent Users is set to zero, potentially causing an inaccurately low number to be displayed for the rest of the day on which the change was made.
The lower part of the Summary Statistics Today panel displays the following information:
Bandwidth consumption: The bandwidth usage today, both in terms of bytes (expressed in KB, MB, or GB) and as a percentage of today's total bandwidth use for:
Page views: The bandwidth consumed by loading all pages that show HTML content, including graphics, style sheets, and JavaScript.
Downloads: The bandwidth consumed by loading all other (non-HTML page) content.
Download requests: The file download requests today, both in terms of the number of requests and as a percentage of the total for:
Allowed (download requests)
Denied (download requests)
Page requests: The web page view requests today, both in terms of the number of requests and as a percentage of the total for:
Allowed (web page requests)
Denied (web page requests)
Throughput: The number of kilobits or megabits per second of data passed to users throughout the current day (in white), and the same information over the preceding day (in red).
Test URL/Submit to Sandstorm
To test the category and security risk of a URL, click the Test URL tab, type a URL or IP address, and click Test.
To send a file to Sandstorm for analysis, click the Submit to Sandstorm tab, select a file or type the URL of a file, and click Submit. To view the progress of the test, click Search and go to Sandstorm > Sandbox Activity.
Note: This option is available only to licensed users of Sophos Sandstorm.
Advanced Threat Protection
Information on the number of machines on your network that are potentially infected. If no threats have been detected for a given time interval, a green checkmark will be displayed. If any potentially infected machines have been detected, a red circle with an X will be displayed. Click the infected hosts count to show the Advanced Threat Protection report on page 166 with details for the indicated time interval.
Web Traffic
The Web Traffic panel displays two gauges:
Throughput (kbps/Mbps): The total kilobits or megabits per second of data passed to users.
Added latency (ms): The time in milliseconds that is added to page loads by the Web Appliance.
Blocked Web Traffic
The Blocked Web Traffic panel displays the following information:
Viruses: The total number of viruses blocked. Click to view the full Users: Virus Downloaders report.
PUAs: The total number of PUAs blocked. Click to view the full Users: PUA Downloaders report.
High risk sites: The number of blocked URL requests for high-risk sites. Click to view the full Users: High Risk Site Visitors report.
Policy violations: The total number of policy violations. Click to view the full Users: Policy Violators report.
App Control Violations: The total number of web application violations. Click to view the full Users: Top Web Application Users report.
Note: These are not available on a joined Web Appliance. All numbers reset at midnight.
Sophos Sandstorm
Sophos Sandstorm is a cloud-based service that provides enhanced protection against new and targeted attacks. You can configure the appliance to send suspicious files to Sandstorm for analysis or submit suspicious files on an individual basis. Sandstorm detonates the file to check for malware and sends the results to you. Because the analysis takes place in the cloud, your system is never exposed to potential threats.
The Sophos Sandstorm panel displays the following information:
Suspicious Downloads: The total number of downloads that have been flagged as suspicious. Depending on how you have configured Sandstorm, some of these may not be sent to the Sophos Active Sandbox for analysis.
Sent for Analysis: The total number of downloaded items sent to the Sophos Active Sandbox today.
Awaiting result: The number of downloaded items that were sent to the Sophos Active Sandbox, and that are currently waiting to be analyzed.
Malicious: The total number of suspicious items users attempted to download that exhibited unwanted or risky behavior when executed.
Clean: The total number of suspicious items users downloaded that did not pose a threat.
Average Analysis Time: The average amount of time it takes to process an item submitted for analysis.
Note: If you have a trial license, this will display the number of days left in your trial.
Malicious/Suspicious gauge: displays information about the number of downloaded items that were categorized as malicious (red), and the total number of items flagged as suspicious (blue) during the last seven days.
Note: This information is available only to licensed users of Sophos Sandstorm.

4 Configuration

The Configuration tab provides an interface for setting web security, browsing policy options, and performing appliance network configuration and administrative tasks.
Note: The post-installation tasks do not appear on a Web Appliance that is joined to a Management Appliance, and the only item on the Quick Tasks sidebar is Configure Central Management.
The Configuration tab sidebar lists all of the available configuration pages. They are as follows:
Use the Accounts pages to create and manage appliance administrator accounts and to set user notification page preferences.
Use the Group Policy pages to set specialized URL filtering for groups and individuals, including setting modified URL web access policy during specific times or additional policies for specific purposes.
Use the Global Policy pages to change the Web Appliance URL filtering behavior.
Use the System pages to update, back up, and restore the appliance's system and to change its configuration.
Use the Network pages to change the configuration of the appliance’s connection to, and identity within, your organization’s network and to check network connectivity.
After installation or a major upgrade, the Configuration Homepage displays a list of post-installation tasks that you should perform to ensure that the appliance performs optimally in your environment. The title of each task links to the configuration page where these configuration tasks should be performed. The post-installation tasks are:
Set up Default Policy on page 75: Use this page to configure how URL requests to sites categorized by content type and download types are handled by the appliance.
Set up Default Groups on page 84: Use this page to choose whether the default policy is applied to everyone or to selected groups of users.
Create Additional Policies on page 89: Use this page to set additional policies that can be used as exceptions to the Default Policy and the Special Hours Policy and which are executed as part of the Web Appliance's application of acceptable browsing policy.
Set up Active Directory on page 123: Use this page to configure the appliance's access to your Active Directory server.
Set up eDirectory on page 128: Use this page to configure the appliance’s access to your eDirectory server.
Certificate Validation on page 108: Use this page to configure the Web Appliance to examine HTTPS certificates and automatically accept valid, known certificates.
User Notification Options on page 65: Use this page to modify the appearance of the notification pages that the Web Appliance displays to users when they try to access virus-infected files, malware, blocked sites, when they download large files that take a long time to scan, or warning pages that are displayed when users attempt to access a URL that violates policy.
When the above changes are made, or if no changes are desired, these items can be removed by clicking the Remove button to the right of each link.
A Quick Tasks sidebar on the right of the Configuration Homepage provides easy access to the following main administrative tasks and commonly adjusted settings:
Check for Software Updates on page 113: Use this page to check the update status, manually initiate queued software updates, and to set the scheduled times and days for automatic software updates.
Add/Edit Local Site List Entry on page 97: Use this page to view, add, edit, or delete URLs from the Local Site List.
Backup Current Configuration on page 120: Use this page to configure the appliance to perform automated backups of system configuration and log data to an FTP site or to manually download configuration data to your current (browsing) system’s hard disk.

4.1 Accounts

Use the Accounts pages to create and manage appliance administrator accounts, set end user notification page preferences, modify notification page messages, or add logos.
Use the Administrators page to create, modify, and delete appliance administrator accounts.
Use the Notification Page Options page to configure the look, text, and behavior of the various notification pages that the Web Appliance shows to end users.
Note: The Notification Page Options page is not available on a joined Web Appliance, as this functionality has been shifted to the Management Appliance. The Administrators page is renamed Local Administrators on a joined Web Appliance, as accounts created on a joined system are available only on that system.

4.1.1 Administrators

On a joined Web Appliance this page is named Local Administrators, as accounts created on a joined system are available only on the local system. An account created on a Management Appliance, including Limited Access Administrator accounts, is referred to as a global account. Global accounts can access the same features on any Web Appliance for which their role or roles grant them permission.
The Configuration > Accounts > Administrators page allows you to create, modify, and delete appliance administrator accounts. New appliance Administrators can be either Full Access Administrators, who have access to all system management tasks, or Limited Access Administrators, who can only access the system management tasks for which they have been granted permission.
The default administrator account cannot be deleted and only its password can be changed. If you need to reset a forgotten password for the default administrator, you can do so by following the instructions provided when you click the Reset password for default administrator link on the main login page.
Note: To reset the default administrator’s password, you will need the product activation code that you received when you purchased your appliance. This allows you to enable Sophos Remote Assistance, after which Sophos Technical Support is able to reset the password.
Related concepts
Reporting Groups on page 170
4.1.1.1 Creating a New Administrator Account
In the Administrators table, click the Add button to open the Administrator Accounts Wizard. Use the Previous and Next buttons to move between pages of the wizard or the Cancel button to close the wizard and discard the entry.
To add a new administrator:
1. On the Details page of the wizard, enter the Full name, Username and Password, and then Confirm password for that user.
2. On the Roles page of the wizard, select whether the user should be a Full Access Administrator, or a Limited Access Administrator. For a Limited Access Administrator, select one or more of the following roles:
Helpdesk: Approves user submissions, tests the policies, and verifies network connectivity.
Policy: Configures and tests global and group web browsing policies.
Reporting: Views or schedules reports.
User Activity: Has access to detailed web activity data.
Note: The comment section of new entries in the Local Site List will include which Helpdesk administrator approved a user submission.
3. The Reporting Groups page is enabled when a Limited Access Administrator is being created with one or both of the Reporting or User Activity roles.
Select Include all reporting groups if you want the new administrator to have access to all existing groups.
Select Include only selected reporting groups if you want to restrict the administrator's access to specific groups. Then, in the Reporting Groups table, select the specific groups to which the administrator should have access.
4. On the Description page of the wizard, enter a description for the administrator.
5. Click Save.
The Administrator Accounts Wizard is closed, and the new administrator account appears in the Administrators list.
4.1.1.1.1 Administrator Access Rights
Access rights for Full Access and Limited Access Administrators
Administrators may have different access rights, depending on what Roles they have been granted. The following table provides a summary of what each role is able to access.
Page
Dashboard > Endpoints
counts
Admin
Yes (read-only)
YesConfig > Landing
YesConfig > Quicktasks
YesConfig > Group Policy
YesConfig > Global Policy
Yes (read-only)
Yes (read-only)
Yes (read-only)
(read-only)
(read-only)
Yes (read-only)
(read-only)
(read-only)
Yes (read-only)
User ActivityReportingPolicyHelpdeskFull Access
Yes (read-only)
NoNoNoNoYesDashboard > Block
NoNoYes
NoNoYes
NoNoYesYes
NoNoYesYes
NoNoNoNoYesConfig > System
except Network connectivity and diagnostic tools
Network connectivity and diagnostic tools
Options
Reporting Groups
Report Scheduler
NoNoNoNoYesConfig > Network,
YesConfig > Network >
Yes (read-only)
(read-only)
NoNoYes
NoYesNoNoYesReports > All, except
NoNoNoNoYesReports > Options >
NoYes (limited)NoNoYesReports > Options >
Page
Report Exemptions
Search Terms
Activity Search
Submissions > Sites
Submissions > PUAs
Search > User Submissions > File Types
Link
Admin
YesSearch > User
Yes (delete only)
only)
Yes (delete only)
NoNoYesReports > Options >
only)
User ActivityReportingPolicyHelpdeskFull Access
NoNoNoNoYesReports > Options >
NoYes
(read-only)
YesNoNoNoYesSearch > Recent
NoNoYesYesYesSearch > User
NoNoYesYes (delete
NoNoYes (delete
NoNoYesNoYesHelp > Sophos Support
4.1.1.2 Modifying an Administrator Account
In the Administrators table, click the username of the account that you want to modify. The Administrator Accounts Wizard is displayed with the information for the existing account shown.
Use the Previous and Next buttons to move between pages of the wizard, the Save button to close the wizard and save any changes you have made to the account, or the Cancel button to close the wizard and discard any changes you have made to the account.
In the Administrator Accounts Wizard, make any required changes:
On the Details page of the wizard, you can modify the Full name and Password for that user.
Note: You can only change the password of the initial, default administrator account; you cannot change the Full name or the Username of the account. For added accounts, only the Username cannot be modified.
On the Roles page of the wizard, you can modify whether the user should be a Full Access Administrator or a Limited Access Administrator, or you can select different roles for a Limited Access Administrator.
NoNoNoNoYesSystem Status
Note: If there are scheduled reports that have been created by a Limited Access Administrator account, that role cannot be removed from that account until any associated reports have first been deleted.
The Reporting Groups page is enabled only for Limited Access Administrators with one or both of the Reporting or User Activity roles selected.
Note: You cannot remove a reporting group from a report user if that reporting group is used by a scheduled report belonging to that report user.
On the Description page of the wizard, you can modify the description of the administrator.
Click Save when you have finished making changes.
The Administrator Accounts Wizard is closed, and changes to the modified account appear in the Administrators list.
4.1.1.3 Removing an Administrator Account
In the Administrators table, select the check box beside the account (or multiple accounts) that you want to delete.
Note:
The initial, default administrator account cannot be selected or deleted.
You cannot delete an account if you are logged in to that account.
If there are scheduled reports that have been created by an account, that account cannot be deleted until its associated reports have first been deleted.
At the bottom of the table, click Delete.
The selected account is removed from the table.

4.1.2 Notification Page Options

The Configuration > Accounts > Notification Page Options page allows you to modify the appearance of the notification pages that the Web Appliance shows to users when they try to access:
virus-infected files
malware
blocked sites
sites or applications that violate policy
sites which will use or exceed their quota time
restricted sites
large, downloadable files that take a long time to scan
unapproved secure sites
The Global options panel allows you to set options that apply to every notification page. The Notification page text panel allows you to edit the text of specific notification pages.
Related concepts
About Authentication on page 132
4.1.2.1 Setting Global Notification Options
The Global options panel allows you to set options that apply to every notification page.
1. On the Global options panel, select the check box to the left of any of the options that you want enabled.
2. If you want to display your own graphic on the notification pages, select the Display logo on notification pages option. Select the graphic file on your local (browsing) system by clicking Browse to find the graphic on your local system, and then copy it to the appliance by clicking Upload. If you do not upload your own graphic, the default Sophos logo will be used.
Note: It is suggested that you use .jpeg files because the appliance assigns the graphic a default name of image.jpg. Using .gif or .png files may work because your users’ browsers will likely detect the proper file type, but this might not work with all browsers. The logo graphic must be no larger than 512 Kb.
3. Click Apply.
4.1.2.2 Modifying Notification Page Text
1. On the Notification page text panel, from the Page drop-down list, select the notification page that you want to modify.
2. From the Choose language drop-down list, select the language in which you want the notification page to be displayed.
Note: For your users to view non-English notification pages properly, their browsers must be configured to use UTF-8 character encoding. Also, for you to view previews of non-English notification pages, you must have your browser configured to use UTF-8 character encoding.
3. Optionally, in the Page title text box, type the page title that is displayed on the notification page and in the browser title bar.
4. Optionally, in the Text explanation text box, type the explanation that is displayed in the body of the notification page.
5. Optionally, click Preview to see how the notification page will look.
If you decide to change your selected options, you must clear the currently selected options first by clicking Cancel.
6. Repeat steps 1 through 5 for each of the notification pages that you want to modify.
7. Click Apply.
4.1.2.3 Advanced Notification Page Options
Use the Advanced tab to download, edit, and upload notification page templates that allow you to extensively customize the notification pages displayed to your users. There are three different notification page templates:
Block page template: This template is used by all policy-related notification pages displayed to users when they try to access:
virus-infected files
malware
blocked sites
sites or applications that violate policy
sites which will use or exceed their quota time
restricted sites
or when they try to access unapproved secure sites
Patience page template: This template is used by the page displayed when users request a large file download.
Error page template: This template is used by the server error pages that display HTTP error messages. For example, the 404 File not Found or the 500 Internal Server Error.
To upload a modified notification page template to the appliance:
a) Click Browse in the Templates section of the Advanced tab.
The File Upload dialog box is displayed.
b) Navigate to the directory in which you saved the modifications to the uploaded template files, select one of the modified notification template files, and click Open.
The file is uploaded to the appliance.
c) Click Apply.
To download a modified notification page template from the appliance:
a) Click Using custom template beside the modified template that you want to download and save the file using your browser's save file capabilities.
The selected template is saved to the hard disk on your local system.
b) Edit and save the template using a text editor.
c) Click Apply.
To revert to using the default notification pages:
a) Select the check box to the right of the template that you no longer want to use.
b) Click Delete in the Templates section of the Advanced tab.
The selected notification page template is deleted from the appliance and the appliance reverts to using the relevant default notification pages.
c) Click Apply.
To upload an image for use in a template:
a) Click Browse in the Images section of the Advanced tab.
The File Upload dialog box is displayed.
b) Navigate to the directory in which you saved the modifications to the uploaded template files, select one of the modified notification template files, and click Open.
The file is uploaded to the appliance.
c) Click Apply.
To delete an uploaded image:
a) Select the check box to the right of the graphic that you want to delete.
b) Click Delete in the Images section of the Advanced tab.
The selected image is deleted from the appliance.
c) Click Apply.
4.1.2.3.1 Block Page Template
The block page template allows you to modify the appearance of the various notification pages that the Web Appliance displays to users when they try to access:
virus-infected files
malware
blocked sites
sites or applications that violate policy
sites which will use or exceed their quota time
restricted sites
unapproved secure sites
This template affects neither the appearance of the patience page (the page displayed when users request a large file download), nor the server error pages (HTTP error messages), for example, 404 File not Found or 500 Internal Server Error.
This template has very few required elements, and it provides a set of optional page element keys. Apart from HTML requirements and the page element keys that are required for the appliance's administrative web interface, you are free to use or remove any of the optional page element keys provided by the template and to modify the template as much as you like.
Right-click this link and select Save Link As or Save Target As to download the Block Page Template.
Important: If you plan to use a custom template, it is strongly recommended that you download the Sophos template, available from the preceding link, rather than using a template from another source. Sophos cannot be held responsible for any malicious or problematic code included in other templates or introduced in added code. Realize that such malicious or problematic code could be distributed to many of your users if included in a custom template and, therefore, exercise caution.
Required Elements
The following elements are required:
DOCTYPE Declaration: The provided HTML DOCTYPE declaration of XHTML 1.0, Strict, is required. You should not change this.
<div id="main" class="[full|mini]"> ... </div>: This <div> tag can be used with the class attribute set to full. It will be automatically set to mini when the page is shown in an iframe. By default, the full option displays any graphics within these tags and contains no iframe layout settings. By default, the mini option hides any graphics within this tag and includes iframe layout settings, making this section full page width. The CSS settings controlling these options can, however, be modified.
This tag must wrap the visible content of the notification page, with the exception that banner or background images may be placed before this <div> tag.
%%sophos_blockpage_content%%: This page element key must appear within the <div id="main" class="[full|mini]"> ... </div> tags. This content includes text entered in the Text explanation text box.
%%sophos_warn_proceed_content%%: This page element key must appear within the <div id="main" class="[full|mini]"> ... </div> tags if you wish to use the Warn option in any of the policy pages.
%%sophos_feedback_content%%: This page element key must appear within the <div id="main" class="[full|mini]"> ... </div> tags if you wish to enable the Allow user feedback option in any of the policy pages.
%%sophos_quota_proceed_content%%: This page element key must appear within the <div id="main" class="[full|mini]"> ... </div> tags if you wish to use the Quota time option in any of the policy pages.
Note: Server-side scripting is not supported within this block page template.
Optional Elements
The following page element keys are available:
Client-side scripting: You may add client-side scripting, such as JavaScript.
%%title%%: It is suggested that you use this in the <head> section of the template. It provides the appropriate <title> for the block pages. This page element key can also be used within the <div id="main" class="[full|mini]"> ... </div> tags of the template. In this location, it provides the appropriate in-page heading for the block pages. As this key is replaced with plain text, you may choose to wrap it in a div or heading tag; for example:
<h1>%%title%%</h1>
This content is drawn from text entered in the Page title text box.
%%server_address%%: This page element key provides the fully qualified domain name (FQDN) of the Web Appliance. It is an essential initial part of the URL for any of the Sophos-supplied graphics, but the use of these is optional. If you continue to use any of these graphics, you must retain this page element key, as well as the rest of the URL for the graphic, /resources/images/[filename.ext]. For example:
%%server_address%%/resources/images/SophosImageFile.jpg
%%image_asset%%: This page element key is used as the base URL for any graphic that you have uploaded in the Images section of the Advanced tab in the Configuration > Accounts > Notification Page Options page. You must complete this URL by adding a slash (/) and the full filename of the uploaded graphic, for example:
%%image_asset%%/MyImageFile.jpg
%%user_name%%: This page element key provides the name of the user who has made the request for the blocked page, as provided by Active Directory. If Active Directory is not available, the IP address from which the request was made will be displayed instead.
%%user_ip%%: This page element key provides the IP address from which the request for the blocked page has been made.
%%user_workstation%%: This page element key provides the hostname from which the request for the blocked page has been made. If this cannot be determined, the IP address will be displayed instead.
%%sophos_block_text%%: This page element key provides the reason that a requested page has been blocked.
%%logo%%: This page element key calls the logo set in the Global Options tab of the Configuration > Accounts > Notification Page Options page. This page element key is replaced with a string for the logo image like <img src=path_to_logo/logo_filename />. Note that the Display logo on notification pages option must be enabled on the Global Options tab for this page element key to work.
%%alert_icon_class%%: This page element key may be used as the value for the class attribute of the div to specify the display of an alert icon.
4.1.2.3.2 Patience Page Template
The patience page template allows you to modify the appearance of the patience page (the page displayed when users request a large file download).
This template affects neither the appearance of the server error pages (HTTP error messages), for example, 404 File not Found or 500 Internal Server Error, nor the various notification pages that the Web Appliance displays to users when they try to access:
virus-infected files
malware
blocked sites
sites or applications that violate policy
restricted sites
unapproved secure sites
This template has very few required elements, and it provides a set of optional page element keys. Apart from HTML requirements and the page element keys that are required for the appliance's administrative web interface, you are free to use or remove any of the optional page element keys provided by the template and to modify the template as much as you like.
Right-click this link and select Save Link As or Save Target As to download the Patience Page Template.
Important: If you plan to use a custom template, it is strongly recommended that you download the Sophos template, available from the preceding link, rather than using a template from another source. It is required that the patience page use CSS that includes all of the elements from the sample patience template CSS for the page to be rendered properly. Sophos cannot be held responsible for any malicious or problematic code included in other templates or introduced in added code. Realize that such malicious or problematic code could be distributed to many of your users if included in a custom template and, therefore, exercise caution.
Required Elements
The following elements are required:
DOCTYPE Declaration: The provided HTML DOCTYPE declaration of XHTML 1.0, Strict, is required. You should not change this.
<div class="alertTitle" id="heading">: It is required that you have a div with id=heading. It is recommended that you set its initial value as %%title%%, for example:
<div class="alertTitle" id="heading"> %%title%% </div>
The contents of the id=heading div will change as the patience page downloads and scans the file. It will also change appropriately if a virus/error is found.
%%sophos_patience_content%%: This page element key must appear somewhere in the template. This content includes text entered in the Text explanation text box.
Note: Server-side scripting is not supported within this patience page template.
Note: There must not be a closing </body> or </html> tag in the patience template.
Optional Elements
The following page element keys are available, or can be used, depending upon your preference:
Client-side scripting: You may add client-side scripting, such as JavaScript.
%%title%%: It is suggested that you use this in the <head> section of the template. It provides the appropriate <title> for the patience page. This page element key can also be used within the <div id="main" class="[full|mini]"> ... </div> tags of the template. In this location, it provides the appropriate in-page heading for the patience page. As this key is replaced with plain text, you may choose to wrap it in a div or heading tag; for example:
<h1>%%title%%</h1>
This content is drawn from text entered in the Page title text box.
%%server_address%%: This page element key provides the fully qualified domain name (FQDN) of the Web Appliance. It is an essential initial part of the URL for any of the Sophos-supplied graphics, but the use of these is optional. If you continue to use any of these graphics, you must retain this page element key, as well as the rest of the URL for the graphic, /resources/images/[filename.ext]. For example:
%%server_address%%/resources/images/SophosImageFile.jpg
%%image_asset%%: This page element key is used as the base URL for any graphic that you have uploaded in the Images section of the Advanced tab in the Configuration > Accounts > Notification Page Options page. You must complete this URL by adding a slash (/) and the full filename of the uploaded graphic, for example:
%%image_asset%%/MyImageFile.jpg
%%logo%%: This page element key calls the logo set in the Global Options tab of the Configuration > Accounts > Notification Page Options page. Note that the Display logo on notification pages option must be enabled on the Global Options tab for this page element key to work.
4.1.2.3.3 Error Page Template
The error page template allows you to modify the appearance of the server error pages (HTTP error messages), for example, 404 File not Found or 500 Internal Server Error.
This template affects neither the appearance of the patience page (the page displayed when users request a large file download), nor the various notification pages that the Web Appliance displays to users when they try to access:
virus-infected files
malware
blocked sites
sites or applications that violate policy
restricted sites
unapproved secure sites
This template has very few required elements, and it provides a set of optional page element keys. Apart from HTML requirements and the page element keys that are required for the appliance's administrative web interface, you are free to use or remove any of the optional page element keys provided by the template and to modify the template as much as you like.
Right-click this link and select Save Link As or Save Target As to download the Error Page Template.
Important: If you plan to use a custom template, it is strongly recommended that you download the Sophos template, available from the preceding link, rather than using a template from another source. Sophos cannot be held responsible for any malicious or problematic code included in other templates or introduced in added code. Realize that such malicious or problematic code could be distributed to many of your users if included in a custom template and, therefore, exercise caution.
Required Elements
The following elements are required:
DOCTYPE Declaration: The provided HTML DOCTYPE declaration of XHTML 1.0, Strict, is required. You should not change this.
<div id="main" class="[full|mini]"> ... </div>: This <div> tag can be used with the class attribute set to full. It will be automatically set to mini when the page is shown in an iframe. By default, the full option displays any graphics within these tags and contains no iframe layout settings. By default, the mini option hides any graphics within this tag and includes iframe layout settings, making this section full page width. The CSS settings controlling these options can, however, be modified.
This tag must wrap the visible content of the notification page, with the exception that banner or background images may be placed before this <div> tag.
%%sophos_error_content%%: This page element key must appear after the <div id="main" class="[full|mini]"> ... </div> tags and immediately before the closing </body> tag. This content includes text entered in the Text explanation text box.
Note: Server-side scripting is not supported within this error page template.
Optional Elements
The following page element keys are available, or can be used, depending upon your preference:
Client-side scripting: You may add client-side scripting, such as JavaScript.
%%title%%: It is suggested that you use this in the <head> section of the template. It provides the appropriate <title> for the error pages. This page element key can also be used within the <div id="main" class="[full|mini]"> ... </div> tags of the template. In this location, it provides the appropriate in-page heading for the error pages. As this key is replaced with plain text, you may choose to wrap it in a div or heading tag; for example:
<h1>%%title%%</h1>
This content is drawn from text entered in the Page title text box.
%%server_address%%: This page element key provides the fully qualified domain name (FQDN) of the Web Appliance. It is an essential initial part of the URL for any of the Sophos-supplied graphics, but the use of these is optional. If you continue to use any of these graphics, you must retain this page element key, as well as the rest of the URL for the graphic, /resources/images/[filename.ext]. For example:
%%server_address%%/resources/images/SophosImageFile.jpg
%%image_asset%%: This page element key is used as the base URL for any graphic that you have uploaded in the Images section of the Advanced tab in the Configuration > Accounts > Notification Page Options page. You must complete this URL by adding a slash (/) and the full filename of the uploaded graphic, for example:
%%image_asset%%/MyImageFile.jpg
%%logo%%: This page element key calls the logo set in the Global Options tab of the Configuration > Accounts > Notification Page Options page. Note that the Display logo on notification pages option must be enabled on the Global Options tab for this page element key to work.
%%heading%%: This page element key may be used within the <div id="main" class="[full|mini]"> ... </div> tags of the template. It displays the appropriate server error. As this key is replaced with plain text, you may choose to wrap it in a div or heading tag; for example:
<h1>%%heading%%</h1>
%%error_text%%: This page element key may be used within the <div id="main" class="[full|mini]"> ... </div> tags of the template. It gets replaced with a string in the form <p id=error_text>the error text is here</p> that displays the explanatory text for the appropriate server error provided by Sophos, and it appends any additional text sent by the server that originates the error.
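The required-element rules in the three template sections above (block, patience, error), and the Important notes about code introduced from other sources, can be checked before a template is uploaded. The following Python linter is an added example, not Sophos code: the function name, finding codes and sample template are constructed for illustration, and flagging every absolute http(s) URL in a src or href attribute for review is an assumption about what an administrator would want to inspect.

```python
import re
from html.parser import HTMLParser

KEY_RE = re.compile(r"%%([A-Za-z0-9_]+)%%")
COMMON = {"title", "server_address", "image_asset", "logo"}
# Page element keys per template, transcribed from the manual text above.
OPTIONAL = {"patience": COMMON, "error": COMMON | {"heading", "error_text"},
            "block": COMMON | {"user_name", "user_ip", "user_workstation",
                               "sophos_block_text", "alert_icon_class"}}
REQUIRED = {"block": "sophos_blockpage_content", "error": "sophos_error_content",
            "patience": "sophos_patience_content"}
# Block-page keys needed only when Warn, user feedback or Quota time is used.
FEATURE_KEYS = {"sophos_warn_proceed_content", "sophos_feedback_content",
                "sophos_quota_proceed_content"}
LOADING_TAGS = {"script", "link", "img", "iframe", "embed"}


class TemplateScan(HTMLParser):
    """Collect the DOCTYPE, div nesting, %%keys%% and remotely loaded URLs."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.doctype = ""
        self.div_stack = []      # one bool per open <div>: is it id="main"?
        self.has_main = self.has_heading = False
        self.keys_all, self.keys_in_main = set(), set()
        self.closed = set()      # names of closing tags seen
        self.external = []       # (tag, url) pairs fetched from another host

    def note_keys(self, text):
        for key in KEY_RE.findall(text or ""):
            self.keys_all.add(key)
            if any(self.div_stack):
                self.keys_in_main.add(key)

    def handle_decl(self, decl):
        self.doctype = decl

    def handle_starttag(self, tag, attrs):
        if tag == "div":
            div_id = dict(attrs).get("id")
            self.has_main |= div_id == "main"
            self.has_heading |= div_id == "heading"
            self.div_stack.append(div_id == "main")
        for name, value in attrs:
            self.note_keys(value)
            if (tag in LOADING_TAGS and name in ("src", "href")
                    and re.match(r"\s*(https?:)?//", value or "", re.I)):
                self.external.append((tag, value))

    def handle_endtag(self, tag):
        if tag == "div" and self.div_stack:
            self.div_stack.pop()
        self.closed.add(tag)

    def handle_data(self, data):
        self.note_keys(data)


def lint_template(kind, text):
    """Return [(severity, code, detail)] for a block, patience or error template."""
    scan = TemplateScan()
    scan.feed(text)
    scan.close()
    found, req = [], REQUIRED[kind]
    allowed = OPTIONAL[kind] | {req}
    if "XHTML 1.0 Strict" not in scan.doctype:
        found.append(("error", "doctype", "XHTML 1.0 Strict is required"))
    if kind != "patience" and not scan.has_main:
        found.append(("error", "no-main-div", '<div id="main">'))
    if kind == "block":
        allowed |= FEATURE_KEYS
        if req not in scan.keys_in_main:
            found.append(("error", "required-key-not-in-main", req))
        for key in sorted(FEATURE_KEYS - scan.keys_in_main):
            # Absent is only informational: the matching policy option will not work.
            sev = "error" if key in scan.keys_all else "info"
            found.append((sev, "feature-key-not-in-main", key))
    elif kind == "patience":
        if not scan.has_heading:
            found.append(("error", "no-heading-div", 'id="heading"'))
        if req not in scan.keys_all:
            found.append(("error", "required-key-missing", req))
        for tag in sorted(scan.closed & {"body", "html"}):
            found.append(("error", "closing-tag-forbidden", tag))
    else:  # error template: key goes after the main div, right before </body>
        tail = re.search(r"%%sophos_error_content%%\s*</body\s*>", text, re.I)
        if req in scan.keys_in_main or not tail:
            found.append(("error", "error-content-misplaced", req))
    found += [("warn", "unknown-key", k) for k in sorted(scan.keys_all - allowed)]
    found += [("warn", "external-resource", f"<{t}> {u}") for t, u in scan.external]
    return found


# Constructed sample: a block template obtained from another source.
BAD_BLOCK = """<!DOCTYPE html>
<html><body><script src="https://cdn.example.invalid/t.js"></script>
<div id="main" class="full"><h1>%%title%%</h1>%%user_email%%</div>
%%sophos_blockpage_content%%</body></html>"""
```

Calling lint_template("block", BAD_BLOCK) reports the wrong DOCTYPE, the required key placed outside the main div, the three absent feature keys, the unknown %%user_email%% key and the remotely loaded script.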

4.2 Group Policy

Note: In this section, only the Policy Test page is available on a joined Web Appliance, as the functionality of the other pages has been shifted to the Management Appliance.
Use the Group Policy pages to configure how the Web Appliance policies are applied to specified user groups or are applied at specified times.
Use the Default Policy page to configure how URL requests to sites categorized by content type and download types are handled by the Web Appliance, and to manage access to popular Web Applications.
Use the Default Groups page to select the groups of users to which the default policy rules set on the Default Policy page are applied.
Use the Special Hours page to configure a second set of rules about how URL requests to sites classified by content type and download types are handled by the Web Appliance that can be used during scheduled time periods.
Use the Additional Policies page to create additional policies that can override the Default policy and the Special hours policy.
Use the Local Site List page to view all of the URLs that have been added to the list and to manage that list. URLs are added to the list to extend the filtering provided by the Web Appliance to URLs not included in the Sophos site list or to override the default filtering specified in the Sophos site list.
Use the Policy Test page to test the policy applied to a specified site with a specified user and, optionally, at a specified time.
Related concepts
Policy on page 48

4.2.1 Default Policy

Use the Configuration > Default Policy pages to configure the default policies that are applied to all users and groups, and to manage access to popular Web Applications. Select either the Categories & Download Types or Web Applications tab to configure the related default policies.
Related tasks
Controlling Web Applications on page 93
4.2.1.1 Categories & Download Types
The Configuration > Group Policy > Default Policy > Categories & Download Types page allows you to configure how URL requests to sites categorized by content type and files categorized by download type are handled by the Web Appliance.
1. Set the behavior that you want the Web Appliance to apply to each category listed in the Site categories section:
Allow: Lets users view sites of this classification.
Warn: Presents a warning to users that they are at risk of violating their organization's web use policy, but allows them to proceed. Once a user has chosen to proceed, no warning page for that site will be displayed to that user for 30 minutes. If the site is in the Streaming Media category, proceeding will enable all streaming media for 30 minutes.
Block: Prevents users from viewing sites of this classification.
Important: Blocking Advertisements and Pop-ups also blocks content that appears behind interstitial pages, pages of advertising that appear prior to the loading of a requested content URL. In blocking these pages, the content that is behind them is also blocked.
2. Allow user feedback from the notification pages by selecting this check box or remove this option by clearing it.
This option applies to only low risk sites and to medium risk sites if they have been configured to be scanned.
Note: If this option is enabled, users' requests from notification pages for site recategorizations or to allow downloading of file types or PUAs can be viewed in the Search > User Submissions pages.
3. Select the download type controls that you want to apply.
Note: Download-type controls for Windows system files, Windows scripts, and Windows HTML App files are not supported in Endpoint Web Control.
Allow: Lets users download files of this type.
Warn: Presents a warning to users that they are at risk of violating their organization's download policy, but allows them to proceed. A log entry is created when a user proceeds in possible contravention of the organization's web use policy.
Block: Prevents users from downloading files of this type.
Note: The display of Web Appliance warning pages disrupts the playback of streaming media players, such as Windows Media Player, RealPlayer, and the QuickTime player. If you want to allow your users to play streaming media using any of these players, ensure that the Warn option is not selected.
Important: To enable access to QuickTime video with a warning displayed to users, set the Site category, "Streaming Media", with Warn enabled. Then set the Download type of "QuickTime Video (mov)" to Allow with Warn cleared. When users request a streaming QuickTime video URL, a warning page will be displayed, and when they click Proceed, the media stream will begin.
4. Select the Sandstorm profile that you want to apply.
Send any suspicious files for analysis: all suspicious downloaded items will be sent for analysis in the Sophos Active Sandbox component of Sophos Sandstorm.
Exclude suspicious PDFs and documents: send all suspicious downloads for analysis in the Sophos Active Sandbox, except PDFs and other documents.
Do not send suspicious files for analysis: do not send any downloaded items for analysis, even if they are suspicious.
Note: The Sandstorm option is not available if you do not have a Sophos Sandstorm license.
5. Block PUA Downloads from being downloaded by users by selecting this check box, or allow PUA downloads by clearing it.
Note: Specific PUAs can be allowed with this feature enabled by setting the exception on the Configuration > Global Policy > Download Options page.
6. Click Apply.
Related tasks
Web Applications on page 83
Additional Policies on page 89
4.2.1.1.1 Site Categories
The pages in this section describe the SophosLabs site categories.
4.2.1.1.1.1 Adult Sexually Explicit
This category includes sites for adult products including sex toys, CD-ROMs, and videos; child pornography and pedophilia (including the IWF list); adult services including video-conferencing, escort services, and strip clubs; erotic stories and textual descriptions of sexual acts; explicit cartoons and animation; online groups, including newsgroups and forums that are sexually explicit in nature; sexually-oriented or erotic sites with full or partial nudity; depictions or images of sexual acts, including with animals or inanimate objects used in a sexual manner; sexually exploitive or sexually violent text or graphics; bondage, fetishes, genital piercing; naturist sites that feature nudity; and erotic or fetish photography, which depicts nudity.
Note: We do not include sites regarding sexual health, breast cancer, or sexually transmitted diseases (except those with graphic examples).
4.2.1.1.1.2 Advertisements and Pop-ups
This category includes sites of banner ad servers, sites with pop-up advertisements, and sites with known adware.
Important: Blocking Advertisements and Pop-ups also blocks content that appears behind interstitial pages, pages of advertising that appear prior to the loading of a requested content URL. In blocking these pages, the content that is behind them is also blocked.
Note: Sophos's advanced categorization data uses the most current technical definition for Adware, and thus recognizes the difference between non-malicious adware, such as "cookies" and more serious Spyware.
4.2.1.1.1.3 Alcohol and Tobacco
This category includes sites that promote or distribute alcohol or tobacco products for free or for a charge.
4.2.1.1.1.4 Arts
This category includes sites for museums, galleries, artist sites (sculpture, photography, etc.), performing arts (theater, vaudeville, opera, symphonies, etc.), dance companies, studios, and training; book reviews and promotions; and variety magazines and poetry.
4.2.1.1.1.5 Blogs and Forums
This category includes sites of weblogs (blogs), newsgroups, and opinion or discussion forums.
4.2.1.1.1.6 Business
This category includes general business corporate web sites, international and multi-national large general business corporate sites, business associations, and basic business sites, such as FedEx, that enable organizations to manage their necessary daily business tasks.
Note: Business sites that fit more appropriately into another related category, such as Finance or Travel, will be categorized in those categories.
4.2.1.1.1.7 Chat
This category includes sites of web-based chat and instant message servers.
Note: This category filters HTTP traffic only.
4.2.1.1.1.8 Computing and Internet
This category includes sites of reviews, information, buyers' guides of computers, computer parts and accessories, computer software and internet companies, industry news and magazines, and pay-to-surf sites.
4.2.1.1.1.9 Criminal Activity
This category includes sites for advocating, instructing, or giving advice on performing illegal acts; tips on evading law enforcement; and lock-picking and burglary techniques.
4.2.1.1.1.10 Custom
This category is available for you to define a custom policy for whichever sites you assign to it. For example, you could set sites that you want to be always approved by adding them to your local classifications list, and setting their Risk class to Trusted and their Site category to Custom.
4.2.1.1.1.11 Downloads
This category includes sites for downloadable (non-streaming) movie, video or sound clips; downloadable PDA software, including themes and graphics; freeware and shareware sites; personal storage or backup sites; and clip art, fonts and animated .gif pages.
Note: This category does not include update sites such as those for operating systems, anti-virus agents, or other business-critical programs.
4.2.1.1.1.12 Education
This category includes sites for educational institutions, including pre-schools, elementary, secondary, and high schools and universities; educational sites at the pre-school, elementary, secondary, and high school and university levels; distance education and trade schools, including online courses; and online teacher resources (lesson plans, etc.).
4.2.1.1.1.13 Entertainment
This category includes sites about television, movies, music and video programming guides; online magazines and reviews of the entertainment industry; celebrity fan sites; broadcasting firms and technologies (satellite, cable, etc.); horoscopes; jokes, comics, comic books, comedians, or any site designed to be funny or satirical; online greeting cards; and amusement and theme park sites.
4.2.1.1.1.14 Fashion and Beauty
This category includes sites of fashion or glamor magazines, online beauty products, and cosmetics.
4.2.1.1.1.15 Finance and Investment
This category includes sites for stock quotes, stock tickers, and fund rates; online stock or equity trading; online banking and bill-pay services; investing advice or contacts for trading securities; money management or investment services or firms; general finances and companies that advise about finances; and accountancy, actuaries, banks, mortgages, and general insurance companies.
4.2.1.1.1.16 Food and Dining
This category includes sites for recipes, cooking instruction and tips, food products, and wine advisors; restaurants, cafes, eateries, pubs, and bars; and food and drink magazines and reviews.
4.2.1.1.1.17 Gambling
This category includes sites of online gambling or lottery web sites that invite the use of real or virtual money; information or advice for placing wagers, participating in lotteries, gambling, or running numbers; virtual casinos and offshore gambling ventures; sports picks and betting pools; and virtual sports and fantasy leagues that offer large rewards or request significant wagers.
Note: Casino, hotel, and resort sites that do not feature online gambling or provide gaming tips are categorized under Travel.
4.2.1.1.1.18 Games
This category includes sites for game playing or downloading, game hosting or contest hosting, tips and advice on games or obtaining cheat codes ("cheatz"), and journals and magazines dedicated to online game playing.
4.2.1.1.1.19 Government
This category includes sites for local, state, federal and international government sites, and government services, such as taxation, armed forces, customs bureaus, and emergency services.
4.2.1.1.1.20 Hacking
This category includes sites for the promotion, instruction, or advice on the questionable or illegal use of equipment and software for purpose of hacking passwords, creating viruses, gaining access to other computers and computerized communication systems; sites that provide instruction or work-arounds for filtering software; cracked software and information sites; warez; pirated software and multimedia download sites; and computer crime sites.
4.2.1.1.1.21 Health and Medicine
This category includes sites for prescription medicines; medical information and reference about ailments, conditions, and drugs; general health, such as fitness and well-being; medical procedures, including elective and cosmetic surgery; dentistry, optometry, and other medical-related sites; general psychiatry and mental well-being sites; psychology, self-help books, and organizations; promoting self-healing of physical and mental abuses, ailments, and addictions; alternative and complementary therapies, including yoga, chiropractic, and cranio-sacral; and hospital and medical insurance sites.
4.2.1.1.1.22 Hobbies and Recreation
This category includes sites for recreational pastimes, such as collecting, gardening, and kit airplanes; outdoor recreational activities, such as hiking, camping, and rock climbing; tips or trends focused on a specific art, craft, or technique; online publications on a specific pastime or recreational activity; online clubs, associations, or forums dedicated to a hobby; traditional games, such as board games and card games, and their enthusiasts; and animal and pet related sites, including breed-specific sites, training, shows, and humane societies sites.
4.2.1.1.1.23 Hosting Sites
This category includes web sites that host business and individuals’ web pages, for example GeoCities, earthlink.net, and AOL.
4.2.1.1.1.24 Illegal Drugs
This category includes sites for recipes, instructions or kits for manufacturing or growing illicit substances for purposes other than industrial usage; glamorizing, encouraging, or instructing on the use of or masking the use of alcohol, tobacco, illegal drugs, or other substances that are illegal to minors; information on "legal highs", including glue sniffing, misuse of prescription drugs, or abuse of other legal substances; distributing illegal drugs free or for a charge; and displaying, selling, or detailing the use of drug paraphernalia.
4.2.1.1.1.25 Infrastructure
This category includes sites for content delivery networks, XML reference schemas, web analytics and statistics services, transaction servers, and corporate image servers.
Note: Sophos recommends that this category of its enhanced categorization data be used for monitoring and reporting purposes only.
4.2.1.1.1.26 Intimate Apparel and Swimwear
This category includes sites for lingerie, negligee, and other intimate apparel modeling; swimwear modeling; models’ fan pages; modeling information and agencies; and fitness models and sports celebrities sites.
4.2.1.1.1.27 Intolerance and Hate
This category includes sites that advocate or incite degradation or attack of specified populations or institutions based on associations such as religion, race, nationality, gender, age, disability, or sexual orientation; sites that promote a political or social agenda that is supremacist in nature and exclusionary of others based on their race, religion, nationality, gender, age, disability, or sexual orientation; holocaust revisionist or denial sites and other revisionist sites that encourage hate; coercion or recruitment for membership in a gang [1] or cult [2]; militancy and extremist sites; and flagrantly insensitive or offensive material, including those with a lack of recognition or respect for opposing opinions and beliefs.
Note: We do not include news, historical, or press incidents that may include the above criteria (except in graphic examples).
[1] A gang is defined as: a group whose primary activities are the commission of felonious criminal acts, which has a common name or identifying sign or symbol, and whose members individually or collectively engage in criminal activity in the name of the group.
[2] A cult is defined as: a group whose followers have been deceptively and manipulatively recruited and retained through undue influence such that followers’ personalities and behavior are altered; a group in which leadership is all-powerful, ideology is totalistic, and the will of the individual is subordinate to the group; and a group that sets itself outside of society.
4.2.1.1.1.28 Job Search and Career Development
This category includes sites of employment agencies, contractors, job listings, career information, career searches, and career-networking groups.
4.2.1.1.1.29 Kids Sites
This category includes child-oriented sites and sites published by children.
4.2.1.1.1.30 Motor Vehicles
This category includes sites for car reviews, vehicle purchasing or sales tips, and parts catalogs; auto trading, photos, and discussion of vehicles including motorcycles, boats, cars, trucks, and RVs; journals and magazines on vehicle modification, repair, and customization; and online automotive enthusiast club sites.
4.2.1.1.1.31 News
This category includes online newspapers, headline news sites, news wire services, personalized news services, and weather sites.
4.2.1.1.1.32 Peer-to-Peer
This category includes peer-to-peer file sharing clients and peer-to-peer file sharing servers.
4.2.1.1.1.33 Personals and Dating
This category includes singles listings, matchmaking and dating services, advice for dating or relationships, and romance tips and suggestions sites.
4.2.1.1.1.34 Philanthropic and Professional Organizations
This category includes sites of philanthropic and charity organizations, environmental organizations, professional associations, labor unions, and social organizations.
4.2.1.1.1.35 Phishing and Fraud
This category includes sites involved in phishing and telephone scams, service theft advice sites, and plagiarism and cheating sites, including the sale of research papers.
4.2.1.1.1.36 Photo Searches
This category includes sites that provide resources for photography, image searches, online photo albums, digital photo exchanges, and image hosting.
4.2.1.1.1.37 Politics
This category includes sites for political parties; political debate, canvassing, election information, and results; and conspiracy theory and alternative government view sites that are not hate-based.
4.2.1.1.1.38 Proxies and Translators
This category includes sites for remote proxies or anonymous surfing, search engine caches that circumvent filtering, and web-based translation sites that circumvent filtering.
4.2.1.1.1.39 Real Estate
This category includes sites for home, apartment, and land listings; rental or relocation services; tips on buying or selling a home; real estate agents; and home improvement sites.
4.2.1.1.1.40 Reference
This category includes sites for personal, professional, or educational reference; online dictionaries, maps, and language translation sites; census, almanacs, and library catalogs; and topic-specific search engines.
4.2.1.1.1.41 Religion
This category includes sites of churches, synagogues, and other houses of worship; any faith or religious belief sites, including non-traditional religions such as Wicca and witchcraft.
4.2.1.1.1.42 Ringtones and Mobile Phone Downloads
This category includes sites of providers of mobile phone downloads, including ringtones, logos, backgrounds, screensavers, and games.
4.2.1.1.1.43 Search Engines
This category includes general search engines, such as Yahoo, AltaVista, and Google.
4.2.1.1.1.44 Sex Education
This category includes sites with pictures or text advocating the proper use of contraceptives; sites relating to discussion about the use of the pill, IUDs, and other types of contraceptives; and discussion sites on how to talk to your partner about diseases, pregnancy, and respecting boundaries.
Note: Not included in the category are commercial sites that sell sexual paraphernalia. These sites are typically found in the Adult category.
4.2.1.1.1.45 Shopping
This category includes sites for department stores, retail stores, company catalogs, and other sites that allow online consumer shopping, sites for online auctions, online downloadable product warehouses, specialty items for sale, and freebies or merchandise giveaways.
4.2.1.1.1.46 Society and Culture
This category includes sites on home life and family-related topics, including weddings, births and funerals; parenting tips and family planning; non-pornographic gay, lesbian, and bisexual issues; foreign cultures and socio-cultural information; and non-explicit tattoo and piercing parlors.
4.2.1.1.1.47 Spam URLs
This category includes URLs found in spam, particularly on these topics: computing, finance and stocks, entertainment, games, health and medicine, humor and novelties, personal and dating, products and services, shopping, and travel.
4.2.1.1.1.48 Sports
This category includes sites for team or conference web sites; national, international, college, professional scores and schedules; sports-related online magazines or newsletters; and fantasy sports and virtual sports leagues that are free or low-cost.
4.2.1.1.1.49 Spyware
This category includes sites that provide or promote information gathering or tracking that is unknown to, or done without the explicit consent of, the end user or the organization, including sites that carry malicious executables or viruses, third party monitoring, and other unsolicited commercial software, spyware, and malware "phone home" destinations.
Note: The technical definition of Spyware used for this category may not exactly match the definition used elsewhere by Sophos. This category focuses on filtering malicious and tracking content, not simply adware and cookies. For non-malicious adware filtering, please block the Advertisements and Pop-ups category.
4.2.1.1.1.50 Streaming Media
This category includes sites for streaming media files or events (any live or archived audio or video file), Internet TV and radio, non-explicit personal webcam sites, telephony sites that allow users to make calls via the internet, and VoIP services.
4.2.1.1.1.51 Tasteless and Offensive
This category includes sites that feature offensive or violent language, including through jokes, comics, or satire, and excessive use of profanity or obscene gesticulation.
4.2.1.1.1.52 Travel
This category includes sites of airlines and flight booking agencies, accommodation information, travel package listings, city guides and tourist information, and car rentals.
4.2.1.1.1.53 Uncategorized
This category includes all sites that have not been categorized. This means that these sites have not come to the attention of SophosLabs.
4.2.1.1.1.54 Violence
This category includes sites portraying, describing or advocating physical assault against humans, animals, or institutions; depicting torture, mutilation, gore, or horrific death; advocating, encouraging, or depicting self-endangerment, or suicide, including through eating disorders or addictions; instructions, recipes, or kits for making bombs or other harmful or destructive devices; sites promoting terrorism; and excessively violent sports or games, including videos and online games.
Note: We do not block news, historical, or press incidents that may include the above criteria, except those that include graphic examples.
4.2.1.1.1.55 Weapons
This category includes sites with online purchasing or ordering information, including lists of prices and dealer locations; any page or site predominantly containing, or providing links to, content related to the sale of guns, weapons, ammunition or poisonous substances; displaying or detailing the use of guns, weapons, ammunition or poisonous substances; and clubs which offer training on machine guns, automatics, other assault weapons, and sniper training.
Note: Weapons are defined as something (as a club, knife, or gun) used to injure, defeat, or destroy.
4.2.1.1.1.56 Web-Based Email
This category includes sites for web-based e-mail accounts and messaging sites.
4.2.1.2 Web Applications
The Configuration > Group Policy > Default Policy > Web Applications page allows you to configure the default policy for popular Web Applications, such as Facebook or LinkedIn. Settings configured on this page take precedence over policy configured for categories or tags.
Note: If you do not have HTTPS scanning enabled on the Configuration > Global Policy > HTTPS Scanning page, detection and control of web applications will not work for sites that use HTTPS.
1. Next to the related web application click the Action drop down menu.
2. Select a policy for an application by selecting an option from the related Action drop down menu:
Choose Allow to allow access to the web application.
Choose Block to block access to the web application.
Choose Follow Category to allow the site category to control access to the web application.
3. For web applications that are set to Allow you can also configure Enabled features:
a) Click on the row for an application.
b) Ensure that only the features you want enabled are selected.
For instance, if only Status Update is not selected under Enabled features for Facebook, only status updates will be disabled. Access to the rest of the site will be allowed.
4. Click Apply.
Related tasks
Categories & Download Types on page 75
Configuring Sandstorm on page 103

4.2.2 Default Groups

The Configuration > Group Policy > Default Groups page allows you to set the user groups to which the default policy is applied. If Active Directory or eDirectory access has been properly configured, the Available groups list is populated with your organization’s Active Directory or eDirectory groups.
If your appliance is configured to access a single-domain Active Directory server, Active Directory group names are displayed in the form "groupname"; if the appliance is configured to access the global catalog of a multidomain Active Directory forest, Active Directory group names are displayed in the form "domain\groupname". If the appliance is configured to integrate with eDirectory, then group names are displayed in eDirectory format (group.context).
Alternatively and additionally, you can create, edit, and delete custom groups. Once the Available groups list is populated to meet your requirements, you can select which groups are denied or allowed access to the internet, depending upon which policy association option you have selected.
4.2.2.1 Creating a Custom User Group
1. In the Available Groups list, click Create.
The Group Editor dialog box is displayed.
Note: The groups that are added in this window are also added to the Reports > Options > Reporting Groups page.
2. In the top text box, enter a name for the group.
3. Use at least one of the following methods to select the members of the new custom group:
a) Click the Groups tab, highlight the groups that you want to include in your custom group, and click the double-right arrow (>>) to move the selected groups into the Selected Entries list.
b) Click the Users tab, highlight the users that you want to include in your custom group, and click the double-right arrow (>>) to move the selected users into the Selected Entries list.
c) Optionally, to remove a group or user from the Selected Entries list, highlight the item(s) that you want to remove from the custom group, and click the double-left arrow (<<).
d) To add manual entries that are not listed in the Groups or Users lists, do the following:
1. In the text box in the Manual Entries section, enter a username, IP address, or an IP address range, and click Add.
Usernames must be in the form DOMAIN\username for Active Directory and user.context for eDirectory. IP address ranges must be in CIDR format.
Important: The Web Appliance will interpret any dotted quad followed by a slash and a number less than 33 as a CIDR range. This creates the possibility that a URL entered as an IP address followed by a numbered directory from 0 to 32 would be improperly treated as a CIDR range. To avoid this possibility, always enter URLs to numbered directories using fully qualified domain names rather than IP addresses.
After clicking Add, the entry is displayed in the Manual Entries list.
2. Optionally, to delete an item from the list, select the check box to the right of the entry that you want to delete, and click Delete.
The selected item is removed from the Entries list.
4. Once you have the list of group members that you want in the Selected Entries and Manual Entries lists, click Save.
The Group Editor dialog box closes and you are returned to the Configuration > Group Policy > Default Groups page with the newly created custom group shown in the Available Groups list.
5. Click Apply.
4.2.2.2 Editing a Custom User Group
1. Click the name of the custom group that you want to edit.
Note: Custom groups, which can be edited, are indicated by a Sophos icon; Active Directory and eDirectory groups, which cannot be edited, are indicated by a directory icon.
The Group Editor dialog box is displayed with the selected list properties displayed.
Note: The group changes that you make in this window are also displayed on the Reports > Options > Reporting Groups page.
2. Optionally, in the top text box, enter a new name for the group.
3. Optionally, use any of the following methods to change the members for the selected custom group:
a) Click the Groups tab, highlight the groups that you want to add to your custom group, and click the double-right arrow (>>) to move the selected groups into the Selected Entries list.
b) Click the Users tab, highlight the users that you want to add to your custom group, and click the double-right arrow (>>) to move the selected users into the Selected Entries list.
c) To remove a group or user from the Selected Entries list, highlight the item(s) that you want to remove from the custom group, and click the double-left arrow (<<).
d) To add manual entries that are not listed in the Groups or Users lists, do the following:
1. In the text box in the Manual Entries section, enter a username, IP address, or an IP address range, and click Add.
Usernames must be in the form DOMAIN\username for Active Directory and user.context for eDirectory. IP address ranges must be in CIDR format.
Important: The Web Appliance will interpret any dotted quad followed by a slash and a number less than 33 as a CIDR range. This creates the possibility that a URL entered as an IP address followed by a numbered directory from 0 to 32 would be improperly treated as a CIDR range. To avoid this possibility, always enter URLs to numbered directories using fully qualified domain names rather than IP addresses.
After clicking Add, the entry is displayed in the Manual Entries list.
2. Optionally, to delete an item from the list, select the check box to the right of the entry that you want to delete, and click Delete.
The selected item is removed from the Manual Entries list.
4. Once you have modified the name, or the list of group members that you want in the Selected Entries and Manual Entries lists, click Save.
The Group Editor dialog box closes and you are returned to the Configuration > Group Policy > Default Groups page with the modified custom group listed in the Available groups list.
5. Click Apply.
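The Important notes in 4.2.2.1 and 4.2.2.2 state that any dotted quad followed by a slash and a number less than 33 is read as a CIDR range. The Python pre-check below is an added example, not part of the Sophos guide or the appliance; it classifies candidate Manual Entries by the formats listed above and flags entries whose slash suffix may not mean what was intended. The sample entries, names and the host-bits heuristic are assumptions made for illustration.

```python
import ipaddress
import re
from typing import NamedTuple

# Constructed sample entries (documentation address ranges, made-up names).
SAMPLE_ENTRIES = [
    "192.0.2.0/24",          # intended range
    "198.51.100.17/24",      # host address, or a URL to directory "24"?
    "203.0.113.5",           # single address
    "CORP\\jsmith",          # Active Directory form DOMAIN\username
    "jsmith.sales.example",  # eDirectory form user.context
    "192.0.2.9/40",          # number after the slash is not below 33
]


class Finding(NamedTuple):
    entry: str
    kind: str      # "cidr", "ip", "ad_user", "edir_user" or "unrecognized"
    covers: int    # IPv4 addresses the entry matches (0 for usernames)
    warning: str   # empty when nothing needs review


# Dotted quad, slash, number: the shape the manual's note is about.
QUAD_SLASH_NUM = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})/(\d+)$")
AD_USER = re.compile(r"^[^\\/\s]+\\[^\\/\s]+$")
EDIR_USER = re.compile(r"^[^.\\/\s]+(?:\.[^.\\/\s]+)+$")


def classify(entry):
    """Classify one Manual Entries candidate and attach a review warning."""
    text = entry.strip()
    m = QUAD_SLASH_NUM.match(text)
    if m:
        quad, number = m.group(1), int(m.group(2))
        try:
            host = ipaddress.IPv4Address(quad)
        except ipaddress.AddressValueError:
            return Finding(text, "unrecognized", 0, "not a valid dotted quad")
        if number >= 33:
            return Finding(text, "unrecognized", 0,
                           "number after the slash is 33 or more, so this "
                           "is not a CIDR range")
        net = ipaddress.ip_network(f"{quad}/{number}", strict=False)
        warning = ""
        # Heuristic (assumption): a range is normally written with its
        # network address, so set host bits suggest a host or URL was meant.
        if host != net.network_address:
            warning = (f"read as range {net} ({net.num_addresses} addresses); "
                       f"if a numbered directory on {quad} was meant, use the "
                       f"fully qualified domain name")
        return Finding(text, "cidr", net.num_addresses, warning)
    try:
        ipaddress.IPv4Address(text)
        return Finding(text, "ip", 1, "")
    except ipaddress.AddressValueError:
        pass
    if AD_USER.match(text):
        return Finding(text, "ad_user", 0, "")
    if EDIR_USER.match(text) and not re.fullmatch(r"[\d.]+", text):
        return Finding(text, "edir_user", 0, "")
    return Finding(text, "unrecognized", 0, "matches none of the entry formats")


def review(entries):
    """Return only the findings an administrator should look at again."""
    return [f for f in map(classify, entries) if f.warning]


if __name__ == "__main__":
    for finding in map(classify, SAMPLE_ENTRIES):
        print(f"{finding.entry:22} {finding.kind:13} {finding.warning}")
```
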
4.2.2.3 Deleting a Custom User Group
1. In the Available groups list, select the check box to the right of the custom group(s) that you want to delete.
The custom group that you want to delete must not be in the Selected Entries list.
Note: Custom groups, which can be deleted, are indicated by a Sophos icon; Active Directory and eDirectory groups, which cannot be deleted, are indicated by a directory icon.
Note: The groups that are deleted in this window are also removed from the Reports > Options > Reporting Groups page.
2. Click Delete. The selected custom group(s) is removed from the Available Groups list.
3. Click Apply.
4.2.2.4 Applying the Default Policy to Groups
1. Select the desired Default Policy association option button. You can choose between:
All users/groups except those selected below: This will block internet access for users in the selected groups and apply the default policy for internet access to all others.
Only the users/groups selected below: This will apply the default policy for internet access for users in the selected groups and block access to all others.
2. In the Available Groups list, select the groups that will be blocked (if you chose the first option in step 1) or that will have the default policy applied to their browsing (if you chose the second option in step 2).
You can Shift-click to select a range of groups, or Ctrl-click to select several groups individually.
3. Click the right arrow button, (>), to move the selected groups into the Selected groups list.
4. Click Apply.

4.2.3 Special Hours

The Configuration > Group Policy > Special Hours page allows you to set a second policy to override the rules of the default policy controlling how URL requests to sites (categorized by content type) and to files (categorized by download type) are handled. You then define the hours during which these rule overrides are used instead of the Default Policy page rules.
For example, if you want to apply a default policy that restricts users from accessing sites that reduce productivity during regular working hours, but you want to allow users to access those sites outside of regular working hours, you can configure the special hours policy to apply from the end of regular work hours to the beginning of regular work hours and during the lunch hour too.
Related tasks
Configuring Sandstorm on page 103
4.2.3.1 Setting a Special Hours Policy
1. Set the schedule during which the special hours policy will apply:
a) Set the main block of time during which the special hours policy will apply by selecting Daily from and setting the beginning and end times by using the adjacent time selector controls.
You can set the times by clicking beside either the hour, minute, or meridian (AM or PM) setting and scrolling with your mouse wheel until you get the time that you want.
b) Optionally, set a second block of time during which the special hours policy will apply by selecting And from and setting the beginning and end times by using the adjacent time selector controls.
You can set the times by clicking beside either the hour, minute, or meridian (AM or PM) setting and scrolling with your mouse wheel until you get the time that you want.
c) Optionally, select the check box And all day on weekends to apply the special hours policy settings 24 hours per day throughout the weekends as well, which overrides the time blocks set in the Daily from and And from time settings.
Note: You can also set which days of the week are treated as the weekend by clicking weekends and selecting only those days that you want treated as weekend days.
2. Set the policy rules for the Site categories and Download types, as well as for the Sandboxing Profile, Allow user feedback, and Block potentially unwanted applications options in the same way as you did on the Default Policy page:
a) Set the behavior that you want the Web Appliance to apply to each category listed in the Site categories section.
Allow: Lets users view sites of this classification.
Warn: Presents a warning to users that they are at risk of violating their organization’s web use policy, but allows them to proceed. Once a user has chosen to proceed, no warning page for that site will be displayed to that user for 30 minutes.
Block: Prevents users from viewing sites of this classification.
Important: Blocking Advertisements and Pop-ups also blocks content that appears behind interstitial pages, pages of advertising that appear prior to the loading of a requested content URL. In blocking these pages, the content that is behind them is also blocked.
b) Select the Sandstorm profile that you want to apply.
Send any suspicious files for analysis: all suspicious downloaded items will be sent for analysis in the Sophos Active Sandbox component of Sophos Sandstorm.
Exclude suspicious PDFs and documents: send all suspicious downloads for analysis in the Sophos Active Sandbox, except PDFs and other documents.
Do not send suspicious files for analysis: do not send any downloaded items for analysis, even if they are suspicious.
Note: The Sandstorm option is not available if you do not have a Sophos Sandstorm license.
c) Allow user feedback from the notification pages by selecting this check box or remove this option by clearing it.
Note: If this option is enabled, users’ requests from notification pages for site recategorizations or to allow downloading of restricted file types or PUAs can be viewed on the Search > User Submissions pages.
d) Select the controls that you want to apply to the Web Appliance’s handling of each of the file Download types.
Allow: Lets users download files of this type.
Warn: Presents a warning to users that they are at risk of violating their organization’s download policy, but allows them to proceed.
Block: Prevents users from downloading files of this type.
e) Block potentially unwanted applications from being downloaded by users by selecting this check box or allow PUA downloads by clearing it.
Note: Specific PUAs can be allowed with this feature enabled by setting the exception on the Configuration > Global Policy > Download Options page.
3. Click Apply.
Related tasks
Configuring Tags on page 94
Configuring Sandstorm on page 103
4.2.3.2 Disabling a Special Hours Policy
1. Ensure that the Daily from, And from, and And all day on weekends check boxes are all cleared.
2. Click Apply.
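The schedule controls described in 4.2.3.1 and 4.2.3.2, modelled in Python as an added example (not Sophos code) for checking which policy governed a logged request. It assumes that a block whose start is later than its end runs past midnight, that start times are inclusive and end times exclusive, and that Saturday and Sunday are the weekend days; the class, function and sample names are hypothetical.

```python
from datetime import datetime, time


def in_block(t, start, end):
    """True if time-of-day t falls in [start, end), wrapping past midnight."""
    if start <= end:
        return start <= t < end
    # Assumption: "5:00 PM to 9:00 AM" means evening through next morning.
    return t >= start or t < end


class SpecialHours:
    """The three schedule controls on the Special Hours page."""

    def __init__(self, daily_from=None, and_from=None,
                 all_day_on_weekends=False, weekend_days=(5, 6)):
        # Each block is a (start, end) pair of datetime.time, or None
        # when its check box is cleared.
        self.blocks = [b for b in (daily_from, and_from) if b is not None]
        self.all_day_on_weekends = all_day_on_weekends
        # datetime.weekday() numbering: Monday=0 ... Sunday=6.
        self.weekend_days = set(weekend_days)

    def enabled(self):
        """False when all three check boxes are cleared (4.2.3.2)."""
        return bool(self.blocks) or self.all_day_on_weekends

    def active_at(self, when):
        """True if the special hours policy applies at datetime `when`."""
        # The weekend option overrides the time blocks on weekend days.
        if self.all_day_on_weekends and when.weekday() in self.weekend_days:
            return True
        return any(in_block(when.time(), s, e) for s, e in self.blocks)


def governing_policy(schedule, timestamps):
    """Label each request timestamp with the policy that was in force."""
    return [(ts, "special hours" if schedule.active_at(ts) else "default")
            for ts in timestamps]


# The manual's example: outside regular work hours plus the lunch hour.
OFFICE_SCHEDULE = SpecialHours(
    daily_from=(time(17, 0), time(9, 0)),
    and_from=(time(12, 0), time(13, 0)),
    all_day_on_weekends=True,
)

# Constructed request timestamps (5 June 2017 was a Monday).
SAMPLE_REQUESTS = [
    datetime(2017, 6, 5, 10, 30),   # Monday mid-morning
    datetime(2017, 6, 5, 12, 15),   # Monday lunch hour
    datetime(2017, 6, 6, 8, 59),    # Tuesday, before work starts
    datetime(2017, 6, 3, 10, 30),   # Saturday mid-morning
]

if __name__ == "__main__":
    for ts, policy in governing_policy(OFFICE_SCHEDULE, SAMPLE_REQUESTS):
        print(ts.strftime("%a %Y-%m-%d %H:%M"), "->", policy)
```
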

4.2.4 Additional Policies

The Configuration > Group Policy > Additional Policies page allows you to set additional policies that can be used as exceptions to the Default Policy and the Special Hours policy and which are executed as part of the Web Appliance’s policy filtering process.
Additional policies are added or modified in the Additional Policy editor. The additional policies that have been added are arranged by execution priority, enabled or disabled, and deleted on the Additional Policies page.
Note: The Quarantined Machines policy is a default policy that cannot be deleted, turned off, or have its priority changed. This policy manages machines which have been blocked because they have been detected attempting to contact malware command and control services. This policy applies only to machines connecting from inside your network.
To add a policy:
a) Click Add.
The Additional Policy editor is displayed.
b) Configure the new special policy on the seven tabs of the Additional Policy editor:
Selecting Users on page 91: specify the groups or users to which the additional policy will apply.
Configuring Site Categories on page 91: set overrides to both the Default and Special Hours policy’s handling of site categories.
Configuring Download Types on page 93: set overrides to the Default and Special Hours policy’s handling of download types.
Controlling Web Applications on page 93: configure how the additional policy differs from the default policy for specific web applications.
Configuring Tags on page 94: set what actions will be applied to tags.
Additional Options on page 96: set additional options, including sandboxing, quota minutes, and whether to disable logging for the new additional policy.
Name and Schedule on page 96: set the name of the new additional policy, schedule when it will apply, set whether it is enabled, and if it will be deactivated at a predefined date and time.
Once created, the new policies appear in the Additional Policies list in the order they were created.
To edit an additional policy, click the name of the additional policy that you want to modify in the Policy Name column and make the required changes on the pages of the Additional Policy editor.
To set the order in which the special policies will be applied, click the up or down arrows in the Priority column beside the special policy for which you want to change the priority to move that policy up or down in the list, and click Save Order to save the priority order.
Optionally, click Reset Order to return to the last saved priority order.
To set the operational status for a policy, either click Turn On in the row of the policy that you want to enable, or click Turn Off in the row of the policy that you want to disable.
Note: A warning icon will appear in the Active column if the time period for the policy is set to Special Hours and the special hours policy has been deactivated. This only happens if the Special Hours policy is deactivated after an Additional Policy was created based on the previous Special Hours policy. You cannot define a policy based on Special Hours if Special Hours is not activated.
To remove a special policy, select the check box to the right of the additional policy that you want to remove, and click Delete.
Related concepts
Using Tags on page 95
About Authentication on page 132
Policy & Content: Advanced Threat Protection on page 166
Related tasks
Web Applications on page 83
Categories & Download Types on page 75
Configuring the Local Site List on page 97
Using the Local Site List Editor on page 99
4.2.4.1 Quota Time
Policies created under Configuration > Group Policy > Additional Policies can be configured using the quota time feature. Quota time allows you to create a policy that allows access to certain sites for a limited amount of time in a day. For instance, you may want to limit access to social media sites without blocking them completely. Using the quota time feature, you can create policies for different users and groups to limit access based on categories and tags to a specified amount of browsing time.
When creating a policy in the Additional Policy Wizard, you can choose Quota from the Action drop-down on both the Site Categories and Tags page, and then set the allowed minutes for that policy on the Name and Schedule page. All categories and tags set to Quota for an additional policy will count towards the allowed minutes for that quota, which can be configured on the Name and Schedule page of the Additional Policy Wizard.
Note: Sophos Endpoint Web Control cannot enforce quota time. If you use Endpoint Web Control you can configure an alternate action on the Configuration > System > Endpoint Web Control page. By default, Endpoint Web Control will warn a user when browsing to a site associated with a quota time policy.
Related tasks
Controlling Web Applications on page 93
Endpoint Web Control on page 144
4.2.4.2 Selecting Users
On the Select Users page of the Additional Policy wizard:
Set the users or groups to which you want the additional policy to apply:
In the Groups list, select the groups that you want, and click the right arrow button to move them to the Selected groups list.
This list will be populated with Active Directory or eDirectory groups (if Active Directory or eDirectory has been properly configured) as well as any custom groups added on the Default Groups or Reporting Groups pages.
On the Users tab, select the users that you want, and click the right arrow button to move them to the Selected Entries list.
This list will be populated with Active Directory or eDirectory users (if Active Directory or eDirectory integration has been properly configured).
In the text box in the Manual Entries section, enter a username, IP address, or an IP address range, and click Add.
Usernames must be in the form DOMAIN\username for Active Directory and user.context for eDirectory. IP address ranges must be in CIDR format, using full dotted quad notation (X.X.X.X/X).
The entry is displayed in the Manual Entries list.
To delete an entry from the Manual Entries list, select the check box beside the entry that you want to remove, and click Delete.
Note: If there are long lists of entries in the Groups, Users, or Selected Entries lists, you can use the paging controls at the top of these lists to navigate through the lists, or use the filtering controls at the bottom to reduce the number of items that are displayed.
The individuals or groups (or their IP addresses or range of IP addresses) listed in both the Selected Entries, and the Manual Entries lists are affected by the new policy that you are creating.
Note: Additional policies are applied as exceptions to, or extensions of, the default policy, so if you add a user to an additional policy who is exempt from the default policy, they will become subject to the default policy with the additional policy differences.
Once the users to which this additional policy will apply are set, move to the next page of the wizard by clicking either the Site Categories icon or the Next button.
4.2.4.3 Configuring Site Categories
On the Site Categories page of the Additional Policy wizard, you can modify any of the default policy settings or leave them unchanged to accept the default.
Note: The current option, whether it is Allow, Warn, or Block, is shown as Use default, indicating the state as set in the default or special hours policy at the time that the additional policy is first created.
Modify the settings or accept the default settings for any of the Site Categories that you want to change by selecting:
Allow (green): If selected, lets users view sites of this category; if cleared, denies users the ability to view them.
Warn (yellow): If selected, presents a warning to users that they are at risk of violating their organization’s web use policy, but allows them to proceed to their requested page. Once a user has chosen to proceed, no warning page for that site will be displayed to that user for 30 minutes. A log entry is created when a user does proceed in possible contravention of the organization’s web use policy. If cleared, no warning is given.
Block (red): If selected, prevents users from viewing sites of this category, and displays a warning page explaining the reason why access is blocked.
Quota (blue): If selected, presents a page to users that allows them to select how much quota time they wish to consume. Once a user has chosen to proceed, no warning page for that site will be displayed to that user until they have used their current selection of quota time. After they have consumed all of their available quota time, they will be presented with a block page that informs them they have no quota time remaining.
Use default (gray): This is the current setting, to which you can restore any changed category.
Note: Rules that have been overridden are displayed with the background color associated with that setting: Allow is green, Warn is yellow, and Block is red. This does not necessarily mean that the override setting is different from the default or special hours policy setting. It only indicates that this option is no longer drawn from the default or special hours policies settings.
Important: Blocking Advertisements and Pop-ups also blocks content that appears behind interstitial pages (pages of advertising that appear prior to the loading of a requested content URL). In blocking these pages, you are also blocking access to the content that is behind them.
Modify the settings or accept the default settings for the Allow user feedback option.
Note: If the Allow user feedback option is set to Yes, users’ requests for site reclassifications can be viewed on the Search > User Submissions pages.
Once the category handling for this additional policy is set, move to the next page of the wizard by clicking either the Download Types icon or the Next button.
Related tasks
Controlling Web Applications on page 93
Configuring the Local Site List on page 97
4.2.4.4 Configuring Download Types
On the Download Types page of the Additional Policy wizard, you can modify any of the default policy settings or leave them unchanged to accept the default.
Modify the settings or accept the default settings for any of the Download Types that you want to change by selecting:
Allow (green): If selected, lets users download content of this type; if cleared, denies users the ability to download them.
Warn (yellow): If selected, presents a warning to users that they are at risk of violating their organization's web use policy, but allows them to proceed with their requested downloads of this type. A log entry is created when a user does proceed in possible contravention of the organization's web use policy.
Block (red): If selected, prevents users from downloading content of this type and displays a warning page explaining the reason why access is blocked.
Use default (gray): This is the current setting, to which you can restore any changed type.
Note: Rules that have been overridden are displayed with the background color associated with that setting: Allow is green, Warn is yellow, and Block is red. This does not necessarily mean that the override setting is different from the default or special hours policy setting. It only indicates that this option is no longer drawn from the default or special hours policies settings.
Modify the settings or accept the default settings for the Block potentially unwanted applications option.
Once the category handling for this additional policy is set, move to the next page of the wizard by clicking either the Tags icon or the Next button.
4.2.4.5 Controlling Web Applications
On the Web Applications page of the Additional Policy wizard you can configure how your additional policy differs from the default policy for each web application. The default behavior is to Use default.
1. Click the drop-down menu under Action.
Use default will use the Default Policy.
Choose Allow to allow access to the web application.
Choose Block to block access to the web application.
Choose Quota to allow access to the web application, but have it count towards your Quota Time.
Choose Follow Category to allow the site category to control access to the web application.
2. For web applications that are set to Allow or Quota, you can also configure Enabled features:
a) Click on the row for an application.
b) Ensure that only the features you want enabled are selected.
For instance, if only Status Update is not selected under Enabled features for Facebook, only status updates will be disabled. Access to the rest of the site will be allowed.
3. Click Next or Save.
Related concepts
Quota Time on page 90
Default Policy on page 75
Related tasks
Configuring Site Categories on page 91
Configuring Tags on page 94
Configuring the Local Site List on page 97
4.2.4.6 Configuring Tags
Adding tags to your additional policy is optional. Tags allow you to set policy rules more simply and flexibly than is possible by using other policy features.
Tags can be created in two places: this wizard and the Local Site List Editor dialog box, which is accessed on the Configuration > Group Policy > Local Site List page. In the Local Site List Editor dialog box, you can apply one or more tags to a URL. In the Additional Policy wizard, you can set what action is taken in response to a tag. For tags to work, you must perform the configuration steps in both places.
1. In the Tag editable drop-down list, either enter the name of a new tag that you want to create in the text box, or click the adjacent down arrow icon to choose an existing tag from the drop-down list.
Note: There is no need to delete tags. Any tags that are not applied to URLs in the Local Site List and that do not have an additional policy set are automatically removed every Sunday night at midnight.
2. From the Action drop-down list, select the action that you want taken in response to the tag. The available actions are:
Allow: If selected, allows access to the sites to which this tag has been applied.
Warn: If selected, presents a warning to users that they are at risk of violating their organization's web use policy, but allows them to access the sites to which this tag has been applied.
Block: If selected, prevents users from accessing the sites to which this tag has been applied.
Quota: If selected, allows users to select a portion of their allotted quota time and continue browsing. Once all of a user's quota time has been consumed, prevents them from accessing the sites to which this tag has been applied.
3. Once you have set the action that you want taken to the selected tag, click Add. A line is added to the list that shows the Tag name and the Action that will be taken.
4. Optionally, you can remove a tag from the list by selecting the check box to the right of the tag that you want to remove and clicking Delete.
5. Repeat the preceding steps as often as required to set as many tags and actions as are required for your additional policy.
6. Move to the next page of the wizard by clicking either the Name and Schedule icon or the Next button.
Related concepts
Using Tags on page 95
Quota Time on page 90
Related tasks
Controlling Web Applications on page 93
Configuring the Local Site List on page 97
Using the Local Site List Editor on page 99
Configuring Sandstorm on page 103
Categories & Download Types on page 75
Setting a Special Hours Policy on page 87
4.2.4.6.1 Using Tags
Tags allow you to set properties to individual websites, so that set policy rules may enforce an action on these individual sites, regardless of the policy applied to the category in which the sites belong. This is implemented more simply and flexibly than is possible by using other policy features.
Using tags, you can fine tune a policy to the point of applying default policy overrides for individual users. For example, in your organization, you may wish to create a policy that allows the CEO to visit a number of news websites, even though the News category is blocked by default for the entire organization.
This can be done in two simple steps:
1. Tags are created and applied to a URL on the Configuration > Group Policy > Local Site List page’s Local Site List Editor dialog box. In the Local Site List Editor dialog box, you can create and apply one or more tags to a URL.
2. Once tags are applied to one or more URLs, you can set the policy for a tag on the fourth tab of the Configuration > Group Policy > Additional Policy page’s Additional Policy wizard. On the Tags tab of the Additional Policy wizard, you select the tag for which you want to set policy from a drop-down list of all the available tags, or enter the name for a new tag. Then you select the action that you want applied to URLs marked with this tag. Because additional policies are applied to only those users that you select on the first tab of the Additional Policy wizard, this tag-based policy can be applied to as few or as many individuals or groups as you want.
For tags to work, you must perform these configuration steps in both the Local Site List Editor and the Additional Policy wizard. If you start by creating a new tag in the Additional Policy wizard and applying policy to that tag, you must reverse the steps listed above and subsequently add this new tag to the URLs of your choice in the Local Site List Editor.
There are, however, three system tags: Globally allowed sites, Globally blocked sites, and Never send to Sandstorm. These tags only appear in the Local Site List Editor dialog box’s tag drop-down list. Their actions are predefined and match what their name indicates. The Globally allowed sites tag will not override the behavior expected as a result of a site’s risk class.
Note: There is no need to delete tags. Any tags that are not applied to URLs in the Local Site List and that do not have an additional policy set are automatically removed every Sunday night at midnight.
Related tasks
Configuring the Local Site List on page 97
Using the Local Site List Editor on page 99
Additional Policies on page 89
Configuring Tags on page 94
4.2.4.7 Additional Options
On the Additional Options page of the Additional Policy wizard:
1. Select the Sandstorm profile that you want to apply.
Use default: use the default Sandstorm profile.
Send any suspicious files for analysis: all suspicious downloaded items will be sent for analysis in the Sophos Active Sandbox component of Sophos Sandstorm.
Exclude suspicious PDFs and documents: send all suspicious downloads for analysis in the Sophos Active Sandbox, except PDFs and other documents.
Do not send suspicious files for analysis: do not send any downloaded items for analysis, even if they are suspicious.
Note: The Sandstorm option is not available if you do not have a Sophos Sandstorm license.
2. Under Quotas select the number of quota minutes allowed for this policy.
The browse time for all categories and tags that have been set to quota will count toward the browse time selected here.
Note: If you update the allowed browse time, the new setting will not take effect until the next day. If you need the new browse time to take effect immediately, you can manually reset users' quota times on the Configuration > Group Policy > Quota Status page.
3. Optionally, select Don't log traffic for this policy if you do not wish to record logging information for users and actions associated with this policy.
4. Click Next or Save.
Related concepts
Quota Time on page 90
4.2.4.8 Name and Schedule
On the Name and Schedule page of the Additional Policy wizard:
1. In the Policy name text box, enter the name for the added policy.
2. In the Effective time panel, set the time during which you want the policy to apply.
   a) Select either:
   All the time: The policy will always apply.
   Specified times: If you select this option, you must select one of the following options from the drop-down list:
      Regular hours: The policy will apply during regular hours (not during Special Hours).
      Special Hours: The policy will apply during special hours (as defined on the Special hours page).
      Custom times: If you select this option, you must set at least one custom time by doing the following:
         1. Set the start and end times by using the From and to time-selector controls.
            You can set the times by clicking beside either the hour, minute, or meridian (AM or PM) setting and scrolling with your mouse wheel until you get the time that you want.
         2. Select the days of the week check boxes for the days on which you want the additional policy to apply.
         3. Click Add to add the date and time setting to the list of custom times.
            You can select multiple date and time settings, but the times that you select must be chronological: the From time cannot follow the to time. For example, you cannot set a time range ending at 12:00 AM, as this is treated as the beginning of the day, not the end of the day, which is 11:59 PM. You can set up to 25 custom times. All of the custom times that you set will be used.
Note: If you select Specified times, and Special hours is not available, this is because you have not defined a special hours policy, or you have configured a special hours policy and enabled it, but then disabled it.
3. Select the Turn on this policy for machines connecting from: check box and choose anywhere, outside your network or inside your network. If you do not select this check box, the policy will not be immediately enabled.
For more information on how users can connect from outside your network, see Endpoint Web Control on page 144.
4. Optionally, select the Automatically deactivate policy on check box, and set the Date and Time on which you want the exception turned off.
You can set the times by clicking beside either the hour, minute, or meridian (AM or PM) setting and scrolling with your mouse wheel until you get the time that you want.
5. Click Save to close the Additional Policy wizard and return to the Additional Policies page.

4.2.5 Configuring the Local Site List

The Configuration > Group Policy > Local Site List page allows you to view all of the URLs that have been added to the list and to manage that list. URLs are added to the list to extend the filtering provided by the Web Appliance to URLs not included in the Sophos site list or to override the default filtering specified in the Sophos site list. The URLs listed in the Local Site List can be edited to change their Tags, Risk class, or Site category, or they can be deleted from the list.
For information on adding sites using the Local Site List Editor and on the use of tags, see Using the Local Site List Editor on page 99.
The default display of the list, if you accessed it by clicking Local Site List on the Configuration tab's sidebar, is to show all Local Site List entries. If you accessed this page from the Security Filter page, the list is limited to showing only entries that match the Risk class option from which you accessed this page.
To add a local classification entry, click Add Site.
The Local Site List editor dialog box is displayed. See "Using the Local Site List Editor" for instructions on the use of this pop-up dialog box.
To edit a local classification entry, click on the URL of the entry that you want to edit.
The Local Site List editor dialog box is displayed. See "Using the Local Site List Editor" for instructions on the use of this pop-up dialog box.
To filter the list of local sites that is displayed, click Show Filters and use the newly displayed Filters toolbar to narrow the list of displayed entries.
Site: Enter a search pattern in the text box below and click the icon to apply the filter. Click the icon to clear the text box.
Tagged as: Enter a search pattern in the text box below and click the icon to apply the filter. Click the icon to clear the text box.
Category: Select the category of the URLs that you want to view.
Risk: Select the security risk level of the URLs that you want to view.
Only those URLs currently in the Local Site List that match your selected criteria are displayed.
Click Hide Filters to close the Filters toolbar, which will reset all of the filters to display the full list of sites in the local site list.
To delete a local classification URL entry, click on the check box to the right of that entry in the Current local site list, and click Delete.
The selected URL is deleted from the Local Site List list.
To change the sort order of the filtered results, click the up/down arrow icon that appears to the right of each column name (Site, Tagged as, Category, and Risk). To reverse the order of the entries, click on the same up/down arrow icon a second time.
Related concepts
Using Tags on page 95
Images Display as Gray on page 216
Related tasks
Configuring Sandstorm on page 103
Configuring Security Filtering on page 102
Controlling Web Applications on page 93
Configuring Site Categories on page 91
Configuring Tags on page 94
Web Applications on page 83
Additional Policies on page 89
4.2.5.1 Using the Local Site List Editor
1. On the Configuration > Group Policy > Local Site List page, click Add Site.
2. In the Specify the site to add text box, enter the URL, domain, top-level domain (TLD), IP address, or CIDR range that you want to add.
To add multiple entries by entering one per line, click Enter multiple sites to expand the Specify the site to add text box. Click Enter single site to reduce it to single line size. When URLs are added, the protocol is stripped from the URL. So, to the Web Appliance, http://example.com is the same as ftp://example.com. Note that:
A TLD entry should begin with a '.' (for example '.edu').
If you enter a domain or top-level domain (TLD) with a single subdomain level, any additional subdomain levels will also be filtered. For example, an entry such as example.com will also filter subdomain.example.com and sub.subdomain.example.com.
If your entry includes a domain and at least one level of subdomains, no additional subdomains will be filtered. For example, an entry such as subdomain.example.com will not result in the filtering of other subdomains of example.com, including other.example.com or sub.subdomain.example.com.
Note: Some TLDs are known as second-level domains. These are similar to a subdomain and TLD. For instance, .co.uk is a second-level TLD that is distinct from .uk. In the above, if .example.com was a second-level TLD, the other entries would be filtered.
You can simultaneously create different rules for TLDs and subdomains. For instance, if a country had a TLD of .zz, you could block all sites by blocking the .zz top level domain and then selectively allow specific sites such as example.zz.
You can add the URL of an HTTPS service that uses a non-standard port (other than port 443), which extends Web Appliance filtering support to that URL. We suggest that you set such sites as Low Risk.
Important: The Web Appliance will interpret any dotted quad followed by a slash and a number less than 33 as a CIDR range. This creates the possibility that a URL entered as an IP address followed by a numbered directory from 0 to 32 would be improperly treated as a CIDR range. For example, http://192.168.3.4/6, where '/6' is a directory, would be interpreted as a CIDR range. To avoid this possibility, always enter URLs to numbered directories using fully qualified domain names rather than IP addresses.
3. On the Modify the site properties panel, do one or more of the following:
Important: You must choose at least one of the following three options to create a new local site list entry.
From the Tag editable drop-down list, either enter the name of a new tag that you want to create in the text box, or click the adjacent down arrow icon to choose an existing tag from the drop-down list.
Tags allow you to set policy rules more simply and flexibly than is possible by using other policy features. Tags can be created in two places, this Local Site List Editor and the Configuration > Group Policy > Additional Policy page. In the Additional Policy wizard, you can set what action is taken in response to a tag. In this, the Local Site List Editor wizard, you can apply one or more tags to a URL. For tags to work, you must perform the configuration steps in both places.
There are, however, three system tags: Globally allowed sites, Globally blocked sites, and Never send to Sandstorm. These tags only appear in the Local Site List Editor dialog box’s tag drop-down list. Their actions are predefined and match what their name indicates. The Globally allowed sites tag will not override the behavior expected as a result of a site’s risk class.
Note: There is no need to delete tags. Any tags that are not applied to URLs in the Local Site List and that do not have an additional policy set are automatically removed every Sunday night at midnight.
Select Override the risk class, and select the risk class that you want to use from the drop-down list.
Select Override the category, and select the category that you want to use from the drop-down list.
4. Optionally, add a comment explaining why you are treating the URL this way. This is useful for future reference and for other administrators.
5. Click Save.
The Local Site List editor closes, and the new local site list entry that you configured is viewable in the Local Site List.
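The entry rules in step 2, modelled as an added example (not Sophos code and not part of the manual): it classifies an entry the way the text describes and reports a URL-style entry that would be stored as a CIDR range. The SECOND_LEVEL_TLDS set and all function names are assumptions made for illustration; the manual does not describe how entries containing a path are matched, so those are only classified.

```python
import ipaddress
import re

# Constructed sample: the manual names .co.uk as a second-level TLD but does
# not publish the appliance's full list.
SECOND_LEVEL_TLDS = {"co.uk"}

SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")
QUAD_SLASH_NUM = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})/(\d+)$")


def classify(entry):
    """Return (kind, value) for one entry, following the rules in step 2."""
    text = SCHEME.sub("", entry.strip())  # the protocol is stripped
    m = QUAD_SLASH_NUM.match(text)
    if m and int(m.group(2)) < 33:
        try:  # dotted quad + "/" + number below 33 is read as a CIDR range
            return "cidr", ipaddress.ip_network(text, strict=False)
        except ValueError:
            pass  # e.g. an octet above 255, so not an address after all
    host, _, path = text.partition("/")
    if path:
        return "url", text  # path matching is not described in the manual
    try:
        return "ip", ipaddress.ip_address(host)
    except ValueError:
        host = host.lower()
    if host.startswith("."):
        return "tld", host
    labels = host.split(".")
    two = ".".join(labels[-2:])
    suffix_len = 2 if len(labels) > 2 and two in SECOND_LEVEL_TLDS else 1
    if len(labels) - suffix_len == 1:
        return "domain", host  # single level: deeper subdomains are covered
    return "host", host  # already has subdomain levels: exact host only


def covers(entry, request_host):
    """True if the entry applies to request_host under the documented rules."""
    kind, value = classify(entry)
    request_host = request_host.lower()
    if kind in ("cidr", "ip"):
        try:
            addr = ipaddress.ip_address(request_host)
        except ValueError:
            return False
        return addr in value if kind == "cidr" else addr == value
    if kind == "tld":
        return request_host.endswith(value)
    if kind == "domain":
        return request_host == value or request_host.endswith("." + value)
    if kind == "host":
        return request_host == value
    raise ValueError("entries with a path are outside this model")


def cidr_ambiguity(entry):
    """Describe a URL-style entry that will be stored as a CIDR range."""
    kind, value = classify(entry)
    if kind == "cidr" and SCHEME.match(entry.strip()):
        return f"{entry} is read as {value} ({value.num_addresses} addresses)"
    return None


if __name__ == "__main__":
    # Constructed inputs, including the manual's own http://192.168.3.4/6 case.
    for e in ("http://192.168.3.4/6", "http://192.168.3.4/40", "example.com"):
        print(e, "->", classify(e), "|", cidr_ambiguity(e))
```

Running a check like this over a list of planned entries before pasting them into Enter multiple sites shows which ones would cover far more addresses or hosts than intended.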
Related concepts
Using Tags on page 95
Related tasks
Explicit Deployment on page 25
Configuring Sandstorm on page 103
Configuring Security Filtering on page 102
Configuring Tags on page 94
Additional Policies on page 89

4.2.6 Testing Policy Applied to a URL

The Configuration > Group Policy > Policy Test page allows you to test what policy is applied to a specified URL for a specified user.
1. Enter the URL or IP address that you want to test in the URL or IP address text box.
2. Enter the name of the user or IP address that you want to test in the Username or IP address text box.
You must enter either the Active Directory username in the Down-Level Logon Name format (for example, DOMAIN\username), or the eDirectory username (for example, user.context).
3. Optionally, select the Test for a page request at check box and select the time and day from the adjacent controls.
You can set the times by clicking beside either the hour, minute, or meridian (AM or PM) setting and scrolling with your mouse wheel until you get the time that you want.