Sophos WS100, WS1100, SM2000, SM5000, WS5000 User Manual

Sophos Web Appliance
User Guide
Product Version 4.3.2 Sophos Limited 2017
ii | Contents | Sophos Web Appliance

Contents

Chapter 1: About Your Appliance....................................................................................8
1.1 Sophos Web Appliance Features...................................................................8
1.2 Sophos Management Appliance Features......................................................9
1.3 Common Features..........................................................................................9
Chapter 2: Getting Started............................................................................................11
2.1 Appliance Hardware......................................................................................11
2.1.1 Replacing an SM5000 or WS5000 Hard Drive...................................15
2.1.2 Replacing an SM5000 Power Supply...............................................18
2.1.3 Replacing a WS5000 Power Supply................................................20
2.2 Virtual Appliances.........................................................................................22
2.2.1 Replacing Hardware Appliances with Virtual Appliances.................22
2.3 Network Deployment.....................................................................................23
2.3.1 Explicit Deployment..........................................................................25
2.3.2 Transparent Deployment..................................................................29
2.3.3 Bridged Deployment.........................................................................31
2.3.4 Bypassing for Internal Servers.........................................................33
2.3.5 Existing Cache Deployment.............................................................35
2.3.6 Upstream ISA/TMG Server Deployment..........................................36
2.3.7 Integrating with Sophos Email Products..........................................37
2.3.8 Grouping Web Appliances...............................................................39
2.3.9 Network Deployment Troubleshooting..............................................42
2.4 Understanding Mode and Model Differences................................................43
2.5 Platforms and User Interface........................................................................46
2.6 Policy............................................................................................................48
2.7 Endpoint Web Control...................................................................................50
2.8 Updates........................................................................................................54
2.9 Getting Support.............................................................................................55
2.10 Product Documentation..............................................................................56
Chapter 3: Dashboard..................................................................................................57
Chapter 4: Configuration...............................................................................................60
4.1 Accounts.......................................................................................................61
4.1.1 Administrators..................................................................................61
4.1.2 Notification Page Options.................................................................65
4.2 Group Policy.................................................................................................74
4.2.1 Default Policy...................................................................................75
4.2.2 Default Groups.................................................................................84
4.2.3 Special Hours...................................................................................87
4.2.4 Additional Policies............................................................................89
4.2.5 Configuring the Local Site List.........................................................97
4.2.6 Testing Policy Applied to a URL.....................................................100
4.2.7 Quota Status..................................................................................101
4.3 Global Policy...............................................................................................101
4.3.1 Configuring Security Filtering.........................................................102
4.3.2 Configuring Sandstorm..................................................................103
4.3.3 Configuring Dynamic Categorization.............................................104
4.3.4 Configuring Data Leakage Prevention...........................................104
4.3.5 Configuring HTTPS Scanning........................................................105
4.3.6 Configuring Certificate Validation...................................................108
4.3.7 Setting Download Options..............................................................110
4.3.8 Setting General Options.................................................................111
4.4 System........................................................................................................113
4.4.1 Updates..........................................................................................113
4.4.2 Alerts & Monitoring........................................................................115
4.4.3 Backup...........................................................................................120
4.4.4 Restore..........................................................................................122
4.4.5 Active Directory..............................................................................123
4.4.6 eDirectory.......................................................................................128
4.4.7 Authentication................................................................................131
4.4.8 Connection Profiles........................................................................139
4.4.9 Time Zone......................................................................................141
4.4.10 Central Management....................................................................141
4.4.11 Certificates...................................................................................144
4.4.12 Endpoint Web Control..................................................................144
4.5 Network.......................................................................................................146
4.5.1 Configuring the Network Interface..................................................147
4.5.2 Hostname and Other Network Settings.........................................150
4.5.3 Configuring WCCP.........................................................................153
4.5.4 Load Balancing with the Management Appliance..........................155
4.5.5 Testing Network Connectivity.........................................................155
4.5.6 Running the Diagnostic Tools.........................................................156
Chapter 5: Reports.....................................................................................................157
5.1 Available Reports........................................................................................157
5.1.1 Traffic & Performance: Volume ......................................................157
5.1.2 Traffic & Performance: Latency .....................................................157
5.1.3 Traffic & Performance: Throughput ................................................158
5.1.4 Users: Virus Downloaders .............................................................158
5.1.5 Users: Sandstorm Users ...............................................................158
5.1.6 Users: PUA Downloaders ..............................................................159
5.1.7 Users: High Risk Site Visitors ........................................................159
5.1.8 Users: Policy Violators ...................................................................160
5.1.9 Users: Top Users By Quota ...........................................................160
5.1.10 Users: Top Bandwidth Users .......................................................160
5.1.11 Users: Top Users By Browse Time ..............................................161
5.1.12 Users: Browse Time By User ......................................................161
5.1.13 Users: Browse Summary By User ...............................................162
5.1.14 Users: Top Users By Category ....................................................162
5.1.15 Users: Category Visits By User ...................................................163
5.1.16 Users: Site Visits By User ...........................................................163
5.1.17 Users: Users By Search Queries ................................................164
5.1.18 Users: Top Web Application Users ..............................................164
5.1.19 Policy & Content: Allowed Sites ..................................................164
5.1.20 Policy & Content: Warned Sites ..................................................165
5.1.21 Policy & Content: Blocked Sites ..................................................165
5.1.22 Policy & Content: Categories ......................................................165
5.1.23 Policy & Content: Downloads ......................................................166
5.1.24 Policy & Content: Sandstorm Usage ...........................................166
5.1.25 Policy & Content: Advanced Threat Protection ............................166
5.2 Modifying Reports.......................................................................................167
5.3 Printing Reports..........................................................................................169
5.4 Exporting Reports.......................................................................................170
5.5 Options.......................................................................................................170
5.5.1 Reporting Groups...........................................................................170
5.5.2 Report Scheduler...........................................................................173
5.5.3 Report Exemptions........................................................................177
5.5.4 Search Terms.................................................................................178
Chapter 6: Search.......................................................................................................181
6.1 Searching Recent Activity...........................................................................181
6.1.1 Exporting Search Results..............................................................183
6.2 Searching Sandstorm.................................................................................183
6.3 Searching User Submissions......................................................................184
6.3.1 Viewing a User Submission Search...............................................185
6.3.2 Allowing a User’s Request.............................................................185
6.3.3 Deleting a User’s Request.............................................................187
Chapter 7: System Status...........................................................................................188
7.1 System Status on the Management Appliance...........................................191
Chapter 8: Using Help................................................................................................193
8.1 Searching the Documentation....................................................................193
8.2 Using the Table of Contents........................................................................193
8.3 Sophos Support..........................................................................................194
8.3.1 Filing a Support Request By Email................................................194
8.3.2 Opening a Remote Assistance Session.........................................194
8.4 About..........................................................................................................195
Appendix A: Configuring Ports....................................................................................196
Appendix B: Configuring Your Browser.......................................................................198
B.1 Adding the Sophos Root Certificate...........................................................198
B.1.1 Adding the Sophos Root Certificate in Internet Explorer...............198
B.1.2 Adding the Sophos Root Certificate in Firefox...............................199
B.2 Configuring Proxy Settings.........................................................................199
B.2.1 Internet Explorer Proxy Configuration............................................200
B.2.2 Firefox Proxy Configuration............................................................200
B.2.3 Apple Safari Proxy Configuration...................................................201
B.3 Other Internet Explorer Settings.................................................................202
B.3.1 Increasing the Number of Concurrent Connections in Internet Explorer......202
B.3.2 Enabling PDF Access in Internet Explorer.....................................202
B.4 Other Firefox Settings.................................................................................202
B.4.1 Configuring Firefox for Active Directory in Transparent mode or Bridged mode......202
Appendix C: Appliance Behavior and Troubleshooting...............................................204
C.1 Network Deployment Troubleshooting........................................................204
C.2 Active Directory Troubleshooting................................................................205
C.2.1 Appliance and AD Domain have the same name..........................205
C.2.2 Clock skew is too large..................................................................205
C.2.3 Could not auto-detect settings.......................................................205
C.2.4 Could not connect to Domain Controller........................................205
C.2.5 Could not join the domain..............................................................206
C.2.6 Could not test Kerberos settings....................................................206
C.2.7 Could not test LDAP settings.........................................................206
C.2.8 Domain could not be found............................................................206
C.2.9 Hostname is too long.....................................................................206
C.2.10 Invalid credentials........................................................................206
C.2.11 LDAP search query timeout.........................................................206
C.2.12 No IPC share found.....................................................................207
C.2.13 No NETLOGON share found.......................................................207
C.2.14 Server appears to be in wrong domain........................................207
C.2.15 Server error.................................................................................207
C.2.16 Subdomain failed to authenticate................................................208
C.2.17 Could not join the Secondary Domain Controller........................208
C.3 eDirectory Troubleshooting.........................................................................208
C.3.1 Invalid credentials..........................................................................209
C.3.2 Could not connect to server...........................................................209
C.3.3 Unable to establish Secure LDAP connection...............................209
C.3.4 No users or groups returned from LDAP server............................209
C.3.5 Could not sync users from LDAP server........................................209
C.3.6 Invalid authentication DN...............................................................209
C.3.7 Unable to bind to LDAP server......................................................209
C.3.8 Server error...................................................................................210
C.3.9 Network is unreachable.................................................................210
C.3.10 Could not resolve hostname........................................................210
C.4 Grouped Appliance Troubleshooting..........................................................210
C.5 HTTPS Compatibility..................................................................................213
C.6 Images Display as Gray.............................................................................216
Appendix D: Interpreting Log Files.............................................................................217
Appendix E: Copyrights and Trademarks....................................................................225
E.1 OpenLDAP Public License.........................................................................227
Appendix F: Contacting Sophos.................................................................................229
Appendix G: Glossary.................................................................................................230

1 About Your Appliance

The Sophos Web Appliances and Sophos Management Appliances include a powerful, highly effective, and easy-to-use administrative web interface that provides configuration and reporting tools, automated software updates, and self-monitoring to minimize the administrator's day-to-day involvement in web security and control maintenance. You can customize the appliance's default URL-handling policy and message pages, and accept or reject end user requests for changes to the handling of blocked URLs submitted via an end user feedback system.
Organizations typically expend considerable resources and effort preventing virus, worm, and Trojan infections from entering their networks via email. These threats, as well as spyware, adware, and phishing scams, are increasingly infiltrating organizations' networks via web browsing. Inappropriate web browsing by employees is also a significant legal liability and productivity concern for many organizations. The Sophos Web Appliance provides extensive URL categorization data that allows you to set acceptable web access policies for your organization that are highly customizable and enforceable. These policies can allow user access, warn users that they will be violating policy if they continue to a requested site, or block user access based on over fifty categories of URLs. In addition to your default acceptable web access policy, group-based exceptions are available as differentiated Special Hours policies. There is also the potential to create numerous additional policies that can be used as per-user or per-group exceptions to the default and Special Hours web access policies.
The Web Appliances use the proven Sophos Anti-Virus engine, regularly updated with the latest internet threats every 5 to 30 minutes by SophosLabs™, our global threat detection network. SophosLabs has more than 20 years' experience in protecting businesses from known and emerging threats. URL categorization data is similarly updated every 5 to 30 minutes, and the enhanced categorization data is updated hourly.
The Web Appliance is easy to install, configure, and maintain.

1.1 Sophos Web Appliance Features

The Web Appliance is an enterprise solution for organizations of various sizes.
Fast, full-spectrum protection and control
The Web Appliance provides protection against all web-based threats, while controlling access to undesirable content. The Web Appliance:
is a highly efficient unified scanner that guarantees accurate detection with low system impact and negligible latency.
inspects and secures web traffic against spyware, viruses, adware, potentially unwanted applications, and other malicious threats.
prevents access to known malicious websites, hidden malicious code, phishing sites, and undesirable content.
provides extensive, regularly updated URL categorization data upon which customizable web access policies can be based.

1.2 Sophos Management Appliance Features

The Management Appliance works with multiple Web Appliances to provide:
centralized management of up to 50 Web Appliances
centralized policy configuration
centralized reporting and activity searches
a centralized dashboard that provides a status overview for any joined Web Appliances
storage for as many as 2,000 users (on the SM2000) or 10,000 users (on the SM5000). Three years of reporting data is available.

1.3 Common Features

Easy to use
The appliances reduce administrative effort by providing quick access to relevant information. The appliances offer:
an intuitive management console that enables optimal control with minimal time and effort.
a unified security policy that eliminates the complexity of administering effective web security.
powerful reports that deliver unprecedented insight on inbound and outbound web traffic.
Dependable
The appliances offer a complete infrastructure built to replace customers' concerns about security with the assurance of protection. The appliances provide:
dynamic threat response with instant protection against new web-based threats every 5 minutes.
remote "heartbeat" monitoring that proactively ensures up-to-date protection and optimal hardware and software performance.
industry-leading 24/7/365 live support directly from Sophos.
on-demand remote assistance that provides easy, direct access to Sophos Technical Support.
a robust hardware platform designed specifically to Sophos specifications.
a hardened Linux operating system optimized for Sophos software.

2 Getting Started

The Sophos Web Appliance is designed to function as a web proxy that provides HTTP security at the gateway. Potentially risky content is scanned for various forms of malware. URL requests are compared to the Sophos site list, in which sites are assigned a risk class and a site category. Access to sites can be blocked on the basis of degree of risk or by site category.
Instead of blocking access to URLs that violate your organization's acceptable browsing policy, you can, as the administrator, allow access or allow access after a warning is displayed to users, which they can acknowledge and continue, or cancel the request to view. User access to such URLs is recorded. Also, as the administrator, you can extend or override the Sophos site list by adding URLs to a local site list. In the case of sites already in the Sophos site list, you can override the default handling by changing the risk class or site category.
Only approved and scanned content is passed to users. It may be cached to increase performance. If users attempt to access blocked URLs or download blocked content, message pages are displayed, informing users of the problem and optionally providing a user-feedback form that allows them to request changes to the handling of the blocked URL or file type. Similarly, requests for large files can cause the Web Appliance to display a patience page (if you have chosen to enable this option), advising the user that downloading and scanning is in progress and will take some time.
This section introduces the role of the Sophos Web Appliance and the Sophos Management Appliance in your network. It describes the compatible platforms and the administrative web interface. It provides an overview of the appliance's major capabilities and configurable behavior and a general description of the appliances' software and security data updating features. Finally, this section provides information on contacting Sophos Technical Support.
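As an added illustration that is not part of this guide or of the appliance's own software, the following Python model walks a request through the handling sequence just described: the host is looked up with the local site list overriding the Sophos site list, the applicable policy is chosen (an additional per-user/per-group policy, else a Special Hours policy in effect for the user's group, else the default), and the result is allow, warn or block, with an acknowledged warning recorded as a visit. The site data, policy names, the placeholder for uncategorized hosts and the "stricter of category and risk class wins" rule are constructed assumptions of the model.

```python
"""Model of the URL-handling flow described above (constructed example, not the
appliance's code): site lookup with a local override, policy layering, and the
allow / warn / block outcome with acknowledged warnings recorded."""
from dataclasses import dataclass, field
from datetime import time
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

ALLOW, WARN, BLOCK = "allow", "warn", "block"
_SEVERITY = {ALLOW: 0, WARN: 1, BLOCK: 2}

@dataclass(frozen=True)
class SiteInfo:
    category: str  # site category, e.g. "Gambling"
    risk: str      # risk class, e.g. "low", "medium", "high"

@dataclass
class Policy:
    name: str
    category_actions: Dict[str, str] = field(default_factory=dict)
    risk_actions: Dict[str, str] = field(default_factory=dict)
    default_action: str = ALLOW

    def decide(self, site: SiteInfo) -> str:
        # Category and risk class are checked independently and the stricter
        # outcome wins (an assumption of this model, not a documented rule).
        by_cat = self.category_actions.get(site.category, self.default_action)
        by_risk = self.risk_actions.get(site.risk, self.default_action)
        return max(by_cat, by_risk, key=_SEVERITY.get)

@dataclass
class Request:
    user: str
    groups: Set[str]
    url: str
    at: time
    acknowledged: bool = False  # True once the user clicks through a warning page

# Placeholder classification for hosts in neither list (assumption of this model).
UNKNOWN_SITE = SiteInfo("Uncategorized", "unknown")

def lookup_site(host: str, sophos_list: Dict[str, SiteInfo],
                local_list: Dict[str, SiteInfo]) -> SiteInfo:
    """A local site list entry overrides the Sophos site list for the same host."""
    return local_list.get(host) or sophos_list.get(host) or UNKNOWN_SITE

def select_policy(req: Request, default: Policy,
                  special_hours: List[Tuple[Policy, Set[str], time, time]],
                  additional: List[Tuple[Policy, Set[str], Set[str]]]) -> Policy:
    """Additional policies (per-user/per-group exceptions) win first, then a Special
    Hours policy whose group and time window match, otherwise the default policy."""
    for pol, users, groups in additional:
        if req.user in users or req.groups & groups:
            return pol
    for pol, groups, start, end in special_hours:
        if req.groups & groups and start <= req.at < end:
            return pol
    return default

def handle_request(req: Request, sophos_list, local_list, default, special_hours,
                   additional, access_log: list) -> Tuple[str, str]:
    """Return (action, policy name); an acknowledged warning is allowed and recorded."""
    site = lookup_site(urlsplit(req.url).hostname or "", sophos_list, local_list)
    policy = select_policy(req, default, special_hours, additional)
    action = policy.decide(site)
    if action == WARN and req.acknowledged:
        access_log.append((req.user, req.url, policy.name, "warned-continued"))
        return ALLOW, policy.name
    return action, policy.name

# --- constructed sample data: site lists, policies, and their assignment ---
SOPHOS_LIST = {"casino.example": SiteInfo("Gambling", "medium"),
               "tools.example": SiteInfo("Downloads", "high")}
LOCAL_LIST = {"tools.example": SiteInfo("Business", "low")}  # admin re-classification
DEFAULT = Policy("Default", {"Gambling": BLOCK, "Downloads": WARN}, {"high": BLOCK})
LUNCH = Policy("Special Hours", {"Gambling": WARN}, {"high": BLOCK})
MARKETING = Policy("Marketing exception", {}, {"high": WARN})
SPECIAL_HOURS = [(LUNCH, {"staff"}, time(12, 0), time(13, 0))]
ADDITIONAL = [(MARKETING, {"alice"}, {"marketing"})]
ACCESS_LOG: list = []

def demo() -> Dict[str, Tuple[str, str]]:
    """Walk two URLs through the layers and return each outcome."""
    args = (SOPHOS_LIST, LOCAL_LIST, DEFAULT, SPECIAL_HOURS, ADDITIONAL, ACCESS_LOG)
    casino, tools = "http://casino.example/", "https://tools.example/setup.exe"
    staff = {"staff"}
    return {
        "default_blocks_gambling": handle_request(Request("bob", staff, casino, time(10, 0)), *args),
        "special_hours_warns": handle_request(Request("bob", staff, casino, time(12, 30)), *args),
        "warning_acknowledged": handle_request(Request("bob", staff, casino, time(12, 30), True), *args),
        "additional_policy_wins": handle_request(Request("carol", {"marketing"}, casino, time(12, 30)), *args),
        "local_override_allows": handle_request(Request("bob", staff, tools, time(10, 0)), *args),
        # Same request with an empty local site list: the Sophos classification applies.
        "without_override_blocks": handle_request(Request("bob", staff, tools, time(10, 0)),
                                                  SOPHOS_LIST, {}, DEFAULT, SPECIAL_HOURS, ADDITIONAL, ACCESS_LOG),
    }
```

Running demo() shows the same gambling URL blocked under the default policy, only warned during Special Hours, and allowed outright for the marketing group, while the local site list entry turns a blocked high-risk download site into an allowed business site.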

2.1 Appliance Hardware

The Sophos Web Appliance is a high-performance appliance designed to handle web proxy access for organizations of various sizes. The Web Appliance is scalable to much larger numbers of users by grouping multiple Web Appliances, joining them to a single Management Appliance. The appliances raise alerts via the administrative web interface and via email if any hardware components are not functioning optimally.
The Sophos Management Appliance provides centralized policy configuration and centralized reporting for grouped appliances, thus minimizing system administration work while providing organization-wide information without sacrificing security or customizable web use control.
This section describes the front and back panel LEDs, powering the appliances down gracefully, and hardware-related alerts.
There are certain hardware differences between the various appliance models, which are summarized in the following table or discussed in the sections below.

Model    Processors                   Memory (RAM)  Bridge card (see note)  Replaceable power supply  Replaceable hard drives
WS100    dual-core, light-capacity    2 GB          No                      No                        No
WS500    dual-core, medium-capacity   2 GB          Optional                No                        No
WS1000   dual-core, high-capacity     4 GB          Yes                     No                        No
WS1100   quad-core, high-capacity     8 GB          Optional                No                        No
WS5000   quad-core, high-capacity     16 GB         Yes                     Yes                       4
SM2000   quad-core, high-capacity     8 GB          No                      No                        No
SM5000   quad-core, high-capacity     8 GB          No                      Yes                       4

Note: Operating in bridged mode is only possible on a Web Appliance with a bridge card installed.
The appliances have a number of ways to alert you if there is a problem with one of their hardware components. In addition to status indicators in the administrative web interface and alerts sent via email, the appliances have LED indicators and audible alarms.
Front Panel LEDs
Indicators on the front of each appliance provide status information and warnings. The arrangement of the front panel LEDs is the same for the WS100, WS500, WS1000, WS1100, and the SM2000. The indicators on the front of the SM5000 are slightly different, and the indicators on the front of the WS5000 are also slightly different. Each variant is shown in the following diagrams.
[Diagrams: front panel LEDs of the WS100; of the WS500, WS1000, WS1100, and SM2000; of the SM5000; and of the WS5000]

LED                         Color  State  Indicates
Temp. Sensor                Red    On     System Overheated
                                   Off    System Normal
Unit ID LED (SM5000 only)   Blue   Off    Shows rack location front and back
NIC1 (config)               Green  On     Linked
                                   Blink  Config connection established
                                   Off    Disconnected
NIC2 (non-bridged only)     Green  On     Linked
                                   Blink  Config connection established
                                   Off    Disconnected
HDD LED                     Amber  Blink  HDD Activity
                                   Off    No Activity
Power LED                   Green  On     System On
                                   Off    System Off
The front panel LEDs are on the upper-right corner of the front panel, to the left of the reset and power buttons (and to the right of the Unit ID button on the SM5000).
Important: Sophos strongly suggests that you use the software shutdown and restart options as documented on the System Status on page 188 page. Although a quick press and release of the appliance's power button will perform an elegant shutdown, if the power button is held down for four seconds or more, an inelegant, immediate shutdown is performed. Also, the reset button on the appliance always triggers an inelegant, immediate restart, so again the software option is preferred. Using the appliance's power and reset buttons may lead to file corruption and data loss.
Rear Panel LEDs
Indicators on the rear of each appliance provide status information and warnings. The arrangement of the rear panel LEDs depends upon whether the appliance is configured with a bridge card. There is always a bridge card in a WS1000. Bridge cards are optional for the WS500 and WS1100. There is never a bridge card in a WS100, SM2000, or SM5000.
For appliances with no bridge card:
There are two RJ45 network ports along the bottom of the appliance to the right of the middle:
The Config port: This is the port to which you connect your laptop or PC to run the setup wizard.
The Network port: This is the port to which you make your LAN connection after the setup wizard has been completed.
The two LEDs at the top of these ports indicate the following:
LED Position  Color            Indicates
Left          Green            100 Mbps
Left          Amber            1 Gbps
Right         Blinking Yellow  Port active
For appliances with a bridge card:
There is one RJ45 network port along the bottom of the appliance to the right of the middle, the Configuration port. This is the port to which you connect your laptop or PC to run the setup wizard. The two LEDs at the top of this port indicate the following:

LED Position  Color            Indicates
Left          Green            100 Mbps
Left          Amber            1 Gbps
Right         Blinking Yellow  Port active
There is also a group of six LEDs to the left of the WAN and LAN ports on the bridge card, which is located in the upper right corner on the back of the appliance.The LEDs are arranged in two columns of three lights, with the left and right columns being indicators for the LAN and WAN connections, respectively.The rows of LEDs are interpreted as follows:
Bypass: If all of the top four indicator lights are on, the appliance is in bypass mode.
1000 (top): On indicates a 1000 Mbps connection is established; blinking shows traffic; off indicates no connection.
100 (middle): On indicates a 100 Mbps connection is established; blinking shows traffic; off indicates no connection.
Act/Link (bottom): On indicates a connection at any speed is established; blinking shows traffic; off indicates no connection.
Hardware Alerts
Depending on the severity of the issue, the appliances will raise an alert in the administrative web interface or via email, or both. Alerts advise that devices are not working normally or draw attention to potential problems. In most cases, the alert will instruct you to contact Sophos Technical Support.
Powering Down the Appliances Gracefully
Power down the appliance gracefully by either pressing the power button briefly, or by clicking Shutdown on the System Status page.The appliance will safely shut down its software, and the fans will stop. Remove the power cord before servicing the unit.
Note: You can also power down by holding the power button for four or more seconds, which will force an immediate shutdown of the appliance; however, this may cause a corruption of the file system. Avoid immediate shutdown except in cases when graceful shutdown is not possible.

2.1.1 Replacing an SM5000 or WS5000 Hard Drive

The SM5000 and WS5000 have four hot-swappable redundant SCSI hard disk drives in a RAID 10 configuration. If a single hard drive fails, the other disk in the RAID mirror takes over, and the appliance continues to function normally. The failed drive can be removed and a replacement drive installed without removing these appliances from the rack, powering down or even exiting the administrative web interface. The appliance automatically detects the removal of a failed or defective drive and the installation of its replacement. After replacement, the RAID controller automatically begins rebuilding the new drive.
SM5000, front view showing the four hard disk drive bays
Hardware Configuration
On the SM5000 and WS5000, the disks are mirrored using RAID 10, so only one disk can be replaced or not be working at a time.
Failure Identification
Remove the front bezel to expose the disk drives. On a failed disk drive, the red LED on the front of the drive is illuminated (the bottom LED of the two drive-specific LEDs) and the appliance’s audible alarm is sounding.
Static-Sensitive Devices
CAUTION:
Electrostatic discharge (ESD) can damage electronic components. To prevent damage to any printed circuit boards, it is important to handle them very carefully. The following measures are generally sufficient to protect your equipment from ESD damage.
Be sure that the appliance chassis is properly grounded through the AC power cord or enclosure frame.
Touch a grounded metal object before removing the drive from the antistatic bag.
Put on the grounding wrist strap, handle the drive by its edges only, and do not touch components on the bottom.
Single Hard Drive Replacement Procedure
As the disks are mirrored using RAID 10, only one disk can be replaced or not be working at a time.
CAUTION: Disk drives are static-sensitive devices. Please make proper use of the wrist strap included in the disk field-replaceable unit (FRU) ship kit.
CAUTION: Removal of the other drive during this procedure or during the rebuild of the RAID 10 mirror will result in system failure.
1. Press the colored release button beside the drive's LEDs on the failed drive to unlatch the handle.
2. Swing the handle fully out to disengage the drive.
3. Slide the drive halfway out of the drive bay and wait for it to spin down. Allow 10-20 seconds before removing the drive from the drive bay.
4. While the system is running, insert the replacement drive into the empty bay and slide it straight to the back of the bay.
5. Swing the handle in toward the appliance. Continue pushing the handle in until you feel it lock in place.
6. Press firmly on both the left and right edges of the drive with both thumbs. Applying this pressure ensures that the drive is fully engaged, even if no movement of the drive is felt.
7. After the failed disk is replaced, the green and red LEDs on the new disk start to blink and the audible alarm is silenced, indicating that the mirror is rebuilding. Once the rebuild is complete, the red LED goes off. The front bezel can then be replaced.

2.1.2 Replacing an SM5000 Power Supply

The SM5000 has two hot-swappable redundant power supplies. If a single power supply fails, the redundant feature allows the other module to take over the full load, and the system runs without interruption. The failed power supply can be removed and a replacement power supply installed without removing the SM5000 from the rack, powering down, or even exiting the SM5000's administrative web interface.
Hardware Configuration
On the SM5000, the two power supplies are located on the left side of the rear of the appliance. In normal operation, the "Power Indicator" LED on the front panel is green, as are the "Power Supply Status" LEDs on the back of the SM5000 for each power supply, which are shown in the graphics below.
Failure Identification
Case 1: If either of the two power supplies completely fails, the "Power Indicator" LED on the front panel turns yellow, and an alarm sounds until the power supply is replaced. On the back of the unit, the "Power Supply Status" LED for the unit that has failed is either off or yellow. This is the power supply to replace.
Case 2: If either of the two power supplies partially fails, the "Power Indicator" LED on the front panel is green and no alarm sounds. On the back of the unit, the "Power Supply Status" LED for the unit that has partially failed is yellow. This is the power supply to replace.
Static-Sensitive Devices
CAUTION:
Electrostatic discharge (ESD) can damage electronic components. To prevent damage to any printed circuit boards, it is important to handle them very carefully. The following measures are generally sufficient to protect your equipment from ESD damage.
Be sure that the appliance chassis is properly grounded through the AC power cord or enclosure frame.
Touch a grounded metal object before removing the power supply from the anti-static bag.
Put on the grounding wrist strap, handle the power supply by its edges only, and do not touch components on the bottom.
Single Power Supply Replacement
1. Ensure that the power cord is unplugged from the failed power supply module. Then, while holding onto the handle, press the green locking tab on the bottom right of the power supply in toward the handle. This will disengage the power supply.
2. Pull the power supply module straight out. Check to make sure that the replacement power supply module is the same type as the one previously removed.
3. Carefully push the replacement power supply module straight into the appliance until you hear the release tab click into place.
4. Plug the AC power cord back into the new power supply module. The "Power Supply Status" LED on the new module should now be green.

2.1.3 Replacing a WS5000 Power Supply

The WS5000 has two hot-swappable redundant power supplies. If a single power supply fails, the redundant feature allows the other module to take over the full load, and the system runs without interruption. The failed power supply can be removed and a replacement power supply installed without removing the WS5000 from the rack, powering down, or exiting the WS5000's administrative web interface.
Hardware Configuration
On the WS5000, the two power supplies are located on the left side of the rear of the appliance. In normal operation, the "Power Indicator" LED on the front panel is green, as are the "Power Supply Status" LEDs on the back of the WS5000 for each power supply, which are shown in the graphics below.
Failure Identification
Case 1: If either of the two power supplies completely fails, the "Power Indicator" LED on the front panel turns yellow, and an alarm sounds until the power supply is replaced. On the back of the unit, the "Power Supply Status" LED for the unit that has failed is either off or yellow. This is the power supply to replace.
Case 2: If either of the two power supplies partially fails, the "Power Indicator" LED on the front panel is green and no alarm sounds. On the back of the unit, the "Power Supply Status" LED for the unit that has partially failed is yellow. This is the power supply to replace.
Static-Sensitive Devices
CAUTION:
Electrostatic discharge (ESD) can damage electronic components. To prevent damage to any printed circuit boards, it is important to handle them very carefully. The following measures are generally sufficient to protect your equipment from ESD damage.
Be sure that the appliance chassis is properly grounded through the AC power cord or enclosure frame.
Touch a grounded metal object before removing the power supply from the anti-static bag.
Put on the grounding wrist strap, handle the power supply by its edges only, and do not touch components on the bottom.
Single Power Supply Replacement
1. Ensure that the power cord is unplugged from the failed power supply module. Then, while holding onto the handle, press the red locking tab on the bottom right of the power supply in toward the handle. This will disengage the power supply.
2. Pull the power supply module straight out. Check to make sure that the replacement power supply module is the same type as the one previously removed.
3. Carefully push the replacement power supply module straight into the appliance until you hear the release tab click into place.
4. Plug the AC power cord back into the new power supply module. The "Power Supply Status" LED on the new module should now be green.

2.2 Virtual Appliances

As an alternative to the hardware-based version of the Sophos Web Appliance, you can deploy appliances as virtual machines using VMware. These appliances can be grouped with other virtual appliances or with hardware-based appliances. Once deployed, they operate in the same way as a hardware-based appliance.
Sophos virtual appliances provide a cost-effective web-filtering solution that is easy to set up. Virtual appliances occupy less rack space, are energy-efficient, and require less hardware.
To learn more about configuring a virtual web appliance, see the Sophos Virtual Web Appliance Setup Guide or the Sophos Virtual Management Appliance Setup Guide.
Note: Virtual appliances do not support Bridged Deployment, which requires a bridge card.
Related concepts
Understanding Mode and Model Differences on page 43
Grouping Web Appliances on page 39

2.2.1 Replacing Hardware Appliances with Virtual Appliances

At some point, you may decide to replace one or more of your hardware-based appliances. Replacing either a Web Appliance or Management Appliance with a virtual appliance should be done by following the steps in the order described below.
Note: These procedures only cover the replacement of existing hardware-based appliances with virtual appliances. If, instead, you want to add virtual appliances to use in conjunction with your existing hardware-based appliances, see the instructions in Grouping Web Appliances and Central Management. Virtual appliances integrate seamlessly with hardware-based appliances as well as other virtual appliances.
Replacing a Stand-Alone Web Appliance
If you have a single hardware-based Sophos Web Appliance that you want to replace with a virtual Web Appliance:
1. Configure the virtual appliance according to the instructions in the Virtual Web Appliance Setup Guide. Take care when configuring the network settings to assign a network address that is different from the hardware-based appliance it is replacing.
2. If your hardware appliance is not configured to perform automated backups, on the Configuration > System > Backup page, click Download Now. Or, if automated backups are configured, transfer the backed up archive file from the FTP site to the system on which you will be performing the restoration.
3. On the virtual appliance, select Configuration > System > Restore. Follow the instructions in Restoring a Backup on page 122.
Note: If your hardware-based appliance was configured to use Web Cache Communication Protocol, you must reconfigure those settings manually on the virtual appliance. WCCP settings cannot be restored from a backup.
4. When restoration is complete, power off and decommission the hardware-based appliance.
Replacing a Management Appliance
If you have a hardware-based Sophos Management Appliance that you want to replace with a virtual Management Appliance:
1. Configure the virtual appliance according to the instructions in the Virtual Management Appliance Setup Guide. Take care when configuring the network settings to assign a network address that is different from the hardware-based appliance it is replacing.
2. Join the newly configured Management Appliance to a functioning Web Appliance in your deployment (not the hardware-based Management Appliance) and copy its configuration data to the virtual Management Appliance. On the Management Appliance, ensure that these check boxes are selected: Allow Web Appliances to join this Management Appliance and Copy configuration and policy data from the first web appliance to join. For complete instructions, see On a Stand-Alone Web Appliance: Joining a Management Appliance on page 141.
3. When the join is complete, power off and decommission the hardware-based Management Appliance.
Related concepts
Central Management on page 141
Related tasks
Backup on page 120
Restore on page 122
Configuring WCCP on page 153

2.3 Network Deployment

You can deploy the Sophos Web Appliance in a variety of configurations, depending on the requirements of your organization and your existing network architecture.
Basic Deployment Options
Three basic network deployments are possible for the Sophos Web Appliance:
Explicit Deployment: All client web browsers are explicitly configured to use the appliance, although this can be done centrally by using distributed Active Directory Group Policy Objects (GPO). Explicit Deployment also supports FTP over HTTP.
Transparent Deployment: The firewall or router is configured to redirect port 80 and port 443 traffic through the Web Appliance. In this mode, web traffic filtering is transparent to users, who only see evidence of the Web Appliance if they attempt to connect to certain URLs and are presented with a notification page.
Bridged Deployment: All outbound network traffic is routed through the Web Appliance's bridge card, but only port 80 and port 443 traffic is examined. This deployment requires the optional bridge card included with some appliance models. With a Bridged Deployment, network traffic continues to flow in the event of an appliance failure.
Alternative Deployment Options
There are three additional deployments that allow the Web Appliance to work with some common network topologies. You may want to use one of the following, depending on the structure of your existing network.
Bypass for Internal Servers: Allows clients to access specific internal servers directly. This is recommended for use with Explicit Deployment.
Use with an Existing Cache: Allows the Web Appliance to work in conjunction with a pre-existing investment in a web-caching server in any one of the three basic network deployments (Explicit, Transparent, or Bridged).
Use with an ISA/TMG Server: Allows the Web Appliance to work with a downstream or upstream Microsoft Internet Security and Acceleration (ISA) or Microsoft Forefront Threat Management Gateway (TMG) Server in any one of the three basic network deployments (Explicit, Transparent, or Bridged).
Network Deployment Recommendations
It may be necessary to make additional adjustments to accommodate the requirements of your network.
Important: If Active Directory integration is not enabled, the Web Appliance allows connections from any user or computer that can access it. This means that it could allow people from outside of your organization to use your Web Appliance as a proxy, consuming your bandwidth and creating traffic that appears to come from your organization. Sophos strongly advises that you take the following steps to prevent this:
1. Configure your firewall to prevent inbound connections to the Web Appliance from outside your network. The Web Appliance does not require that any inbound ports be open for external traffic.
2. Configure the Web Appliance to accept requests only from your own network. To do this:
a. Select Configuration > Group Policy > Default Groups.
b. Create a custom user group consisting of all your internal subnets and add this group to the Selected groups list.
c. Select the Only the users/groups selected below option, and click Apply.
Configure your firewall to allow email with attachments from the Web Appliance to wsasupport@sophos.com. Sophos needs this: it uses the system status snapshots that you submit as email attachments to check that your Web Appliance is operating within acceptable thresholds.
Network Deployments Comparison Table
The following table presents the key characteristics of each basic supported deployment scenario. For details of each, see the sections that follow.

                               Explicit Deployment        Transparent Deployment            Bridged Deployment
WCCP Integration               No                         Yes                               n/a
Performance
Web Appliance Traffic          Only carries web traffic   Only carries web traffic          Carries all outbound traffic
Network Configuration          Configure all clients      Configure firewall or router      Configure only Web Appliance
Post-Failure Reconfiguration   Configure all clients      Configure the firewall or router  Power down Web Appliance
Note: If you use the Transparent or Bridged deployment, see Switching from Transparent Mode to Explicit Mode on page 31 or Switching from Bridged Mode to Explicit Mode on page 33 to learn about making the transition to Explicit Deployment.
Related tasks
Configuring Authentication on page 133
Hostname and Other Network Settings on page 150
Configuring the Network Interface on page 147
Load Balancing with the Management Appliance on page 155

2.3.1 Explicit Deployment

This deployment involves explicitly configuring all client web browsers to use the Web Appliance, although you can also do this centrally by using distributed Active Directory Group Policy Objects (GPO).
Inspects HTTP, HTTPS, and FTP over HTTP traffic.
All clients require configuration (may be done centrally; see the Configuration section below).
If the deployment fails, all clients must be reconfigured (may be done centrally; see the Configuration section below).
Operation
Users' HTTP, HTTPS, and FTP over HTTP requests are passed to the Web Appliance.
The Web Appliance assesses URLs, blocks disallowed requests, checks if allowed URL requests are currently cached, and passes URL requests that are not cached through the firewall to retrieve them from the internet.
Note: Port 80, port 443, port 20, and port 21 requests from users are blocked at the firewall; URLs are only accepted by the firewall if they are from the Web Appliance.
The Web Appliance receives any new pages or files and caches them; it passes the pages or files of allowed requests back to the users.
The users receive only safe and allowed pages and files or a notification page.
Configuration
1. Connect your organization's LAN to the Web Appliance's LAN port.
2. Configure each user's web browser to use the Web Appliance via port 8080 as their web proxy for HTTP, HTTPS, and FTP. (Ports 3128 and 8081 are also supported, but their use is only suggested if the Web Appliance is replacing a previous proxy configuration that used one of these ports.)
Note: For information about adding support for HTTPS applications that use non-standard ports, see Using the Local Site List Editor in the Group Policy section of the documentation.
Note: Configuring all users' browsers to use the Web Appliance as a web proxy can be done centrally in Windows networks by using any of the methods described in the Sophos Web Appliance: Configuring your network for Explicit Deployment Knowledgebase article, which also includes links to the following:
Creating, Testing, and Deploying a proxy.pac File
Publishing Proxy Information as a wpad.dat File
Creating a GPO
3. In the Web Appliance's administrative web interface, on the Configuration > Network > Network Interface page, set the Deployment Mode to Explicit proxy.
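To make step 2 concrete, here is an example proxy.pac of the kind the Knowledgebase article describes. It is an added illustration, not Sophos's published file: the appliance name webappliance.example.com, the internal DNS suffix corp.example.com and the private ranges 10.0.0.0/8 and 192.168.0.0/16 are assumptions to replace with your own. It sends HTTP, HTTPS and FTP to the appliance on port 8080 and lets internal servers be reached directly, which is the Bypass for Internal Servers arrangement recommended with Explicit Deployment. The helper functions at the top are fallbacks that only take effect when the file runs outside a browser (for example under Node to test the rules before publishing them); browsers supply their own.

```javascript
// proxy.pac -- added example for an Explicit Deployment (not Sophos's own file).
// Assumptions, change to match your network:
//   appliance        webappliance.example.com, proxy port 8080
//   internal DNS     *.corp.example.com
//   internal subnets 10.0.0.0/8 and 192.168.0.0/16
var APPLIANCE = "PROXY webappliance.example.com:8080";

// --- PAC helper fallbacks ---------------------------------------------------
// Browsers provide these natively. The typeof guard keeps the native version
// when it exists and only installs the fallback when the file is loaded
// somewhere else (e.g. Node for testing). The isInNet fallback does not
// resolve hostnames; it only matches literal dotted-quad addresses.
var isPlainHostName = (typeof isPlainHostName === "function") ? isPlainHostName :
  function (host) { return host.indexOf(".") === -1; };

var dnsDomainIs = (typeof dnsDomainIs === "function") ? dnsDomainIs :
  function (host, domain) {
    return host.length >= domain.length && host.slice(-domain.length) === domain;
  };

var shExpMatch = (typeof shExpMatch === "function") ? shExpMatch :
  function (str, pattern) {
    // Shell glob -> anchored regular expression: escape metacharacters,
    // then let * match any run and ? match one character.
    var re = "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                          .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
    return new RegExp(re).test(str);
  };

// Dotted quad -> unsigned 32-bit number (used only by the isInNet fallback).
function ipToNumber(ip) {
  var p = ip.split(".");
  return (+p[0]) * 16777216 + (+p[1]) * 65536 + (+p[2]) * 256 + (+p[3]);
}

var isInNet = (typeof isInNet === "function") ? isInNet :
  function (host, pattern, mask) {
    if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
    return (ipToNumber(host) & ipToNumber(mask)) === (ipToNumber(pattern) & ipToNumber(mask));
  };

// --- The rule set -------------------------------------------------------------
function FindProxyForURL(url, host) {
  // Plain hostnames (http://intranet/) and the internal DNS suffix: direct.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example.com")) {
    return "DIRECT";
  }
  // Internal servers addressed by IP: direct (bypass for internal servers).
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0") ||
      isInNet(host, "127.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // HTTP, HTTPS and FTP over HTTP all go through the appliance on port 8080.
  if (shExpMatch(url, "http:*") || shExpMatch(url, "https:*") || shExpMatch(url, "ftp:*")) {
    return APPLIANCE;
  }
  // Anything else is not web traffic the appliance handles.
  return "DIRECT";
}
```

Before publishing the file through WPAD or a GPO, exercise the rules by loading it in Node and calling FindProxyForURL with representative URL and host pairs (an intranet name, an internal IP, an external HTTPS site, an FTP URL); the guarded fallbacks make that possible without a browser. Keep in mind that a browser falling back to DIRECT for an external site will still be stopped by the firewall in this deployment, since port 80 and 443 traffic is only accepted from the Web Appliance.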
Related concepts
Configuring Your Browser on page 198
Related tasks
Using the Local Site List Editor on page 99
Specifying an Upstream Proxy on page 151
Bypassing for Internal Servers on page 33
Upstream ISA/TMG Server Deployment on page 36
Related information
Windows Server Group Policy
2.3.1.1 Downstream ISA/TMG Server Deployment
This option, which uses either a Microsoft Internet Security and Acceleration (ISA) server or a Microsoft Forefront Threat Management Gateway (TMG) server, is based on the Explicit Deployment. This deployment is different in that it includes an ISA/TMG server (and optionally an Active Directory server) between users and the Web Appliance.
Allows the Web Appliance to work with an ISA/TMG Server.
If the Sophos ISA/TMG plug-in is installed, and an Active Directory server is on the network side of the ISA or TMG server, then clients (users) can be seen as usernames.
Allows you to use multiple Web Appliances in a simple load-balancing deployment.
If the Sophos ISA/TMG plug-in is not installed, all traffic will be identified as coming from one user: the ISA/TMG server.
If the Sophos ISA/TMG plug-in is not installed or an Active Directory server is not on the network side of the ISA/TMG server, then clients (users) will appear as IP addresses only.
Does not support individual user opt-out, although with the ISA/TMG plug-in installed custom policy can be applied to an individual user or group.
Operation
Users' HTTP and HTTPS requests are passed through an ISA/TMG server that uses NTLM or IWA Authentication.
The ISA/TMG server passes URL requests to the Web Appliance.
The Web Appliance assesses the URL.
The Web Appliance blocks disallowed requests, checks if allowed URL requests are currently cached, and passes URL requests that are not cached through to the firewall.
Note: Port 80 and 443 requests from users are blocked at the firewall, which retrieves the URL's material from the internet; URLs are only accepted by the firewall if they are from the Web Appliance.
The Web Appliance receives new pages or files, caches them, and passes the page or file on to the users.
The users receive only safe and allowed pages and files or a notification page.
Note: If the Sophos ISA/TMG plug-in is installed, clients (users) are identified individually; otherwise, all traffic is identified as coming from one user: the ISA/TMG server.
Note: If the Sophos ISA/TMG plug-in is installed, and an Active Directory server is on the network side of the ISA/TMG server, then clients (users) can be seen as usernames; if the Active Directory server is not appropriately located, clients (users) appear only as IP addresses in reports and user activity logs. The ISA/TMG plug-in can be downloaded from the Configuration > Network > Hostname page.
The ISA/TMG plug-in is compatible with Microsoft ISA Server 2004 and 2006, and Microsoft Forefront TMG 2010.
Configuration
Important: The Web Appliance may not catch malware stored in the ISA/TMG server's cache. To avoid this risk, be sure to clear the ISA/TMG cache prior to enabling this network deployment.
Follow the configuration instructions for the Explicit Deployment scenario, but with the following differences:
Ensure that your ISA/TMG server is between the clients and your Web Appliance.
Ensure that your ISA/TMG server is configured to pass traffic through the Web Appliance if it is configured in an Explicit Deployment.
Ensure that your Active Directory server, if you are using one, is located on the network side, between your clients (users) and your ISA/TMG server. The ISA/TMG server must also be configured to allow communications between your Web Appliance and your Active Directory server.
Note: Web Appliance policy will be applied to users authenticated by the Active Directory server using the pre-Windows 2000 format DOMAIN\username only.
If the ISA/TMG plug-in is installed, enter the IP address of the downstream ISA/TMG server in the Accept authentication from downstream ISA/TMG servers section on the Configuration > Network > Hostname page.
Note: A simple way to set up load balancing amongst multiple Web Appliances is to set up a DNS round robin scheme. If you do this, you should disable DNS caching because Windows DNS caching can mask the round robin effect. To disable Windows DNS caching, see the Microsoft Support article http://support.microsoft.com/kb/318803. You must ensure that you have a firewall with network address translation (NAT), but not an ISA or TMG server in firewall mode, between the Web Appliances and the internet. This firewall must be configured to present a single IP for the Web Appliances to the sites on the internet. The NAT, or IP masquerading, prevents sites that check and record the IP address of visitors in cookies from encountering multiple IP addresses.
Note: Explaining how to configure an ISA/TMG Server is beyond the scope of this documentation. For details on ISA/TMG Server configuration, see the Microsoft ISA Server Deployment page or the Microsoft Forefront TMG Deployment page.
Related tasks
Existing Cache Deployment on page 35
Related information
Disabling Client-Side DNS Caching
Microsoft ISA Server Deployment
Microsoft Forefront TMG Deployment

2.3.2 Transparent Deployment

This deployment involves configuring the firewall or router to route all port 80 and port 443 traffic to the Web Appliance. In this mode, web traffic filtering is transparent to users. Unlike Explicit Deployment, you are not required to configure end user browsers.
Inspects HTTP and HTTPS traffic.
Only the firewall and/or the router requires configuration.
If it fails, only the firewall and/or the router must be reconfigured.
Operation
Users make HTTP/HTTPS requests from their clients that are sent out to the LAN.
The router receives all network traffic and bounces all HTTP/HTTPS requests to the Web Appliance.
The Web Appliance assesses URLs, blocks disallowed requests, checks if allowed URL requests are currently cached, and passes URL requests that are not cached out to the LAN.
The router passes all HTTP/HTTPS requests from the Web Appliance out through the firewall to retrieve the URLs from the internet.
The Web Appliance receives the new pages or files and caches them; it passes the pages or files of allowed requests back to the users.
The users receive only safe and allowed pages and files or a notification page.
Configuration
1. Connect the Web Appliance's LAN port to your organization's LAN.
2. In the Web Appliance's administrative web interface, on the Configuration > Network > Network Interface page, set the Deployment mode to Transparent.
3. Configure your router so that it redirects all port 80 traffic to port 80 and port 443 traffic to port 443 on the Web Appliance. In this case, the destination of each packet remains unaltered, but the packets are sent by the router to the Web Appliance.
Traffic on port 80 and 443 from the Web Appliance should be passed to the firewall. All other port traffic is passed as usual.
Note: With Active Directory enabled in Transparent mode, a Windows issue causes Internet Explorer to be repeatedly prompted for authentication. When deploying in Transparent mode, all workstations must be able to resolve the hostname of the Web Appliance into a FQDN (for instance http://ws1000 must resolve to http://ws1000.example.com). For more information, please see http://support.microsoft.com/kb/303650. Firefox users may need to type their password repeatedly unless browser settings are reconfigured.