					SonicWALL Content Security Manager
Integrated Solutions Guide

Document Scope
This solutions document describes how to deploy a SonicWALL Content Security Manager (CSM)
content filtering appliance along with the SonicWALL ADConnector software for Microsoft Active
Directory client integration into a new or existing network. The SonicWALL CSM solutions presented
in this document are based on actual customer deployments and are SonicWALL-recommended best
practices. These solutions were tested and verified in a lab environment.
This document contains the following sections:
 •   “SonicWALL Content Security Manager Overview”
      – “What’s New in CSM 2.5”
      – “What’s New in CSM 2.0”
      – “Introduction”
      – “User Policies and Client IP Dependencies”
      – “SonicWALL ADConnector”
 •   “SonicWALL CSM and SonicWALL ADConnector Configuration Tasklist”
      – “Installing the SonicWALL ADConnector Software”
      – “Setting Up the SonicWALL CSM to Communicate with Active Directory”
      – “Configuring the ADConnector”
      – “Adding Multiple CSM Devices”
      – “Removing CSM Appliances”
      – “Viewing ADConnector Attributes”
      – “Working with the Computer Object”
      – “Configuring Global Settings”
      – “Working with Multiple Domains”
      – “Removing Domains”
      – “Assigning Policies”
      – “Searching Policies”
      – “Viewing the Log”
 •   “SonicWALL CSM Policies”
      – “SonicWALL CSM Policy Inheritance”
 •   “SonicWALL CSM Deployment Solutions”
      – “Deployment Prerequisite: Set Up Active Directory”
      – “Solution #1: Configuring a Single Content Filtering Policy for All Users with Bypass”
      – “Solution #2: Creating Distinct Filtering Policies for Different User Groups”
      – “Solution #3: Creating Static Lists of Allowed Websites for Different User Groups”
 •   “SonicWALL CSM Advanced Deployment Solutions”
      – “Using the SonicWALL CSM with a Caching Proxy Server”
      – “Scenario 1 – Single Path Upstream Proxy Server”
      – “Scenario 2 – Dual Path Upstream Proxy Server”
      – “Scenario 3 – Single Path Downstream Proxy Server”
      – “Scenario 4 – Reiterative Path Upstream Proxy Server”
      – “Scenario 5 – SonicWALL CSM and SonicPoint Integration”
 •   “Deploying SonicWALL GMS for the SonicWALL CSM”
 •   “Troubleshooting the SonicWALL CSM and SonicWALL ADConnector”
 •   “Technical Frequently Asked Questions”
 •   “Glossary”
 •   “Related Documents”
 •   “Contributors”
 •   “Index”




    SonicWALL Content Security Manager Integrated Solutions Guide                      P/N: 232-000960-00, Rev. A




SonicWALL Content Security Manager Overview
                      This section provides an introduction to the SonicWALL ADConnector software. This section contains
                      the following subsections:
                       •   “What’s New in CSM 2.5”
                       •   “What’s New in CSM 2.0”
                       •   “Introduction”
                       •   “User Policies and Client IP Dependencies”
                       •   “SonicWALL ADConnector”


What’s New in CSM 2.5
                      The SonicWALL CSM series appliance is an appliance-based Internet filtering solution that integrates
                      real-time gateway anti-virus, anti-spyware and Internet filtering to deliver maximum network protection
                      from today’s sophisticated Internet threats. Combining dynamic threat management capabilities with
                      precise control over Internet usage in an affordable appliance-based solution, the SonicWALL CSM
                      series appliance boosts network security and employee productivity, optimizes network utilization and
                      mitigates legal liabilities. This unique solution integrates seamlessly into virtually any network topology
                      for powerful, scalable, and cost-effective threat protection.
                      New features in SonicWALL CSM 2.5 include:
                       •   Safe Search Enforcement - Safe Search Enforcement requires the strictest filtering on all searches
                           on search engines like Google and Yahoo that offer some form of safe-search filtering.
                           For example, Google's SafeSearch™ blocks web pages containing explicit sexual content from
                           appearing in search results. Google offers the following options:
                              – Use strict filtering (Filter both explicit text and explicit images)
                              – Use moderate filtering (Filter explicit images only - default behavior)
                              – Do not filter my search results.
                           When you enable Safe Search Enforcement on your SonicWALL Content Security Manager, all
                           search URLs sent to Google are rewritten to append the code to turn on strict filtering. Other
                           websites such as Yahoo have similar options, and the feature works similarly with them as well.
                       •   Intrusion Prevention Service - SonicWALL Intrusion Prevention Service performs
                           deep packet inspection to detect and block malicious attempts to break into your network.
                           SonicWALL IPS is designed to protect against application vulnerabilities as well as worms, Trojans,
                           and peer-to-peer, spyware and backdoor exploits. The extensible signature language used in
                           SonicWALL’s Deep Packet Inspection engine also provides proactive defense against newly
                           discovered application and protocol vulnerabilities.
                       •   Client Anti-Virus - SonicWALL Client Anti-Virus deploys a managed anti-virus client to every
                           Windows® host on your network. The clients are configured to update virus definitions
                           automatically. If a host has an out-of-date set of virus definitions, it is quarantined by the CSM until
                           it is updated.
                      For information on configuring these features, refer to the SonicOS CF 2.5 Administrator’s Guide. See
                      the “Related Documents” section on page 93 for more details.
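
                      The URL rewriting that Safe Search Enforcement describes can be sketched as follows. This is an
                      added example, not SonicWALL code: the rule table and function names are hypothetical, and the
                      query parameters (safe=active for Google, vm=r for Yahoo) are assumptions about the search
                      engines, not values taken from this guide.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed enforcement table (not from the guide):
# host suffix -> (search path prefix, safe-search parameter, strict value)
SAFE_SEARCH_RULES = {
    "google.com": ("/search", "safe", "active"),
    "search.yahoo.com": ("/search", "vm", "r"),
}


def _match_rule(host, path):
    """Return (parameter, strict value) if the URL is a search on a known engine."""
    host = host.lower().rstrip(".")
    for suffix, (prefix, param, value) in SAFE_SEARCH_RULES.items():
        # Exact host or a true subdomain only, so "notgoogle.com" does not match.
        on_engine = host == suffix or host.endswith("." + suffix)
        if on_engine and path.startswith(prefix):
            return param, value
    return None


def enforce_safe_search(url):
    """Rewrite a search URL so the strict-filtering parameter is always present."""
    parts = urlsplit(url)
    rule = _match_rule(parts.hostname or "", parts.path)
    if rule is None:
        return url  # not a search request: pass through untouched
    param, value = rule
    # Remove every client-supplied copy of the parameter (for example safe=off
    # or a repeated key) before appending the enforced value.
    query = [
        (key, val)
        for key, val in parse_qsl(parts.query, keep_blank_values=True)
        if key.lower() != param
    ]
    query.append((param, value))
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    # Constructed sample requests.
    for sample in (
        "http://www.google.com/search?q=test&safe=off",
        "http://search.yahoo.com/search?p=test",
        "http://www.sonicwall.com/",
    ):
        print(sample, "->", enforce_safe_search(sample))
```

                      Stripping the client's own copy of the parameter before appending matters: appending alone
                      leaves the outcome dependent on which duplicate the search engine honors.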








What’s New in CSM 2.0
                    New features in SonicWALL CSM 2.0.22 include:
                    ADConnector Log - Records information on users, hosts, bad IP addresses, and other events.
                    Policy Search - Enables administrators to search for policies and what groups, users, and computers they
                    are assigned to.
                    New features in CSM 2.0 include:
                    Real-Time Gateway Anti-Virus and Anti-Spyware Scanning - Scans a multitude of widely used ports
                    and protocols, including HTTP, SMTP, POP3, FTP, and NetBIOS, and delivers complete protection by
                    eliminating viruses, worms, Trojans, spyware, and other Internet threats at the gateway before they can
                    infect the network.
                    Powerful Internet Filtering - Provides granular, policy-based controls to manage access to
                    inappropriate, unproductive, and potentially illegal Web content.
                    Instant Messaging (IM), Peer-to-Peer (P2P), and Multimedia Controls - Improves network
                    performance, enhances security and protects against legal liabilities. IM/P2P Application Filters can
                    now be nested into policies and assigned to users, groups, computers, and hosts.
                    Granular Policy Control via Single Sign-On - Streamlines user authentication and the management of
                    access to network resources and online content.
                    Powerful Web-Based Reporting - Provides greater insight into network usage through custom reports
                    that can be viewed in multiple formats.
                    Seamless Integration Behind Virtually Any Network Firewall - Enables organizations to leverage the
                    existing network infrastructure without the need to purchase additional hardware.
                    High Availability - Ensures the network is always protected and productivity remains uninterrupted by
                    automatically failing over to a secondary SonicWALL CSM series appliance should the primary unit fail.


Introduction
                    The SonicWALL CSM series appliance is a standalone content filtering appliance designed for seamless
                    integration into any networking environment. This broad compatibility is achieved through the intelligent
                    bridging architecture of the SonicWALL CSM series appliance, which offers a potent combination of the
                    transparency typically associated with layer 2 devices, along with application-layer analysis and control
                    provided by SonicWALL’s stateful and deep packet inspection engines associated with layer 3 devices.
                    While this architecture allows for drop-in integration, as well as single sign-on (SSO) capabilities
                    provided by the SonicWALL ADConnector, the architecture differs from many legacy content filtering
                    devices in that it is not a sockets-based proxy. A socket proxy acts as an intervening agent for client
                    connections; the client opens a socket (for example, makes a connection) to the proxy, and the proxy
                    then makes a connection on behalf of the client to the destination server to retrieve the content. This
                    man-in-the-middle approach affords the socket proxy the ability to have traffic directed to it explicitly
                    so that it may operate in a one-armed mode (rather than strictly inline), and it also allows it to perform
                    RFC 2617 HTTP Authentication. Although the architecture of the SonicWALL CSM series appliance
                    does not provide these capabilities, its bump-in-the-wire design is substantially simpler to deploy, and
                    the SonicWALL CSM series appliance can easily be used in conjunction with socket-based solutions,
                    such as caching proxy servers.








                     Figure 1   Cabling a SonicWALL CSM series appliance








User Policies and Client IP Dependencies
                   One of the key features of the SonicWALL CSM series appliance is its ability to apply per-user or
                   per-group policies for all users whose HTTP traffic passes through it. To provide such fine controls, the
                   SonicWALL CSM series appliance must be able to uniquely identify every user. Rather than requiring
                   every user to manually authenticate, the SonicWALL CSM series appliance employs an SSO
                   mechanism, where SSO refers to the automated reuse of user credentials across multiple authentication
                   checkpoints. Since most users today begin their computing sessions by logging on to a Microsoft
                   Windows Active Directory (MSAD) domain, the ability to reuse these MSAD credentials is a significant
                   convenience to users in environments where subsequent user identification is required.

                   Deployment Restrictions
                   As described in the SonicWALL ADConnector section, it is essential that the SonicWALL CSM series
                   appliance be able to correlate a user to a unique IP address for SSO to function correctly. Deployments
                   that prevent this one-to-one correlation preclude the use of per-user or per-group policies. The most
                   common disruptive conditions include:
                       •   A sockets-based proxy server placed between the clients and the SonicWALL CSM series appliance.
                           Sockets-based proxy servers present their own IP address rather than the IP address of the original
                           client to the SonicWALL CSM series appliance, preventing the SonicWALL CSM series appliance
                           from tracking users by their unique IP addresses.
                       •   A network address translation (NAT) device placed between the clients and the SonicWALL CSM
                           series appliance. NAT devices generally translate the original client IP address to some other
                           non-unique or uncorrelated value.
                       •   A multi-user or thin-client environment, such as Citrix or Microsoft Terminal Server. Multi-user
                           servers present a single IP address for all of the virtual client sessions they host, preventing the
                           correlation of a unique IP address to a human user. Sockets-based proxy or content filter devices
                           sometimes work around this issue by implementing HTTP authentication, typically in the form of
                           either Basic or NTLM authentication. The SonicWALL CSM series appliance generally correlates
                           all traffic coming from the terminal server to the last user who logged on.


SonicWALL Gateway Anti-Virus, Anti-Spyware
                   •       Integrated Deep Packet Inspection Technology - SonicWALL Gateway Anti-Virus and
                           Anti-Spyware Service features a configurable, high-performance Deep Packet Inspection
                           architecture that uses parallel searching algorithms up through the application layer to deliver
                           complete application layer, Web and e-mail attack prevention. Parallel processing reduces the
                           impact on the processor and maximizes available memory for exceptional performance on
                           SonicWALL appliances.
                   •       Spyware Protection - SonicWALL Gateway Anti-Virus and Anti-Spyware Service prevents
                           malicious spyware from infecting networks by blocking spyware installations at the gateway
                           and disrupts background communications from existing spyware programs that transmit
                           confidential data.
                   •       Real-Time AV Gateway Scanning - SonicWALL Gateway Anti-Virus and Anti-Spyware
                           Service delivers intelligent file-based virus and malicious code prevention by scanning in
                           real-time for decompressed and compressed files containing viruses, Trojans, worms and other
                           Internet threats over the corporate network.
                   •       Scalability and Performance - SonicWALL Gateway Anti-Virus and Anti-Spyware Service
                           utilizes a per-packet scanning engine, allowing the SonicWALL unified threat management
                           solution to handle unlimited file size and virtually unlimited concurrent downloads.







                      •   Day Zero Protection - SonicWALL Gateway Anti-Virus and Anti-Spyware Service ensures fast
                          time-to-protection by employing a dynamically updated database of signatures created by a
                          combination of SonicWALL’s SonicAlert Team and third-party sources.
                      •   Extensive Signature List - SonicWALL Gateway Anti-Virus and Anti-Spyware Service utilizes
                          an extensive database of thousands of attack and vulnerability signatures written to detect and
                          prevent intrusions, viruses, spyware, worms, Trojans, application exploits, and malicious
                          applications.
                      •   Distributed Enforcement Architecture - SonicWALL Gateway Anti-Virus and Anti-Spyware
                          Service utilizes a distributed enforcement architecture to deliver automated signature updates,
                          providing real-time protection from emerging threats and lowering total cost of ownership.
                      •   Inter-zone Protection - SonicWALL Gateway Anti-Virus and Anti-Spyware Service provides
                          application layer attack protection against malicious code and other threats originating from the
                          Internet or from internal sources. Administrators have the ability to enforce anti-virus scanning
                          not only between each network zone and the Internet, but also between internal network zones
                          for added security (Requires SonicOS Enhanced).
                      •   Advanced File Decompression Technology - SonicWALL Gateway Anti-Virus and
                          Anti-Spyware Service includes advanced decompression technology that can automatically
                          decompress and scan files on a per packet basis to search for viruses, Trojans, worms and
                          malware. Supported compression formats include: ZIP, Deflate and GZIP.
                      •   File-Based Scanning Protocol Support - SonicWALL Gateway Anti-Virus and Anti-Spyware
                          Service delivers protection for high threat viruses and malware by inspecting the most common
                          protocols used in today’s networked environments, including SMTP, POP3, IMAP, HTTP, FTP,
                          NETBIOS, instant messaging and peer-to-peer applications, and dozens of other
                          stream-based protocols. This closes potential backdoors that can be used to compromise the
                          network while also improving employee productivity and conserving Internet bandwidth.
                      •   Application Control - SonicWALL GAV/IPS provides the ability to prevent instant messaging
                          and peer-to-peer file sharing programs from operating through the firewall, closing a potential
                          back door that can be used to compromise the network while also improving employee
                          productivity and conserving Internet bandwidth.
                      •   Simplified Deployment and Management - SonicWALL Gateway Anti-Virus and
                          Anti-Spyware Service allows network administrators to create global policies between security
                          zones and group attacks by priority, simplifying deployment and management across a
                          distributed network.
                      •   Granular Management - SonicWALL Gateway Anti-Virus and Anti-Spyware Service provides
                          an intuitive user interface and granular policy tools, allowing network administrators to
                          configure a custom set of detection or prevention policies for their specific network environment
                          and reduce the number of false positives while identifying immediate threats.
                      •   Logging and Reporting - SonicWALL Gateway Anti-Virus and Anti-Spyware Service offers
                          comprehensive logging of all intrusion attempts with the ability to filter logs based on priority
                          level, enabling administrators to highlight high priority attacks. Granular reporting based on
                          attack source, destination and type of intrusion is available through SonicWALL ViewPoint and
                          Global Management System.


SonicWALL Gateway Anti-Virus Overview
                      SonicWALL GAV delivers real-time virus protection directly on the SonicWALL security appliance
                      by using SonicWALL’s IPS-Deep Packet Inspection v2.0 engine to inspect all traffic that traverses
                      the SonicWALL gateway. Building on SonicWALL’s reassembly-free architecture, SonicWALL
                      GAV inspects multiple application protocols, as well as generic TCP streams, and compressed
                      traffic. Because SonicWALL GAV does not have to perform reassembly, there are no file-size
                  limitations imposed by the scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77)
                  decompression are also performed on a single-pass, per-packet basis.

                  SonicWALL GAV delivers threat protection directly on the SonicWALL security appliance by
                  matching downloaded or e-mailed files against an extensive and dynamically updated database of
                  threat virus signatures. Virus attacks are caught and suppressed before they travel to desktops.
                  New signatures are created and added to the database by a combination of SonicWALL’s
                  SonicAlert Team, third-party virus analysts, open source developers and other sources.

                  SonicWALL GAV can be configured to protect against internal threats as well as those originating
                  outside the network. It operates over a multitude of protocols including SMTP, POP3, IMAP,
                  HTTP, FTP, NetBIOS, instant messaging and peer-to-peer applications and dozens of other
                  stream-based protocols, to provide administrators with comprehensive network threat prevention
                  and control. Because files containing malicious code and viruses can also be compressed and
                  therefore inaccessible to conventional anti-virus solutions, SonicWALL GAV integrates advanced
                  decompression technology that automatically decompresses and scans files on a per packet
                  basis.





SonicWALL ADConnector
                     The SonicWALL CSM series appliance achieves transparent, automated SSO integration by means of
                     the SonicWALL ADConnector software, an installable agent that runs as a service on a Microsoft Win32
                     workstation or server that is either a domain member or domain controller for the target (authenticating)
                     domain.
                     As illustrated in Figure 2, the SonicWALL CSM series appliance must see the request as coming from
                     the client’s actual IP address so that it may pass it to the SonicWALL ADConnector for enumeration. If
                     the enumeration attempt fails, the default policy (rather than the specific user or group policy) will be
                     applied to the request.
                     The following example details the sequence of events that occurs when a CSM series appliance attempts
                     to resolve an IP address to a corresponding user name. The example assumes the following:
                      •   A workstation with an IP address of 10.0.0.11
                      •   A default gateway of 10.0.0.1
                      •   The workstation requests content (such as http://www.sonicwall.com) through the SonicWALL
                          CSM series appliance
                      •   The user logged on to the workstation is a member of the local AD domain
                      •   The user has logged on with username user1
                      •   The user is a member of the Sales group

                     Figure 2     SonicWALL CSM Series appliance Automated SSO Integration








                  1.   The SonicWALL CSM series appliance detects the request, and queries the SonicWALL
                       ADConnector (residing on domain member server 10.1.1.5) for the username corresponding to the
                       IP address 10.0.0.10.
                  2.   Since the SonicWALL ADConnector caches information to speed responses to queries, it first
                       checks its cache to see if it has previously resolved this IP address to the corresponding username.
                       a. If the cache contains the information, move to step 4.
                       b. If the cache does not contain the information (for example, this is the first request from IP address
                           10.0.0.10) the SonicWALL ADConnector uses the Microsoft .Net framework to issue a
                           NetWkstaUserEnum Lib call from netapi32.dll to 10.0.0.10 to determine the username logged
                           on to the current session. This function call is complete in its result, returning all logon
                           information for local, terminal service, impersonated users, and interactive logons.
                  3.   Upon receiving the logged on username information (user1), the SonicWALL ADConnector checks
                       its cache again to see if it has the applicable policy associated with the username user1.
                       a. If the cache contains the information, move to step 7.
                       b. If the cache does not contain the information, the SonicWALL ADConnector issues an LDAP
                           query to the AD Server (10.1.1.10) to retrieve the correct attribute information for the user, as
                           well as group membership (memberOf) information, and relevant group attribute information.
                  4.   The Active Directory server returns the response to the LDAP query. This includes the pertinent
                       attribute information for the user, the memberOf (group) information for the user, and the pertinent
                       attribute information for the group.
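
                  The lookup sequence above, together with the shared-IP conditions listed under Deployment
                  Restrictions, can be modeled as follows. This is an added example, not ADConnector code: the class,
                  function, and policy names are hypothetical, the logon and directory data are constructed, the two
                  stand-in methods replace the workstation enumeration call and the LDAP query, and the precedence of
                  a user attribute over a group attribute is an assumption.

```python
"""Model of the IP -> username -> policy lookup performed for SSO (added example)."""

DEFAULT_POLICY = "Default"  # hypothetical policy name

# Constructed logon data: client IP -> usernames in logon order.
SESSIONS = {
    "10.0.0.11": ["user1"],           # single-user workstation
    "10.0.0.50": ["user2", "user3"],  # terminal server: two users behind one IP
}

# Constructed directory: per-user policy attribute and group membership (memberOf).
DIRECTORY = {
    "user1": {"policy": None, "memberOf": ["Sales"]},
    "user2": {"policy": None, "memberOf": ["Engineering"]},
    "user3": {"policy": "Restricted", "memberOf": ["Sales"]},
}
GROUP_POLICY = {"Sales": "SalesPolicy", "Engineering": "EngineeringPolicy"}


class SsoResolver:
    def __init__(self, sessions, directory, group_policy):
        self.sessions = sessions
        self.directory = directory
        self.group_policy = group_policy
        self.ip_cache = {}      # IP address -> username
        self.policy_cache = {}  # username -> policy
        self.enum_calls = 0     # counters make the effect of caching visible
        self.ldap_calls = 0

    def _enumerate_user(self, ip):
        """Stand-in for the enumeration call to the client; None means it failed."""
        self.enum_calls += 1
        users = self.sessions.get(ip)
        # One IP can map to only one name, so the most recent logon wins.
        return users[-1] if users else None

    def _ldap_policy(self, username):
        """Stand-in for the LDAP query: user attribute first, then group attributes."""
        self.ldap_calls += 1
        entry = self.directory.get(username)
        if entry is None:
            return None
        if entry["policy"]:
            return entry["policy"]
        for group in entry["memberOf"]:
            if group in self.group_policy:
                return self.group_policy[group]
        return None

    def policy_for(self, ip):
        """Resolve the policy applied to a request from this client IP."""
        username = self.ip_cache.get(ip)
        if username is None:
            username = self._enumerate_user(ip)
            if username is None:
                return DEFAULT_POLICY  # enumeration failed: default policy applies
            self.ip_cache[ip] = username
        if username not in self.policy_cache:
            self.policy_cache[username] = self._ldap_policy(username) or DEFAULT_POLICY
        return self.policy_cache[username]


def ambiguous_ips(sessions):
    """IPs with more than one logged-on user, where per-user policy is unreliable."""
    return sorted(ip for ip, users in sessions.items() if len(set(users)) > 1)


if __name__ == "__main__":
    resolver = SsoResolver(SESSIONS, DIRECTORY, GROUP_POLICY)
    for ip in ("10.0.0.11", "10.0.0.11", "10.0.0.50", "10.0.0.99"):
        print(ip, "->", resolver.policy_for(ip))
    print("shared IPs:", ambiguous_ips(SESSIONS))
```

                  In this model every request from 10.0.0.50 receives user3's policy, including user2's traffic,
                  which is the misattribution the terminal server restriction warns about.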








SonicWALL CSM and SonicWALL ADConnector
Configuration Tasklist
                      This section contains the following subsections:
                       •   “ADConnector Overview”
                       •   “Installing the SonicWALL ADConnector Software”
                       •   “Setting Up the SonicWALL CSM to Communicate with Active Directory”


ADConnector Overview
                      The CSM achieves transparent, automated Single-Sign-On (SSO) integration by means of the
                      ADConnector, an installable agent that runs as a service on a Microsoft Win32 workstation or server that
                      is either a domain member or domain controller for the target (authenticating) domain.


Installing the SonicWALL ADConnector Software
                      When installing the ADConnector software, you need to establish it as an Administrator equivalent. To
                      install the SonicWALL ADConnector software, perform the following steps:


            Step 1    If you have a previously installed version of the ADConnector, uninstall it prior to the installation of the
                      new version.
            Step 2    Download and install the SonicWALL ADConnector software. This file can be downloaded from the
                      http://www.mysonicwall.com site. If prompted to install the Microsoft .NET 1.1 Framework, click Yes.
                      After installing the Microsoft .NET Framework the computer will restart. After the restart is complete,
                      setup will continue automatically.
            Step 3    Double-click the SonicWALL ADConnector icon.
                      The installation script displays the InstallShield Wizard Welcome screen.

                      Figure 3     ADConnector - InstallShield Wizard Home Screen








        Step 4   Click Next.
                 The installation script displays the License Agreement screen.
        Step 5   Click the radio button for “I accept the terms in the License Agreement” and click Next.
                 The installation script displays the Customer Information screen.

                 Figure 4     ADConnector Customer Information Screen




        Step 6   Type a user name and organization name in the fields.
        Step 7   In the Install this application for region, click on the radio button that determines the level of
                 restrictiveness you want for the access to the application.
                       – Anyone who uses this computer (all users)
                       – Only for me
        Step 8   Click Next. The installation script displays the Destination Folder screen.

                 Figure 5     ADConnector Destination Folder








           Step 9    Review the default path of the folder in which the program will be stored. The default is
                     C:\Program Files\SonicWALL\ADConnector\. If you want the program to be loaded somewhere else, click
                     Change and browse to the location. Click Next.
                     The installation script displays the Ready to Install the Program screen.
           Step 10 Click Install. The installation script displays the ADConnector Configuration screen.


                     Figure 6    ADConnector Configuration Screen.




           Step 11 Make sure the IP address 192.168.168.168 appears in the CSM Appliance IP field. If the CSM series
                     appliance address has been changed from its default, make sure the field shows the address
                     currently assigned to the appliance. Type it in if it is not there.
           Step 12 Type the system port number of the CSM series appliance in the CSM Appliance Port field. This is the
                     port over which the ADConnector and CSM communicate.
           Step 13 Type the assigned 16-character key value in the Shared Key field and click Next.
           Step 14 Click Next.


                     Figure 7    ADConnector Configuration Screen.








          Step 15 The installation script displays the ADConnector User Configuration screen. Enter the username,
                   password, and domain name for the administrator account and click Next. If you do not want to enter
                   this information now, you can click on the Skip button.
          Step 16 The installation script installs the ADConnector.



Post-Installation Tasks
                   Once you have completed the installation, you are now ready to enter the ADConnector Configuration
                   environment.


          Step 1   After the installation has successfully completed, open the SonicWALL ADConnector Configuration
                   Tool (Start > Programs > SonicWALL > SonicWALL ADConnector > ADConnector Configuration
                   Tool), as illustrated in Figure 8.

                   Figure 8     SonicWALL ADConnector Configuration Tool








           Step 2    Expand the Domains directory. A dialog box like the one below will appear prompting you to select
                     Active Directory attributes in which to store SonicWALL CSM Group and User policies. Click OK to
                     continue.

                     Figure 9     ADConnector Attributes Message




           Step 3    A dialog box appears allowing you to select which attributes to use for storing Group, User and
                     Computer Policies. The exact attributes you choose are not important so long as they are not being
                     currently used. Select three attributes that are currently unused in your environment, then click OK to
                     continue.








                  Figure 10    ADConnector Attribute Selection Dialog Box




                  If the Add Policy dialog box (as illustrated below) appears prompting you to add a policy, click Cancel
                  at this time.

                  Figure 11    ADConnector Add Policy Dialog Box




Setting Up the SonicWALL CSM to Communicate with Active
Directory
                  To set up the SonicWALL CSM series appliance to communicate with Active Directory, perform the
                  following steps:






           Step 1    Navigate to the Users > Settings page in the SonicWALL CSM series appliance management GUI and
                     select the Use Directory Services Connector radio button under the Authentication Method section.
                     Click Apply to save your changes, as illustrated in Figure 12.

                     Figure 12   Users > Settings > Authentication Method








        Step 2   Click the Configure button. In the ADConnector Configuration window, enter the following
                 information:
                  •   IP Address: The IP address of the machine running the SonicWALL ADConnector
                  •   Port Number: The value you entered when prompted during the installation of the SonicWALL
                      ADConnector software (default 2258)
                  •   Shared Secret: The value you entered when prompted during the installation of the SonicWALL
                      ADConnector software




        Step 3   Click Ok and return to the Configure screen.
        Step 4   Click the Check button. A successful configuration to communicate with the SonicWALL ADConnector
                 will be confirmed with a popup status window.








Configuring the ADConnector
                      When you configure the AD Connector, you need to perform the following tasks:
                       •   “Adding Multiple CSM Devices”
                       •   “Removing CSM Appliances”
                       •   “Viewing ADConnector Attributes”
                       •   “Working with the Computer Object”
                       •   “Configuring Global Settings”
                       •   “Working with Multiple Domains”
                       •   “Assigning Policies”
                       •   “Searching Policies”
                       •   “Viewing the Log”


Adding Multiple CSM Devices
                      This procedure allows for additional CSM devices to be defined to support multi-CSM environments
                      with a single ADConnector. To configure your CSMs, perform the following steps:


            Step 1    Click the SonicWALL ADConnector Configuration Tool option in the navigation pane.
                      ADConnector highlights the option.

                      Figure 13    ADConnector Configuration Tool




            Step 2    Right click on the SonicWALL ADConnector Configuration Tool option.
                      ADConnector displays a popup menu as shown in the following figure.








                 Figure 14      ADConnector Configuration Tool Popup Window.




        Step 3   Click the Add New CSM Appliance option.
                 ADConnector displays the Add New CSM Appliance dialog box as shown in the following figure.

                 Figure 15      Add New CSM Appliance Dialog Box




        Step 4   Enter values for the following fields in the Add New CSM Appliance dialog box.

                  Field                             Description
                  CSM Appliance IP                  Indicates the IP address that uniquely identifies the CSM appliance.
                  CSM Appliance Port                Indicates the system port number used by the CSM appliance.
                  Friendly Name                     Indicates the string that has been correlated with the appliance
                                                    address by which you can identify the appliance.
                  Shared Key                        Indicates the key used to encrypt communications between the CSM
                                                    and the ADConnector. The Shared key can be either generated or
                                                    user defined.
                  Policy File                       The explicit pathname for the policy file that sets conditions for
                                                    permitting and denying packets into and out of the CSM appliance.


        Step 5   The second CSM will appear in the list of SonicWALL appliances.








                     Figure 16   Second CSM Successfully Added




           Step 6    Add any other CSM appliances as you just added the previous device.
           Step 7    Click Ok.


Removing CSM Appliances
                     To remove a CSM appliance, perform the following steps.


           Step 1    Select the CSM appliance from the list in the ADConnector Configuration Tool.
           Step 2    Right click on it and select the Remove CSM appliance option.

                     Figure 17   Remove CSM Appliance




           Step 3    Click Yes on the confirmation window that displays. The CSM appliance is removed.








Viewing ADConnector Attributes
                  Now that you have added your CSM series appliances, you can view the attributes. Attributes are the
                  unused optional attributes within the ADConnector that are selected to store the policy information
                  assigned to users, groups, and computers. To view attributes of your CSM series appliances, perform the
                  following steps.


         Step 1   Click the SonicWALL ADConnector Configuration Tool option in the navigation pane.
                  ADConnector highlights the option. Click on the plus (+) icon to the left of the SonicWALL
                  ADConnector Configuration Tool option.
                  ADConnector displays two options:
                        – SonicWALL CSM Appliances
                        – Domains
         Step 2   Click on the plus (+) icon to the left of the SonicWALL CSM Appliances option.
                  ADConnector displays the appliance IP address 192.168.168.168.

                  Figure 18    ADConnector Configuration Tool CSM Appliance IP Address




         Step 3   Right click on the appliance address entry 192.168.168.168.
                  ADConnector displays the status line of the appliance address.








                     Figure 19    ADConnector CSM Appliance Status Columns




                         Note the status columns that appear in the appliance list:

                     Field                              Description
                     Default                            Indicates the administrative status of the device. It can be either Yes
                                                        or No.
                     Friendly Name                      Indicates the string that has been correlated with the appliance
                                                        address by which you can identify the appliance.
                     IP                                 Indicates the IP address of the appliance.
                     Port                               Indicates the system port number used by the appliance.
                     Shared Key                         Indicates the key used by the appliance to create access by
                                                        users. The key is a sixteen-digit value that uses the Hexadecimal
                                                        value system.


           Step 4    Right click the appliance entry in the appliance list and click Properties.
                     ADConnector displays the CSM Appliance dialog box.








                 Figure 20      AD Connector CSM Appliance Configuration Dialog Box




        Step 5   Fill in the fields as shown in the following table.

                  Field                              Description
                  CSM Appliance IP                   The IP address of the appliance
                  CSM Appliance Port                 The port number of the appliance.
                  Friendly Name                      The string correlated with the IP address of the appliance that identifies it.
                  Shared Key                         A generated value that enables a user to access the appliance.
                  Policy File                        The path where the policy file can be found.


        Step 6   Click the CSM Policies tab.
                 ADConnector associates policies with CSM series appliance devices. ADConnector displays either the
                 default policy for the CSM series appliance you selected or a list of policies for the CSM 2000 appliance.
                 If you have not synchronized to an appliance properly, ADConnector will display the following message:
                            The Policy list is not available. Please check if the ADConnector service is
                            running and has been configured correctly to communicate with your CSM appliance.
                 If you have synchronized to an appliance properly, ADConnector displays the CSM Policies dialog box
                 that may appear in a similar fashion to the following figure.








                      When you first configure the CSM, it provides a default policy. A policy is an object that contains criteria
                      to block certain categories of internet locations. You can add policies to provide better control over the
                      Internet access of the specific CSM device. At a minimum, you will simply have the Default policy
                      (called DEFAULT) associated with the CSM series appliance. If you see only the DEFAULT policy
                      name, it indicates that your network administrator did not set up ADConnector policies for this CSM
                      series appliance.
            Step 7    Click Ok.


Working with the Computer Object
                      When using the ADConnector, you can store information about users and computers in an object. A
                      computer is a single device on the network. You can apply rules to computers in the same way that you
                      apply rules to users. The ADConnector tracks computers by MAC addresses. A user is a person’s login
                      account on the network. A user can log into anything connected to the network. A domain is a network
                      space that is used to apply rules to groups of computers and/or users.


Configuring Global Settings
                      To configure your CSMs, perform the following steps:


            Step 1    Click the SonicWALL AD Connector Configuration Tool option in the navigation pane.
            Step 2    Right click on the SonicWALL CSM Appliance option and click Properties.
                      ADConnector displays the Configuration Editor dialog box as shown in the following figure.

                      Figure 21    ADConnector Configuration Editor Dialog Box








          Step 3   View the following read-only fields that are necessary for the ADConnector to transfer information to
                   the Domain Controller about users and user names. These fields are necessary for the ADConnector to
                   talk to the Domain Controller.

                    Field                             Description
                    ComputerPolicyAttribute           A policy that provides values for settings for the computer associated with this
                                                      configuration.
                    GroupPolicyAttribute              A policy that provides values for settings for the group associated with this
                                                      configuration.
                    UserPolicyAttribute               A policy that provides values for settings for the user associated with this
                                                      configuration.


          Step 4   Set the priority levels for logs to this device in the Logging Level listbox where 0 is the lowest level of
                   priority and 2 is the highest. These levels apply to application logging. The logging levels enable a more
                   or less restrictive approach to the amount of logs you want displayed. 0 displays the least amount, only
                   critical severity logs; 1 displays the second least amount, critical and significant severity logs, and 2
                   displays all logs, using the debug level of severity.
          Step 5   Set the amount of time the device takes to reapply a policy in the Policy Refresh Time field. This
                   indicates how long the ADConnector checks for new policies after you have added them. The range can
                   be from 0 to 300 seconds.
          Step 6   Set the path of where you want the Policy Configuration File to reside. The Policy Configuration File
                   contains the policies associated with the device. The default is C:\Program
                   Files\SonicWALL\ADConnector\PolicyList.xml.
          Step 7   Click Ok.


Working with Multiple Domains
                   In the 1.0 version of CSM, you could only have one domain in your AD Connector environment. Now
                   you can add multiple domains. A domain is an area on the network that contains Users, Groups, and
                   Computers. The advantage to working with multiple domains is that it enables you to apply the benefits
                   of the CSM series appliance to all of your domains. Multiple domains enable you to:
                    •   Create a set of separate network domains, even if they don’t share the same network and even
                        if they are located on the same site. This can be helpful if you want to separate a department
                        into a secure area protected from the rest of the network.
                    •   Partition your network into logical units to help organize your network when you
                        have a large number of nodes.
                    •   Match the organization of your network to the organization of your company.
                    •   Deploy the same policies across different domains, providing ease and convenience.


Understanding Trust Relationship Requirements
                   You need to define a trust relationship between the different domains that you want to manage. It can
                   be established using the Windows Active Directory management tools. The basic user under which you
                   are running must have read-write permissions to access these trusted domains.
                   A trust relationship is a description of the user access between two domains, consisting of a one way
                   or a two way trust. Terms:








                       •   One way trust - When one domain allows access to users on another domain, but the other domain
                           does not allow access to users on the first domain.
                       •   Two way trust - When two domains allow access to users on the other domain.
                       •   Trusting domain - The domain that allows access to users on another domain.
                       •   Trusted domain - The domain that is trusted, whose users have access to the trusting domain.
                       •   Transitive trust - A trust which can extend beyond two domains to other trusted domains in the tree.
                       •   Intransitive trust - A one way trust that does not extend beyond two domains.
                       •   Explicit trust - A trust that an administrator creates. It is not transitive and is one way only.
                       •   Cross-link trust - An explicit trust between domains in different trees or in the same tree when a
                           descendent/ancestor (child/parent) relationship does not exist between the two domains.
                      Windows 2000 only supports the following types of trusts:
                              – Two way transitive trusts
                              – One way non-transitive trusts.
                      This means the two way non transitive trust supported by Windows NT is no longer supported. The way
                      to deal with this is to create two one way trusts in Windows 2000.
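
The trust terms above, worked through as an added example (not part of the original guide or of SonicWALL's software): it computes which domains the users of each domain can access, following chains only through transitive trusts. The domain names and the trust list are constructed sample data.

```python
from collections import deque
from typing import NamedTuple


class Trust(NamedTuple):
    trusting: str     # domain that allows access
    trusted: str      # domain whose users are given that access
    transitive: bool  # True: the trust extends along chains of transitive trusts


def two_way_transitive(a, b):
    """A two way transitive trust, modelled as two one way transitive edges."""
    return [Trust(a, b, True), Trust(b, a, True)]


def one_way(trusting, trusted):
    """A one way non-transitive (explicit) trust."""
    return [Trust(trusting, trusted, False)]


def accessible_domains(trusts, home):
    """Return the domains that users of `home` can access.

    A domain is accessible when it trusts `home` directly (any trust type),
    or through a chain in which every link is a transitive trust.
    """
    transitive_by_trusted = {}
    direct = set()
    for t in trusts:
        if t.transitive:
            transitive_by_trusted.setdefault(t.trusted, set()).add(t.trusting)
        elif t.trusted == home:
            direct.add(t.trusting)  # non-transitive: counts for `home` only

    reachable = set()
    queue = deque([home])
    while queue:
        current = queue.popleft()
        for nxt in transitive_by_trusted.get(current, ()):
            if nxt != home and nxt not in reachable:
                reachable.add(nxt)
                queue.append(nxt)
    return (reachable | direct) - {home}


def access_matrix(trusts):
    """Map every domain to the sorted list of domains its users can access."""
    domains = sorted({d for t in trusts for d in (t.trusting, t.trusted)})
    return {d: sorted(accessible_domains(trusts, d)) for d in domains}


# Constructed sample: one parent domain with two children, one partner
# domain trusted one way, and a pair of one way trusts standing in for a
# two way non-transitive trust.
TRUSTS = (
    two_way_transitive("corp.example", "eng.corp.example")
    + two_way_transitive("corp.example", "sales.corp.example")
    + one_way("corp.example", "partner.example")       # corp trusts partner
    + one_way("sales.corp.example", "legacy.example")  # two one way trusts
    + one_way("legacy.example", "sales.corp.example")  # between sales and legacy
)

if __name__ == "__main__":
    for domain, targets in access_matrix(TRUSTS).items():
        print(f"users of {domain} can access: {', '.join(targets) or '(none)'}")
```

Reviewing this matrix before adding a domain to the ADConnector shows which accounts gain access through a trust and where a non-transitive trust stops the chain.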


Adding Multiple Domains

             Note     Depending on the number of objects in the domain you are adding, and speed of the network
                      connection to the domain controller, it might take a few minutes to enumerate and display the
                      domain.

                      To add a new domain, perform the following tasks:


            Step 1    Click the SonicWALL ADConnector Configuration Tool option in the navigation pane.
            Step 2    In the entity list, right click on Domains.
                      ADConnector displays a popup window.
            Step 3    Click on the option Add New Domain.

                      Figure 22      ADConnector Add New Domain Option




            Step 4    ADConnector displays the Add New Domain dialog box.







                  Figure 23    ADConnector Add New Domain Dialog Box




         Step 5   Type a string in the Domain field.
         Step 6   Click the Test Connection button to determine whether the domain you selected is connected.
         Step 7   Click Ok to save your new domain.


Removing Domains
                  To remove a domain, perform the following steps.


         Step 1   Select the domain from the list in the ADConnector Configuration Tool.
         Step 2   Right click on it and select the Remove domain option.

                  Figure 24    Remove Domain




         Step 3   Click Yes on the confirmation window that displays. The domain is removed.








Assigning Policies
                      You can assign policies to user, computer, and group objects, using the ADConnector Configuration
                      Tool. The following priorities exist for policy assignment:

                      Priority Level                     Description
                      Highest Priority                   Policy assigned to a computer object.
                      Medium Priority                    Policy assigned to a user object.
                      Low Priority                       Policy assigned to a group object.


                      The following sections describe how to assign policies using the ADConnector Configuration Tool:
                       •   “Assigning a Policy to a User”
                       •   “Assigning a Policy to a Computer”
                       •   “Assigning a Policy to a Group”
                       •   “Assigning a Policy to a Host”


Assigning a Policy to a User
                      A policy is a set of rules configured on the CSM that defines access to various resources, applications,
                      and classes of content. The CSM includes 12 pre-configured policies (denoted by an asterisk prefix) and
                      also allows for custom policies to be added. To be effective, these policies must be assigned to either
                      Users, Groups, or Computers through the ADConnector, or to Hosts through the CSM management
                      interface. The following procedure illustrates how to assign a policy to a User.


            Step 1    Click on the SonicWALL ADConnector Configuration Tool entry.
            Step 2    Click on the Domains option.
            Step 3    Click on the Plus icon (+) to the left of the Users option.
                      ADConnector displays the user list.








                 Figure 25    ADConnector Users Screen




        Step 4   Right click on a user, in this example, Aaron Alesis.
                 ADConnector displays a popup window as shown in the following figure.

                 Figure 26    ADConnector Add Policy Option




        Step 5   Click Add Policy.
                 ADConnector displays the Add Policy dialog box.








                      Figure 27     ADConnector Add Policy Dialog Box




            Step 6    Click on the Select Policy listbox and click on a policy. You have now added a policy to the user Aaron
                      Alesis.
            Step 7    Click Ok.


Assigning a Policy to a Computer
                      Assigning a policy to a computer allows an administrator to associate a policy with a particular
                      workstation or server within the domain. The computer policy takes precedence over everything. For
                      example:
                       •   In Active Directory, user A is a member of the Engineering group.
                       •   In ADConnector
                              – User A is assigned Policy1
                              – Engineering Group is assigned Policy2
                              – FastWorkstation is assigned Policy3
                      Using the above set of conditions, user A logs onto the computer named FastWorkstation. Policy3 will
                      be applied.
                      A computer is a device owned by a particular user in the network. The device can take a friendly name,
                      for example, Dans_Computer, or it can simply be an IP address. To access an area where you can view
                      all computers mapped to your system, perform the following steps:


            Step 1    Click the SonicWALL ADConnector Configuration Tool option in the navigation pane.
            Step 2    Click the plus (+) sign to the left of the Domains option.
                      ADConnector displays your domain.
            Step 3    Click the plus (+) sign to the left of the sv directory.
                      ADConnector displays three options: Users, Groups, and Computers.
            Step 4    Click the plus (+) sign to the left of the Computers option.
                      ADConnector displays all the computers in your network as shown in the following figure.








                   Figure 28    ADConnector Computer List




          Step 5   Click on the plus sign (+) to the left of the Users option to display all users.
          Step 6   Right click on the desired computer.
                   ADConnector displays a popup menu.
          Step 7   Click on the Add Policy option.
                   ADConnector displays the Add Policy dialog box.
          Step 8   Click on a policy in the Select Policy list box to add the policy to the user.
          Step 9   Click Ok.


Assigning a Policy to a Group
                   Assigning a policy to a group allows an administrator to associate a policy with an Active Directory
                   group. All members of that group will then inherit the assigned policy. The effective policy applied to
                   users will be a combination of inherited policies and any directly applied policies. To access an area
                   where you can view all groups mapped to your system, perform the following steps:


          Step 1   Click the SonicWALL ADConnector Configuration Tool option in the navigation pane.
          Step 2   Click the plus (+) sign to the left of the Domains option.
                   ADConnector displays the sv directory.
          Step 3   Click the plus (+) sign to the left of the directory of your domain.
                   ADConnector displays three options: Users, Groups, and Computers.
          Step 4   Click the plus (+) sign to the left of the Groups option.
                   ADConnector displays all the computers in your network as shown in the following figure.








                      Figure 29    ADConnector Group List




            Step 5    Look for the group you are interested in, for example, Domain Users, and right click on it.
            Step 6    Click Add Policy.
                      ADConnector displays the Add Policy dialog box.
            Step 7    Click on an existing policy in the Select Policy list box to assign the policy to the group.
            Step 8    Click Ok.


Assigning a Policy to a Host
                      You can also assign policies to a range of addresses, known as a host, in the CSM environment. This is
                      useful for non-Microsoft devices.


            Step 1    Navigate to Users and Hosts > Hosts.








                  Figure 30    Hosts




         Step 2   Click Add.
                  CSM displays the Add IP Address Range dialog box.

                  Figure 31    Add IP Address Range




         Step 3   Specify an IP address range by supplying a beginning range address in the IP Address From field and an
                  ending range address in the IP Address To field.
         Step 4   Select a policy in the CFS Policy list box.
         Step 5   Click Ok.
         Step 6   CSM displays the new policy in the policy list in the Users and Hosts > Hosts dialog box.


Searching Policies
                  You can search for information on policies and what groups, users, and computers they are assigned to.
                  There are two methods for accessing the search function:


         Step 1   Click on Action > All Tasks > Search.








                     Figure 32   Search in Action Menu




                     Or, you can right click on the root node (SonicWALL ADConnector Configuration Tool) and click on
                     All Tasks > Search.

                     Figure 33   Search in Right Click Menu




                     The SonicWALL ADConnector Search window is displayed.

                     Figure 34   Search Window




           Step 2    Select a policy name by clicking on the downward arrow at the right of the search window or type the
                     name of the policy you want to search for. Click Search.
           Step 3    The Policy search results are displayed in the following format.
                     Total Records: 1     Policy Name: *Adult Content







                  Name                 Type
                  user1                Group/User/Computer



Viewing the Log
                  You can display the SonicWALL ADConnector log to view information on users, hosts, bad IP
                  addresses, and other event information.


         Step 1   To display the SonicWALL ADConnector log, click on View > Log.
         Step 2   Or you can right click on the root node (SonicWALL ADConnector Configuration Tool) and click on
                  View > Log.

                  Figure 35    View Log




         Step 3   The Log Viewer window is displayed. Select the category of log messages you want to view. The
                  following categories are available:
                   •   Users and Hosts - Displays the IP address, computer, user, policy name, and time of login for all
                       users and hosts.
                   •   Bad IPs - Displays IP addresses that caused errors, the error that occurred, and the time of error.
                   •   Messages - Displays all runtime event log messages.



SonicWALL CSM Policies
                  The SonicWALL CSM uses 54 different categories to classify web content. (A complete listing can be
                  found at the end of this document). Conceptually, SonicWALL CSM policies can be thought of as a
                  collection of categories under one administrative name. They are created in the management GUI by
                  selecting any combination of one or more categories to block and then saving that combination with a
                  descriptive name.
                  As a rule of thumb, when creating SonicWALL CSM policies, build functional topics containing several
                  related categories.
                  Although SonicWALL CSM policies can be applied directly to either a user or a group, understanding
                  the role each of these elements plays, as well as their characteristics and behavior, will help you design
                  your SonicWALL CSM configuration in a way that provides maximum flexibility and scalability.








SonicWALL CSM Policy Inheritance
                      In order to achieve the desired behavior when creating SonicWALL CSM Policies and applying them to
                      Active Directory users and groups, it is important to understand how the various elements in the
                      SonicWALL CSM configuration interact with each other. There are three key rules to remember:


            Step 1    If a website belongs to multiple categories and a user’s policy blocks one but allows the other, the user
                      will not be allowed access to the site.
            Step 2    When a user is a member of multiple AD groups and each group has a different SonicWALL CSM
                      filtering Policy assigned, the user inherits all of the available privileges from each group so that the net
                      result will be the least restrictive attributes of all the combined policies.



SonicWALL CSM Deployment Solutions
                      This section provides three SonicWALL CSM deployment solutions.
                       •   Solution #1: A network administrator requires a standard content filtering policy for an entire
                           company with the ability to bypass filtering for the administrator and a few other key individuals
                           (such as the CEO of the company).
                       •   Solution #2: A network administrator in an education environment needs to create four levels of
                           filtering: Elementary, Middle, High and Teachers.
                       •   Solution #3: A network administrator needs to create three levels of filtering: Operations, Shift
                           Leads, and Managers. However, instead of using SonicWALL CSM Categories and Policies, the
                           administrator has chosen to create static white lists, using SonicWALL CSM Trusted URLs, of the
                           sites members of each department can visit.
                      Functionally, the biggest difference between this and the previous examples is that the specific
                      websites a given category contains are dynamic, whereas here you specifically hard-code what sites
                      a user can visit. Any change to the ‘white list’ has to be made explicitly by the network
                      administrator.
                      This section contains the following subsections:
                       •   “Deployment Prerequisite: Set Up Active Directory” section on page 38
                       •   “Solution #1: Configuring a Single Content Filtering Policy for All Users with Bypass” section on
                           page 38
                       •   “Solution #2: Creating Distinct Filtering Policies for Different User Groups” section on page 39
                              – “Assigning Policies to an Active Directory Group” section on page 41
                              – “Testing” section on page 42
                       •   “Solution #3: Creating Static Lists of Allowed Websites for Different User Groups” section on
                           page 43
                              – “Testing” section on page 47
                       •   “SonicWALL CSM Filtering Architecture and Predefined Categories” section on page 47








Deployment Prerequisite: Set Up Active Directory
          Step 1   On your Domain Controller, navigate to the Start > Programs > Administrative Tools > Active
                   Directory Users and Computers page and create the following four users:
                    •   Bill
                    •   Ted
                    •   Alice
                    •   John
          Step 2   Create the following 7 groups:
                    •   CSM-Elementary
                    •   CSM-Middle
                    •   CSM-High
                    •   CSM-Teachers
                    •   CSM-Operators
                    •   CSM-Shift Leads
                    •   CSM-Managers
          Step 3   Add the following users to the following groups:
                    •   Bill > CSM-Elementary, CSM-Operators
                    •   Ted > CSM-Middle, CSM-Shift Leads
                    •   Alice > CSM-High, CSM-Managers
                    •   John > CSM-Teachers


Solution #1: Configuring a Single Content Filtering Policy for All Users with Bypass
                   The *Predefined Policy is enforced without having to specifically assign it to users or groups. It also
                   acts as a template for subsequent policies that you create. Configure the default policy as your most
                   restrictive policy. As users require more access you can create less restrictive policies to accommodate
                   them.
                   To configure a single content filtering policy for all users with bypass, perform the following steps:


          Step 1   Navigate to Policies > Policy List in the SonicWALL CSM management GUI and click the
                   edit icon for the *Default policy.








            Step 2    At the Edit Policy window, click the Category Sets tab then check the Sports/Games/Gambling
                      checkbox (Adult, Drugs & Racism should be checked already).


Solution #2: Creating Distinct Filtering Policies for Different User Groups
                      To create a distinct filtering policy for different user groups, perform the following steps:


            Step 1    Navigate to the Web Filters > Category Sets screen in the management GUI.
            Step 2    Click the Add button. In the pop-up window that appears enter *Elementary in the Name field, as
                      illustrated in Figure 36.

                      Figure 36    Web Filters > Category Sets > Add > Settings








        Step 3   Click the Predefined tab and select all the categories except Education & Kid Friendly, as illustrated
                 in Figure 37.

                 Figure 37     Web Filters > Category Sets > Add > Predefined




        Step 4   Following the same procedure, create three more policies named *Middle, *High and *Teachers. For
                 the *Middle policy, block all categories except the following:
                  •   Education
                  •   IT/Computers
                  •   Reference
                  •   Travel
                  •   Kid Friendly
        Step 5   For the *High policy, block all the categories except the following:
                  •   Business/Economy
                  •   Education
                  •   Government
                  •   Health
                  •   IT/Computers
                  •   Search Engines
                  •   News
                  •   Reference
                  •   Travel








            Step 6    For the *Teachers policy, unblock all the categories except Pornography.
                      When your configuration is complete, your Web Filters > Category Sets screen should look like
                      Figure 38.

                      Figure 38   Web Filters > Category Sets




Assigning Policies to an Active Directory Group
                      To assign a policy to an Active Directory group, perform the following steps:


            Step 1    Open the ADConnector Configuration Tool and expand the Groups container. Find the
                      CSM-Elementary group, right-click and select Add Policy.
            Step 2    In the Add Policy pop-up window, select the *Elementary policy from the drop-down list then click
                      OK.
            Step 3    Repeat the same procedure this time assigning the *Middle, *High and *Teachers policies to the
                      CSM-Middle, CSM-High and CSM-Teachers groups respectively.








Testing
                   On a test workstation, log in to the domain as user Bill. As you recall, Bill is a member of the
                   CSM-Elementary group that can only access sites categorized as Kid Friendly. Attempt to navigate to
                   http://www.yahoo.com. You should see this site blocked because it is not within one of the allowed
                   categories. Now open a browser to http://www.kids-space.org. Access should be allowed.
                   Log in as the other users, Ted, Alice, and John, bearing in mind that they are members of CSM-Middle,
                   CSM-High, and CSM-Teachers respectively. Notice how the levels of access change in accordance
                   with the logged-in user, his or her group membership, and the specific SonicWALL CSM policy
                   assigned. Some websites you can use to test with are listed in Table 1.

                                               Table 1      Example Website URLs for Testing

                   Website                               Category
                   http://www.economist.com              Business and Economy (15)
                   http://www.education-world.com        Education (17)
                   http://www.kidshealth.org             Health (25)
                   http://www.fbi.gov                    Government (22)
                   http://www.microsoft.com              Information Technology/Computers (26)
                   http://www.yahoo.com                  Search Engines & Portals (28)
                   http://www.usnews.com                 News & Media (32)
                   http://www.howstuffworks.com          Reference (35)
                   http://www.africa.com                 Travel (44)
                   http://www.kids-space.org             Kid Friendly (50)
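
The inheritance rules and the Solution #2 policies, modelled as an added example (not SonicWALL code): a category stays blocked only if every combined policy blocks it, a site is denied if any of its categories is blocked, and a computer policy overrides everything. The category set is limited to names used on this page, the user Pat and the FastWorkstation assignment are constructed, and combining a directly assigned user policy with group policies by the same least-restrictive rule is an assumption.

```python
from dataclasses import dataclass, field

# Subset of the 54 predefined categories: only the names used on this page.
CATEGORIES = frozenset({
    "Business/Economy", "Education", "Government", "Health", "IT/Computers",
    "Search Engines", "News", "Reference", "Travel", "Kid Friendly", "Pornography",
})


def block_all_except(*allowed):
    """Return a policy as the frozenset of categories it blocks."""
    unknown = set(allowed) - CATEGORIES
    if unknown:
        raise ValueError(f"unknown categories: {sorted(unknown)}")
    return CATEGORIES - set(allowed)


# The four Solution #2 policies, expressed as blocked-category sets.
POLICIES = {
    "*Elementary": block_all_except("Education", "Kid Friendly"),
    "*Middle": block_all_except("Education", "IT/Computers", "Reference",
                                "Travel", "Kid Friendly"),
    "*High": block_all_except("Business/Economy", "Education", "Government",
                              "Health", "IT/Computers", "Search Engines",
                              "News", "Reference", "Travel"),
    "*Teachers": frozenset({"Pornography"}),
}


@dataclass
class Assignments:
    user_groups: dict                                    # user -> AD groups
    group_policy: dict                                   # group -> policy name
    user_policy: dict = field(default_factory=dict)      # user -> policy name
    computer_policy: dict = field(default_factory=dict)  # computer -> policy name

    def applicable(self, user, computer=None):
        """Policy names that apply to this login."""
        # A policy on the computer takes precedence over everything else.
        if computer in self.computer_policy:
            return [self.computer_policy[computer]]
        names = []
        if user in self.user_policy:          # direct assignment (assumption:
            names.append(self.user_policy[user])  # combined like group policies)
        for group in self.user_groups.get(user, []):
            if group in self.group_policy:
                names.append(self.group_policy[group])
        return names


def effective_blocked(policy_names, policies=POLICIES):
    """Rule 2: least restrictive result, so a category stays blocked only if
    every applicable policy blocks it (intersection of the blocked sets)."""
    if not policy_names:
        raise LookupError("no policy assigned; default policy is not modelled")
    blocked = set(CATEGORIES)
    for name in policy_names:
        blocked &= policies[name]
    return frozenset(blocked)


def is_blocked(site_categories, blocked):
    """Rule 1: a site is denied if any one of its categories is blocked."""
    return bool(set(site_categories) & blocked)


def access(assignments, user, site_categories, computer=None):
    names = assignments.applicable(user, computer)
    denied = is_blocked(site_categories, effective_blocked(names))
    return "blocked" if denied else "allowed"


def widened_access(assignments, user):
    """Categories the user reaches only because several policies combine:
    blocked by the strictest assigned policy, allowed by the effective one."""
    names = assignments.applicable(user)
    if len(names) < 2:
        return frozenset()
    strictest = max((POLICIES[n] for n in names), key=len)
    return strictest - effective_blocked(names)


ASSIGNMENTS = Assignments(
    user_groups={
        "Bill": ["CSM-Elementary", "CSM-Operators"],
        "Ted": ["CSM-Middle", "CSM-Shift Leads"],
        "Alice": ["CSM-High", "CSM-Managers"],
        "John": ["CSM-Teachers"],
        "Pat": ["CSM-Elementary", "CSM-Teachers"],  # constructed user
    },
    group_policy={
        "CSM-Elementary": "*Elementary", "CSM-Middle": "*Middle",
        "CSM-High": "*High", "CSM-Teachers": "*Teachers",
    },
    computer_policy={"FastWorkstation": "*Elementary"},  # constructed assignment
)

if __name__ == "__main__":
    # Audit: report users whose group overlap silently widens their access.
    for user in ASSIGNMENTS.user_groups:
        gained = widened_access(ASSIGNMENTS, user)
        if gained:
            print(f"{user}: combined policies also allow {sorted(gained)}")
```

Running the audit before assigning policies to overlapping groups shows why the guide removes the Solution #2 associations before starting Solution #3.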








Solution #3: Creating Static Lists of Allowed Websites for Different User Groups
                      To create a static list of allowed websites for different groups, perform the following steps:


            Step 1    Navigate to the Web Filters > Custom Categories page in the management GUI. In the Allowed URLs
                      section click the Add button.
            Step 2    In the Add Trusted URL pop-up window that appears, enter the following information:
                      a.      Name: Allowed Sites – Operators
                      b.   Entry: techtarget.com, Webopedia.com (click Add after each entry to move it into the List
                           window), as illustrated in Figure 39.

                      Figure 39      Web Filters > Custom Categories > Add Allowed URL




            Step 3    Click OK to save your changes.
            Step 4    Using the same procedure, create two more Trusted URL lists and enter the following information:
                      a.   Name: Allowed Sites – Shift Leads
                      b.   Entry: techtarget.com, webopedia.com, call-center.net
                      c.   Name: Allowed Sites – Managers
                      d.   Entry: techtarget.com, webopedia.com, call-center.net, callcentermagazine.com,
                           callcenterops.com, ccdigest.com, callcentertimes.com








        Step 5   When done it should look like Figure 40.

                 Figure 40    Web Filters > Custom Categories




        Step 6   Navigate to the Web Filters > Category Sets page and click the Add… button.
        Step 7   In the Add window that appears, enter *Operators in the Name: field then click the Predefined tab.
        Step 8   Select all the categories in the list (you can click the first checkbox in the list to automatically select and
                 deselect all the categories in the list). It should look like Figure 41.

                 Figure 41    Web Filters > Category Sets > Add > Predefined








           Step 9    Click the Custom tab then check the box next to the Allowed Sites – Operators custom category you
                     just created, as illustrated in Figure 42.

                     Figure 42      Web Filters > Category Sets > Add > Custom




           Step 10 Click OK to save your changes.
           Step 11 Using the same procedure, create two more Policies and enter the following information:
                      •   Name: *Shift Leads
                      •   Predefined Categories: Select all (same as before)
                      •   Custom Categories: Allowed Sites – Shift Leads
                      •   Name: *Managers
                      •   Predefined Categories: Select all except for Search Engines and Portals
                      •   Custom Categories: Allowed Sites – Managers








          Step 12 When done it should look like Figure 43.


                   Figure 43    Web Filters > Category Sets




Cleanup Tasks from Previous Example

          Step 1   Open the ADConnector Configuration Tool and expand the Groups container. Find the
                   CSM-Elementary group, click to select it and in the right-hand pane you should see the *Elementary
                   policy we added in the previous example. Highlight it then press the Del key to disassociate it from the
                   CSM-Elementary group.
          Step 2   Follow the same procedure and disassociate the SonicWALL CSM policies from the CSM-Middle,
                   CSM-High & CSM-Teachers groups.


Associations for This Example

          Step 1   Find the CSM-Operators group, right-click and select Add Policy.
          Step 2   In the Add Policy pop-up window that appears (see figure above), select the *Operators policy from
                   the drop-down list, then click OK.
          Step 3   Repeat the same procedure, this time assigning the *Shift Leads and *Managers policies to the
                   CSM-Shift Leads and CSM-Managers groups respectively.








Testing
                      On a test workstation, log in to the domain as user Bill. As you recall, Bill is a member of the Active
                      Directory group CSM-Operators, which was assigned the SonicWALL CSM policy *Operators. This
                      policy only allows access to two sites: http://www.techtarget.com and http://www.webopedia.com.
                      Verify this to be true. Log in as users Ted and Alice and verify that their access corresponds to their
                      group membership and SonicWALL CSM policy assignment. As a reference while testing, you can use
                      Table 2, which summarizes the websites each employee type is allowed to access.

                                                   Table 2       Example Website URLs for Testing

                      Website                                Operators      Shift Leads    Managers
                      http://www.techtarget.com              o              o              o
                      http://www.webopedia.com               o              o              o
                      http://www.call-center.net             x              o              o
                      http://www.callcenterops.com           x              x              o
                      http://www.callcentermagazine.com      x              x              o
                      http://www.ccdigest.com                x              x              o
                      http://www.callcentertimes.com         x              x              o
                      Search Engines & Portals               x              x              o

                      x = Blocked, o = Allowed


SonicWALL CSM Filtering Architecture and Predefined Categories
                      The following section explains the structural hierarchy of the SonicWALL Content Security Manager
                      filtering architecture. The Category Set level includes the Predefined Categories (SonicWALL
                      Content Filtering Service categories), the Custom Categories (user defined), and Miscellaneous. You
                      manage these categories at the category set level. These default and user defined policies can be applied
                      to users or groups.


Working with Hardware Failover
                      On the Hardware Failover > Monitoring page, you can specify IP addresses that the SonicWALL
                      Content Security Manager performs an ICMP ping on to determine link viability. When using logical
                      monitors, the Content Security Manager pings the defined Probe IP Address target from the Primary as
                      well as the Backup SonicWALL.
                      If both can successfully ping the target, no failover occurs. If both cannot successfully ping the target,
                      no failover occurs, as the Content Security Managers assume that the problem is with the target, and not
                      the Content Security Managers. But, if one SonicWALL can ping the target but the other SonicWALL
                      cannot, it will failover to the SonicWALL that can ping the target.








SonicWALL CSM Advanced Deployment Solutions
                  This section illustrates four possible methods of deploying the SonicWALL CSM with a caching proxy
                  server and describes the advantages and disadvantages of each. Also illustrated will be the integration
                  of the SonicWALL CSM into a SonicPoint environment. This section contains the following
                  subsections:
                   •   “Using the SonicWALL CSM with a Caching Proxy Server” section on page 48
                   •   “Scenario 1 – Single Path Upstream Proxy Server” section on page 49
                   •   “Scenario 2 – Dual Path Upstream Proxy Server” section on page 50
                   •   “Scenario 3 – Single Path Downstream Proxy Server” section on page 52
                   •   “Scenario 4 – Reiterative Path Upstream Proxy Server” section on page 54
                   •   “Scenario 5 – SonicWALL CSM and SonicPoint Integration” section on page 56


Using the SonicWALL CSM with a Caching Proxy Server
                  As indicated earlier, per-user or per-group policy application requires that the SonicWALL CSM see
                  clients’ actual IP addresses. The following are three design considerations to keep in mind when using
                  the SonicWALL CSM with a caching proxy server:
                  1.   To make use of the SonicWALL CSM’s per-user or per-group Web Filter policies, place the caching
                       proxy server upstream (on the WAN segment) from the SonicWALL CSM, and configure the
                       SonicWALL CSM’s web proxy feature from the Network > Web Proxy page.
                  2.   To make use of the SonicWALL CSM’s Application Filter, be sure that all network traffic traverses
                       the SonicWALL CSM.
                  3.   For reasons of efficiency, try to avoid configurations wherein traffic traverses the SonicWALL CSM
                       more than once. Such a configuration is perfectly functional, and its design may prove to be
                       convenient in some circumstances. This configuration is illustrated in “Scenario 4 – Reiterative Path
                       Upstream Proxy Server” section on page 54.








Scenario 1 – Single Path Upstream Proxy Server
                      This first scenario is the preferred method of deploying a caching proxy server in conjunction with the
                      SonicWALL CSM because it adheres to all three design considerations above.

                      Figure 44       Single Path Upstream Caching Proxy Server




Advantages
                       •   Presents the actual client IP addresses to the SonicWALL CSM, enabling per-user policy
                           application.
                       •      All client traffic flows through the SonicWALL CSM, allowing application filters to be employed.
                       •   The caching proxy server has a direct path to the Internet, so HTTP traffic does not repetitively pass
                           through the SonicWALL CSM.
                       •   This configuration supports either transparent redirection to the proxy server from the SonicWALL
                           CSM (from the Network > Web Proxy page) or an explicit proxy configuration on the client
                           machines (either manually or by a script).


Disadvantages
                       •   The SonicWALL CSM is in the path of all network traffic bound for the gateway.






Requirements
                    •   Configure the Network > Web Proxy feature on the SonicWALL CSM or configure each client to
                        explicitly use the proxy server (either manually or with a script).
                         – If using the explicit client proxy configuration, exclude the SonicWALL CSM itself, either by
                            setting the workstations to bypass the proxy server for local addresses, or by specifying the IP
                            address of the SonicWALL CSM as an exclusion.
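
One way to script the explicit client proxy configuration with both exclusions in place is a proxy auto-config (PAC) file. This is an added example, not taken from the SonicWALL guide; the CSM address, LAN subnet and proxy address are constructed placeholders.

```javascript
// Proxy auto-config (PAC) file. All addresses below are constructed placeholders.
var CSM_ADDRESS = "192.168.1.2";                     // SonicWALL CSM address (assumed)
var LOCAL_NETS = [["192.168.1.0", "255.255.255.0"]]; // client LAN (assumed)
var PROXY = "PROXY 192.168.1.10:3128";               // caching proxy server (assumed)

// Dotted-quad text to an unsigned 32-bit number; null when the text is not IPv4.
function ipv4ToNumber(text) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(text);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    if (Number(m[i]) > 255) return null;
    n = n * 256 + Number(m[i]);
  }
  return n;
}

// True when an IPv4 literal falls inside net/mask. Written out here so the file
// does not depend on the DNS-resolving isInNet() helper of the PAC environment.
function literalInNet(host, net, mask) {
  var ip = ipv4ToNumber(host), base = ipv4ToNumber(net), bits = ipv4ToNumber(mask);
  if (ip === null || base === null || bits === null) return false;
  return ((ip & bits) >>> 0) === ((base & bits) >>> 0);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Exclusion 1: the CSM itself, so its own pages are reached directly.
  if (host === CSM_ADDRESS) return "DIRECT";
  // Exclusion 2: local addresses, meaning dotless names (not IPv6 literals)
  // and IPv4 literals on the client LAN.
  if (host.indexOf(".") === -1 && host.indexOf(":") === -1) return "DIRECT";
  for (var i = 0; i < LOCAL_NETS.length; i++) {
    if (literalInNet(host, LOCAL_NETS[i][0], LOCAL_NETS[i][1])) return "DIRECT";
  }
  // Everything else goes to the proxy. No "; DIRECT" fallback is listed, so a
  // proxy outage fails closed instead of sending browsers straight to the gateway.
  return PROXY;
}
```

The same file serves the scenarios below that require explicitly configured clients; only the three placeholder values change.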


Scenario 2 – Dual Path Upstream Proxy Server
                   This scenario removes the SonicWALL CSM from the path of all traffic, but requires additional
                   configuration, and also prevents the use of the Application Filters on the SonicWALL CSM.

                   Figure 45    Dual Path Upstream Proxy Server








Advantages
                       •   Removes the SonicWALL CSM from the path of all network traffic.
                       •   Presents the actual client IP addresses to the SonicWALL CSM, enabling per-user policy
                           application.
                       •   The caching proxy server has a direct, dedicated path to the Internet, so HTTP traffic does not
                           repetitively pass through the SonicWALL CSM.


Disadvantages
                       •   The transparent web-proxy redirection feature of the SonicWALL CSM cannot be used in this
                           configuration because HTTP traffic must be explicitly sent through the SonicWALL CSM by the
                           clients.
                       •   Application Filters cannot be employed on the SonicWALL CSM because not all client traffic passes
                           through it, only HTTP traffic.


Requirements
                       •   Client machines must be explicitly configured to use the proxy server, since the SonicWALL CSM
                           is not in the path of their default gateway.
                       •   The proxy server must be dual-homed.
                       •   The client LAN connects to the SonicWALL CSM’s LAN (X0) interface, and the proxy server
                           connects to the WAN (X1) interface. The SonicWALL CSM’s default gateway resides on its LAN.
                       •   The upstream firewall/gateway should be configured to only allow HTTP traffic from the proxy
                           server and the SonicWALL CSM (to prevent clients going directly through the gateway).








Scenario 3 – Single Path Downstream Proxy Server
                  This scenario removes the SonicWALL CSM from the path of all traffic, but requires additional
                  configuration, and also prevents the use of the Application Filters on the SonicWALL CSM.

                  Figure 46    Single Path Downstream Proxy Server








Advantages
                       •   All client traffic flows through the SonicWALL CSM, allowing application filters to be employed.
                       •   The proxy server itself is content and application filtered by the SonicWALL CSM.


Disadvantages
                       •   All HTTP traffic is sourced from the proxy server. The SonicWALL CSM is unable to apply per-user
                           policies.
                       •   The SonicWALL CSM is in the path of all network traffic bound for the gateway.
                       •   The transparent web-proxy redirection feature of the SonicWALL CSM cannot be used in this
                           configuration because HTTP traffic must be explicitly sent to the proxy server by the clients.


Requirements
                       •   Client machines must be explicitly configured to use the proxy server.
                       •   The upstream firewall/gateway should be configured to only allow HTTP traffic from the proxy
                           server and the SonicWALL CSM (to prevent clients going directly through the gateway).








Scenario 4 – Reiterative Path Upstream Proxy Server
                  This scenario is effectively a simpler, single-homed proxy server variation of scenario 2.

                  Figure 47    Reiterative Path Upstream Proxy Server








Advantages
                       •   Removes the SonicWALL CSM from the path of all network traffic.
                       •   Presents the actual client IP addresses to the SonicWALL CSM, enabling per-user policy
                           application.


Disadvantages
                       •   All HTTP traffic must traverse the SonicWALL CSM redundantly, once as it is requested, and again
                           as it is retrieved by the proxy server.
                       •   The transparent web-proxy redirection feature of the SonicWALL CSM cannot be used in this
                           configuration because HTTP traffic must be explicitly sent through the SonicWALL CSM by the
                           clients.
                       •   Application Filters cannot be employed on the SonicWALL CSM because not all client traffic passes
                           through it, only HTTP traffic.


Requirements
                       •   Client machines must be explicitly configured to use the proxy server.
                       •   The upstream firewall/gateway should be configured to only allow HTTP traffic from the proxy
                           server and the SonicWALL CSM (to prevent clients going directly through the gateway).
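
Scenarios 2, 3 and 4 all depend on the upstream gateway accepting HTTP only from the proxy server and the SonicWALL CSM. The following added example (not part of the SonicWALL guide) checks gateway logs for allowed HTTP flows from any other source; the key=value log format and all addresses are constructed for illustration and are not a SonicWALL log format.

```javascript
// Constructed gateway log lines in a generic key=value format.
const SAMPLE_GATEWAY_LOG = [
  "2024-05-01T10:00:01Z action=allow src=192.168.1.10 dst=203.0.113.20 dport=80",
  "2024-05-01T10:00:02Z action=allow src=192.168.1.2 dst=203.0.113.21 dport=80",
  "2024-05-01T10:00:05Z action=allow src=192.168.1.57 dst=203.0.113.20 dport=80",
  "2024-05-01T10:00:06Z action=deny src=192.168.1.58 dst=203.0.113.20 dport=80",
  "2024-05-01T10:00:09Z action=allow src=192.168.1.57 dst=203.0.113.22 dport=80",
  "2024-05-01T10:00:11Z action=allow src=192.168.1.60 dst=203.0.113.30 dport=25",
  "truncated line without fields",
];

// Parse one line into a record, or return null when required fields are missing.
function parseLine(line) {
  const parts = line.trim().split(/\s+/);
  const record = Object.create(null); // no inherited keys to collide with log fields
  record.time = parts[0];
  for (const part of parts.slice(1)) {
    const eq = part.indexOf("=");
    if (eq > 0) record[part.slice(0, eq)] = part.slice(eq + 1);
  }
  return record.action && record.src && record.dport ? record : null;
}

// Report sources other than the proxy and the CSM whose HTTP traffic the
// gateway allowed. Each such source is a client going directly through the gateway.
function findDirectHttp(lines, allowedSources, httpPorts = ["80"]) {
  const allowed = new Set(allowedSources);
  const ports = new Set(httpPorts.map(String));
  const bySource = new Map();
  let skipped = 0;
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) { skipped++; continue; }   // count unparseable lines, do not hide them
    if (rec.action !== "allow") continue; // denied flows show the rule working
    if (!ports.has(rec.dport) || allowed.has(rec.src)) continue;
    const entry = bySource.get(rec.src) || { src: rec.src, count: 0, firstSeen: rec.time };
    entry.count++;
    bySource.set(rec.src, entry);
  }
  return { violations: [...bySource.values()], skipped };
}

// Assumed addresses: proxy server 192.168.1.10, SonicWALL CSM 192.168.1.2.
const report = findDirectHttp(SAMPLE_GATEWAY_LOG, ["192.168.1.10", "192.168.1.2"]);
console.log(JSON.stringify(report, null, 2));
```

An empty `violations` list over a representative period indicates the gateway rule is in effect; a non-zero `skipped` count means some lines were not evaluated.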








Scenario 5 – SonicWALL CSM and SonicPoint Integration
                  The Web and application filtering provided by the SonicWALL CSM can be used on SonicPoint powered
                  WLAN Zones on SonicOS Enhanced 3.0 and higher.

                  Figure 48    SonicWALL CSM and SonicPoint Integration








Advantages
                       •   Provides a single-sign-on capable alternative to using CFS on the upstream firewall.
                       •   Presents the actual client IP addresses to the SonicWALL CSM, enabling per-user policy
                           application.
                       •   All client traffic flows through the SonicWALL CSM, allowing application filters to be employed.
                       •   Optionally, this configuration supports either transparent redirection to the proxy server from the
                           SonicWALL CSM (from the Network > Web Proxy page) or an explicit proxy configuration on the
                           client machines (either manually or by a script).


Disadvantages
                       •   WiFiSec cannot be used since the resulting traffic traversing the SonicWALL CSM will be
                           encrypted. WPA can be used in its place, since WPA decryption occurs at the SonicPoint – passing
                           clear traffic through SonicWALL CSM.
                       •   The SonicWALL CSM is in the path of all network traffic bound for the gateway.


Requirements
                       •   SonicPoint enforcement must be disabled on the WLAN Zone (requires SonicOS Enhanced 3.0 or
                           higher).
                       •   WPA must be used in place of WiFiSec.








Deploying SonicWALL GMS for the SonicWALL CSM
                  This section provides configuration tasks for deploying SonicWALL GMS to provide appliance-based
                  Internet filtering that enhances security and employee productivity, optimizes network utilization, and
                  mitigates legal liabilities by managing access to objectionable and unproductive Web content.
                  This chapter contains the following sections:
                   •   “Configuring Web Filters” section on page 58
                   •   “Configuring Settings” section on page 60
                   •   “Configuring Policies” section on page 62
                   •   “Configuring Custom Categories” section on page 63
                   •   “Configuring Privacy Prevention” section on page 64
                   •   “Configuring Custom Block Page” section on page 66
                   •   “Configuring Web Usage by User ViewPoint Reporting” section on page 66
                   •   “Configuring Web Usage by Site ViewPoint Reporting” section on page 69
                   •   “Configuring Browse Time Top Users ViewPoint Reporting” section on page 70


Configuring Web Filters
                  Web Filters includes settings for configuring Internet filtering on the SonicWALL CSM.

                  To configure Web Filters, follow these steps:


         Step 1   Access the SonicWALL CSM 2100 CF.
         Step 2   Select a SonicWALL Content Security Manager series appliance.








           Step 3    Expand the Web Filters tree.

                     Figure 49   Web Filters








Configuring Settings
                   The Settings page provides information on the status of filtering subscription service updates, settings
                   for enabling filtering, managing the behavior of the Dynamic Rating engine, adding IP addresses to
                   exclude from filtering, and access to URL ratings with the SonicWALL Content Filtering Service
                   database.

                   Figure 50    Settings




Settings
                    •   Enable Web Filtering - enables Web Filtering on the SonicWALL Content Security Manager.
                    •   URL Cache Size (KBs) - specifies the URL Cache size on the SonicWALL Content Security
                        Manager. The default value is 5120 KBs. A larger URL Cache size can provide noticeable
                        improvements in Internet browsing response times.
                    •   Use Dynamic Rating - enables the use of the Content Security Manager’s integrated dynamic rating
                        engine that allows an unrated URL to be dynamically rated in real-time.
                    •   Dynamic Rating Settings - the Optimize for speed setting instructs the dynamic rating engine to
                        process less information for faster ratings with the trade-off of less accuracy. The Optimize for
                        accuracy setting instructs the dynamic rating engine to process more information, resulting in
                        slower ratings with the trade-off of more accuracy.
                    •   Suppress Compressed Server Responses - selecting this setting blocks URLs from Web sites that
                        send compressed content.








IP Address Exclusion List
                      The IP Address Exclusion List allows you to specify an IP address or IP address range on your network
                      that is excluded from any SonicWALL Content Security Manager filtering.

                      To add an IP address or IP address range:


            Step 1    To specify a single IP address, enter the IP address in the IP Address Begin and in the IP Address End
                      fields.
            Step 2    To specify an IP address range, enter the starting IP address in the IP Address Begin field and the ending
                      IP address in the IP Address End field.
            Step 3    Click Add.
            Step 4    If you selected other settings for the IP Address Exclusion List, click Update.
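
Because every address on this list is excluded from all filtering, the list is worth reviewing before it is entered. The following added example (not part of the SonicWALL guide) audits Begin/End pairs for invalid values, reversed ranges, large ranges and overlap with the workstation address pool; the sample entries, the pool and the size threshold are constructed assumptions.

```javascript
// Constructed sample: entries as typed into IP Address Begin / IP Address End.
const SAMPLE_EXCLUSIONS = [
  { begin: "192.168.1.10", end: "192.168.1.10" },   // single host: same value in both fields
  { begin: "192.168.1.100", end: "192.168.1.199" }, // range
  { begin: "192.168.1.250", end: "192.168.1.240" }, // begin after end
  { begin: "192.168.1.300", end: "192.168.1.301" }, // not valid IPv4
];
// Assumed address pool handed to ordinary workstations (hypothetical).
const CLIENT_POOL = { begin: "192.168.1.50", end: "192.168.1.150" };

// Dotted-quad text to a number, or null when it is not a valid IPv4 address.
function ipv4ToInt(text) {
  const octets = String(text).split(".");
  const valid = octets.length === 4 && octets.every((o) => /^\d{1,3}$/.test(o) && Number(o) <= 255);
  return valid ? octets.reduce((n, o) => n * 256 + Number(o), 0) : null;
}

// Return one result per entry with the number of excluded addresses and findings.
function auditExclusions(entries, clientPool, maxSize = 16) {
  const poolLo = ipv4ToInt(clientPool.begin);
  const poolHi = ipv4ToInt(clientPool.end);
  if (poolLo === null || poolHi === null || poolLo > poolHi) {
    throw new Error("client pool is not a valid IPv4 range");
  }
  return entries.map(({ begin, end }) => {
    const lo = ipv4ToInt(begin);
    const hi = ipv4ToInt(end);
    if (lo === null || hi === null) return { begin, end, size: 0, findings: ["invalid-address"] };
    if (lo > hi) return { begin, end, size: 0, findings: ["begin-after-end"] };
    const findings = [];
    const size = hi - lo + 1;
    // A wide range silently removes many hosts from filtering.
    if (size > maxSize) findings.push("large-range");
    // Overlap with the workstation pool means ordinary users can land on an
    // unfiltered address.
    const overlap = Math.min(hi, poolHi) - Math.max(lo, poolLo) + 1;
    if (overlap > 0) findings.push("overlaps-client-pool:" + overlap);
    return { begin, end, size, findings };
  });
}

for (const row of auditExclusions(SAMPLE_EXCLUSIONS, CLIENT_POOL)) {
  console.log(`${row.begin} - ${row.end}: ${row.size} excluded, ${row.findings.join(", ") || "ok"}`);
}
```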


URL Rating Review
                      Clicking the here link displays the same CFS URL Rating Review Request page that displays when
                      you click the URL Rating Review button.








Configuring Policies
                   The Policies page allows you to create and edit policies that are used to filter categories, which in turn
                   are applied to user groups.

                   Figure 51    Policies




Policies Table
                   The Policies table lists the default policies. Clicking the + button expands the list to display every policy.
                   As you create custom policies, they are displayed in the table. The Policies table displays the following
                   information about each policy:
                    •   Name - The name of the policy.
                    •   Type - Displays Policy or Predefined Category. Clicking the + button expands the policies.
                    •   Comment - Displays a caption icon. When you move the pointer over the icon, the comment text is
                        displayed. The comment text is entered in the Add Policy or Edit Policy window.
                    •   Schedule - Displays the Schedule icon for policies indicating the policy has a schedule activation
                        time.
                    •   Configure - Includes the edit icon that displays the Edit Policy window, and the delete icon. The
                        Delete icon is dimmed for the *Default policy.
                   Clicking the + button expands the group and displays the policies it includes.
                   Clicking the Restore Defaults button removes all custom policies and any policies you added to the
                   *Default policy.
                   Clicking the Add Policy button displays the Add Web Filter Policy window for adding new policies.






Configuring Custom Categories
                      The Custom Categories page allows you to create custom policies that can incorporate untrusted URLs
                      and domains, untrusted keywords, and trusted URLs and domains.

                      Figure 52   Custom Categories




Untrusted URLs
                      Untrusted URLs allows you to specify URLs that you want to selectively block or allow with logging
                      of the action by the Content Security Manager. You add Untrusted URLs to policies in the Web Filters
                      > Policies page.
                      The Untrusted URLs table displays the name of each Untrusted URLs category you create, the
                      optional comment entered when the category was created (in the Comment column), and the
                      Configure column, which holds the Edit icon for opening the Edit Untrusted URLs window and the
                      Delete icon.
                      You have two available actions for Untrusted URLs categories in policies: Block and Log Only, which
                      you specify in the Web Filters > Policies page. Log Only allows users to access the URLs in the
                      Untrusted URLs category but logs each access event in the Content Security Manager log.








Untrusted Keywords
                   Untrusted Keywords allows you to specify keywords that are substrings of URLs, which allows you to
                   employ stricter filtering, blocking sites whose URLs contain specific words.
                   The Untrusted Keywords table displays the name of each Untrusted Keywords category you create,
                   the optional comment entered when the category was created (in the Comments column), and the
                   Configure column, which holds the Edit icon for opening the Edit Untrusted Keywords window and
                   the Delete icon.
                   You have two available actions for Untrusted Keywords categories in policies: Block and Log Only,
                   which you specify in the Web Filters > Policies page. Log Only allows users to access the URLs in the
                   URLs category but logs each access event in the Content Security Manager log.
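
Because keywords match as substrings, a short keyword also matches unrelated URLs. The following added example (not part of the SonicWALL guide) reviews a candidate keyword against URLs collected under Log Only and separates standalone matches from matches embedded in longer words; the URLs are constructed and case-insensitive matching is an assumption, since the guide does not describe the appliance's matching rules.

```javascript
// Constructed URLs standing in for entries logged while the keyword is set to Log Only.
const SAMPLE_URLS = [
  "http://www.bet-casino.example/promo",
  "http://www.alphabet.example/about",
  "http://health.example/diabetes/diet",
  "http://news.example/sports/bet/odds",
  "http://www.example.org/index.html",
];

// For each URL containing the keyword, report whether any occurrence stands
// alone (delimited by non-alphanumeric characters) or whether every occurrence
// is embedded inside a longer word, which usually signals an unintended match.
function classifyKeywordHits(keyword, urls) {
  const needle = String(keyword).toLowerCase();
  if (needle === "") return []; // an empty keyword would match everything
  const isWordChar = (ch) => /[a-z0-9]/.test(ch);
  const hits = [];
  for (const url of urls) {
    const hay = url.toLowerCase();
    let found = false;
    let standalone = false;
    for (let at = hay.indexOf(needle); at !== -1; at = hay.indexOf(needle, at + 1)) {
      found = true;
      const before = at === 0 ? "" : hay[at - 1];
      const after = hay[at + needle.length] || "";
      if (!isWordChar(before) && !isWordChar(after)) standalone = true;
    }
    if (found) hits.push({ url, kind: standalone ? "standalone" : "embedded" });
  }
  return hits;
}

// Summarize how much of what the keyword would block is likely collateral.
function summarizeKeyword(keyword, urls) {
  const hits = classifyKeywordHits(keyword, urls);
  const embedded = hits.filter((h) => h.kind === "embedded").length;
  return { keyword, matched: hits.length, embedded, standalone: hits.length - embedded };
}

console.log(summarizeKeyword("bet", SAMPLE_URLS));
```

A keyword whose matches are mostly embedded is a candidate for a longer keyword or for an Untrusted URLs entry instead.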


Allowed URLs
                   Allowed URLs allows you to specify URLs that are always allowed.
                   The Allowed URLs table displays the name of each Allowed URLs category you create, the optional
                   comment entered when the category was created (in the Comment column), and the Configure
                   column, which holds the Edit icon for opening the Edit Allowed URLs window and the Delete icon.
                   You have one available action for Trusted URLs categories in policies: Allow, which is specified in the
                   Web Filters > Category Sets page.


Configuring Privacy Prevention
                   The Privacy Prevention page allows you to enhance your network security by blocking potentially
                   harmful applications from entering your network.

                   Figure 53    Privacy Protection








Miscellaneous
                      Miscellaneous comprises Block Cookies, Block ActiveX, Block HTTP Proxy Server, and Block
                      Fraudulent Certificates. These settings are always activated as Block and cannot be deleted or
                      modified.
                       •   Block Cookies - Cookies are used by Web servers to track Web usage and remember user identity.
                           Cookies can also compromise users' privacy by tracking Web activities.
                       •   Block ActiveX - ActiveX is a programming language that embeds scripts in Web pages. Malicious
                           programmers can use ActiveX to delete files or compromise security.
                       •   Block HTTP Proxy Servers - When a proxy server is located on the external interface, users can
                           circumvent content filtering by pointing their computer to the proxy server.
                       •   Block Fraudulent Certificates - Digital certificates help verify that Web content and files
                           originated from an authorized party. Enabling this feature protects users on the LAN from
                           downloading malicious programs warranted by these fraudulent certificates. If digital certificates
                           are proven fraudulent, then the SonicWALL Content Security Manager blocks the Web content and
                           the files that use these fraudulent certificates. Known fraudulent certificates blocked by
                           SonicWALL Content Security Manager include two certificates issued on January 29 and 30, 2001
                           by VeriSign to an impostor masquerading as a Microsoft employee.


Untrusted File Types
                      These are groupings of file extensions used for similar purposes. SonicWALL Content Security Manager
                      allows you to filter Internet content based on a file extension. For example, you can restrict access to
                      particular types of files from sites within an otherwise permitted. File type filtering is activated via
                      policies. SonicWALL provides several predefined file types for use in filtering. You can modify these,
                      or create new file types to suit your needs.
                      Untrusted File Types comprises Java Applets, Executable Files, Video Files, Audio Files, and
                      user specified file types by extension. You have two available actions for Untrusted File Type
                      categories in policies: Block and Log Only, which you specify in the Web Filters > Category Sets page.
                      Log Only allows users to access the file types in the Untrusted File Types category but logs each access
                      event in the Content Security Manager log.
                      The Untrusted File Types table displays the names of the default Untrusted File Types categories and
                      the ones you create, the optional comment entered when each category was created (in the
                      Comment column), and the Configure column, which holds the Edit icon for opening the Edit
                      Untrusted File Types window and the Delete icon.


Miscellaneous Trusted Sites
                      The Trusted Site List is a list of domains that act as an exclusion list for Miscellaneous. Domains
                      specified in the Trusted Sites cannot act upon any other class.
                      Only a single Trusted Site List can be specified, but it can be shared among multiple policies.
                      The Trusted Domains includes Web sites you trust, which are sites that you believe users can access
                      without damaging your network or data. Cookies, ActiveX, Java and all other file types specified in the
                      Untrusted File Types categories are not blocked for these sites.
                      The Trusted Site List table displays only the Trusted Site List category, any optional comment
                      entered in the Edit Trusted Site List window (in the Comment column), and the Configure column,
                      which holds the Edit icon for opening the Edit Trusted Site List window and the Delete icon.







                   You have one available action for the Trusted Site List in policies: Trusted, which is specified in the
                   Web Filters > Category Sets page.


Configuring Custom Block Page
                   The Custom Block Page allows you to enter your customized text to display to the user when access to
                   a blocked site is attempted. Any message, including embedded HTML, can be entered in this field.

                   Figure 54    Custom Block Page




Message to Display when Blocking
                   Enter your customized text to display to the user when access to a blocked site is attempted. The default
                   message is This site is blocked by the SonicWALL Content Filter Service. Any message, including
                   embedded HTML, up to 255 characters long, can be entered in this field.
                   You can select a background color for the pop-up window from the Background Color menu.
                   Click Preview to display your pop-up window. A Web page is displayed in your browser with your
                   blocked site text. Clicking the Click here to bookmark URL link saves the URL of your page. Click
                   the Go Back button to return to the management interface.


Configuring Web Usage by User ViewPoint Reporting
                   The By User report displays a list of all users, their top sites, the number of hits to each site, and the
                   amount of data transferred.

                   To view the By User report, follow these steps:


          Step 1   Access the SonicWALL CSM 2100 CF.
          Step 2   Click the Reports tab.
          Step 3   Select a SonicWALL appliance.







           Step 4    Expand the Web Usage tree and click By User. The By User page appears (Figure 55).

                     Figure 55    By User Page




           Step 5    The table contains the following information:
                      •   User—the IP address of the user.
                      •   Hits—number of hits to each web site visited by the user.
                      •   MBytes—number of megabytes transferred.








        Step 6   To change the display settings, click Settings. The Report Settings dialog box appears.

                 Figure 56    Report Settings Dialog Box




        Step 7   Select the number of users that will be displayed from the Number of Users list box.
        Step 8   Select the type of chart from the Chart Type list box.
        Step 9   Select the year, month, and day that you would like to view.
        Step 10 To display a limited group of users, enter the user IDs in the Select Users field and separate each entry
                 with a comma.
        Step 11 This field does not use pattern matching. For example, “john” will not match john_smith, john42, or
                 big_john.
        Step 12 When you are finished, click Close. SonicWALL CSM 2100 CF refreshes the report based on the
                 selected settings.


         Note    These settings will stay in effect for all similar reports during your active login session.








Configuring Web Usage by Site ViewPoint Reporting
                      The By Site report displays a list of all sites, the users that accessed the sites, the number of hits to each
                      site, and the amount of data transferred.

                      To view the By Site report, follow these steps:


            Step 1    Access the SonicWALL CSM 2100 CF.
            Step 2    Click the Reports tab.
            Step 3    Select a SonicWALL appliance.
            Step 4    Expand the Web Usage tree and click By Site. The By Site page appears (Figure 57).

                      Figure 57    By Site Page




            Step 5    The table contains the following information:
                       •   Site—the URL of the site.
                       •   User—the top users that visited the site (default: 10).
                       •   Hits—number of hits to the web site, by user.
                       •   MBytes—number of megabytes transferred, by user.








         Step 6   SonicWALL CSM 2100 CF shows today’s report and all web sites. To change the date of the report or
                  web sites displayed, click Settings. The Report Settings dialog box appears.

                  Figure 58       Report Settings Dialog Box




         Step 7   Select the number of sites that will be displayed from the Number of Sites list box.
         Step 8   Select the number of users that will be displayed per site from the Number of Users per Site list box.
         Step 9   To only display a limited set of web sites, enter the URLs in the Select Site field and separate each entry
                  with a comma.
         Step 10 This field does not use pattern matching. For example, “www.yahoo.com” will not match yahoo.com,
                  mail.yahoo.com, or shopping.yahoo.com.
         Step 11 When you are finished, click Close. SonicWALL CSM 2100 CF adjusts the report for the selected day
                  and settings.


          Note    These settings will stay in effect for all similar reports during your active login session.



Configuring Browse Time Top Users ViewPoint Reporting
                  The Top Users report displays the users who spent the most time browsing non-job function-related sites
                  on the Internet for the specified date.

                  To view the Top Users report, follow these steps:


         Step 1   Start and log into SonicWALL CSM 2100 CF.
         Step 2   Click the Reports tab.
         Step 3   Select a SonicWALL appliance.








           Step 4    Expand the Browse Time tree and click Top Users. The Top Users page appears.

                     Figure 59    Top Users Page




           Step 5    The pie chart displays a Browse Time report on the total time spent browsing non-job function-related
                     sites on the Internet by each user.
           Step 6    The table contains the following information:
                      •   Hour—when the sample was taken.
                      •   Browse Time—number of minutes spent browsing non-job function-related sites on the Internet.
                      •   % of Browse Time—percentage of the total amount of time browsing non-job function-related sites
                          on the Internet during this hour, compared to the day.








        Step 7   By default, SonicWALL CSM 2100 CF shows today’s report, a pie chart, and the ten top users. To
                 change these settings, click Settings. The Report Settings dialog box appears.

                 Figure 60    Report Settings Dialog Box




        Step 8   Select the number of users that will be displayed from the Number of Users list box.
        Step 9   Select the type of chart from the Chart Type list box.
        Step 10 Select the year, month, and day that you would like to view.
        Step 11 To display a limited group of users, enter the user IDs in the Select Users field and separate each entry
                 with a comma.
        Step 12 This field does not use pattern matching. For example, “john” will not match john_smith, john42, or
                 big_john.
        Step 13 When you are finished, click Close. SonicWALL CSM 2100 CF displays the report for the selected day.


         Note    These settings will stay in effect for all similar reports during your active login session.








Troubleshooting the SonicWALL CSM and
SonicWALL ADConnector
                      The SonicWALL CSM series appliance is an inline appliance primarily designed to enforce Internet
                      usage policies by preventing access to inappropriate and unproductive Internet applications. It also
                      provides additional capabilities, including the ability to limit or completely disallow the use of IM, P2P,
                      and multimedia applications, the ability to block Java, ActiveX, and cookies, and the ability to block
                      users from downloading any type of file the administrator disallows.
                      The CSM series appliance can be configured to provide a single blanket policy that applies to the entire
                      user base or it can be configured with multiple policies that apply to different users and groups of users.
                      When configured with multiple policies, the CSM series appliance can transparently communicate with
                      Microsoft Active Directory to determine what policy applies to a network user or group. This Single
                      Sign-On (SSO) capability is provided via a software component called the ADConnector.
                      If you need only Web Filtering and not the Application Filter, and you have deployed an HTTP proxy
                      server, you can deploy the SonicWALL CSM device out of the path of all network traffic (see
                      the “SonicWALL CSM Advanced Deployment Solutions” section on page 48). The Application Filter,
                      however, works only when the SonicWALL CSM device is placed inline.


Different Roles of the CSM Series Appliance
                      The SonicWALL CSM is a combination of a transparent bridge and a regular network host.
                       •   As a transparent bridge it forwards packets without modifications until these packets are matched
                           by Web or Application filters and are blocked. The SonicWALL CSM device differs from regular
                           transparent bridges because direction of the network traffic matters for both Web and Application
                           Filters.
                       •   As a regular network host it has to communicate with other hosts on the network. For example,
                           the SonicWALL CSM does not have a local URL Ratings database (it has only a URL Rating cache),
                           so it receives URL ratings from the CFS Servers in the colocation site. This means that the
                           SonicWALL CSM has to send requests to a CFS Server and get a response back. The SonicWALL
                           CSM device also uses DNS to obtain URL Ratings, so it communicates with DNS servers. Another
                           example is the SonicWALL ADConnector. The SonicWALL CSM device sends requests to the
                           SonicWALL ADConnector and receives responses back from it.
                      This section contains the following subsections:
                       •   “Transparent Bridge Deployment Troubleshooting” section on page 74
                       •   “Network Host Deployment Troubleshooting” section on page 75
                       •   “System Settings and Performance Troubleshooting” section on page 76
                       •   “General Troubleshooting” section on page 79
                       •   “How to Verify the TSR” section on page 80
                       •   “Troubleshooting the Active Directory Connector” section on page 84
                       •   “Working with the ADConnector Checklist” section on page 85
                       •   “Troubleshooting Specific Symptoms” section on page 86








Transparent Bridge Deployment Troubleshooting
                  As a transparent bridge, the SonicWALL CSM device forwards all packets without any modifications
                  until these packets are matched by Web or Application filters and need to be blocked. The advantage of
                  this approach is you can deploy the SonicWALL CSM device without any changes to your network. You
                  need only switch cables:
                  1.   Disconnect the existing connection from your LAN to the default gateway (Internet Router) and
                       reconnect it into the LAN (X0) interface of the CSM series appliance.
                  2.   Connect the WAN (X1) interface of the CSM series appliance to the default gateway (Internet
                       Router) using a crossover cable.
                  3.   Power on the CSM series appliance. During startup, the CSM series appliance contacts the
                       SonicWALL License Manager Web site to update its license information, download its Application
                       Filter and Dynamic Rating databases, and then determine the IP address of the nearest URL Rating
                       Server.

                  Figure 61    Connecting the SonicWALL CSM Inline




                  The SonicWALL CSM device is different from regular transparent bridges because the direction of the
                  network traffic (ingress/egress) determines how it interacts with and filters that traffic. The CSM
                  series appliance Web Filter filters only outbound HTTP requests, not requests originating from the
                  Internet destined to internal web servers. Similarly, the CSM series appliance Application Filters
                  (which are based on signatures) only filter traffic that originates internally.
                  Your LAN must be connected to the LAN (X0) port of the SonicWALL CSM device, and the WAN (X1)
                  port of the SonicWALL CSM device must be connected to the Internet gateway.
                   •   The Web Filter filters only outgoing HTTP traffic. It filters only HTTP traffic generated by Internet
                       browsers or other programs on client PCs. It does not affect incoming traffic from Internet users to
                       web servers located on the LAN.
                   •   The Application Filter uses information about traffic direction. It is based on packet signatures,
                       which depend on traffic direction.








Network Host Deployment Troubleshooting
                      The CSM device may not perform properly when you do not configure it correctly. To properly configure
                      the device, you may find it helpful to view the SonicWALL CSM as a network host. Also, you need to
                      successfully configure the device routing table, and be able to reach hosts on the Internet and some hosts
                      on the LAN.
                      The SonicWALL CSM will not work properly if it is not able to reach any of the components or hosts
                      on the network shown in Table 3:

                                                    Table 3   SonicWALL CSM as a Network Host

                      Network Host on the Internet             Description
                      License Manager                          The SonicWALL CSM device communicates with License Manager (HTTPS protocol, TCP
                                                               443) at the colocation sites for updating license information, updating the Dynamic Rating
                                                               database and Application Filter database. For the SonicWALL CSM device, License Manager
                                                               is always on the Internet.
                      CFS server in the colocation sites       The SonicWALL CSM device also uses DNS protocol (UDP port 2257) to retrieve URL ratings.
                                                               For the SonicWALL CSM device, the CFS Server is always on the Internet.
                      NTP servers                              The SonicWALL CSM device uses NTP Servers (UDP port 123) to synchronize time with world
                                                               time clocks. For the SonicWALL CSM device, NTP Servers are always on the Internet until you
                                                               deploy a private NTP server on a LAN network.
                      DNS servers                              The SonicWALL CSM device uses DNS Servers (UDP port 53) to retrieve URL ratings. You
                                                               may use public or ISP DNS servers which are always on the Internet. You may have private
                                                               DNS servers on a LAN network.
                      ADConnector                              The SonicWALL CSM device uses SonicWALL ADConnector (port 2258) to obtain user names
                                                               and policies. The SonicWALL CSM device sends requests to the SonicWALL ADConnector
                                                               with the IP address of the user host and expects a response with the names of the users
                                                               logged into this host and the list of assigned policies.
                      ViewPoint                                The SonicWALL CSM device sends logs to ViewPoint using the syslog protocol (UDP port
                                                               514).
                      SMTP server                              The SonicWALL CSM device uses the SMTP server for sending logs and alerts via the SMTP
                                                               protocol (TCP port 25).



                      The SonicWALL CSM device should be able to reach all of these components or hosts. If the
                      SonicWALL CSM device sits behind the corporate firewall, then you must configure the firewall to allow
                      network traffic from the SonicWALL CSM device. Sometimes your local network has several
                      firewalls. These firewalls also must be configured to allow the SonicWALL CSM device to
                      communicate with internal DNS servers, SonicWALL ADConnector, ViewPoint, and other hosts.








                  Figure 62    SonicWALL CSM as a Network Host




System Settings and Performance Troubleshooting
                  The following scenarios indicate common environments that require troubleshooting.

                  Symptom: Sluggish Web Browsing
                  The SonicWALL CSM Web Filter utilizes SonicWALL’s global content filtering infrastructure to deliver
                  its filtering services. The multi-level caching technology provides great performance for the
                  SonicWALL CSM. However, other factors can impact SonicWALL CSM’s performance, including
                  performance of DNS servers and the access time to SonicWALL’s CFS Server. To reduce the impact of
                  the second factor, SonicWALL provides multiple servers around the globe. Each SonicWALL CSM
                  device contacts the closest CFS server depending on its Time Zone setting.
                  If you experience slow web browsing, verify the following:
                   •   Check the time zone (System > Time).
                   •   Make sure DNS server settings (Network > Interfaces > configure X1) are configured properly,
                       and DNS servers have good response time and can resolve MX domain requests.
                        – Ping DNS servers from the CSM series appliance (System > Diagnostics > Ping). It is very
                           important that ping time is less than 100 ms, otherwise the SonicWALL CSM device could
                           significantly slow down HTTP traffic.
                        – Make sure that DNS servers are able to resolve domain names.
                        – Make sure that DNS servers are able to resolve MX records.








Verifying Network Settings
                      CSM now provides a mechanism, the Network Check button, for verifying your network settings
                      from the System > Status page. To access this, perform the following steps:


            Step 1    Navigate to the System > Status page.




            Step 2    Note the entry Click here to verify your network settings in the lower right portion of the screen.
            Step 3    Click the hyperlinked here string in the entry.
                      CSM displays the System > Diagnostics page.








               Step 4   Select a diagnostic test type from the Diagnostic Test list box. Most commonly, you will select the
                        default option, Check Network Settings.




               Step 5   Click the Run Test button at the bottom of the screen.
                        Wait for a minute and view the status messages that display in the lower left portion of the screen. When
                        the test of network resources has completed, the screen displays its output in regions.




               Step 6   Note that each region has a series of columns:

Column                               Description
Server                               The name of the server device to which the diagnostic test applies.
IP Address                           The IP address of the server device to which the diagnostic test applies.
Test Results                         Indicates the state of the test: ready or not ready.
Notes                                Contains any special comments about the state of the device.



               Step 7   Note the following details displayed in the output.
                        General Network Connections Region. This region contains a table with data about servers and
                        gateways on your network.






                      Security Management Region. This region contains a table with data about License Manager, Content
                      Filtering Server, and ADConnector.


General Troubleshooting
                      Symptom: No Traffic Flowing
                       •   Verify Physical Connections
                              – Make sure that the connection from your LAN to the Internet is plugged into the X0 (LAN) port
                                 of the CSM series appliance. Verify the Ethernet link light.
                              – Make sure that the X1 (WAN) port of the CSM series appliance is connected to the default
                                 Internet Gateway. This connection usually requires a crossover cable. Verify the Ethernet link
                                 light.
                       •   Check Network Settings
                              – Make sure that the default gateway (Network > Interfaces > configure X1) is configured and
                                 can be pinged from the CSM series appliance (System > Diagnostics > Ping)
                              – Make sure that DNS is properly configured (Network > Interfaces > configure X1)
                              – Make sure the CSM series appliance has a functioning connection to the Internet by pinging
                                 several common sites like http://www.yahoo.com/ and http://www.sonicwall.com/


             Note     Some Internet sites, like http://www.msn.com/ and http://www.sonicwall.com/, do not allow the ping
                      protocol.

                      Symptom: CSM Series Appliance Cannot Communicate with ADConnector
                       •   If the network contains a single-subnet LAN, make sure that the IP address for the ADConnector
                           is correct in the CSM series appliance’s configuration. Verify connectivity by pinging the
                           ADConnector host directly from the CSM series appliance (System > Diagnostics > Ping).
                       •   If the network is a multi-subnet LAN, then static routes may be required to properly communicate
                           with the ADConnector host.
                              – If the ADConnector is on a different subnetwork than the CSM series appliance, create a static
                                 route that tells the CSM series appliance how to get to the ADConnector (Network > Interfaces
                                 > Routing Table > Add).








How to Verify the TSR
                  The TSR output provides detailed information about the CSM series appliance’s configuration settings
                  and the network topology. Below is a sample TSR and a corresponding analysis.

                  Sample 1
                      Status
                      Serial number 0006-XXXX-XXXX
                      02/24/2005 08:20:05.320
                      SonicWALL has been up: 4 Days, 21 Hours, 45 Minutes, 22 Seconds
                      Firmware version: SonicOS CF 2.0.0.0-10e
                      restartRequired: False
                      Revision: 2.0.0.0-10e
                      min firmware for this hardware: 1.0.0.0
                      max firmware for this hardware: 0.0.0.0
                      vers check err: 0
                      Configured Ethernet Settings:
                      X0 Auto Negotiate
                      X1 Auto Negotiate
                      X2 Auto Negotiate

                      Currently Active Ethernet Settings:
                      X0 100Mbps Full-duplex
                      X1 100Mbps Full-duplex
                      X2 No Connection



                  Analysis: The CSM Series Appliance Running Firmware Version 2.0.0.0-10e
                  Verify that the CSM is running the latest version of firmware, which can be downloaded from
                  http://www.mysonicwall.com. Other points of interest in this section are the uptime (4 Days, 21 Hours,
                  45 Minutes, 22 Seconds), that no restart is currently required (restartRequired: False), and that the
                  X0 and X1 interfaces are active.

                  Sample 2
                      Network
                      System Routing Table
                      Index      IP Address Range                          Gateway                          Interface



                  Analysis: No Static Routes Configured
                  Determine if all the devices the CSM series appliance needs to communicate with are on the same subnet
                  as it.

                  Sample 3
                      Interfaces

                      Interface:X0
                      IP Address:10.12.1.3
                      Network:10.12.0.0
                      Network Mask:255.255.0.0
                      MAC:00:06:B1:18:47:58   Default:y
                      MTU:1500
                      Effective MTU:1500
                      Link Type:Ether CSMA/CD   Value: 6
                      Link Status:UP   Value: 1
                      Link Mode:Full Duplex   Value: 1
                      Link Speed:100 Mbps







                         Failover Group: -1
                         Zone:Internal   Handle: 1   Type: 1
                         Management:HTTP y HTTPS y Ping y          SNMP n
                         User Login:HTTP n HTTPS n
                         LAN Mode:TRANSPARENT

                         -----------------------------------------------------------------

                         Interface:X1
                         IP Address:10.12.1.3
                         Network:10.12.0.0
                         Network Mask:255.255.0.0
                         MAC:00:06:B1:18:47:59   Default:y
                         MTU:1500
                         Effective MTU:1500
                         Link Type:Ether CSMA/CD   Value: 6
                         Link Status:UP   Value: 1
                         Link Mode:Full Duplex   Value: 1
                         Link Speed:100 Mbps
                         Failover Group: 0
                         Zone:External   Handle: 2   Type: 0
                         Management:HTTP y HTTPS y Ping y          SNMP n
                         User Login:HTTP n HTTPS n
                         Gateway MAC:00:06:B1:0C:BF:68
                         Gateway IP:10.12.1.2
                         dnsServer1:4.2.2.2
                         dnsServer2:10.10.2.9
                         dnsServer3:0.0.0.0
                         WAN Mode:Static IP   Value: 2
                         WAN Mode State:Started   Value: 0

                         -----------------------------------------------------------------

                         Interface:X2
                         IP Address:192.168.168.168
                         Network:192.168.168.0
                         Network Mask:255.255.255.0
                         MAC:00:06:B1:18:47:5A   Default:y
                         MTU:1500
                         Effective MTU:1500
                         Link Type:Ether CSMA/CD   Value: 6
                         Link Status:DOWN   Value: 0
                         Link Mode:Half Duplex   Value: 0
                         Link Speed:0 Mbps
                         Failover Group: -1
                         Zone:Management   Handle: 4   Type: 8
                         Management:HTTP y HTTPS y Ping y          SNMP y
                         User Login:HTTP n HTTPS n



                     Analysis: Second DNS Server Inaccessible
                     The second DNS server belongs to a different subnet (10.10.0.0), but there were no static routes to the
                     10.10.0.0 network in the previous routing table. The CSM series appliance IP address is 10.12.1.3 and
                     the subnet mask is 255.255.0.0 so the network is 10.12.0.0. Add a static route to the 10.10.0.0 network.
                     Then verify connectivity to the second DNS server by pinging it from the CSM series appliance GUI
                     (System > Diagnostics > Ping).








                 Sample 4
                     Users
                     Max local users 250, currently 1 configured
                     Max user groups 64, currently 3 configured
                     Max user logins 250
                     User Authentication Method = Windows Active Directory
                      - ADConnector IP: 10.10.2.4
                      - ADConnector port: 2258



                 Analysis: ADConnector Host Inaccessible
                 This is the same issue as the previous example. The ADConnector has been deployed in the 10.10.0.0
                 subnet, but there is no route to it. Add a static route to the 10.10.0.0 network. Then verify connectivity
                 to the ADConnector by pinging it from the CSM series appliance GUI (System > Diagnostics > Ping).
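
                 The check applied in Samples 2 through 4 (an internal host outside the appliance subnet with no
                 matching static route) can be run mechanically over a saved TSR. The Python below is an added
                 example, not part of the SonicWALL guide or product. Its assumptions: the static-route row layout,
                 the router address 10.12.1.1, and the rule that off-subnet private addresses need a static route
                 while public addresses leave through the default gateway.

```python
import ipaddress
import re

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"

# Constructed TSR excerpt built from the values in the guide's Samples 2-4.
TSR_ROUTES_HEADER = (
    "System Routing Table\n"
    "Index      IP Address Range          Gateway          Interface\n"
)
TSR_BODY = """\
Interface:X1
IP Address:10.12.1.3
Network Mask:255.255.0.0
Gateway IP:10.12.1.2
dnsServer1:4.2.2.2
dnsServer2:10.10.2.9
dnsServer3:0.0.0.0
Users
User Authentication Method = Windows Active Directory
 - ADConnector IP: 10.10.2.4
 - ADConnector port: 2258
"""
TSR_SAMPLE = TSR_ROUTES_HEADER + TSR_BODY

# Assumed row layout and a hypothetical LAN-side router (10.12.1.1); the guide
# shows only the empty table, so this row is constructed for illustration.
STATIC_ROUTE = "1          10.10.0.0 - 10.10.255.255          10.12.1.1          X0\n"
TSR_FIXED = TSR_ROUTES_HEADER + STATIC_ROUTE + TSR_BODY


def parse_tsr(text):
    """Return (appliance subnet, static route networks, dependent hosts)."""
    # Use the interface block that carries the default gateway (X1 in the guide).
    blocks = re.split(r"(?m)^\s*Interface:", text)
    wan = next(b for b in blocks if "Gateway IP:" in b)
    ip = re.search(rf"IP Address:\s*{IP}", wan).group(1)
    mask = re.search(rf"Network Mask:\s*{IP}", wan).group(1)
    subnet = ipaddress.ip_network(f"{ip}/{mask}", strict=False)

    # Hosts the appliance must reach: configured DNS servers and the ADConnector.
    hosts = {}
    for name, addr in re.findall(rf"(dnsServer\d):\s*{IP}", wan):
        if addr != "0.0.0.0":  # 0.0.0.0 marks an unused DNS slot
            hosts[name] = ipaddress.ip_address(addr)
    m = re.search(rf"ADConnector IP:\s*{IP}", text)
    if m:
        hosts["ADConnector"] = ipaddress.ip_address(m.group(1))

    # Static routes: "index  start - end  gateway  interface" (assumed layout).
    routes = []
    row = rf"(?m)^\s*\d+\s+{IP}\s*-\s*{IP}\s+{IP}\s+X\d"
    for start, end, _gateway in re.findall(row, text):
        routes.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(start), ipaddress.ip_address(end)))
    return subnet, routes, hosts


def unreachable_hosts(text):
    """Flag private hosts that are neither on-link nor covered by a static route."""
    subnet, routes, hosts = parse_tsr(text)
    flagged = {}
    for name, addr in hosts.items():
        on_link = addr in subnet
        routed = any(addr in net for net in routes)
        # Assumption: public addresses are reached through the default gateway.
        if addr.is_private and not on_link and not routed:
            flagged[name] = str(addr)
    return flagged


if __name__ == "__main__":
    print("No static routes:", unreachable_hosts(TSR_SAMPLE))
    print("With 10.10.0.0 route:", unreachable_hosts(TSR_FIXED))
```
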

                 Sample 5
                     CFS Filter
                     Content Filtering Server: Not Responding
                     Dynamic Rating Database: Ready
                     Content Filtering Expires On: 01/30/2006
                     Dynamic Rating Database Timestamp: 08/30/2004
                     Web Filtering is Enabled
                     useCfaDR = 1
                     suppressZipped = 0
                     fastMode = 1
                     Server Address = webcfs00.global.sonicwall.com
                     URL Cache Size = 5120 KB
                     mode1 = 1
                     Timeout1 = 1
                     Timeout2 = 30
                     mode2 = 1
                     mode4 = 3
                     CFA IP Address Exclusion List
                     Server Ready = 0
                     Server Status Code = 1
                     Server IP = 64.41.135.50
                     Allocated cache: 145380 bytes
                     Failed Time = 7 secs (since 2005-02-24 08:20:05)



                 Analysis: The CFS Server (URL Rating Server) Not Responding in the Last Seven Seconds
                 The Internet connection may have been temporarily interrupted. The CSM series appliance was
                 connected to the Internet some time ago and was able to successfully update its licensing information as
                 indicated by the Content Filtering Expires On: 1/30/2006 entry. Also the Dynamic Rating Database has
                 been downloaded and is ready. Check connectivity by pinging the default gateway (10.12.1.2) and the
                 CFS server (webcfs00.global.sonicwall.com or 64.41.135.50). You need to mask the email, SMTP server
                 address, and MAC address.

                 Sample 6
                     Logging
                     smtpServerName = xyz.org'
                     Log email: xyz.org
                     Alert email: xyz.org
                     Firewall Name: 0006B1XXXXXX
                     logEmailFreq: daily
                     Day Of Week Sun, Time Of Day 0
                     Auxillary Syslog Servers(Address:Port)
                     10.10.2.4:514 Syslog Format: Default








                         Syslog Prority Threshold: 7
                         Syslog Individual Event Rate: 0
                         Rate Limiting:
                          Event Limiting: Disabled, Threshold: 1000 events/second
                          Syslog Output Limiting: Disabled, Threshold: 10000000 bytes/second
                         Legacy Categories: Use In Addition To Other Categories
                         Log Mask:
                          System Errors: GUI Alert Syslog
                             Blocked Web Sites: GUI Syslog
                             Blocked Java Etc: GUI Syslog
                             User Activity: GUI
                             System Environment: GUI Syslog
                             Authenticated Access: GUI Syslog
                             Appliance Event: GUI Syslog
                             Appliance Hardware: GUI Syslog
                             GMS: GUI Syslog
                          Protocols & Applications: GUI Syslog
                          RADIUS: None
                          Security Services: GUI Syslog
                          VPN IPSec: GUI Syslog
                          MSAD: GUI
                         ViewPoint: Upgraded
                         Message Queue Statistics:
                          Max Queue Size: 0
                          Queue Overflows: 0
                         Syslog Facility: 16



                     Analysis: Correct Server Configuration and Reachability Unclear
                     The CSM series appliance is configured to use SMTP server mail.xyz.org and Syslog server 10.10.2.4.
                     Verify that they can both be pinged from the CSM series appliance GUI (System > Diagnostic > Ping).

                     Sample 7
                         IDP is Activated
                         IDP is Enabled
                         Signature database is present
                         Signature database download is NOT in-progress
                         SchedulerId is 0
                         Last time we received a valid signature database we successfully loaded 154 signatures
                         running signature timestamp = UTC 02/21/2005 12:04:01.000
                         latest available signature timestamp = UTC 02/21/2005 12:04:01.000
                         last successful downloaded db signature timestamp = UTC 02/21/2005 12:04:01.000
                         compressed signature image size = 5724 bytes
                         P2P signatures are present
                         Multimedia signatures are present
                         IM signatures are present



                     Analysis: Application Filter Database Successfully Obtained
                     You successfully downloaded the Application Filter database. Application filtering is enabled.

                     Sample 8
                         License info
                         License User Count: 300
                         Current 235 HTTP users
                         fwinfoDomain is: licensemanager.sonicwall.com
                         GSC Policy Version: 0








                  Analysis: CSM Series Appliance Licensed for 300 Users.
                  The CSM series appliance is licensed for 300 users. The current number of HTTP users in the license
                  table is 235.

                  Sample 9
                       ARP Cache
                       ----------------------ARP TABLE------------------------------
                       entries=17 lookups=0 fails=2097926 hits=522 misses=2097183 hitRate=221 percent
                       ---------------------------------------------------------------
                               4.2.2.2 <-> 00:06:B1:0C:BF:68 (WAN) is expires in 20 mins
                       192.168.168.168 <-> 00:06:B1:18:47:5A (Management) is permanent published
                         10.10.103.119 <-> 00:0F:20:E4:8E:00 (LAN) is expires in 19 mins
                             10.10.2.4 <-> 00:0F:20:E4:8E:00 (LAN) is expires in 20 mins
                             10.12.1.1 <-> 00:0F:20:E4:8E:00 (LAN) is expires in 9 mins
                             10.12.1.2 <-> 00:06:B1:0C:BF:68 (WAN) is expires in 20 mins
                             10.12.1.3 <-> 00:06:B1:18:47:58 (LAN) is permanent published
                             10.12.1.3 <-> 00:06:B1:18:47:59 (WAN) is permanent published
                          10.10.103.43 <-> 00:0F:20:E4:8E:00 (LAN) is expires in 17 mins
                           10.10.100.5 <-> 00:0F:20:E4:8E:00 (LAN) is expires in 13 mins
                            10.10.2.11 <-> 00:0F:20:E4:8E:00 (LAN) is expires in 0 mins
                           10.15.100.3 <-> 00:0F:20:E4:8E:00 (LAN) is expires in 4 mins
                         10.10.100.101 <-> 00:0F:20:E4:8E:00 (LAN) is expires in 18 mins
                          10.10.100.21 <-> 00:0F:20:E4:8E:00 (LAN) is expires in 20 mins
                           10.10.103.8 <-> 00:0F:20:E4:8E:00 (LAN) is expires in 18 mins
                           10.15.103.9 <-> 00:0F:20:E4:8E:00 (LAN) is expires in 20 mins
                          10.10.103.30 <-> 00:0F:20:E4:8E:00 (LAN) is expires in 0 mins
                       ---------------------------------------------------------------



                  Analysis: No Static Routes to Internal Subnets
                  The ARP table shows that there are several internal subnets: 10.10.0.0, 10.12.0.0, and 10.15.0.0, but as
                  previously mentioned there were no static routes to these networks. Unless there are specific hosts on
                  these other subnets with which the CSM series appliance needs to communicate (ADConnector, DNS,
                  Syslog, SMTP, etc.), it is not necessary to configure static routes to them. However, in this particular
                  example, the ADConnector and a second DNS server were located on one of these subnets, necessitating
                  the addition of a static route for the CSM series appliance to properly communicate with them.
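The following added example (not part of the SonicWALL guide) parses the Sample 9 ARP table and lists the off-link networks behind each LAN neighbour, which is the check the analysis above performs by eye. The /16 prefix, the local network 10.12.0.0/16, and the rule that an on-link neighbour sharing a MAC address is the candidate next hop are assumptions inferred from the network numbers in the analysis.

```python
import ipaddress
import re
from collections import defaultdict

# ARP entries copied from Sample 9 above (the tech support report).
ARP_TABLE = """\
4.2.2.2 <-> 00:06:B1:0C:BF:68 (WAN) is expires in 20 mins
192.168.168.168 <-> 00:06:B1:18:47:5A (Management) is permanent published
10.10.103.119 <-> 00:0F:20:E4:8E:00 (LAN) is expires in 19 mins
10.10.2.4 <-> 00:0F:20:E4:8E:00 (LAN) is expires in 20 mins
10.12.1.1 <-> 00:0F:20:E4:8E:00 (LAN) is expires in 9 mins
10.12.1.2 <-> 00:06:B1:0C:BF:68 (WAN) is expires in 20 mins
10.12.1.3 <-> 00:06:B1:18:47:58 (LAN) is permanent published
10.12.1.3 <-> 00:06:B1:18:47:59 (WAN) is permanent published
10.10.103.43 <-> 00:0F:20:E4:8E:00 (LAN) is expires in 17 mins
10.10.100.5 <-> 00:0F:20:E4:8E:00 (LAN) is expires in 13 mins
10.10.2.11 <-> 00:0F:20:E4:8E:00 (LAN) is expires in 0 mins
10.15.100.3 <-> 00:0F:20:E4:8E:00 (LAN) is expires in 4 mins
10.10.100.101 <-> 00:0F:20:E4:8E:00 (LAN) is expires in 18 mins
10.10.100.21 <-> 00:0F:20:E4:8E:00 (LAN) is expires in 20 mins
10.10.103.8 <-> 00:0F:20:E4:8E:00 (LAN) is expires in 18 mins
10.15.103.9 <-> 00:0F:20:E4:8E:00 (LAN) is expires in 20 mins
10.10.103.30 <-> 00:0F:20:E4:8E:00 (LAN) is expires in 0 mins
"""

ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+<->\s+((?:[0-9A-F]{2}:){5}[0-9A-F]{2})"
    r"\s+\((\w+)\)\s+is\s+(.+?)\s*$",
    re.IGNORECASE,
)


def parse_arp_table(text):
    """Return one dict per ARP entry; separator and counter lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m is None:
            continue
        ip, mac, zone, state = m.groups()
        entries.append({
            "ip": ipaddress.ip_address(ip),
            "mac": mac.upper(),
            "zone": zone,
            "permanent": state.startswith("permanent"),
        })
    return entries


def routed_networks(entries, local_net, prefix_len=16):
    """Map each off-link LAN network to its candidate next hops.

    Assumption: hosts on other subnets appear with the MAC address of the
    router in front of them, so an on-link neighbour with the same MAC is
    the candidate gateway for a static route.
    """
    local = ipaddress.ip_network(local_net)
    learned = [e for e in entries if e["zone"] == "LAN" and not e["permanent"]]
    on_link = defaultdict(set)
    for e in learned:
        if e["ip"] in local:
            on_link[e["mac"]].add(e["ip"])
    routes = defaultdict(set)
    for e in learned:
        if e["ip"] not in local:
            net = ipaddress.ip_network(f"{e['ip']}/{prefix_len}", strict=False)
            routes[net] |= on_link.get(e["mac"], set())
    return {net: sorted(hops) for net, hops in sorted(routes.items())}


def route_for(host, routes):
    """Return (network, next hops) if the host needs a static route, else None."""
    addr = ipaddress.ip_address(host)
    for net, hops in routes.items():
        if addr in net:
            return str(net), [str(h) for h in hops]
    return None


if __name__ == "__main__":
    routes = routed_networks(parse_arp_table(ARP_TABLE), "10.12.0.0/16")
    # 10.10.2.4 is the Syslog server from Sample 6; 10.12.1.2 is the default gateway.
    for host in ("10.10.2.4", "10.12.1.2"):
        print(host, "->", route_for(host, routes))
```

Run it against the hosts the appliance must reach (ADConnector, DNS, Syslog, SMTP); any host that returns a network needs a static route before the ping test in System > Diagnostic > Ping can succeed.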


Troubleshooting the Active Directory Connector
                  The SonicWALL ADConnector is a software service that allows the CSM series appliance to
                  transparently determine what user is logged into a particular workstation, what Active Directory
                  group(s) he or she is a member of and what CSM series appliance policies are assigned to them. For the
                  ADConnector to function properly, users must access the Internet from workstations where they logged
                  into the Active Directory domain.
                  The SonicWALL ADConnector log contains useful information for troubleshooting and monitoring the
                  ADConnector. To view the SonicWALL ADConnector log, click on View > Log. The following
                  categories of log records are available:
                   •   Users and Hosts - Displays the IP address, computer, user, policy name, and time of login for all
                       users and hosts.
                   •   Bad IPs - Displays IP addresses that caused errors, the error that occurred, and the time of error.
                   •   Messages - Displays all runtime event log messages.








                      The ADConnector software component is made up of two parts:
                      ADConnector Service. This is an always on, non-visual service that continually waits for requests from
                      the CSM series appliance and responds to requests, with username and policy assignment information.
                      As this queries host devices on the network, it is important to ensure that the ADConnector device can
                      resolve all client IP addresses that try to access the Internet via the CSM series appliance.
                      ADConnector Configuration Tool. This is an MMC snap-in that allows the administrator to perform
                      the following actions:
                       •   Display a list of available CSM series appliance policies.
                       •   Display a list of Active Directory Users and Groups.
                       •   Assign CSM series appliance policies to Active Directory Users and Groups.
                       •   Start and stop the ADConnector service.
                       •   Configure the connection parameters the ADConnector service uses to communicate with the CSM
                           series appliance.
                       •   Configure the Active Directory attributes in which the CSM series appliance policies will be
                           stored.


Working with the ADConnector Checklist
                      The following is a list of checklist items for you to review before proceeding with your ADConnector
                      configuration.
                       •   Ensure you have met the requirements for installing the ADConnector. These can be found on page
                           94 of the SonicWALL Content Security Manager series Appliance Administrator’s Guide, but are
                           presented here again.
                       •   The Windows PC on which you install the SonicWALL ADConnector must meet the following
                           requirements:
                              – Windows 2000 (Professional or Server) or Windows XP (Home or Professional)
                              – Direct or routable access to both the Active Directory Domain Controller and the SonicWALL
                                 Content Security Manager
                              – An always-on computer, so that the SonicWALL Content Security Manager appliance can
                                 communicate with the Windows computer as needed.
                              – A computer that belongs to the domain against which the authentication occurs.
                              – Administrative privileges on the local device.
                       •   Make sure that you use the latest version of the firmware and the latest version of the ADConnector.
                           You can download this from http://www.mysonicwall.com/.
                       •   Make sure that all the latest patches for .NET framework have been applied.
                       •   Verify that the ADConnector host is able to communicate with all workstations that will access the
                           Internet through the CSM series appliance.
                       •   Verify that the Primary DNS server on the ADConnector host is set to the Domain controller.
                       •   Verify that the ADConnector service is running with Domain Administrator privileges. To verify
                           this:








                        – Open the Services manager (Start > Run > services.msc). Scroll down to SonicWALL
                           ADConnector. Right-click it and select Properties. Click the Log On tab. Verify that the
                           username and password entered are those of a user with domain administrator privileges.
                           You may see the following message box when this is set:




                           This is due to the Log on as Service right not being set before installation of the service, as
                           documented in the Administrator's Guide. This is the most common error encountered in initial
                           deployments.
                   •   If the ADConnector host is running a personal firewall, make sure that it is configured to allow the
                       ADConnector to communicate with the CSM and vice versa (the default is UDP 2258 and TCP 445).
                       You can verify this by stopping the ADConnector service and then deleting the file found at the
                       following path:
                       C:\Program Files\SonicWALL\ADConnector\PolicyList.xml
                       Then restart the ADConnector service. If the ADConnector and the CSM series appliance are
                       communicating properly, the file will be automatically recreated.
                   •   Create an Active Directory user specifically for the ADConnector service. Add it to the Domain
                       Admins Group and make sure that it is in the Local Admins Group of the ADConnector host.
                       Use this user account for the Log On As A Service user. You can verify this using the following
                       procedure:
                        – Open the Local User and Groups manager (Start > Run > lusrmgr.msc)
                        – Go to Groups > Administrators and verify that the ADConnector user is a member of this group.



Troubleshooting Specific Symptoms
                  Symptom: The ADConnector does not log successful IP resolutions.
                  When this problem occurs, only unresolvable IP addresses are logged at the default logging level,
                  characterized by the following event log message:
                  Failed to get Logged in User (GetRemoteLoggedInUser) - for IP: 10.10.100.39 Error: Bad netpath
                  Possible causes include:
                   •   ADConnector cannot communicate with the workstation.
                   •   ADConnector service is running in the context of a user that is not an administrator on the
                       ADConnector host.
                   •   User is logged in locally instead of into the domain.
                   •   The workstation is not a member of the domain.
                   •   The workstation is running a personal firewall that blocks TCP port 445.
                   •   The workstation is not Windows 2000 or above.

                  Symptom: ADConnector will not return the intended policy on multi-user systems on which
                  multiple users are logged in at the same time.
                  This is a limitation of the ADConnector. It can only return the policy for the last user that logged in to
                  a multi-user system (for example, Terminal Server).






                     Symptom: Cannot launch the ADConnector configuration tool.
                     Make sure the tool is launched by a user who has administrative rights on the ADConnector host system
                     and has permissions to write to Active Directory. Domain Admins normally have these permissions.

                     Symptom: ADConnector cannot communicate with CSM series appliance
                     Verify that the port used to communicate with the CSM series appliance matches the port configured
                     on the CSM series appliance. You can view and modify these parameters by selecting the SonicWALL
                     CSM Appliance object in the ADConnector configuration tool and then editing the properties.

                     Symptom: CSM series appliance policies are not being displayed.
                     Restart the ADConnector host system and then verify connectivity to the CSM series appliance (Ping).

                     Symptom: Active Directory Users or Groups not being displayed when clicking on the User or
                     Group node
                     Verify that communication with the Domain Controller is available. Note that a NetBIOS name or a Fully
                     Qualified Domain Name (FQDN) can be used during installation. The format used must be resolvable
                     from the ADConnector device. To change this value, you need to edit the registry at:
                     \HKEY_LOCAL_MACHINE\SOFTWARE\SonicWALL\CFAService\DOMAIN



                     Symptom: A different user logs in but the CSM series appliance applies the previous logged in
                     user’s policy
                     The Refresh Time Registry parameter defines the amount of time an IP is cached by ADConnector before
                     it is required to redetermine who the associated logged in user is. If your environment has the same users
                     using the same workstations regularly, this can be set to a larger value. If you have different users
                     logging in to the same workstation frequently, this parameter should be set to a smaller value. The
                     default is 300 seconds and can be changed by editing the following registry key:
                     \HKEY_LOCAL_MACHINE\SOFTWARE\SonicWALL\CFAService\AUTOLOG
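The trade-off behind the Refresh Time setting, as an added example that is not part of the SonicWALL guide: a small model of the IP-to-user cache that counts how many requests receive the previous user's policy and how many workstation lookups are performed. It assumes a cache entry ages from the moment the IP was last resolved; the user names and timings are constructed.

```python
import bisect

DEFAULT_REFRESH_TIME = 300  # seconds, the default stated in the guide


def user_at(logons, t):
    """Return the user logged in at time t, given sorted (time, user) logons."""
    times = [ts for ts, _ in logons]
    i = bisect.bisect_right(times, t) - 1
    return logons[i][1] if i >= 0 else None


def replay_requests(logons, request_times, refresh_time=DEFAULT_REFRESH_TIME):
    """Replay web requests from one workstation IP through the cache model.

    Assumption: the cached user is reused until refresh_time seconds have
    passed since the last resolution, then the workstation is queried again.
    """
    logons = sorted(logons)
    cached_user, resolved_at = None, None
    lookups = 0
    wrong_policy = []  # (time, actual user, user whose policy was applied)
    for t in sorted(request_times):
        if resolved_at is None or t - resolved_at >= refresh_time:
            cached_user, resolved_at = user_at(logons, t), t
            lookups += 1
        actual = user_at(logons, t)
        if cached_user != actual:
            wrong_policy.append((t, actual, cached_user))
    return {"lookups": lookups, "wrong_policy": wrong_policy}


# Constructed scenario: alice logs in at t=0, bob takes over the same
# workstation at t=60, and the workstation sends a request every 60 seconds.
LOGONS = [(0, "alice"), (60, "bob")]
REQUESTS = list(range(10, 601, 60))

if __name__ == "__main__":
    for refresh in (DEFAULT_REFRESH_TIME, 60):
        result = replay_requests(LOGONS, REQUESTS, refresh)
        print(f"refresh={refresh}s lookups={result['lookups']} "
              f"requests under wrong policy={len(result['wrong_policy'])}")
```

With the default value, bob's first four requests are filtered under alice's policy; at 60 seconds none are, at the cost of five times as many workstation lookups.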








Technical Frequently Asked Questions
                     This section contains a list of FAQs documented by SonicWALL technical support engineers to address
                     common deployment questions.

                                                     Table 4           Technical FAQs

                      Registration, Licensing and Node Count
                      Q: How are CFS node licenses tracked on the SonicWALL CSM? Is this the number of IPs or Users behind the SonicWALL CSM?
                      Q: If a user doesn't specifically log out, how long do they remain in the license node count?
                      Q: I get a 'Connection to the licensing server timed out' error. Why?
                      Q: How is the SonicWALL CSM node license count maintained? Can you diagram the process in a flowchart?

                      SonicWALL CSM Filters
                      Q: How does the SonicWALL CSM determine if a user can access a web site? Or is this based on the requesting host IP address?
                      Q: In what order are SonicWALL CSM, custom and privacy policies applied? What order are Trusted, Untrusted and Keyword policies applied?
                      Q: How many custom entries can I make?
                      Q: If I block cbsnews.com will it block cbsnews.com:8080?
                      Q: My users are accessing sites using https. Why are they not blocked?
                      Q: I want to turn off IM for everybody but my bosses. How do I do that?

                      Networking
                      Q: Should I put the SonicWALL CSM in before or after my PRO 4060 in my network?




Registration, Licensing and Node Count
Q: How are CFS node licenses tracked on the SonicWALL CSM? Is this the number of IPs or Users behind
the SonicWALL CSM?

                     A: SonicWALL CSM counts LAN hosts (IP addresses) which open HTTP connections (HTTP protocol
                     on any port) to web servers on the WAN.

Q: If a user doesn't specifically log out, how long do they remain in the license node count?

                     A: It does not matter if the user logged out or not. It all depends on HTTP traffic generated by a specific
                     host. SonicWALL CSM counts all hosts that generate HTTP traffic. Even if a user logged out, his PC
                     still can open HTTP connections, for example to Microsoft Windows updates.

Q: I get a 'Connection to the licensing server timed out' error. Why?

                     A: This message means that SonicWALL CSM was not able to reach License Manager. You need to
                     check network settings on SonicWALL CSM and the network configuration.

Q: How is the SonicWALL CSM node license count maintained? Can you diagram the process in a flowchart?

                     A: The SonicWALL CSM will only allow a certain number of nodes (unique IP addresses) to pass
                     through its filtering at once. If this number is exceeded, then the filter will start blocking nodes that are
                     not in the licensing table.
                      1.   An IP address attempts to access a site, passing through the SonicWALL CSM to do so.
                      2.   The SonicWALL CSM looks up its IP address in the license table.






                      3.   If the IP address is found, the request goes through, and the table entry is marked with a timestamp
                           of the request.
                      4.   If the license is not found:
                              a. If the number of entries in the table is less than the number of nodes the backend has
                                 licensed the SonicWALL CSM for, then the IP address is added to the table, and is timestamped.
                              b. If the number of entries in the table is already equal to the number the SonicWALL CSM is
                                 licensed for, then a block page is sent down, displaying the message
                                 You have exceeded your licens


                      Separately, a task is constantly running that will walk through the license table and look at the timestamp
                      on each entry. If a timestamp is more than one hour old, that entry is removed from the table. So if an IP
                      address hasn’t made any requests for one hour, its license is freed up for some other node to use.

                      Figure 63      Flow Diagram of Tasks for Node License Count
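The node license process described above, as an added example that is not SonicWALL code: a model of the license table with the per-request lookup and the one-hour expiry sweep, replayed over constructed traffic. The sweep is run before each request as a stand-in for the constantly running task, and the IP addresses and timings are constructed.

```python
IDLE_TIMEOUT = 3600  # seconds; entries older than one hour are removed


class NodeLicenseTable:
    """License table keyed by client IP, storing the time of the last request."""

    def __init__(self, licensed_nodes, idle_timeout=IDLE_TIMEOUT):
        self.licensed_nodes = licensed_nodes
        self.idle_timeout = idle_timeout
        self.last_seen = {}

    def expire(self, now):
        """Background sweep: free entries whose timestamp is too old."""
        stale = [ip for ip, ts in self.last_seen.items()
                 if now - ts > self.idle_timeout]
        for ip in stale:
            del self.last_seen[ip]
        return stale

    def request(self, ip, now):
        """Steps 1 to 4: look up the IP, refresh or add it, or block."""
        if ip in self.last_seen:                        # step 3: found
            self.last_seen[ip] = now
            return "allow"
        if len(self.last_seen) < self.licensed_nodes:   # step 4a: room left
            self.last_seen[ip] = now
            return "allow"
        return "block"                                  # step 4b: table full


def replay_license(events, licensed_nodes):
    """Replay (time, ip) HTTP requests and return the decision for each."""
    table = NodeLicenseTable(licensed_nodes)
    decisions = []
    for now, ip in sorted(events):
        table.expire(now)  # assumption: sweep modelled as running before each request
        decisions.append((now, ip, table.request(ip, now)))
    return decisions, table


# Constructed traffic for a 3-node license. 10.10.100.5 keeps sending
# background requests (for example update checks) after its user has logged
# out, so it never frees its slot; 10.10.100.21 goes idle and loses its slot.
EVENTS = [
    (0, "10.10.100.5"), (60, "10.10.100.21"), (120, "10.10.100.101"),
    (180, "10.10.103.8"),     # fourth host while the table is full
    (1800, "10.10.100.5"), (3000, "10.10.100.101"), (3600, "10.10.100.5"),
    (3700, "10.10.103.8"),    # 10.10.100.21 has now been idle for over an hour
    (3800, "10.10.100.21"),   # returns after its slot was reused
]

if __name__ == "__main__":
    decisions, table = replay_license(EVENTS, licensed_nodes=3)
    for now, ip, verdict in decisions:
        print(f"t={now:>4}s {ip:<14} {verdict}")
    print("license holders:", sorted(table.last_seen))
```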




SonicWALL CSM Filters
Q: How does the SonicWALL CSM determine if a user can access a web site? Or is this based on the
requesting host IP address?

                      A: SonicWALL CSM inspects the HTTP header and extracts the domain name. It also can use the web
                      site IP address if the user typed it in the browser.








Q: In what order are SonicWALL CSM, custom and privacy policies applied? What order are Trusted,
Untrusted and Keyword policies applied?

                     A: The site is always allowed if it is matched by the Trusted category/policy.

Q: How many custom entries can I make?

                     A: It depends.
                      •   maximum 256 file types in all categories
                      •   maximum 256 keywords in all categories
                      •   maximum 128 custom categories
                      •   maximum 100 items in a category
                      •   maximum 128 policies
                      •   maximum 64 items in a policy

Q: If I block cbsnews.com will it block cbsnews.com:8080?

                     A: No.

Q: My users are accessing sites using https. Why are they not blocked?

                     A: You can add rules on a firewall to block TCP connections on port 443.

Q: I want to turn off IM for everybody but my bosses. How do I do that?

                     A: The current version of SonicWALL CSM does not support policies for the Application Filter.
                     SonicWALL will implement this feature in the next release of SonicWALL CSM.


Application Filtering
Q: Can I create a policy for IM, P2P, and Multimedia applications and apply them respectively by users and
groups?

                     A: No, at this time all application filtering policies are global and can be applied to all or none of the
                     users. You cannot apply them respectively by users and groups.


Networking
Q: Should I put the SonicWALL CSM in before or after my PRO 4060 in my network?

                     A: You should put SonicWALL CSM behind your company firewall.








Glossary
                     Active Directory - A centralized directory service system produced by Microsoft that automates network
                     management of user data, security, and resources, and enables interoperation with other directories. Active
                     Directory is designed especially for distributed networking environments.
                     ADConnector - A mechanism that provides an interface between the content filtering appliance and
                     Active Directory for user identification and policy determination and application. The agent specifies
                     the domain on which it has been installed and provides the ability to apply appliance policies to Active
                     Directory users and groups. When a user makes a request through the appliance, it passes user attributes
                     to the ADConnector which then identifies the user within the Active Directory environment and returns
                     applicable policies to the appliance. The appliance then determines whether content requested is
                     permitted by the policy and either allows or denies the traffic.
                     Application Filtering - A signature-based deep packet inspection mechanism for controlling
                     peer-to-peer (P2P), Instant Messenger (IM), and Multimedia applications usage.
                     Authentication - A method that attempts to verify packets entering a filtering device to determine
                     whether they can be forwarded, based on policy criteria that include source address, source port
                     number, and other source information.
                     Content Filtering - A method of screening Web pages and email messages to exclude specified users
                     from access to them, using special filtering policies. The policies use a variety of exclusion criteria
                     including character string matching or source IP address matching. Additionally, the policies contain
                     priority levels that indicate levels of sensitivity of the content.
                     SonicWALL CSM Series Appliance - The Content Security Manager is an appliance-based Internet
                     content and application filtering solution that enhances security and employee productivity, optimizes
                     network bandwidth and mitigates legal liabilities. The Content Security Manager integrates into
                     virtually any network topography to provide powerful, scalable, cost-effective Internet content filtering.
                     It is easy to implement, requiring no change to your network clients. The Content Security Manager
                     filters all HTTP traffic on any port, regardless of whether the network clients use external proxy servers.
                     Category - A class of web site configured into a content filter to block from viewing on the local host.
                     The site typically contains sensitive content, for example, gambling or illegal drugs, that might be
                     viewed as unsuitable for all users.
                     Custom Categories - A category that provides the ability to recognize Web content entering the device
                     where the only option is to block it.
                     Predefined Categories - A class of web site that is pre-configured into the content filter.
                     Directory Service - A vessel for information about network-based entities, such as applications, files,
                     printers, and people. Directory services are important because they provide a consistent way to name,
                     describe, locate, access, manage, and secure information about these resources. They also provide a single
                     point of access of these entities for system administration. They also enable interoperability and centralized
                     management by provisioning standards-based interfaces.
                     Interfaces - A virtual or physical port that maps to network zones and address objects. Physical
                     interface objects include the LAN, WAN, OPT, and depending on which SonicWALL security appliance
                     you have, Modem and WLAN ports in the SonicWALL security appliance.
                     Lightweight Directory Access Protocol (LDAP) - A software protocol that enables you to locate
                     organizations, people, and other resources such as files and devices in a network, whether you are
                     on the Internet or a corporate intranet.








                  Single Sign On - A mechanism that permits a user to enter one name and password in a single session in
                  order to access multiple applications. These applications have previously gained access rights to the
                  server on which the user enters login and password strings.
                  Policy - A grouping of predefined categories to make handling of multiple categories easier. Policies can
                  be assigned directly to users. There are 11 default properties.
                  Transparent Mode - A method of address assignment that allows for the WAN subnetwork to be shared
                  by the current interface using Address Object assignments. The interface’s IP address is the same as the
                  WAN interface IP address. Transparent mode is available on interfaces assigned to Trusted and Public
                  Zones.
                  Transparent Bridging - A processor SonicWALL CSM series that provides bridging functions, but that
                  also adds discriminating proxy ARP routines to this design to achieve statefulness and full control of all
                  connections passing through the device.
                  Zones - A logical grouping of one or more interfaces designed to make management a simpler
                  process. Typical management processes involved with zones include creating and applying access rules
                  to a zone. A network security zone is a logical method of grouping one or more interfaces with friendly,
                  user-configurable names, enabling you to apply security rules to traffic passing through the zone.








Related Documents
                      This section contains related documentation specific to the SonicWALL CSM 2100 appliance and the
                      SonicWALL ADConnector software.


Product Datasheet
                       •   SonicWALL Content Security Manager 2100 appliance
                           http://www.sonicwall.com/support/pdfs/DS_1004_CSM2100CF.pdf




User Guides
                      This section contains URLs to online documentation for SonicWALL user’s guides.
                       •   SonicOS SC 2.0 Administrator’s Guide
                           http://www.sonicwall.com/support/pdfs/CFS_Premium_AdminGuide.pdf

                       •   SonicWALL CSM 2100 Appliance Getting Started Guide
                           http://www.sonicwall.com/support/pdfs/SonicWALL_Content_Security_Manager_Getting_Started_Guide.pdf




TechNotes
                      This section contains URLs to online documentation for SonicWALL TechNote application notes.
                       •   Microsoft Active Directory Authentication with SonicOS 3.0 Enhanced and SonicOS SC 2.0
                           http://www.sonicwall.com/support/pdfs/technotes/MSAD_Auth_with_SonicOS3e_and_csm2100cf.pdf

                       •   SonicWALL CSM 2100 Appliance Advanced Deployment Scenarios
                           http://www.sonicwall.com/support/pdfs/technotes/sonicwall_csm2100cf_advanced_deployment_scenarios.pdf








Contributors
                   Kevin Cheek has over 13 years in network security and database technical documentation in the Silicon
                   Valley. Kevin has provided documentation solutions for Microsoft--documenting Macintosh Web
                   software, Oracle--documenting Oracle's secure database server, and RSA Security--documenting the
                   Public Key Infrastructure (PKI) Java Developers Kit. He has also worked at General Magic, where he
                   led formal usability studies for both software design and documentation. Kevin earned a B.A. degree in
                   Technical Writing from the University of New Mexico, and he has completed courses and certifications
                   in Software Engineering, Networking, and Technical Writing at UC Santa Cruz, UC Berkeley, and
                   San Jose State.
                   Poul Frederiksen has over 10 years of Information Technology experience in the Silicon Valley and
                   Fortune 50 companies like DuPont, GE, and Sunoco. He has extensive international experience in the
                   United Kingdom, France and Germany. Frederiksen has led teams in project management across
                   multiple sites and in systems engineering. He has headed exchange e-mail conversion projects at an
                   international construction company. He is noted for being the technical lead for an Enterprise
                   Resource Planning (ERP) project. Frederiksen’s technical background in electrical engineering was
                   earned at Drexel University, with a 99+% score on the Armed Services Vocational Aptitude Battery (ASVAB).
                   Liju George has worked in the software industry since 1995 engineering software solutions. With an
                   engineering degree from the University of Kerala, he worked in Europe and the Middle East before
                   joining SonicWALL in 2001 as an Application Development Specialist. His experience includes custom
                   solutions, ERP software development, web applications and standalone software.
                   Marco Ginocchio, Manager of Services, has over 10 years experience in the networking and security
                   industry. Prior to joining SonicWALL in 2001, Marco worked at Ignyte Technology, a leading
                   ASP/MSSP security integrator, as a Senior Systems Engineer specializing in network design and firewall
                   deployments. Marco has a B.S. degree in Management Information Systems from San Jose State
                   University.
                   Joe Levy, SonicWALL Senior Director of Engineering – Product Architecture and Publications, has
                   worked in the networking and network security industry for 10 years. Years of designing and
                   implementing solutions for SMB to Fortune 100 companies using products and technologies from
                   myriad vendors led to Joe’s drive and determination to enhance the capability, flexibility, and usability
                   of network and security products. Joe has a number of patents pending for innovations in the areas of
                   wireless networking and firewall technologies. Joe holds a B.A. degree in English Literature and Writing
                   from Queens College, New York.
                   Bob Marburg has worked for more than 10 years in networking technical documentation in the Silicon
                   Valley. Bob has provided documentation solutions for Juniper Networks, Cisco Systems, Nortel
                   Networks, and Hewlett-Packard, documenting various networking protocols, security, network
                   management, and broadband services for these companies. He earned a B.A. degree in Journalism from
                   Indiana University and a graduate certificate in Technical Writing from Middlesex College, Boston.
                   Dave Parry has over 12 years of experience in the MIS/IT field and has performed network architecture
                   design and deployment for over 100 companies worldwide. Prior to SonicWALL, Dave served as the
                   senior systems engineer at Ignyte, a leading ASP/MSSP security integrator, focusing on network security
                   audits and distributed Firewall/VPN deployments. Dave has been at SonicWALL since 2001 and works
                   in the firmware architecture group.








                     Nikolay Popov has worked for more than 10 years as a networking software engineer. Nikolay has
                     developed networking solutions for Lynx and a number of smaller international networking companies.
                     He earned an M.S. degree in Biology from Moscow University where he also studied software
                     engineering.
                     Vanessa Roman started her apprenticeship in technical writing at SonicWALL documenting Secure
                     Wireless and Content Filtering network solutions. Vanessa is attending Foothill Community College.
                     Vanessa is an aspiring writer, network diagram and graphics designer, and an accomplished Webmaster.
                     Crystal Sorensen, SonicWALL Creative Manager and Webmaster, has over 5 years of Web authoring
                     and graphical design experience. Crystal is responsible for the content management and ongoing
                     enhancements to SonicWALL’s Corporate on-line presence as well as the creative direction of numerous
                     Marketing Communications collateral and graphical projects. Crystal joined SonicWALL in 2001 and
                     works in the Corporate Communications group.
                     Khai Tran has over 8 years of networking technical documentation experience. Author of “The Cisco
                     IOS Release Model” and “The Cisco IOS NetFlow Services Solutions Guide,” Khai has authored
                     enterprise and service provider best-practice network integrated solution guides for SonicWALL,
                     Cisco Systems, Boeing Aerospace, AOL Time Warner, and Electronic Arts. Khai works closely with
                     SonicWALL engineering, product management, corporate communications, and technical support and
                     customer advocacy organizations to author technical solution guides. Khai has also worked as a
                     Vietnamese bilingual public elementary school teacher in Northern California school districts. Khai
                     holds a B.A. degree in English Pre-and-Early Modern Literature from the University of California,
                     Santa Cruz, a California Bi-lingual Cross-Cultural Language Arts Degree (BCLAD) Teaching
                     Credential from San Jose State University, and an Advanced Project Management (APM)
                     Organizational Mastery certificate from Stanford University.








                  Solution Document Version History


                  Version Number          Date                 Notes
                  1                      3/16/2005             This document was created.
                  2                      3/31/2005             Added Glossary and Related Documents
                  3                      4/18/2005             Added Technical FAQs and Troubleshooting section.
                  4                      7/22/2005             Added 2.0 material.




Index

A
Active Directory, see Microsoft Active Directory
AD groups 37
ADConnector, see SonicWALL ADConnector 73
adding trusted URLs 43
administrators 11, 37, 73, 85–86
application filtering 56
authentication 4, 6, 17, 82
C
categories 37, 42, 45, 47, 90
Citrix 6
Computer Policies 15
content filtering 4, 37–38, 47, 60, 65, 76, 82
CSM
   managing with SonicWALL GMS 58
custom block page 66
custom categories 43–45, 63, 90
Custom tab 45
D
default categories 45
deployment examples, see deployment solutions
deployment solutions 37, 48
Domain Controller 38
dynamic rating 60, 75, 82
E
Edit Policy Group window 39
exclusion list, see privacy threat exclusion list
F
filtering, see content filtering
G
GAV/IPS features
   application control 7
   file based scanning protocol support 7
   file decompression technology 7
   granular management 7
   inter-zone scanning 7
GMS, see SonicWALL GMS
Group Policies 15
H
hard-code 37
HTTP 4
I
impersonated users 10
inheritance, see policy inheritance
interactive logons 10
interfaces 76, 80
Internet 49, 51, 58, 60, 65, 70–71, 74–75
K
key concepts
   filtering architecture 47
L
LDAP 10
LDAP query 10
Lightweight Directory Access Protocol, see LDAP
M
management GUI 38
message to display when blocking 66
Microsoft .NET 1.1 Framework 11
Microsoft .NET Framework 11
Microsoft .Net framework 10
Microsoft Active Directory 6, 10, 15–16, 37–38, 41, 47, 82
Microsoft Terminal Server 6
Microsoft Win32 workstation 9
N
NAT 6
netapi32.dll 10
NetWkstaUserEnum Lib 10
network host 73, 75–76
NTLM authentication 6
O
optimizing dynamic rating 60
P
P2P 83
performance 76
policies 9–10, 16, 37–38, 40–42, 44–47, 49, 51, 55, 57, 83, 90
Policies tab 39
policy groups 38
policy inheritance


P/N: 232-000901-00, Rev. A                       SonicWALL Content Security Manager Integrated Solutions Guide
privacy prevention 64
privacy threat exclusion list 65
proxy server 4
R
registration 88
reporting 66, 69–70
restoring defaults 62
S
SonicWALL ADConnector 6, 9, 73, 75, 82
   installing 11
   setting up 16
SonicWALL ADConnector Configuration Tool 46
SonicWALL CSM 2100 5, 9
SonicWALL GMS 83
SSO 9
T
terminal service 10
transparent bridge 73–74
troubleshooting 73–76, 79
TSR 80
U
untrusted URLs 63
url cache size 60
URL ratings 60, 73, 75
user groups 39, 43, 62, 82
User Policies 15
users 6, 17, 37–38, 42, 47, 64–66, 68–72, 74–75,
82–83, 90
V
ViewPoint 66, 69–70, 75, 83
VPN 94
W
Web Filters 41
Web usage 65–66, 69
White-lists 37
WLAN 48
   overview 91
workstation 47
Z
zones 56, 91





				