iBoss Enterprise Deployment Guide

iBoss Web Filters

Copyright Phantom Technologies, Inc. All rights reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language or computer language, in chemical, manual or otherwise, without the prior written permission of Phantom Technologies, Inc.

All brand and product names mentioned in this manual are trademarks and/or registered trademarks of their respective holders.

www.iBossWebFilters.com

Rev 2 Version 1.5: May 13, 2011

Table of Contents

TABLE OF FIGURES
1 IBOSS ENTERPRISE INSTALLATION AND DEPLOYMENT GUIDE
  1.1 OVERVIEW
2 GETTING STARTED
  2.1 PACKAGE CONTENTS
    2.1.1 iBoss Enterprise Appliance Description
      2.1.1.1 Front Panel
      2.1.1.2 Back Panel
3 DETAILED STEP BY STEP DEPLOYMENT GUIDE
  3.1 CONFIGURE THE IBOSS IP ADDRESS
    3.1.1 Determine whether iBoss has Management Interface
    3.1.2 Description of Network Ports And How To Access Them
      3.1.2.1 iBoss without “Management” Network Interface (2 ports, LAN and WAN)
      3.1.2.2 iBoss WITH “Management” Network Interface (3 ports, LAN, WAN and Management)
    3.1.3 Selecting the appropriate IP Address Settings for the iBoss
    3.1.4 Methods for configuring iBoss IP Address
    3.1.5 Configuring the IP Address via the serial console port
    3.1.6 Configuring the IP Address via the network port
  3.2 CONFIGURE INITIAL IBOSS SETTINGS BEFORE DEPLOYING IBOSS INLINE
    3.2.1 Confirm the iBoss is able to connect to the iBoss gateways and cloud database
    3.2.2 Configure the Time zone
    3.2.3 Configure iBoss DNS settings
    3.2.4 Set a password for the iBoss interface
    3.2.5 Configure iBoss Local Subnets
    3.2.6 Bypass IP Ranges which contain servers and non-filtered nodes
  3.3 PHYSICAL INSTALLATION OF THE IBOSS ONTO THE NETWORK
    3.3.1 Inline Installation
    3.3.2 Non-inline installation (Out of band filtering)
  3.4 RELATION BETWEEN IBOSS FILTERING GROUPS AND DIRECTORY FILTERING GROUPS (ACTIVE DIRECTORY/EDIRECTORY)
    3.4.1 Configure Filtering Groups
    3.4.2 Look through the directory server and rename iBoss groups to match
  3.5 INTEGRATING WITH ACTIVE DIRECTORY
    3.5.1 Active Directory Group Policy Object (GPO) Logon/Logoff Scripts Overview
    3.5.2 Active Directory Plug-in Overview
    3.5.3 Configuring the Active Directory Logon/Logoff scripts
      3.5.3.1 How the Logon/Logoff Scripts work
      3.5.3.2 Configuring the Logon and Logoff scripts in an Active Directory GPO
    3.5.4 Configuring the Active Directory Plug-in
      3.5.4.1 Step By Step Install Instructions
  3.6 INTEGRATING WITH EDIRECTORY
    3.6.1 Key Features
    3.6.2 Overview
    3.6.3 iBoss Configuration
    3.6.4 Global Settings
      Enable User Polling
      Initial User Full Sync
      User Login Polling Interval
      User Polling In Progress
      Last Users Found Count
    eDirectory Info - Server Registration Settings
      Name
      Ip Address/Host
      Port
      Admin Username (DN)
      Admin Password
      Common Name Search Attribute
      Username Search Attribute
      Group Search Attribute
      Group Attribute Value Key
      Location Attribute
      Ignore DN Pattern
      Default Filtering Policy
      Connect Timeout
      Monitor Events
      3.6.5.15 Poll User Logins
      3.6.5.16 Allow Full Sync
      3.6.5.17 User Polling Search Base
      3.6.5.18 User SSL/SSL Certificate
    3.6.6 Add The Server
4 CONCLUSION

Table of Figures

Figure 1 - iBoss inline deployment diagram
Figure 2 - Sample Computer Network Settings for configuring iBoss IP Address via Network Interface
Figure 3 - iBoss Successfully Configured With Access to Gateways
Figure 4 - Configure Timezone Page
Figure 5 - Adding local subnets
Figure 6 - iBoss Network Placement
Figure 7 - Inline Installation
Figure 8 - Cable Placement
Figure 9 - Current Activity
Figure 10 - Configure Tap Mode
Figure 11 - Tap Mode Option
Figure 12 - Mirror/Tap Configuration
Figure 13 - Mirror/Tap Cable Configuration
Figure 14 - Current Activity
Figure 15 - Active Directory via Logon/Logoff scripts
Figure 16 - Logon
Figure 17 - User Logged In
Figure 18 - Logoff
Figure 19 - Configuring Logon/Logoff Group Policy
Figure 20 - Installing Logon Script
Figure 21 - Installing Logoff Script
Figure 22 - Configuring Logon/Logoff Group Policy on 2008 Server
Figure 23 - Installing 2008 Logon Script
Figure 24 - Installing 2008 Logoff Script
Figure 25 - AD Plug-in Installation
Figure 26 - Minimum Configuration of the Active Directory Plug-in
Figure 27 - 2008 Audit account logon events
Figure 28 - 2008 Audit logon events
Figure 29 - iBoss eDirectory Settings

1 iBoss Enterprise Installation And Deployment Guide

1.1 Overview

This guide provides step-by-step instructions for deploying the iBoss Enterprise Web Filter on your network. It covers both the hardware installation and the initial configuration of the iBoss settings.

2 Getting Started

This section describes the initial preparation of the iBoss and provides an overview of what is included in the iBoss packaging.

2.1 Package Contents

The following items are included with the iBoss Enterprise:

- iBoss Enterprise appliance
- Power cable
- RS-232 null terminated console cable
- Quick Install Reference Pamphlet

2.1.1 iBoss Enterprise Appliance Description

The iBoss Enterprise is a rack-mountable appliance. Typically, the iBoss will occupy 1U of rack mount space.

2.1.1.1 Front Panel

The front panel consists of a power button and status LEDs. The power button provides soft power up and power down by pressing and releasing the button quickly.

To perform a hard power down, press and hold the front panel power button while the appliance is powered on. It is recommended that you use the normal soft power down by quickly pressing and releasing the panel button and waiting approximately 1 minute for the iBoss to gracefully shut down.

2.1.1.2 Back Panel

The back panel consists of two 10/100/1000 copper Ethernet network ports and a serial console port.

The serial console port is accessible with the provided RS-232 null terminated console cable. The network ports are labeled LAN and WAN, respectively. These are used to connect the iBoss inline on your network.

NOTE: On certain models, there is a third network interface. This interface is labeled “Management Interface”. With this interface, the iBoss is able to provide out of band packet filtering support (via port monitoring/mirroring/spanning which is configured on the switch or firewall). This is described later in the guide.

3 Detailed Step By Step Deployment Guide

This section provides a step by step guide to deploying the iBoss on your network. You may be asked to jump to step numbers depending on your specific configuration.

3.1 Configure the iBoss IP Address

3.1.1 Determine whether iBoss has Management Interface

The iBoss is shipped in two primary configurations: (1) without a management interface (2 network ports, LAN and WAN) and (2) with a management interface (3 network ports: LAN, WAN and a management port).

Before proceeding, determine whether your iBoss is configured with a management interface or not. An iBoss with a management interface has 3 network ports on the back of the appliance. The two network ports in the center of the appliance are labeled LAN and WAN. In addition, the management interface is clearly labeled “Management Interface” and is typically located toward the right hand side of the appliance when facing the back of the appliance.

An iBoss without a management interface has two ports in the center of the appliance labeled LAN and WAN.

NOTE: In order to deploy the iBoss in a non-inline deployment (out of band) via a monitor/mirror/span port, a management interface is required.

3.1.2 Description of Network Ports And How To Access Them

3.1.2.1 iBoss without “Management” Network Interface (2 ports, LAN and WAN)

This section describes the iBoss in a 2 network port configuration (without a management interface).

The iBoss is a fully transparent network bridge which behaves similarly to a layer 2 network switch. It uses a single static IP address which is accessible on both the LAN and WAN port. The iBoss does not route packets. Thus, the LAN port uses the same IP address as the WAN port, and the two are not configured separately. The interfaces are a SINGLE “logical” interface.

The assigned management IP address is accessible via either network port (it does not have the inner and outer IP addresses typically found in a firewall/router).

A typical deployment with this configuration is shown below:

Figure 1 - iBoss inline deployment diagram

3.1.2.2 iBoss WITH “Management” Network Interface (3 ports, LAN, WAN and Management)

NOTE: This section does not apply if you do not have a management interface present on the iBoss Web filter. Typically, this configuration includes 3 network ports on the back of the iBoss device. If you do not have a management network interface present, you may skip this section.

This section describes the iBoss in a 3 network port configuration (1 network port for LAN, 1 network port for WAN, and 1 network port for the Management Interface).

The LAN and WAN ports form a fully transparent network bridge that behaves similarly to a layer 2 network switch. However, unlike the case without a management interface above, the LAN and WAN ports do not have an IP address assigned, and the management/configuration interface cannot be accessed via the LAN or WAN port. The LAN
