M86 Security SWG User Manual

Manual is about: Secure Web Gateway

Summary of SWG

  • Page 1

    Secure Web Gateway SWG User Guide, Release 10.2.0 • Manual Version v 10.2.0.1.

  • Page 2: M86 Security

    M86 Security Secure Web Gateway SWG User Guide. © 2012 M86 Security. All rights reserved. 828 W. Taft Ave., Orange, CA 92865, USA. Version 10.2.0.1, published February 2012 for SWG software release 10.2.0. This document may not, in whole or in part, be copied, ...

  • Page 3: Table of Contents

    Table of contents: About This Guide (p. 8); Part 1: Initial Management Console Tasks (p. 9); Chapter 1. Getting Started ...

  • Page 4

    Table of contents: Editing a Message Template (p. 26); Chapter 4. Defining and Managing Users (p. 27); Setting Default User Policy Assignments (p. 28); Defining and managin...

  • Page 5

    Table of contents: Defining a Caching Policy (p. 52); Defining a Rule in a Caching Policy (p. 52); Defining Conditions in a Caching Rule (p. 53); Chapter 9. Assigning polici...

  • Page 6

    Table of contents: Viewing Transaction Details (Web Log Only) (p. 76); Chapter 15. Implementing ICAP (p. 77); Configuring SWG to Provide ICAP Services (p. 77); Configuring SWG to use externa...

  • Page 7

    Table of contents: Configuring a Device to Use an NTP Server (p. 105); Configuring Administrative Settings (p. 106); Importing Digital Certificates (p. 107); Configuring Backup Settings ...

  • Page 8: About This Guide

    About This Guide. The SWG User Guide provides the procedures that you perform on the Management Console to implement, use, and maintain Secure Web Gateway (SWG) in your organization. The Management Console is your interface to SWG. It is important to note...

  • Page 9: Part 1: Initial Management Console Tasks

    Part 1: Initial Management Console Tasks. This part contains the following chapters and procedures: • Chapter 1: Getting Started • Performing preliminary tasks • Performing first time login, password change, and license installati...

  • Page 10: Getting Started

    Chapter 1: Getting Started. This chapter contains the following topics: • Performing preliminary tasks • Performing basic tasks in the Management Console. Performing preliminary tasks. Notes: This guide provides instructions for procedures that you perform on the Management Cons...

  • Page 11: Configuring the Mail Server

    3. Enter the administrator user name (default: admin) and password (default: finjan). 4. In the displayed Change Password window, do the following: a. Enter the current password for this administrator user. b. Enter a new password. Then reenter t...

  • Page 12: Logging In and Logging Out

    Performing basic tasks in the Management Console. This section describes the following tasks: • Logging in and logging out • Changing your password • Committing changes • Working in multiple windows • Relocating an item in a tree • Customizing the...

  • Page 13: Working in Multiple Windows

    You can wait and then click the icon only when it is convenient to distribute and implement the changes. Working in multiple windows. If you are working in a window and need to access another window, you do not need to close your current window. Y...

  • Page 14: Using Keyboard Shortcuts

    Using keyboard shortcuts. Table 1 indicates the keyboard shortcuts that you can use to perform various actions in the Management Console. Table 1: Keyboard Shortcuts (columns: Keyboard shortcut, What it does). F2: activates (same as clicking) Edit. Esc: activates...

  • Page 15: Configuring / Adding Scanning Servers

    Chapter 2: Configuring / Adding Scanning Servers. SWG comes with default device settings. You can modify these defaults. Default settings are automatically applied to all new devices that you add. You can then modify the values for specific dev...

  • Page 16

    • To configure the settings for a specific scanning server, select → → Scanning Server → General. The main window displays tabs for configuring the following: Downloads, Timeout, Transparent Proxy Mode, and Device Policy. ...

  • Page 17

    Adding devices and device groups. SWG comes with a default group, Default Devices Group, for adding scanning servers, but you can add additional groups for holding scanning servers. This section contains the following procedu...

  • Page 18

    To add a scanning server device. You should perform this procedure when you add devices for either local scanning servers or cloud scanning servers. You can identify the device by a specific IP or a range of IPs. 1. Select ad...

  • Page 19: Part 2: Implementing User Security Policies

    Part 2: Implementing User Security Policies. This part contains the following chapters and procedures: • Chapter 3: Defining and Customizing Security Policies • Editing a pre-supplied security policy in simplified mode • Defin...

  • Page 20: Defining and Customizing Security Policies

    Chapter 3: Defining and Customizing Security Policies. Note: The process of implementing security for users at your site involves performing the following tasks: SWG provides a number of pre-defined policies for different purposes. A main ...

  • Page 21: Mode

    • M86 Emergency Policy — allows immediate site-wide implementation of special emergency measures. You can also create block/warn messages for use in conditions, and edit message templates. This chapter contains the foll...

  • Page 22

    6. Click Save. 7. If you are ready to distribute and implement the changes in your system devices, click . Defining a security policy in advanced mode. Note: This procedure does not apply to edits that you can perform on...

  • Page 23

    2. Do any of the following: • To edit an existing rule, click the rule in the tree, and then in the main pane, click Edit. • To add a rule to a policy that has no rules, or to add a rule to the bottom of the rule list i...

  • Page 24

    Defining conditions in a security policy rule. To define conditions in a security policy rule: 1. In the policy tree, expand the relevant policy and rule. For instructions on displaying the policy tree, see step 1 in the ...

  • Page 25

    Creating a block/warn message. Block/warn messages are sent to end users in the event that the URL site they are surfing to has been blocked by the Secure Web Gateway or designated as a site requiring user approval or co...

  • Page 26: Editing a Message Template

    Editing a message template. Warning: It is recommended that you do not change message templates. Editing the block/warn pages may result in security vulnerabilities. To edit a message page: 1. Select Policies → End Use...

  • Page 27: Defining and Managing Users

    Chapter 4: Defining and Managing Users. Note: The process of implementing security for users at your site involves performing the following tasks: The process for bringing users into the system and assigning them policies depends on the category to which...

  • Page 28

    Setting default user policy assignments. To change which policies are set as the user defaults. Note: You can set default user policies for the following types of policies: Emergency, Master, Security, Logging, and HTTPS. Note the follo...

  • Page 29

    Defining and managing LDAP users. This section contains the following topics: • Adding and configuring LDAP directories • Importing LDAP groups • Configuring LDAP group settings • Importing LDAP users • Setting a schedule for LDAP dire...

  • Page 30

    8. In the Password field, enter the password for logging into your organization's directory. 9. To enable the import of LDAP groups over SSL, select the Use Secure Connection checkbox. If you selected this checkbox: • If the policy se...

  • Page 31: Importing LDAP Groups

    Importing LDAP groups. Note: This procedure assumes that the required LDAP directories are defined. To import LDAP groups: 1. Display the list of LDAP directories by selecting Users → Authentication Directories → LDAP. 2. If multiple LD...

  • Page 32: Importing LDAP Users

    Importing LDAP users. LDAP users can only be imported into LDAP directories that you have already created. This section describes how to manually import LDAP users. You can also define a schedule for automatically updating LDAP directo...

  • Page 33: Groups

    Assigning policies to unassigned LDAP users. Unassigned LDAP users refers to imported LDAP users whose groups have not been imported. Therefore, instead of having policy assignments specific to their group, they will be subject to the ...

  • Page 34

    To define a user-defined user group and assign it policies: 1. Select Users → Users/User Groups. 2. In the tree, do either of the following: • To create a user group, right-click on the User Groups main node and select Add Group. The u...

  • Page 35: Adding and Defining Users

    5. For the predefined Unknown Users group only: if you want unidentified user IDs or IP addresses added to the Unknown Users group, select the checkbox in the New Users area. 6. Click Save. 7. If you are ready to distribute and implem...

  • Page 36: Defining User Lists

    Moving users to a different group. To move a user from one group to another: 1. If the user group is not displayed, select Users → Users/User Groups. 2. In the tree, right-click on the node of the source user group from which you want t...

  • Page 37

    • If useful, you can select/clear the Select checkbox to select/clear all items in the list, and then adjust the selected items as needed. 5. When done, click Save. 6. If you are ready to distribute and implement the changes in your s...

  • Page 38: Part 3: Configuring Advanced Network Settings

    Part 3: Configuring Advanced Network Settings. This part contains the following chapters and procedures: • Chapter 5: Implementing Identification Policy • Defining and customizing identification policy • Defining an Active D...

  • Page 39: Implementing Identification Policy

    Chapter 5: Implementing Identification Policy. Note: The process of implementing security for users at your site involves performing the following tasks: Identification policies define whether and how scanning servers will identify end-users who ar...

  • Page 40

    • Read Headers — identifies users based on pre-authenticated HTTP headers for regular scanners only. • Source IP Only — identifies users by source IP. This is the default policy. For more information, see the SWG User Identif...

  • Page 41: Defining an Active Directory

    Edit. • To add a new condition to a rule: i. Right-click the rule and choose Add Condition. The main window displays the condition definition screen. ii. In the Condition Name field, select the type of condition in the drop-dow...

  • Page 42

    b. Ensure that the Active checkbox is selected unless there is a reason why you would not want it active. c. Specify the domain name. d. In the Domain Controller Selection Method, select the appropriate value: Primary-Backup or ...

  • Page 43: Implementing Authentication

    Chapter 6: Implementing Authentication. Authentication is a type of identification policy. When a scanning server is assigned an authentication-type identification policy, it matches user identifiers with available user credentials. If you will be assignin...

  • Page 44

    4. In the Configuration tab, configure the authentication retention method parameters by doing one of the following: • If the scanning server should not retain authentication data but should instead request authentication for each cal...

  • Page 45

    d. In the Replace Domain With field, specify the correct domain that should be used to replace erroneously-specified “domains” by the user (for example, if the user specified a computer name instead of a domain name). e. If an upstrea...

  • Page 46: Defining and Customizing Upstream Proxy Policy

    Chapter 7: Defining and Customizing Upstream Proxy Policy. By default, that is, when using the only pre-supplied upstream proxy policy, scanning servers are allowed direct access to the internet in every situation. To limit scanning se...

  • Page 47

    6. Continue with Defining a rule in an upstream proxy policy.

  • Page 48

    Defining a rule in an upstream proxy policy. If you duplicated a policy, it already has the same rules as were found in the original policy. You can edit these rules. You can also create new rules from scratch. To de...

  • Page 49

    Defining conditions in an upstream proxy rule. To define conditions in an upstream proxy rule: 1. In the policy tree, expand the relevant policy and rule. For instructions on displaying the policy tree, see step 1 in ...

  • Page 50: Enabling and Customizing Caching

    Chapter 8: Enabling and Customizing Caching. You can enable caching as the device defaults or enable caching for specific scanning servers. When caching is enabled, content is stored in the server for future use, thereby speeding up performance time....

  • Page 51

    6. If you are ready to distribute and implement the changes in your system devices, click .

  • Page 52: Defining a Caching Policy

    Defining a caching policy. Note: You cannot edit a pre-supplied caching policy. However, you can duplicate such a policy and edit the duplicate; you can also create a caching policy from scratch. To define or duplicate and edit a ...

  • Page 53

    5. If the rule has an Enable Rule checkbox, ensure that the checkbox is appropriately selected or cleared, depending on whether or not the rule should be enabled after being committed. 6. Choose the rule action, as follows: • If ...

  • Page 54: Assigning Policies to Devices

    Chapter 9: Assigning Policies to Devices. The following types of policies are relevant at the device level: Identification, Device Logging (described in Chapter 19), Upstream Proxy, Caching, and ICAP Clients. SWG comes with specific policies of the ab...

  • Page 55

    Assigning policies to specific devices. To assign policies for specific devices: 1. Select Administration → System Settings → M86 Devices. 2. In the M86 Devices tree, expand the devices root node, and select → → Scanning Server → Gene...

  • Page 56: Part 4: Configuring Logging and Alert Settings

    Part 4: Configuring Logging and Alert Settings. This part contains the following chapters and procedures: • Chapter 10: Defining and Customizing Logging Policy • Defining a logging policy • Defining a rule in a logging poli...

  • Page 57: Defining and Customizing Logging Policy

    Chapter 10: Defining and Customizing Logging Policy. Logging policy determines, at the user level, what types of user transaction events, either blocked, allowed or all, will be logged, and to where the information is sent (logs, archives, r...

  • Page 58

    Defining a rule in a logging policy. If you duplicated a policy, it already has the same rules as were found in the original policy. You can edit these rules. You can also create new rules from scratch. You can specify if ...

  • Page 59

    • If you chose Select User Lists, select the checkboxes of the user lists that contain the users to which the rule should apply. 5. To exclude specific users from application of the rule, select the Except tab, and select...

  • Page 60

    7. Perform this step only if the condition name is Malware Entrapment Profile. The window displays a Security Level setting line with the default setting: None. Depending on the policy type, it might also display an HTML ...

  • Page 61: Configuring the Log Server

    Chapter 11: Configuring the Log Server. A lone log server always resides on the policy server machine. Log relays resident on each device receive the following types of information, which is then collected from the relays by the log server, and routed to app...

  • Page 62

    4. Do either of the following: • To configure the log server, fill in the relevant tabs in sequence, as described below: • If your site has multiple scanners, configure their log relays and their schedules in the Collect Logs From tab...

  • Page 63

    Having log messages sent to the syslog. In the Syslog Target tab of the Log Properties screen, do the following for each message type (System Log, Scanner, and/or Audit) that you plan to send to a syslog: 1. In the top set of entry fie...

  • Page 64

    In the Log Archiving tab of the Log Properties screen, do the following: 1. Specify the log archiving locations as follows. Repeat these steps for each archive location: a. Click the icon. b. If archiving should be enabled to this arc...

  • Page 65

    • If you have completed log configuration, click Save, and then if you are ready to distribute and implement the changes in your system devices, click . How to connect SWG to Security Reporter via archiving. In addition to the SWG inte...

  • Page 66: Configuring Alerts

    Chapter 12: Configuring Alerts. Through the alerts mechanism, SWG can notify you of system events, application events, update events, and security events. SWG can send alerts through two different communication channels, besides system log messages: email messages...

  • Page 67: Configuring SNMP Settings

    5. Click Save. 6. To distribute and implement the changes in your system devices, click . Configuring SNMP settings. If you are sending SNMP alerts, you must configure SNMP settings. To configure the SNMP settings: 1. Select Administration → Al...

  • Page 68

    SNMP MIB Monitoring area as instructed in the following substeps. iv. In the Authentication Protocol field, select the authentication protocol — either verification checksums MD5 or SHA. v. In the Authentication Key field, specify the user’s...

  • Page 69

    Setting thresholds for security alert notification. You can have administrators alerted when blocked incoming events such as malicious activities, viruses, scripts, binary content, and/or blocked outgoing events such as URL categorization, URL...

  • Page 70: Part 5: Performing Monitoring and Maintenance

    Part 5: Performing Monitoring and Maintenance. This part contains the following chapters and procedures: • Chapter 13: Viewing Security and Component Statuses at a Glance • Viewing security status information (Dashboard) • V...

  • Page 71: Viewing Security and Component Statuses at a Glance

    Chapter 13: Viewing Security and Component Statuses at a Glance. The Dashboard enables you to view security status information at a glance. In addition, the configuration screens for some components allow you to...

  • Page 72

    Viewing dynamic component information. Table 1 lists the components for which you can view dynamic information, what information is displayed, and where and how to access it. For descriptions of the displayed i...

  • Page 73: Viewing Logs

    Chapter 14: Viewing Logs. There are three types of logs: • Web Logs — records web-surfing transactions of users in your network, according to your logging policy. • System Logs — records events that have taken place in the system, for example, updates that have been ins...

  • Page 74

    6. For Web Logs only: a. To display the logs of a different admin group, select the admin group. Note that you must have permissions to see the logs of the group. b. To limit the web log display to a specific time frame, either select a time frame ...

  • Page 75

    5. In the Filter tab, define filtering criteria as follows: a. To add a new row, click . If a popup menu appears, select Add Filter. b. In the Field drop-down list, select the required filter type. c. In the Operator drop-down list that appears, se...

  • Page 76

    Viewing transaction details (Web Log only). You can view the transaction details of any displayed web log entry. To view the transaction details of an entry in the web log: 1. In the Web Logs display, click the icon or double-click on the selected tr...

  • Page 77: Implementing ICAP

    Chapter 15: Implementing ICAP. Beginning with SWG release 10.2.0, SWG can provide ICAP services and can use external ICAP services. Prior to this release, SWG could only provide ICAP services. This chapter contains the following main topics: • Configuring SWG to pro...

  • Page 78: Configuring the ICAP Client

    b. Select the client type. Valid values: • Blue Coat • NetApp • Generic. c. Specify the source IP — IP from which the ICAP client can use this scanner for the ICAP services. Mandatory. d. In the Weight field, specify the percentage of resources...

  • Page 79: Defining ICAP Service Groups

    4. To enable the ICAP client, select the Enable ICAP Client checkbox. 5. In the Timeouts tab, adjust the following values, as needed: • Connection Timeout — maximum number of seconds to wait for a connection to be established. Default: 60. • ...

  • Page 80: Defining ICAP Services

    d. In the Health Check URL field, specify the URL to which the SWG scanner sends health check requests through the ICAP service to ensure that the ICAP service server is alive, or up and running. e. Specify the in the Expected Return Code fiel...

  • Page 81

    b. Click the Discovery button. The remaining fields in the Scanner area display the returned connection option values: • Max Connections — maximum number of simultaneous connections to the service. • Supports Preview — when checked, that is, i...

  • Page 82

    edit these rules. You can also create new rules from scratch. To define a rule in an ICAP forward policy: 1. In the policy tree, expand the policy so that you display its existing rules. For instructions on displaying the policy tree, see step ...

  • Page 83

    a. Right-click the rule and choose Add Condition. The main window displays the condition definition screen. b. In the Condition Name field, select the type of condition in the drop-down list. For any selected condition type, the window display...

  • Page 84: Viewing and Working with Reports

    Chapter 16: Viewing and Working with Reports. The M86 Security reporting tool comes with a number of predefined reports, that is, report definitions, that enable enterprises to analyze the activity and performance of the SWG system based on data sto...

  • Page 85

    • If the Run in Background checkbox was selected, to view the report you must access the report history. For instructions, see Viewing a report’s history. Creating or modifying report definitions. SWG comes with a number of pred...

  • Page 86: Managing Reports

    Depending on your selections, the Value field displays either a drop-down list or a blank field. d. Select or specify a value in the Value field to complete your initial filter selection. e. To define multiple filter criteria: i...

  • Page 87

    • Run the report once at a specified date and time • Run the report daily, weekly, and/or monthly, at the specified times. 5. In the Report Target tab, which allows you to send the report to one or more targets, specify the foll...

  • Page 88: Viewing a Report’s History

    f. To delete a filtering row, click the icon if it is displayed. Otherwise, right-click the icon of the row, and choose Delete Filter. 8. Click Save. Adding report shortcuts to the Favorites folder. The Favorites folder serves as...

  • Page 89

    You can also define that scheduled reports be automatically exported. As part of this definition process, you must first define the exported reports location. This requires that you choose a connection method. The chosen connect...

  • Page 90

    6. Click the Test button to verify the connection. 7. If it works, click Save. 8. If you are ready to distribute and implement the changes in your system devices, click . Samba report location must include the server IP address ...

  • Page 91: Maintaining Your System

    Chapter 17: Maintaining Your System. This section contains the following topics and procedures: • Performing manual backup and restore • Viewing and installing updates • Importing from and exporting policy databases. Performing manual backup and restore. This ...

  • Page 92

    To manually back up your reports database: 1. Select Administration → Reports DB Backup → Backup Settings. 2. Ensure that the backup configuration parameters are set. For instructions, see Configuring backup settings. 3. Click Backup Now....

  • Page 93

    To upload and/or install an update: 1. Select Administration → Updates → Updates Management. The Updates Management window displays the list of available updates in the Available Updates tab. The following icons in the Status column indic...

  • Page 94

    Importing from and exporting policy databases. Administrators can export security, HTTPS, identification and logging policy databases on a policy server to a file. They can then import policies, rules, conditions, and condition options fr...

  • Page 95

    c. For individual conditions that are displayed in the Conditions table, select the desired actions where the same actions available for the policy in step b are available for conditions. d. If you chose to rename conditions, specify the...

  • Page 96: Part 6: Performing Advanced Configuration

    Part 6: Performing Advanced Configuration. This part contains the following chapters and procedures: • Chapter 18: Defining Administrators • Creating/editing an administrator group • Creating/editing an administrator • Setting ac...

  • Page 97

    • Defining an ICAP forward policy.

  • Page 98: Defining Administrators

    Chapter 18: Defining Administrators. SWG supports multiple administrators and administrator groups. All administrator groups are characterized by the permissions that they are granted to access different items (for example, alert settings, or block and warn m...

  • Page 99

    4. Select the appropriate checkboxes for any desired password requirements and for expiration, set the number of days. Note that enforcing a secure password means that the password will have to satisfy at least 3 of the following criteri...

  • Page 100: Setting Access Permissions

    Setting access permissions. You can assign access permissions using either the categories view tab or the grid view tab. The procedure is the same for both administrator group definitions and administrator definitions. • assigning permis...

  • Page 101

    Assigning permissions using the grid view tab. Important: it is recommended that the RADIUS default group be assigned view only permissions, so that higher permissions are not granted to every administrator authenticated by the RADIUS se...

  • Page 102

    7. In the accompanying port field, enter the RADIUS authentication port. This is the port on which the servers will communicate. 8. Optionally, enter secondary authentication host and port values. 9. In the shared secret field, enter a ...

  • Page 103: Performing Additional Configuration Tasks

    Chapter 19: Performing Additional Configuration Tasks. This chapter includes the following configuration tasks and procedures: • adjusting network settings for a device • configuring a device to use an NTP server • configuring administrat...

  • Page 104

    The limited shell works by prompting you to enter a value, often in response to displayed information. For example, it might display a numbered list and ask you to enter the number of the item you want to choose; or it ...

  • Page 105

    Configuring a device to use an NTP server. This procedure explains how to use the limited shell to configure the device to use an NTP server. To configure a device to use an NTP server: 1. Log in to the limited shell. Yo...

  • Page 106

    Configuring administrative settings. This procedure explains how the administrator can: • set the amount of idle time, in minutes, after which the current session times out and requires the user to re-log in. • force th...

  • Page 107

    Importing digital certificates. This section explains how to import digital certificates, how to edit their details, and how to check to what rules and policies the certificates are applied. The M86 certificate store is...

  • Page 108: Configuring Backup Settings

    Configuring backup settings. Two kinds of backups can be configured and run: • system backups: these backups save, to an external location, all data that an administrator can customize in the management console includi...

  • Page 109

    5. For reports DB backup only: to enable the reports DB to be automatically backed up according to a predefined SWG schedule, select the enable automatic backup checkbox. 6. For system backup only: to enable automatic ...

  • Page 110

    Defining and customizing device logging policy. Device logging policy determines, at the device level, what types of transactions carried out by the identification and upstream proxy policies will be logged. M86 securi...

  • Page 111

    To define a rule in a device logging policy: 1. In the policy tree, expand the policy so that you display its existing rules. For instructions on displaying the policy tree, see step 1 in the procedure defining a device...

  • Page 112

    7. If you are ready to distribute and implement the changes in your system devices, click . Configuring default and device-specific access lists. The access list feature enables you to limit access to an SWG device. The...

  • Page 113

    Configuring transparent proxy mode. By default, explicit proxy mode is used. However, to enable FTP, HTTPS, and HTTP requests to be intercepted, you should enable and configure transparent proxy mode. Working in transpa...

  • Page 114

    Scheduling configuration and security updates for scanning server device groups. You can define schedules to apply configuration and security updates to the devices in scanning server device groups. To define configurat...

  • Page 115

    passive policy server. In the event of failure of the active policy server, SWG automatically fails over to the secondary policy server, making it the primary active policy server. When the failed server can again be u...

  • Page 116

    4. In the user identifier attribute field, specify the attribute that is used to indicate a user’s unique identifier. The value of this attribute will be compared to the user name provided by the proxy authentication. ...

  • Page 117: Enabling HTTPS Scanning

    Chapter 20: Enabling HTTPS Scanning. If your site will be using HTTPS scanning, you must perform the following tasks: • defining an HTTPS policy • defining a rule in an HTTPS policy • defining conditions in an HTTPS rule • configuring and certifying HTTPS de...

  • Page 118

    5. When done, click save. 6. Continue with defining a rule in an HTTPS policy. Defining a rule in an HTTPS policy. If you duplicated a policy, it already has the same rules as were found in the original policy. You can edit these rules....

  • Page 119

    f. For block HTTPS rule action only: if the blocked page message should not be displayed to the end user, select the do not display end user message checkbox. 4. To apply the rule to specific users, select the applies tab, and click the...

  • Page 120

    Configuring and certifying HTTPS. Before HTTPS policy can be effective, you must: • ensure that HTTPS is enabled in the HTTPS module, • obtain a certificate, and ensure that it is propagated to the scanners and users. Scanning server dev...

  • Page 121

    d. In the remaining fields, fill in all relevant data as needed. e. Click ok. f. Copy the entire certificate request, including the BEGIN ... and END ... lines, and provide them to the CA. g. When the CA provides the certificate, copy t...

  • Page 122: Implementing Cloud Security

    Chapter 21: Implementing Cloud Security. This chapter is relevant only if implementing a hybrid SWG deployment. Hybrid deployment is an SWG feature providing web security for users when working off-site, that is, connecting to the internet from hotels, ...

  • Page 123

    Implementing cloud security outline. This is to be read in conjunction with the overall hybrid deployment process. Outlining a hybrid deployment requires the following: • deployment decisions: • certificate management method PKI mode...

  • Page 124

    Configuring cloud settings in internal mode. Note: before configuring cloud settings, ensure that you have: To configure cloud settings in internal mode: 1. Select administration → cloud → configuration. 2. Click edit. 3. If the cloud...

  • Page 125

    location. c) In the address field, specify the IP address or hostname of the scanner/load balancer. d) In the local client HTTP port field, specify the client-side port number used to uniquely identify a specific cloud proxy or clou...

  • Page 126

    i. Click the generate CSR link that is under the import CSR-based CA button. The window displays fields for defining the certificate authority. ii. In the common name field, specify a name for the CA. It is mandatory to specify a ca...

  • Page 127

    9. Configure provisioning parameters, and perform downloads, in the provisioning tab, as follows: a. In the agent installer URL field specify the address chosen by the administrator where the agent installation package is saved. b. ...

  • Page 128

    4. Configure cloud proxies in the proxies (cloud) tab, as follows: a. In the server side area, define the following details: i. In the cloud proxy HTTP port field, specify the server-side HTTP port number on which all cloud proxies ...

  • Page 129

    hostname and display the results in the internal hostname IP field. • Manually specify the internal hostname IP. 6. Import certificates in the certificate management tab, as follows: a. Import the CA certificate as follows: i. Reques...

  • Page 130

    7. According to need, define non-routable network bypass and trusted URL bypass settings in the bypass tab, as follows. a. For each network or domain to be bypassed while the mobile security client agent is browsing in cloud proxy o...

  • Page 131

    Certifying and managing cloud users. Note: this section is relevant only when the cloud is configured to work in internal mode. In PKI mode, cloud users are certified and managed externally. Cloud users must be properly certified. Wh...

  • Page 132

    Note that pending status displays cloud users who will get certificates after you click as opposed to non-issued status, which displays cloud users who have not been issued a certificate. b. Click the filter button. This list of use...

  • Page 133

    5. To ensure that new users cannot disable the mobile security client agent installed on their machines, ensure that the prevent user from disabling mobile security client checkbox is selected. The selected checkbox is the default. ...

  • Page 134

    Defining a private cloud scanner. Note: before defining a private cloud scanner, ensure that you have added and set up the needed device. To define a private cloud scanner: 1. Using the limited shell commands, define the device as a pr...