Access Control to Internet

Web: Access Control to Internet Administration Guide Version 7.3

Copyright Cogilab 2017, all rights reserved. Any reproduction, modification or distribution of this document is prohibited without the prior written consent of Cogilab. The Cogilab and SurfPass trademarks are filed with the INPI. All other trademarks used in this document belong to their respective owners.

Table of contents

INTRODUCTION
  PRESENTATION OF SURFPASS
  RECOMMENDATIONS
  TO JOIN COGILAB
INSTALLATION
  INSTALLING THE SERVER
    The different modes of integration
    Set the integration mode
    Server in explicit proxy mode
    Server in transparent proxy mode
    Example of gateway with two network cards
  INSTALLING THE ADMINISTRATION CONSOLE ON A DEDICATED COMPUTER (OPTIONAL)
  AD AUTHENTICATION CLIENT INSTALLATION (OPTIONAL)
  FIRST USE OF THE ADMINISTRATION CONSOLE
    General structure of the administration
    Select the identification / authentication method
    End of user session
    Session end
    Filtering by blacklist or whitelist
    Filtering video sites, social networking
    Enter the serial numbers
    Changing default passwords
  CONFIGURATION ACCOUNT
    Installation options
    Address of the server computer
    Address of the database computer
    Local Web server
    Access to the administration console
  SERIAL NUMBER
  PARAMETERS IMPORT FROM SURFPASS 4, 5, 6
  HOW TO UNINSTALL SURFPASS
ADMINISTRATION
  GENERAL STRUCTURE OF THE ADMINISTRATION
  MANAGEMENT OF THE USER ACCOUNTS
    The different types of user accounts in SurfPass
    Adding a new account
    Modifying an account
    Deleting an account
    Exporting the users list
    Importing the users list
    Update the list of users
  MANAGEMENT OF THE USER GROUPS
    Adding a new group
    Modifying a group
    Deleting a group
    Advanced functions
    Exporting the list of the user groups
    Importing the user groups
  MANAGEMENT OF THE USER PROFILES
    Adding a new profile
    Modifying a profile
    Deleting a profile
    Edition of a profile
    General
    Filtering
    Timetable
    Advanced functions
  MANAGEMENT OF THE COMPUTER ACCOUNTS
    Adding a new account
    Modifying an account
    Deleting an account
  MANAGEMENT OF THE COMPUTER GROUPS
    Adding a new group
    Modifying a group
    Deleting a group
    Advanced functions
  MANAGEMENT OF THE COMPUTER PROFILES
    Adding a new profile
    Modifying a profile
    Deleting a profile
    Edition of a profile
    General
    Filtering
    Advanced functions
  GLOBAL
    General
    Integration settings
    Licenses
    Serial number
    Filtering lists
    Update
    Lists editing
    Adding a new filtering list
    Modifying a filtering list
    Removal of a filtering list
    History
    Routing subnets
    Auto Create stations
    SSL/TLS inspection
  IMPLEMENTATION OF FILTERING
    Block everything except a few ports (80, )
    User profiles and computer profiles
    Prohibit / allow a filtering theme
    White lists
    Setting
    External links
    Allow s
    Allow all https sites
    Do not forget the rule of the list of updates
    Black lists
    How do I know which list blocks?
    When not to display the warning forbidden sites
    Creating a local list
    When making your own lists
    SafeSearch
    Themes of Toulouse's black lists
    Videos
    Social networks
  SYNCHRONIZATION WITH ACTIVE DIRECTORY
    Introduction
    Operation
    Correspondence of the user groups SurfPass / Active Directory
    Activation / deactivation
  HISTORY
  RELOADING
    Reloading of the accounts
USE
  CONNECTION TO INTERNET
    Captive portal
    Windows Authentication Agent
  BROWSING
  DISCONNECT
    Captive portal
    Session end
    Windows Authentication Agent
MAINTENANCE
  QUIET INSTALLATION
  SECURITY WITH THE SERVER OF FIREBIRD DATABASES
  BACKUPS
  CHANGE OF SERVER
  SCRIPTS OF MAINTENANCE
  REPAIRING A CORRUPTED DATABASE
  MANAGEMENT OF THE SURFPASS HTTPS CERTIFICATE
  ACCESS TO THE PORTAL TO HTTPS
  RECOMMENDATIONS FOR VERY LARGE SITES

Introduction

Presentation of SurfPass

SurfPass is software to filter and control the Internet access of a complete network. It is used in enterprises, government, schools as well as sites offering public Wi-Fi access.

Here are the main features of SurfPass 8:
- Operates as explicit or transparent proxy.
- SSL/TLS inspection with public key.
- SafeSearch mode (URL rewriting).
- Captive portal, subnets support.
- Blocking and filtering of Internet.
- Filtering by content analysis and with the black list of the University of Toulouse (more than a million sites).
- Centralization of the accounts and all parameters in a SQL database.
- Management of users and the computers by groups and profiles.
- Timetable by user profile.
- Archived and real-time detailed log.
- Optional synchronization with Active Directory.

Recommendations

If you are informed of sites with inappropriate content not indexed in the black lists, you are highly encouraged to submit them here:

Do not forget to back up the database regularly (see chapter "Maintenance").

To join COGILAB

We invite you to send your suggestions and your remarks to the following address: support@cogilab.com

You can also visit our Web site to be informed of the latest versions:

You can leave your address at the bottom of any page of the Cogilab Web site to stay informed about the latest available version.

Installation

The same software is installed on the server computer, on the administration computer and, in some cases, on client computers.

If a previous version of SurfPass is already installed, you must uninstall it before installing version 7.

It is possible to restart the computer only once after several setting changes calling for a restart.

Installing the server

The computer must be running Windows 10, 8.1, Windows 8, Windows 7, Windows 2016, 2012 R2, Windows 2012, Windows 2008 R2. It does not have to be a "true" server such as a Windows Server.

The .NET Framework 4.6 must be installed to get all features, such as list downloading. This framework comes as standard with Windows 10 / 2016 and above, so there is nothing to install.

Installation options:
- Enable only "Install Server".
- Leave the other default settings.
- Keep the value "localhost" for the server address and the database address.

The server computer can be the same as the administration computer.

The different modes of integration

SurfPass can be integrated in a network in two possible modes. The mode is set in the administration of SurfPass: Global / General.

The explicit proxy mode: client browsers are configured to access the Web in proxy mode.

Advantages:
  o No network addressing change.
  o Only one Ethernet adapter is required on the SurfPass server.

Disadvantages:
  o Requires changing the configuration of the browsers.
  o If users are administrators of their computers, it is necessary to add rules at the firewall to prevent direct access to ports 80 and 443 from clients (attempt to bypass the proxy).
  o Only the HTTP/S traffic is filtered and stored in the history.

The transparent proxy mode: the SurfPass server acts as a router between two Ethernet cards and automatically redirects HTTP/S traffic to the proxy.

Advantages:
  o All services are filtered and stored in the history, not only HTTP/S.
  o Captive portal for public Wi-Fi.
  o No change to the settings of the browsers.
  o Secured (hard to bypass).

Disadvantages:
  o The SurfPass server must have two Ethernet adapters: one WAN adapter in the subnet of the main router and one LAN adapter in the subnet of the client computers.
  o Potential impact on client addressing, for transit via the LAN card of the SurfPass server rather than directly through the main router.

It is possible to mix the two modes: e.g. the explicit proxy mode for desktops, and the transparent proxy mode for public Wi-Fi.

In all cases, it is advisable not to enable the local filtering unless SurfPass is installed on a TSE / Remote Desktop server.

Set the integration mode

Set the integration mode in the tab "Global" / "General":
- Explicit proxy only: do not activate the network driver, activate "Enable Proxy".
- Transparent proxy: enable the network driver, "Enable proxy forwarder" and "Enable Proxy".
- Simple gateway mode (same as SurfPass v6): enable the network driver, disable "Enable proxy forwarder" and "Enable Proxy".

Server in explicit proxy mode

The server installation is complete. The TCP port that will be used as proxy port must be open on the server. Enter the proxy setting in client browsers.

The proxy port must be opened in the firewall of the SurfPass server.

If users have administrator rights on their computer: block ports 80 and 443 on the main firewall between the client computers and the main router; only the SurfPass server machine must have access.

To prevent bypassing the proxy, it is also possible to add to the SurfPass server a second NIC in the same subnet as the first one, dedicated only to client filtering. This second NIC does not have direct access to the main router.

Server in transparent proxy mode:

The gateway computer must have at least two Ethernet interfaces:
- One has an IP address in the public network (WAN), where the main router providing Internet access is located.
- The other interface has an address in the private subnet (LAN), the network of controlled computers.

SurfPass performs the routing between these two cards and performs address translation (NAT). It is during the routing between interfaces that the filtering is performed.

Once the server installation is complete, log in to the SPAdmin administration console with the name "admin" and the password "Cogilab", then go to the "Global" tab / "Routing Subnets" sub-tab. Add at least one route, selecting the Ethernet interface of the private subnet (LAN) to be filtered and the Ethernet interface of the public subnet (WAN) where the main router is located. It is possible to add more routes for the other private subnets. Then reboot the computer.

All used TCP ports must be open in the server firewall on the LAN interface: 5031, 3050,

Clients of the private subnet with static IP addresses: in the network settings, you must change the address of the default gateway to the IP address of the private interface of the SurfPass server. Other parameters such as DNS do not change.

Clients of the private subnet with DHCP IP addresses: you must install DHCP software such as dhcpserver.de or Tftpd32, and set it to be active on the private LAN. It is also possible to use the DHCP server of Windows Server. The DHCP server can be on another computer, in the same private LAN as the gateway.

Wi-Fi clients: install DHCP server software as explained above. The Wi-Fi access point is connected to the private LAN. It is configured in bridge mode and not in router mode, which must be completely disabled (no UPnP, DHCP, DNS...).

Example of gateway with two network cards

Public WAN subnet: address / mask
Private LAN subnet: address / mask
Primary router and DNS:
Configuring WAN (public) interface of the gateway: Default Gateway: , DNS:
Configuring LAN (private) interface of the gateway: Default Gateway: (blank) DNS: (blank)
Configuring a client: IP , Default Gateway: , DNS:

Installing the Administration Console on a dedicated computer (optional)

The computer must be running Windows 10, Windows 8.1, Windows 8, Windows 7, Windows 2016, Windows 2012 R2, Windows 2012, Windows 2008 R2.

The .NET Framework 4.6 must be installed, otherwise an error occurs when launching the administration console. This framework comes as standard with Windows 10 / 2016 and above, so there is nothing to install.

Server Address: replace "localhost" with the IP address of the server.

Access to routing subnets must be done from the SurfPass server computer and not from a remote administration console.

AD authentication client installation (optional)

The computer must be running Windows 10, Windows 8.1, Windows 8, Windows 7, Windows 2016, Windows 2012 R2, Windows 2012, Windows 2008 R2. SurfPass is compatible with TSE servers - Remote Desktop / Citrix.

The client deployment can be done automatically by GPO.

Leave all other default settings, including localhost for the server address.

TCP port 5030 must be open on the client machine: it is the server that connects to the client, not the reverse.

Once the authentication agent is installed, it is necessary to move the client from the Generic computer group to the Remote Desktop computer group. The only difference between these two groups is the declaration of the presence of the authentication module in Remote Desktop. The change takes effect for the next user sessions, not for current sessions.

The authentication agent is compatible with all integration modes: explicit proxy, transparent proxy or simple gateway.

If the agent installation is not possible (e.g. on Windows XP or Vista), it is possible to start the PowerShell script Disconnect_SP.ps1 available at the root of the SurfPass installation: C:\Program Files\Cogilab\SurfPass7\Disconnect_SP.ps1, launched by the task scheduler or a GPO when the Windows session opens. If a SurfPass session was already open on the same computer, it will be closed. This allows more accurate logging and filtering when the same machine is used by several people and people forget to log out via the status.html page at the end of a session opened with the captive portal.

First use of the administration console

To launch the console: Start menu / All Programs / Cogilab / SurfPass7 / SPAdmin, from the Windows session used for the installation of SurfPass. The login is "admin" and the password "Cogilab". By default all passwords in the administration are "cogilab".

General structure of the administration

- Whenever a form is changed, press the green button «Apply» at the top to save the changes.
- Users belong to groups of users whose rights are defined by a user profile. The structure is the same for the computers.
- The computer profile is active when the computer is idle, that is, when no SurfPass user is connected. Otherwise, the profile of the user currently logged in applies. The user profiles and computer profiles are mutually exclusive: only one is active at a time, including the filtering rules.
- The settings in the "Global" tab are shared by the entire system. For example, if a filtering list is disabled in Global / Filtering lists / Lists editing, it will also be disabled in all profiles that use it, even if the related rules are still active.
- The filtering rules, filtering lists and all other settings presented in tables appear on a white background when they are enabled and on a gray background when they are disabled.

Select the identification / authentication method

- Transparent identification: the user name is the computer name or its IP address. This is the default mode of SurfPass.
- AD authentication without entering a login and a password
  o Authentication agent: install the agent on the clients, then switch the clients to the computer group "Remote Desktop".
  o Or Windows / NTLM: enable Windows / NTLM authentication in the settings of the browsers, then switch the clients to the computer group "Portal".
- Captive portal with entering a username and a password: switch the clients to the computer group "Portal".
  o SurfPass user accounts: manually create new users with a login and password.
  o Or AD login and password verified by the domain controller: SurfPass checks the login and the password against the domain controller. Also works with non-Windows devices, e.g. Android or iOS.

By default, SurfPass operates in automatic identification (no identification or transparent Active Directory authentication). To force a manual identification with the captive portal or with the SurfPass client identification box, go to the tab "Computer profiles" / "generic" / "General" and disable "Automatic identification", or select the Portal group or profile.

The computer group 'Portal' forces identification through the captive portal because the Automatic identification option is already disabled. The default computer group can be defined by the IP address range of the client, in "Global" / "Auto Create computers."

If AD authentication is used, the SurfPass server must be a member of a domain.

End of user session

Session end:
- By the end of user rights: exhausted time, time slots, etc.
- By inactivity: the default time is 2 hours. It is possible to reduce this value to 5 minutes in the computer profile / tab "General" / "Disconnect if network is idle for ()".
- Manually: by calling from the client browser the URL: <IP of the private interface>:8081/status.html

Filtering by blacklist or whitelist

By default the filtering operates in blacklist mode: everything is permitted except what is expressly prohibited by rules of simple addresses or address lists.

To operate in whitelist mode (everything is prohibited except what is explicitly permitted), go to the tab "Filtering" of the corresponding user profile, uncheck the first check box: "All connections are allowed (except for rules)" and confirm with the button «Apply». Then add authorization rules.

Filtering video sites, social networking...

For sites like YouTube or Dailymotion, simply enable the audio-video or filehosting lists. Facebook and Twitter are in the social_networks list. Lists are activated or deactivated in "Global" / "Filtering lists" / "Lists editing".

Enter the serial numbers

Except for the evaluation period, serial numbers must be entered within 30 days after the installation:
- For a site license: tab "Global" / "General". Save the change with «Apply».
- For per-computer licenses: tab "Computers": select the computer on the left; enter the serial number in the form on the right; save the change with «Apply». Serial numbers must be distinct for each computer.

After the expiration, the routing is still active but there is no filtering or log.

Changing default passwords

By default, all passwords are "cogilab". For security reasons, a change is required for:
- The admin account
- The user accounts test, test1 and test2, which may be deleted.

Configuration account

The configuration account allows taking control locally on the server and on each client, at all times, even when the client is not connected to the SurfPass server or to a local network.

The configuration account is the only way to modify the local parameters of each computer, i.e. those not centralized in the database.

Access to the configuration account requires Windows administrator rights. To access this account from the Windows desktop: Start Menu / All Programs / Cogilab / SurfPass7 / SPConfig.

The configuration account

Installation options

- Server with administration console: installs all the features necessary for the server.
- Administration console alone: only installs the management console.
- Windows authentication agent: this optional module, to be installed on clients, allows automatic Active Directory authentication.

Address of the server computer

This setting must be changed only for the administration console alone.
- Address: the address of the SurfPass server.
- Port: by default, the SurfPass server uses TCP port

Address of the database computer

This setting is to be changed if multiple servers / gateways share a common database.
- Address: address of the database server, preferably in the form of an IP address, or localhost for the server and the gateway.
- Port: the default port of the database is
  If the port is different, it must also be changed in the installation directory SurfPass: \Firebird\firebird.conf.

Local Web server

This option must be enabled on the server machine. It displays the error messages and the captive portal.
- HTTP Port: the port used by the browser of the client to connect to the SurfPass Web server.
- Enable HTTPS: identification in the captive portal is either in HTTP or HTTPS. By default the key is self-signed, which causes a warning message in the browser. To avoid these messages, you must either add an exception in the browser or install an SSL certificate from a vendor.
- HTTPS Port: the port used by the browser of the client to connect to the SurfPass Web server for the captive portal when HTTPS is active.

Access to the administration console

Configuration and administration accounts can be reached from the Windows desktop: Start / All programs / Cogilab / SurfPass7.

This gives access to the following dialog box:

Enter admin in the user name field and cogilab in the password field, and validate by clicking on OK.

The Tab key moves from one field to the next. The Enter key is equivalent to pressing the OK button.

Serial number

The serial number is entered after the SurfPass installation in the tab Global / General.

Parameters import from SurfPass 4, 5, 6

In the administration console: Global / Tools and select the database to import.

How to uninstall SurfPass

There are 2 ways of uninstalling SurfPass.
- In the Windows control panel, Add or remove programs, SurfPass7.
- With the command prompt: go to the c:\program Files\Cogilab\SurfPass7 directory and enter the command: spconfig /Uninstall <enter key>. Windows administrator rights are required.

Here is the complete procedure: Menu Start / Accessories / Command prompt. Then enter (quotation marks are required):

"c:\program Files\Cogilab\SurfPass7\spconfig" /Uninstall <enter>

This is the uninstall method to use if the normal uninstall procedure fails.

Administration

At first installation, SurfPass creates groups, profiles and several user accounts as examples. All these parameters can be modified or removed.

Among the user accounts, there are an account for administration ("admin") and a reloading account ("credit"). All passwords must be changed; by default the password is "cogilab" everywhere. The "admin" account cannot be removed; its password can (must) be changed. Test is an unlimited user account; Test1 is a limited user account with a credit of 1 hour. Test2 is an unlimited, unfiltered user account. Groups and profiles are preset for other values of account.

To enter administrator mode the first time, enter "admin" for the login and "cogilab" for the password.

The administration console can also be called from the Windows desktop: Start / All programs / Cogilab / SurfPass7 / SPAdmin

Once connected as administrator, the accounts list appears. The color of the last column of the left panel indicates the state of an account:
- Gray: administration account or reloading account (credit).
- Blue: unlimited user account.
- Green: limited user account with enough time credit.
- Red: limited user account with empty time credit.
- Orange: limited user account with a time credit lower than a quarter of the quota (near empty).

General structure of the administration

SurfPass manages the two following entities distinctly:
- The users of the system.
- The computers (client machines) controlled by SurfPass.

The users and the computers are:
- Organized in groups (user groups and computer groups).
- Characterized by profiles (user profiles and computer profiles).

The user and computer accounts have very few parameters. Most parameters are defined at the level of the user profiles or computer profiles.

In summary:
- Each user and computer belongs to a group.
- A group is characterized by a name and a profile.
- A profile contains most of the settings of a user or computer.

The computer profile is used when the SurfPass computer is idle; the user profile is applied during a SurfPass user session. Only one is active at a time.

By default, all passwords are Cogilab. For security reasons, you must change all passwords as quickly as possible: all the user accounts, including those of administration and credit. You cannot read passwords, but you can overwrite the current one with a new one, then validate with the green Apply button.

Management of the user accounts

Tab Users

The different types of user accounts in SurfPass

The group an account belongs to defines the user account type, and a user group is defined by a user profile.
- User accounts dedicated to the end users. They can be used with a credit of limited or unlimited time.
- Administration accounts. They give access to all SurfPass parameters, except the local parameters of each computer, which are accessible locally with the configuration account. When SurfPass is installed, these are the "admin" account and the "credit" (reloading) account. The access rights to the administration, log, real-time and reloading are distinct rights; each one can be given independently of the others by delegation.

Adding a new account

Press the button «Add» (blue cross) at the top left and fill out the form in the right panel. A user account includes:
- Login.
- Password.
- Group. The choice of the group determines the operation of the account, because it also defines the profile which will be applied to the user account. It is the choice of the group which determines whether the account is an administrator account, a user account with time limitation, etc.
- A user-friendly name, as it appears in the list of users. If this field is left empty, it takes the value of the user name.
- If it is an account of the administrator family, it is possible to define the rights given to this account: main administration, creation/reloading of accounts, log, real-time.
- If it is a user account with time limitation, it is possible to view and modify the remaining time. The indicated time is the time stored in the database, and does not reflect the exact value of a session in progress. For that, it is necessary to go to the History module.
- Validity start/end: sets a validity date for the user account.
- Disabled: disables an account temporarily, without deleting it.

Once the form is filled out, it must be validated with the green button «Apply» at the top right.

Modifying an account

Select the account in the list on the left, modify its parameters in the form on the right, and validate with the green button «Apply» at the top right. To cancel a modification in progress, quit with «Cancel» at the top right.

Deleting an account

Select the account in the list and press the button Delete (blue minus sign) at the top left. Multiple selections are possible.

Exporting the users list

This option converts the list of user accounts into HTML, for example to print it. To do so, press the button Export at the top left.

Importing the users list

This option makes it possible to create a large number of user accounts automatically. Press the button Import at the top left. Select the user group for the imported accounts and the access path to the text file containing the declaration of the accounts.

If the text file contains accents, it must be encoded in UTF-8, not ANSI. This option is available in the menu "Save As" of text editors.

Structure of an import text file:
- Comment: any line starting with the character `#'.
- The fields are separated by tabulation, ; or :. Space is not a separator.
- From 1 to 5 fields per line. If there are fewer than 5 fields, the missing fields are automatically defined by SurfPass.
- Fields are: user name, password, user group, user-friendly name, credit.
- If only one field: it is the user name. In this case, password = user name, user group = import user group, user-friendly name = user name, credit of the account = quota of the profile of its import group.
- If two fields: user name then password. In this case, user group = import user group, user-friendly name = user name, credit of the account = quota of the profile of its import group.
- If three fields: user name then password then user group. In this case, user-friendly name = user name, credit of the account = quota of the profile of its user group.
- If four fields: user name then password then user group then user-friendly name. In this case, credit of the account = quota of the profile of its user group.
- If five fields: user name then password then user group then user-friendly name then credit of time in seconds.
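The import format above silently sets password = user name on one-field lines, so an import file is worth auditing before it is loaded. The following Python sketch is an added example, not Cogilab code: it applies the field-defaulting rules described above and flags weak credentials. The function names, the sample file, and the handling of blank lines and of lines with more than five fields are assumptions.

```python
"""Parse and audit a SurfPass user-import file (added example, not vendor code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Per the guide: fields are separated by tab, ';' or ':'; a space is not a separator.
SEPARATORS = re.compile(r"[\t;:]")
# Default password named in the guide; compared case-insensitively here.
DEFAULT_PASSWORDS = {"cogilab"}


@dataclass
class ImportedAccount:
    line_no: int
    user: str
    password: str
    group: str
    friendly_name: str
    credit_seconds: Optional[int]  # None = quota of the group's profile


def parse_import(text: str, import_group: str) -> Tuple[List[ImportedAccount], List[str]]:
    """Apply the guide's 1-to-5-field defaulting rules to every line."""
    accounts: List[ImportedAccount] = []
    errors: List[str] = []
    text = text.lstrip("\ufeff")  # tolerate a UTF-8 byte-order mark
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue  # comment, or blank line (assumed to be ignorable)
        fields = SEPARATORS.split(line)
        if len(fields) > 5:
            # Typical cause: a ';' or ':' inside a password splits it in two.
            errors.append(f"line {n}: {len(fields)} fields, expected 1 to 5")
            continue
        user = fields[0]
        if not user:
            errors.append(f"line {n}: empty user name")
            continue
        password = fields[1] if len(fields) > 1 else user   # 1 field: password = user name
        group = fields[2] if len(fields) > 2 else import_group
        friendly = fields[3] if len(fields) > 3 else user
        credit = None
        if len(fields) > 4:
            try:
                credit = int(fields[4])  # credit of time in seconds
            except ValueError:
                errors.append(f"line {n}: credit {fields[4]!r} is not a number of seconds")
                continue
        accounts.append(ImportedAccount(n, user, password, group, friendly, credit))
    return accounts, errors


def audit(accounts: List[ImportedAccount]) -> List[Tuple[int, str, str]]:
    """Return (line, user, finding) for credentials that should not be imported."""
    findings = []
    for a in accounts:
        if a.password == "":
            findings.append((a.line_no, a.user, "empty password"))
        elif a.password.lower() == a.user.lower():
            findings.append((a.line_no, a.user, "password equals user name"))
        elif a.password.lower() in DEFAULT_PASSWORDS:
            findings.append((a.line_no, a.user, "product default password"))
    return findings


# Constructed sample file; every account and password below is made up.
SAMPLE = (
    "# constructed sample import file\n"
    "alice\n"
    "bob;S3cure-Phrase-91\n"
    "carol\tcogilab\tstudents\n"
    "dave;Tr0ub4dor&3;staff;Dave Martin;3600\n"
    "erin:pa:ss;word:staff:Erin:60\n"
    "frank;x9!kQ2;staff;Frank;one hour\n"
)

if __name__ == "__main__":
    parsed, problems = parse_import(SAMPLE, import_group="visitors")
    for finding in audit(parsed):
        print("WEAK ", finding)
    for problem in problems:
        print("ERROR", problem)
```

Read a real file with encoding="utf-8", as the guide requires UTF-8 for accented names, and pass the group selected in the Import dialog as import_group.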

Update the list of users

This option causes the reloading of user accounts from the database. To do this, press the "Refresh" button in the upper left.

Management of the user groups

Users of the same group share exactly the same settings and the same rights. There must be at least one user group in SurfPass. Several user groups can share the same user profile.

Tab User groups

Adding a new group

Press the button «Add» (blue cross) at the top left and fill out the form in the right panel.
- Group name: it is important to choose the name of the group carefully the first time, because it can no longer be modified after validation.
- Profile: choice of the user profile which defines the rights of the user group.
- Disabled: disables a group of user accounts temporarily, without deleting it.
- Delete inactive users (in days): deletes user accounts that have not been used for a number of days. Useful for public spaces.
- Computer groups restrictions: enables the button Modify the list to choose the computer groups that the current user group will have the right to use; the other computer groups are then prohibited.
- Validity start/end: sets a validity date for the users of the group.

Modifying a group

Select the group in the list on the left, modify its parameters in the form on the right, and validate with the green button «Apply» at the top right. To cancel a modification in progress, quit with Cancel at the top right.

Deleting a group

Select the group in the list and press the button Delete (blue minus sign) at the top left. Multiple selections are possible. If the group contains at least one user, deletion is not possible.

Advanced functions

The advanced button in the upper left allows you to:
- Delete the users belonging to a group.
- Change the user group. It is a way to rename a group: the administrator creates a new group set up like the old one. The former group is the source group; the new group is the target group.

Exporting the list of the user groups

This option converts the list of user groups into HTML, for example to print it. To do so, press the button Export at the top left.

Importing the user groups

This option makes it possible to create a large number of user groups automatically. Press the button Import at the top left. Select the access path to the text file containing the declaration of the accounts.

The first parameter is the name of the group. The second parameter, optional (CSV format), is the user profile. If the profile is not specified, a profile with the same name as the group is created.

If the text file contains accents, it must be encoded in UTF-8, not ANSI. This option is available in the menu "Save As" of text editors.

Management of the user profiles

The user profile defines the SurfPass behavior at the beginning of a user session and during a user session. A user profile defines a set of user parameters. Each user is linked to one and only one profile, defined in the group the user belongs to. Several user groups can share the same user profile.

The tab User profiles, general sub-tab

Adding a new profile

Press the button «Add» (blue cross) at the top left and fill out the form in the right panel. The name must be chosen carefully, because it can no longer be modified afterwards. The editing of the profile is spread over five tabs: General, Filtering, Timetable.

Modifying a profile

Select the profile in the list on the left, modify its parameters in the form on the right, and validate with the green button «Apply» at the top right in each tab of the right panel containing a modification. To cancel a modification in progress, quit with «Cancel» at the top right.

Deleting a profile

Select the profile in the list and press the button «Delete» (blue minus sign) at the top left. Multiple selections are possible. If the profile is used by at least one group, deletion is not possible.

Edition of a profile

General

Defines the general properties of the user accounts using the profile.
- Profile name: it is important to choose the profile name carefully the first time, because it cannot be modified after validation.
- Type of account: user, administrator. If administrator, the following parameters are ignored.
- Do not store visited sites: only the beginning and the end of the session are stored in the log, without the visited Web sites.
- Prohibit simultaneous use of the same account: prohibits the simultaneous use of the same unlimited account on several machines. The accounts with time limitation can never be used simultaneously.
- Time limit: assigns a time limit of use to user accounts (e.g. 1 hour).
- Time use: this value is proposed by default during reloading operations. It is also the value used for reloading all the accounts at the same time and by the automatic reloading operation.
- Time use reloading: if selected, the accounts are automatically reloaded after a given interval of time. The automatic reloading is made at the beginning of the session.

Filtering

Defines a set of rules to prohibit or authorize Internet sites or addresses. The rules which appear on a grayed background are disabled.
- All connections are allowed (except for rules): defines the default behavior; the rules are the exceptions to this default behavior. Select this option to operate in black list mode (everything is authorized except a few sites). If this option is not selected, no access to Internet is possible apart from the exceptions given in the authorization rules: this is white list mode, where everything is prohibited except a few sites.
- Warning forbidden sites: if selected, SurfPass displays a message to the user each time he/she tries to reach a prohibited site. In the case of advertising filtering, it is advised not to select this box, in order not to be disturbed by the very frequent display of the warning message. Whether or not the warning message is displayed does not change the filtering operation.
- Enable URL rewriting (SafeSearch): takes into account the domains defined in the "Rewriting" sub-tab.
- Enable SSL/TLS inspection: enables HTTPS decryption. This option must also be active at the global level. The "TLS exceptions" list works as a white list (its content is not decrypted) if the option is enabled, and as a black list otherwise (only the content of the list is decrypted). If this option is enabled in the user profile, it is advisable to also enable it in the corresponding computer profile.
- Filtering lists: enables or disables all the rules based on filtering lists.
- Content analysis filtering: enables or disables filtering by content analysis.
- Content analysis theme: one or more topics can be selected. If all topics are disabled, filtering by content analysis is disabled.
- Level of content analysis filtering: the higher the level, the more sensitive the filtering, with a possible risk of false positives. Recommended values are: 1-2 for adults, 3-4 for teenagers, 5-7 for pre-teenagers, 8-10 for young children.
- Options of reverse DNS control: when SurfPass cannot determine the domain name corresponding to an IP address, it sends a DNS request which can take a long time. It is possible to disable this option, either for distant accesses or for the local network. It is recommended to disable reverse DNS locally, because local networks do not always have a local DNS server.

[Figure: The tab Filtering of a user profile]

The «Add» and «Delete» buttons at the top right make it possible to add or remove a simple rule or a list rule.

There are two operating modes for filtering:
- By black list: all the sites are authorized, except a few. In this case it is necessary to select the box All connections are allowed (except for rules) and to add blocking rules for the prohibited sites.
- By white list: by default everything is prohibited, except a few sites. In this case it is necessary to unselect the box All connections are allowed (except for rules) and to add authorization rules for the few sites which should not be blocked.

Parameters of a simple rule are:
- Action: Allow or Deny.
- Type: All, Domain (example: surfpass.com), URL (example: surfpass.com/index.html), IP (example: ), and newsgroup.
- Address: the address corresponding to the type.
- Protocol: TCP, UDP or both.
- Port: to be chosen in the list or typed in the editing zone.
- Priority: useful only in the case of conflict between two rules, for example to prohibit *.com and authorize surfpass.com. In this case, the rule with the highest priority wins.
- Comment: optional description of the rule.
- Disabled: the rule is not active.
- Quiet: neither user warning nor log entry when the rule is triggered.

Parameters of a list rule are:
- Action: Allow or Deny.
- Type: Domain (example: surfpass.com), URL (example: surfpass.com/index.html), IP (example: ), and newsgroup.
- List name: name of the list.
- Protocol: TCP, UDP or both.
- Port: to be chosen in the list or typed in the editing zone.
- Priority: useful only in the case of conflict between two rules.
- Comment: optional description of the rule.
- Disabled: the rule is not active.
- Quiet: neither user warning nor log entry when the rule is triggered.

[Figure: Edition of an address filtering rule in a user profile]

[Figure: Edition of a list filtering rule in a user profile]
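The default behavior, its exceptions and the priority tie-break described above, modelled as an added example (this is not SurfPass code). The ordering low < medium < high, subdomain matching for a plain domain, and denying on an unresolved tie are assumptions; only the All and Domain rule types are modelled, and the profiles are constructed samples.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import List, Optional, Tuple

# Assumed ordering of the priority labels; the guide itself only names "low" and "medium".
PRIORITY = {"low": 0, "medium": 1, "high": 2}

@dataclass
class Rule:
    action: str                 # "allow" or "deny"
    type: str                   # "all" or "domain" (URL, IP and newsgroup are not modelled)
    address: str = "*"
    port: Optional[int] = None  # None means any port
    priority: str = "medium"
    disabled: bool = False
    quiet: bool = False

@dataclass
class Profile:
    allow_by_default: bool      # the box "All connections are allowed (except for rules)"
    rules: List[Rule]

@dataclass
class Decision:
    allowed: bool
    rule: Optional[Rule]        # None when the default behavior applied
    warn_user: bool             # would the "forbidden site" warning be shown
    ambiguous: bool = False     # opposing rules matched at the same priority

def rule_matches(rule: Rule, host: str, port: int) -> bool:
    if rule.disabled:
        return False
    if rule.port is not None and rule.port != port:
        return False
    if rule.type == "all":
        return True
    host, pattern = host.lower(), rule.address.lower()
    if "*" in pattern:
        return fnmatch(host, pattern)
    # Assumption: a plain domain also covers its subdomains.
    return host == pattern or host.endswith("." + pattern)

def decide(profile: Profile, host: str, port: int, warn_forbidden: bool = True) -> Decision:
    hits = [r for r in profile.rules if rule_matches(r, host, port)]
    if not hits:
        allowed = profile.allow_by_default
        return Decision(allowed, None, warn_forbidden and not allowed)
    top = max(PRIORITY[r.priority] for r in hits)
    winners = [r for r in hits if PRIORITY[r.priority] == top]
    ambiguous = len({r.action for r in winners}) > 1
    # Assumption: when priority does not settle the conflict, this model denies.
    winner = next(r for r in winners if r.action == "deny") if ambiguous else winners[0]
    allowed = winner.action == "allow"
    return Decision(allowed, winner, warn_forbidden and not allowed and not winner.quiet, ambiguous)

def find_ambiguities(profile: Profile, probes: List[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Probe requests for which two opposing rules tie on priority."""
    return [(h, p) for h, p in probes if decide(profile, h, p).ambiguous]

# Constructed sample profiles.
BLACKLIST_PROFILE = Profile(True, [
    Rule("deny", "domain", "*.com", priority="low"),
    Rule("allow", "domain", "surfpass.com", priority="high"),
    Rule("deny", "domain", "ads.example", quiet=True),
])
WHITELIST_PROFILE = Profile(False, [
    Rule("allow", "all", port=80, priority="low"),
    Rule("allow", "all", port=443, priority="low"),
])
TIED_PROFILE = Profile(True, [
    Rule("deny", "domain", "*.com"),
    Rule("allow", "domain", "surfpass.com"),
])

if __name__ == "__main__":
    for host in ("surfpass.com", "www.example.com", "example.org"):
        print(host, decide(BLACKLIST_PROFILE, host, 443).allowed)
    print("ties:", find_ambiguities(TIED_PROFILE, [("surfpass.com", 80), ("example.org", 80)]))
```

Running `find_ambiguities` over a handful of representative hosts before applying a profile shows where two rules need distinct priorities.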

Timetable

Defines a set of time segments for each day of the week.

[Figure: The tab Timetable of a user profile]

The checkbox Every day identical to Monday avoids entering the same values for each day of the week if they are identical (to be validated with the Apply button at the top left).

It is possible to prohibit access at certain hours, or to modify the calculation of time: for example a coefficient of 50 instead of 100 will cause a reduction of 50% during this time slot. It is also possible to force the user profile, an easy way to change the filtering for a user according to the current time.

When a time slot overlaps midnight, it should be broken up into two time slots: one before midnight, and another starting from 00:00 the following day.

The «Add» and «Delete» buttons make it possible to add or remove a time slot for one day of the week.

Advanced functions

[Figure: Functions Advanced user profile]

The Advanced button at the top left allows:
- To replace a target profile by a source profile in all groups which use the target profile. It is a way to rename a profile: the administrator creates a new profile, sets its parameters as in the old one, then replaces the old one by the new one everywhere.
- To copy the contents of a profile to another. The filtering parameters and the timetable can be copied separately. This function makes it possible to create a profile close to an already existing profile very quickly.
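Added example, not part of the SurfPass guide: splitting a time slot that overlaps midnight as the Timetable section requires, and applying a slot coefficient to the time debited from a session. Storing slots in minutes with an exclusive end of 1440, reading the coefficient as a percentage of the elapsed time debited, and debiting minutes outside any slot at 100 are assumptions of this example; the Friday slot is a constructed sample.

```python
from typing import List, Tuple

DAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]
MINUTES_PER_DAY = 24 * 60

# A slot is (day, start_minute, end_minute_exclusive, coefficient).
Slot = Tuple[str, int, int, int]

def to_minutes(hhmm: str) -> int:
    hours, minutes = (int(part) for part in hhmm.split(":"))
    if not (0 <= hours < 24 and 0 <= minutes < 60):
        raise ValueError(f"invalid time: {hhmm}")
    return hours * 60 + minutes

def split_slot(day: str, start: str, end: str, coefficient: int = 100) -> List[Slot]:
    """Return one slot, or two when the slot overlaps midnight."""
    s, e = to_minutes(start), to_minutes(end)
    if s == e:
        raise ValueError("empty time slot")
    if s < e:
        return [(day, s, e, coefficient)]
    # The slot runs past midnight: one part up to midnight ...
    before = (day, s, MINUTES_PER_DAY, coefficient)
    if e == 0:
        return [before]  # it ends exactly at midnight, nothing spills over
    # ... and another starting from 00:00 the following day (Sunday wraps to Monday).
    following = DAYS[(DAYS.index(day) + 1) % 7]
    return [before, (following, 0, e, coefficient)]

def debited_minutes(slots: List[Slot], day: str, start: str, end: str) -> float:
    """Minutes debited for a session, assuming the slots of a day do not overlap."""
    total = 0.0
    # The session itself may cross midnight, so it is split the same way.
    for d, s, e, _ in split_slot(day, start, end):
        covered = 0
        for slot_day, slot_start, slot_end, coefficient in slots:
            if slot_day != d:
                continue
            overlap = max(0, min(e, slot_end) - max(s, slot_start))
            covered += overlap
            total += overlap * coefficient / 100
        total += (e - s) - covered  # assumed: no slot means coefficient 100
    return total

# Constructed sample: half-rate time on Friday night from 22:00 to 02:00.
FRIDAY_NIGHT = split_slot("Friday", "22:00", "02:00", coefficient=50)

if __name__ == "__main__":
    print(FRIDAY_NIGHT)
    print(debited_minutes(FRIDAY_NIGHT, "Friday", "21:00", "01:00"))
```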

Management of the computer accounts

Each computer controlled by SurfPass has a corresponding computer account, member of a computer group which is characterized by a computer profile. There are as many computer accounts as there are computers controlled by SurfPass on the network, and there is at least one computer group and one computer profile.

At the first session of a SurfPass controlled computer, SurfPass automatically creates a computer account with the computer name in the Generic group. The group and the other parameters can be modified thereafter.

[Figure: The tab Computers]

Adding a new account

Press the «Add» button (blue cross) at the top left and fill out the form in the right panel. If a machine changes name or is withdrawn from the network, the old account should be removed.

A computer account includes:
- A name (could be an IP address).
- A group. The choice of the group determines the operation of the account, because the group also defines the profile which will apply to the computer account.
- Bypass in subnets routing. The computer network traffic continues to be routed, but is neither filtered nor logged. This option is intended for computers or servers which already incorporate a complete filtering server and share the same database. This avoids duplicate logging and filtering.
- Description (optional).

A computer account contains the following information:
- The creation date of the computer.
- The date of the last boot time.
- The MAC address.
- The last IPv4 address.
- The last IPv6 address.
- The name of the last user.

Modifying an account

Select the account in the list on the left, modify its parameters in the form on the right, and validate with the green «Apply» button at the top right. To cancel a modification in progress, quit with «Cancel» at the top right.

Deleting an account

Select the account in the list and press the «Delete» button (blue minus sign) at the top left. Multiple selections are possible.

Management of the computer groups

Computers of the same group share exactly the same settings and the same rights. There must be at least one computer group in SurfPass. Several computer groups can share the same computer profile.

Four groups are created with the installation:
- Administrator: reserved for the administration and server computers, no filtering by default.
- Generic: the default group for client computers.
- Portal: forces the identification through the captive portal. This group uses the Portal computer profile, whose only difference with the Generic profile is that automatic identification is disabled.
- Remote Desktop: this group includes only computers with the Windows authentication agent installed. Never put in this group a computer that does not have the Windows authentication agent installed, otherwise navigation will be very slow.

[Figure: The tab Computer groups]

Adding a new group

Press the «Add» button (blue cross) at the top left and fill out the form in the right panel.
- Group name: it is important to choose the name of the group carefully the first time, because it cannot be modified after validation.
- Profile: choice of the computer profile which defines the rights of the computers of the group.
- Disabled: allows disabling an account temporarily, without deleting it.
- Delete inactive computers: removes computers that have not been used for a number of days. Useful for public Wi-Fi hotspots.
- User groups restriction: activates the «Modify the list» button, used to choose the user groups that the current computer group will have the right to use; the other user groups are then prohibited.

Modifying a group

Select the group in the list on the left, modify its parameters in the form on the right, and validate with the green «Apply» button at the top right. To cancel a modification in progress, quit with «Cancel» at the top right.

Deleting a group

Select the group in the list and press the «Delete» button (blue minus sign) at the top left. Multiple selections are possible. If the group is used by at least one computer, it cannot be deleted.

Advanced functions

[Figure: Functions Advanced computer groups]

The Advanced button at the top left allows:
- To delete all the computers belonging to a group.
- To replace a target group by a source group for all the computers which belong to the source group. It is a way to rename a group: the administrator creates a new group with the same parameters as the old one, then replaces the old one with the new one everywhere.

Management of the computer profiles

The computer profile defines the SurfPass behavior at the end of a user session and outside a user session (no user connected). A computer profile defines a set of user parameters. At least one computer profile must be defined in SurfPass, one for the administrator and one for the end-user. Each computer is linked to one and only one profile, defined in its membership group. Several user groups can share the same user profile.

After the first installation, SurfPass creates three computer profiles. The first is Administrator and is particularly appropriate for an administration computer because it is transparent: it does not block Internet access even when SurfPass is not in a user session. For all other cases, the Generic profile is more appropriate for automatic identification and the Portal profile for captive portal identification.

[Figure: The tab Computer profiles]

Adding a new profile

Press the «Add» button (blue cross) at the top left and fill out the form in the right panel. The name must be chosen carefully, because it cannot be changed afterwards. Editing a profile spans 5 tabs: General, Filtering.

Modifying a profile

Select the profile in the list on the left, modify its parameters in the form on the right, and validate with the green «Apply» button at the top right of each tab of the right panel that contains a modification. To cancel a modification in progress, quit with «Cancel» at the top right.

Deleting a profile

Select the profile in the list and press the «Delete» button (blue minus sign) at the top left. Multiple selections are possible. If the profile is used by at least one group, it cannot be deleted.

Edition of a profile

General

Defines the general properties of the computer accounts that use the profile.
- Profile name: it is important to choose the profile name carefully the first time, because it cannot be modified after validation.
- Disconnect if network idle more than: ends the user session after a certain time of Internet inactivity.
- Activate log: if this box is not selected, no log is stored.
- Do not store visited sites: stores in the log the beginning/end of session, reloading and errors, but not the visited Web sites.
- Automatic identification: if this option is selected, SurfPass automatically starts a session with the computer's name, or with the Windows user's name if the optional Windows authentication agent is installed on the clients.
- Automatic accounts creation: when a Windows account is used for the first time with SurfPass, SurfPass can automatically create it in its own base of users. The SurfPass user name is exactly the same as the Windows user name. For the membership group, SurfPass looks first in the comment of the Windows account, then in the names of the Windows membership groups of the Windows account. If the group could not be determined, SurfPass takes the name of the default user group (see below).
- Default user group: name of the user group used during the automatic creation of accounts when the group could not be found otherwise (correspondence between a SurfPass user group name and an Active Directory user group name).
- No time metering: if this option is activated, the time limited user accounts will not be debited during sessions on computers with this profile.

Filtering

Defines a set of rules to prohibit or authorize Internet sites or addresses when SurfPass is in idle mode, i.e. outside a user session. Addresses that must be accessible permanently, such as the update servers of an antivirus, should therefore be added here. The default behavior is defined by the box All connections are allowed (except for rules); the rules are exceptions to this default behavior. Generally this check box is not selected for a computer profile: Internet access is blocked outside user sessions. The rules which appear on a grayed background are disabled.
- All connections are allowed (except for rules): defines the default behavior; the rules are the exceptions to this default behavior. Select this option to operate in black list mode (everything is authorized except a few sites). If this option is not selected, no access to Internet is possible apart from the exceptions given in the authorization rules: this is white list mode, where everything is prohibited except a few sites.
- Warning forbidden sites: if selected, SurfPass displays a message to the user each time he/she tries to reach a prohibited site. In the case of advertising filtering, it is advised not to select this box, in order not to be disturbed by the very frequent display of the warning message. Whether or not the warning message is displayed does not change the filtering operation.
- Enable URL rewriting (SafeSearch): takes into account the domains defined in the "Rewriting" sub-tab.
- Enable SSL/TLS inspection: enables HTTPS decryption. This option must also be active at the global level. The "TLS exceptions" list works as a white list (its content is not decrypted) if the option is enabled, and as a black list otherwise (only the content of the list is decrypted). If this option is enabled in the user profile, it is advisable to also enable it in the corresponding computer profile.
- Filtering lists: activates or deactivates all the rules based on filtering lists.

The following parameters are the same as for the user profile, but they are in general not used in the computer profile.

[Figure: The tab Filtering of a computer profile]

The «Add» and «Delete» buttons at the top right make it possible to add or remove a simple rule or a list rule.

There are two operating modes for filtering:
- By black list: all the sites are authorized, except a few. In this case it is necessary to select the box All connections are allowed (except for rules) and to add blocking rules for the prohibited sites.
- By white list: by default everything is prohibited, except a few sites. In this case it is necessary to unselect the box All connections are allowed (except for rules) and to add authorization rules for the few sites which should not be blocked.

Parameters of a simple rule are:
- Action: Allow or Deny.
- Type: All, Domain (example: surfpass.com), URL (example: surfpass.com/index.html), IP (example: ), and newsgroup.
- Address: the address corresponding to the type.
- Protocol: TCP, UDP or both.
- Port: to be chosen in the list or typed in the editing zone.
- Priority: useful only in the case of conflict between two rules, for example to prohibit *.com and authorize surfpass.com. In this case, the rule with the highest priority wins.
- Comment: optional description of the rule.
- Disabled: the rule is not active.
- Quiet: neither user warning nor log entry when the rule is triggered.

Parameters of a list rule are:
- Action: Allow or Deny.
- Type: Domain (example: surfpass.com), URL (example: surfpass.com/index.html), IP (example: ), and newsgroup.
- List name: name of the list.
- Protocol: TCP, UDP or both.
- Port: to be chosen in the list or typed in the editing zone.
- Priority: useful only in the case of conflict between two rules.
- Comment: optional description of the rule.
- Disabled: the rule is not active.
- Quiet: neither user warning nor log entry when the rule is triggered.

[Figure: Edition of a rule of filtering in a computer profile]

Advanced functions

[Figure: Function Advanced computer profile]

The Advanced button at the top left allows:
- To replace a target profile by a source profile in all groups which use the target profile. It is a way to rename a profile: the administrator creates a new profile, sets its parameters as in the old one, then replaces the old one by the new one everywhere.
- To copy the contents of a profile to another. The filtering parameters can be copied separately. This function makes it possible to create a profile close to an already existing profile very quickly.

Global

This tab contains administration parameters which are common to the whole system.

General

Integration settings
- Network driver enabled. The network driver must be enabled in all modes of integration, except when only the explicit proxy mode is used. In this case it is advisable not to enable it.
  Proxy redirector enabled: must be enabled for transparent proxy mode.
  Forwarded ports: list of ports redirected to the transparent proxy. Generally ports 80 and 443.
  Local filtering enabled: do not activate unless the SurfPass server is installed on a TSE / Remote Desktop server.
- Proxy Activation. Must be enabled for the explicit proxy mode and the transparent proxy mode.
  Proxy port: Proxy listener, usually 8080 or The port must be valid in explicit and transparent proxy mode. The firewall must leave the port open only for explicit proxy mode.
- QoS enabled: this option allows a better balance of the bandwidth between the different user sessions.

Note: the gateway mode of SurfPass 6 is obtained with the following settings:
- Network driver enabled: enabled
- Proxy redirector enabled: disabled
- Proxy enable: disabled

In this mode, SSL/TLS inspection and SafeSearch are not available. Switching to transparent proxy mode makes all options available without changing the mode of integration.

[Figure: Tab Global, sub-tab General]

Licenses

Serial number: this is where you enter the serial number after installation. During the evaluation period, the number of days until expiration is shown here.


Filtering lists

SurfPass makes it possible to use several filtering lists, white or black. The lists can be either downloaded directly from the Internet, such as the black list of the University of Toulouse, or imported locally. The lists defined here are usable in the filtering rules of the user profiles (inside a user session) and in the filtering rules of the computer profiles (outside a user session, in idle mode). It is possible to update all the lists in a single operation.

Update

[Figure: Tab Global, sub-tab Filtering lists / Update]

- Update mode: the lists are automatically downloaded from the Internet at regular intervals.
- Manual download: forces the download of all lists (local and distant) which have the attribute Automatic update active.

Lists editing

The lists which appear on the left with a grayed background are disabled. To activate or disable a list, select it on the left, modify the activation option on the right, and validate the change with the «Apply» button at the top right.

[Figure: Tab Global, sub-tab Filtering lists / Lists editing]

Adding a new filtering list

Press the «Add» button at the top left. Then the various fields should be filled:
- Source: where the list comes from, for example Toulouse for the list of the University of Toulouse.
- List name: category (theme): Adult, Warez, Violence, advertising
- File: for example, certain lists contain a file domains and a file urls.
- Distant host: to be selected if the list must be downloaded (not present locally on the machine).
- Server: address of the HTTP server from which the list must be downloaded.
- Path: path of the file on the HTTP server. For the local lists, not downloaded, the path of the list is c:\program files\cogilab\surfpass7\lists\<Source>\<List name>\<File>.
- Multi-lists archive: should be selected when a multi-lists archive is used. In this case, fill in the name of the archive in the field Archive name.
- Archive name: used if several lists of several topics are packed in the same archive (multi-lists mode).
- Manual update: should be selected to include this list in the global manual update.
- Automatic update: should be selected to include this list in the global automatic update.
- Ignore IP format addresses: if this box is selected, addresses of this type will be ignored.
- List disabled: if this box is selected, the list is no longer used for filtering operations, for all profiles, without being deleted.
- Last update: contains the date of the last successful update.
- Entries: number of sites (addresses) or pages in the list.
- Size in bytes: list size, in bytes.

Modifying a filtering list

Select the list in the list on the left, modify its parameters in the form on the right, and validate with the green «Apply» button at the top right. To cancel a modification in progress, quit with «Cancel» at the top right.

Removal of a filtering list

Select the list and press the «Delete» button (blue minus sign) at the top left. Multiple selections are possible.

History

This tab contains log parameters which should be accessible only to the administrator.
- Rotation type: automatic (the frequency is the parameter below) or manual. In the latter case, the log is deleted only by the administrator.
- Log keeping duration (in days): depth of the log.
- Delete all: manual deletion of the log.

[Figure: Tab Global, sub-tab History]

Routing subnets

This tab is used to implement the SurfPass gateway. This tab must be accessed from the SurfPass server computer and not from a remote administration console.

[Figure: Tab "Global", sub-tab "Routing Subnets"]

- Name of the subnets route: description of the route.
- Private Interface (LAN): subnet interface whose traffic should be routed and filtered.
- Public Interface (WAN): subnet interface where the main router is located.
- NAT: Network Address Translation for IPv4.
- Disabled: disables the route without erasing it.

Port Forwarding
- Description: description of the port forwarding purpose.
- Source Port: the port used to redirect.
- Destination IP: IP address to which the port is redirected.
- Destination port: the port on the destination computer.
- Protocol: TCP, UDP, or both.

Remarks:
- If the client computers have a static IP address: just change the default gateway address of their network card to the IP address of the private (LAN) interface of the gateway. Other parameters such as DNS do not change.
- If the client computers, like wireless devices, have a DHCP IP address: a DHCP server software such as dhcpserver.de or Tftpd32 is installed on the gateway and set to be active on the private (LAN) interface of the gateway. The Wi-Fi access point is installed in bridge mode. Note: the DHCP server could be installed on any computer of the private (LAN) network, not necessarily on the gateway.

Auto Create stations

This tab allows you to choose in which computer group the new computers are added, based on their IP address. By default the new computers are added in the group "Generic".
- Range Description: the name of the IP range.
- Starting IP address: the first IP address in the range.
- Ending IP Address: the last IP address in the range.
- Default Computer Group: name of the group to which the new computers in the IP range are added.

[Figure: Tab "Global", sub-tab "Stations Auto Create"]

SSL/TLS inspection

Use this tab to enable SSL/TLS inspection. This option is disabled in all profiles if it is not enabled in this tab.
- Certificate authority: name of the local certificate authority of the SurfPass server, used to re-encrypt SSL/TLS connections to clients. The name may be that of the organization (company).
- Generate certificate: creates the CA certificate and automatically installs the private key on the SurfPass server. The corresponding public key is available in the Data folder / Certificates of SurfPass and must be installed on the clients, by double-clicking on the certificate file on each client.

Note:
- The private key stored on the SurfPass server can be exported from the Windows certificate store / Trusted Root Certificates, with the Windows certmgr.msc utility. It is advisable to keep a copy in a safe place, so that in case of complete reinstallation of the SurfPass server the public keys of all clients won't change. The private / public keys work as a single pair.
- IMPORTANT: The private key must be present on the SurfPass server. NEVER install the private key on a client, but only the public key available in the Data folder / Certificates folder of SurfPass.
- The public key can be freely distributed to users without special precautions, for example as part of BYOD.
- The IE, Chrome and Edge browsers use the Windows certificate store, so there is nothing special to do. The Firefox browser has its own certificate store; it is necessary to perform a second installation of the public key specifically for this browser: Options / Advanced / Certificates / View Certificates / Import
- It is possible to install the public key by GPO.

[Figure: Tab "Global", sub-tab "SSL/TLS inspection"]

Implementation of filtering

Any changes to the settings must be validated with the green "Apply" button at the top.

Block everything except a few ports (80, )

In the corresponding user profile, filtering tab:
- All connections are allowed (except for rules): unchecked.
- Simple rules: add a simple rule for each port to be allowed, with the following parameters:
  * Action: allow
  * Type address: all
  * Port: choice of the port in the list or numeric input (for example web or 80)
  * Priority: low.

User profiles and computer profiles

The choice of filtering (white or black list, allowed or prohibited sites...) is made in the "Filtering" tab of the corresponding user profile, such as "Unlimited". There is another filtering tab in the computer profile; this profile is active only when there is no user session in progress.

Prohibit / allow a filtering theme

The themes are present in the content analysis and in the black lists. In the case of lists, there are two ways to activate or disable a theme:
- If the modification covers all user profiles, enable or disable it directly in Global / Filtering lists / Lists editing.
- If the modification covers only one or a few profiles, activate or disable the filtering rule that uses the list in the filtering tab of the user profile.

White lists

Setting

In white list mode, the settings of the "Filtering" tab should be set as follows:
- All connections are allowed (except for rules): Off.
- Warning forbidden sites: On during the setup of the list, then turned off.
- Filtering lists: active if the white list is a separate list and not a set of simple rules. In the case of a separate list, all other lists must be disabled in the list rules.
- Content analysis filtering: Off.
- The rules must be allow and never deny in white list mode.

External links
- Some sites contain redirections to other sites. To determine which sites to add to the white list, open a short session on these sites under a black list (or unfiltered) SurfPass user account, then at the end of the session consult the log, which contains all these hidden sites, and add them to the white list.
- Some sites contain external links, for example to advertising or log analysis. These links will trigger the blocking of SurfPass in white list mode. For this reason, it is advisable to disable "Warning forbidden sites" in the "Filtering" tab when the filter is set in white list mode.
- It is recommended to keep Warning forbidden sites enabled during the development of the white list.

Allow e-mails

In white list mode, everything is blocked including e-mails. To allow them, add two authorization rules in the filtering tab of the user profile:
- Rule 1: Action: Allow; Address type: All; Port: smtp (preset in the list of ports, or possibly smtps); Priority: Medium; Disabled, Quiet: not checked.
- Rule 2: Action: Allow; Address type: All; Port: pop3 (preset in the list of ports, or possibly pop3s); Priority: Medium; Disabled, Quiet: not checked.

Allow all https sites

To allow all https sites, add a rule to allow all IP addresses for the port "https".

Do not forget the rule of the list of updates

It is advisable to keep the cleaning list and its associated rule, for example to allow the Windows or antivirus updates.

Black lists

How do I know which list blocks?

The blocking page shows the rule, which is also present in the log (denied sites). If nothing is indicated, it is the content analysis that triggered the blocking.

When not to display the warning forbidden sites

Setting a rule with no warning for forbidden sites is useful in the case of an advertising black list or a videos black list (filehosting, audio-video lists). For example, it prevents the display of the temporary blocking if a valid page embeds a Youtube video.

Creating a local list
- The list is created in a text editor, and stored in the directory tree c:\program files\cogilab\surfpass7\lists\<Source>\<List name>\<File>.
- Then declare the new list in the lists tab (Global / Filtering lists / Lists editing).
- Import the list a first time; check that the number of entries is correct.
- Then create the list rule in the corresponding user profile.
- A list is in itself neutral. It is the rule that makes the list permit or deny.

When making your own lists

It is advisable to use a local list when the number of sites is over 100. Creating a list is slightly more complex than using simple rules, but it has the advantage of having no limits, and the lists can be backed up.

SafeSearch

It is advisable for schools to enable SafeSearch in the SurfPass user profile.

Themes of Toulouse's black lists

Videos: Youtube and Dailymotion are in the audio-video and filehosting lists. Social networks: Facebook and Twitter are in social_networks.
| NAME OF THE LIST | DEFAULT | DESCRIPTION |
|---|---|---|
| adult | black | Some adult sites, from erotic to hard pornography. |
| agressif | black | Some aggressive sites. |
| astrology | black | Astrology |
| audio-video | black | Some audio and video sites. |
| blog | black | Some blog sites. |
| celebrity | black | Famous people, actors, and magazines which talk about them |
| cleaning | white | Cleanup, Antivirus etc. |
| dangerous_material | black | Sites which describe how to make bomb and some dangerous material. |
| dating | black | Dating, matching sites for single persons |
| drogue | black | Sites relative to drugs. |
| filehosting | black | Websites which host files (pictures, video,...) |
| financial | black | Sites relative to financial information. |
| forums | black | Forum sites. |
| gambling | black | Gambling and games sites, casino, etc. |
| games | black | Games sites (flash and online games) |
| hacking | black | Hacking sites. |
| liste_bu | white | A French list for educational sites. VERY locally oriented. May help libraries. |
| marketingware | black | Very special marketing sites |
| mixed_adult | black | Websites which contain adult sections, unstructured |
| mobile-phone | black | Sites for mobile phones (rings, etc.). |
| phishing | black | Phishing sites |
| publicite | black | Advertisement |
| radio | black | Internet radio sites |
| redirector | black | Some redirector sites, which are used to circumvent filtering. |
| sect | black | Sect |
| sexual_education | white | Websites which talk about sexual education, and can be misdetected as porn |
| shopping | black | Any shopping, selling center |
| social_networks | black | Social networks (Facebook, MySpace) |
| strict_redirector | black | Same as redirector, but with Google, Yahoo, and other cache/images search robots. |
| strong_redirector | black | Same as strict_redirector, but, for Google, Yahoo, we are only blocking some terms. |
| tricheur | black | Sites which are designed to explain cheating on exams. |
| warez | black | Warez sites. |
| webmail | black | Webmail sites (hotmail like...) |
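For the white-list development workflow and the "Creating a local list" steps above, the following Python code is an added example, not part of SurfPass or of the original guide. It reduces addresses copied from a session log to unique host names, writes them to a list file, and returns the entry count to compare with the number SurfPass reports at first import. Assumptions: the list file holds one host name per line (the guide does not specify the file format), and the log lines, the source name "local", the list name "school_whitelist" and the file name "domains" are constructed placeholders.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# Conservative host-name check: dot-separated labels of letters, digits, hyphens.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

# Constructed sample of addresses as they might be copied from a session log.
SAMPLE_LOG = [
    "http://www.example.org/index.html",
    "https://WWW.Example.org/about",        # same host, different case
    "cdn.example.net:443",                  # host:port without a scheme
    "http://stats.example.com./pixel.gif",  # trailing dot
    "http://192.0.2.10:8080/update",
    "",
    "http://bad host/",                     # not a usable host name
]


def host_of(entry):
    """Return the lower-cased host of a logged address, or None if unusable."""
    try:
        # urlsplit only recognises the host part when the text contains "//".
        host = urlsplit(entry if "//" in entry else "//" + entry).hostname
    except ValueError:  # for example a malformed bracketed address
        return None
    if not host:
        return None
    host = host.rstrip(".")
    if len(host) > 253 or not all(_LABEL.match(p) for p in host.split(".")):
        return None
    return host


def build_entries(log_lines):
    """Return (sorted unique hosts, rejected lines) for review before import."""
    hosts, rejected = set(), []
    for raw in log_lines:
        entry = raw.strip()
        if not entry:
            continue
        host = host_of(entry)
        if host is None:
            rejected.append(entry)
        else:
            hosts.add(host)
    return sorted(hosts), rejected


def write_list(list_file, hosts):
    """Write one host per line (assumed format) and return the entry count."""
    list_file.parent.mkdir(parents=True, exist_ok=True)
    list_file.write_text("".join(h + "\n" for h in hosts), encoding="ascii")
    return len(hosts)


def count_entries(list_file):
    """Re-read the file and count non-empty lines, as a check after editing."""
    text = list_file.read_text(encoding="ascii")
    return sum(1 for line in text.splitlines() if line.strip())


def demo():
    """Build the list in a temporary <Source>/<List name>/<File> tree."""
    entries, rejected = build_entries(SAMPLE_LOG)
    with tempfile.TemporaryDirectory() as root:
        list_file = Path(root) / "local" / "school_whitelist" / "domains"
        written = write_list(list_file, entries)
        return written, count_entries(list_file), rejected


if __name__ == "__main__":
    written, on_disk, rejected = demo()
    print(f"{written} entries written, {on_disk} counted on disk")
    print("rejected lines to review by hand:", rejected)
```

If the count shown by SurfPass after the first import differs from the count returned here, the difference points to duplicates, blank lines or entries the import did not accept.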

Synchronization with Active Directory

Introduction
Active Directory synchronization requires the installation on clients of the Windows authentication agent, available in the SurfPass account configuration: "Install Windows authentication agent." It is not necessary to activate the other options on client computers. The client must then be declared in the administration console in a computer group where the agent is activated, such as the computer group "Remote Desktop". Never put a client in this group if the agent is not present: navigation would be slowed.

Operation
By default the synchronization is automatic and transparent; there is no import to do. SurfPass has its own list of users, which allows it to function autonomously even without Windows / Active Directory synchronization. Each time a user connects to Windows for the first time after SurfPass is installed, his account is automatically added to the list of SurfPass users. For the user, SurfPass is completely transparent: he is identified only as usual in the Winlogon, and there is no additional SurfPass identification. Synchronization works not only with Windows user accounts in Active Directory, but also with local Windows user accounts. For a given session, the log keeps the name of the Windows computer and the name of the Windows user.

Correspondence of the user groups SurfPass / Active Directory
The group of an already existing user can easily be modified in the user's form, tab "Users". It is possible to assign each user a personalized group automatically. To do this, create user groups in SurfPass with exactly the same name (case, accents...) as the user groups involved in Active Directory. During automatic creation, SurfPass seeks a name match between at least one of the AD user groups of the new account and a user group in SurfPass. If it finds one, the user is automatically added to the corresponding group.
If SurfPass cannot make a connection between a SurfPass user group and an AD user group, it chooses as group the default group defined in "Computer profiles" / "generic" / "General".

Activation / deactivation
The tab "Computer profiles" / "generic" / "General" contains the parameters for the mode of identification. If the "Automatic identification" option is checked, identification is automatic; if not, it is done manually. Changes must be validated with the green button "Apply" in the upper right. The change will take effect after the reopening of a user session.
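Because a group name that differs only by case or accents sends the new account to the default group, the name correspondence is worth checking before users first log on. The following Python code is an added example, not SurfPass code: it applies the exact-name rule described above to exported group names and reports the near misses. All user and group names, including the default group name "Default", are constructed, and since the guide does not say which group is chosen when several AD groups match, that case is reported rather than resolved.

```python
import unicodedata

# Constructed sample data: group names as created in SurfPass ...
SURFPASS_GROUPS = [
    "\u00c9l\u00e8ves",  # "Eleves" written with its two accents
    "Teachers",
    "Staff",
]
DEFAULT_GROUP = "Default"  # hypothetical name of the configured default group

# ... and the AD group memberships of accounts not yet known to SurfPass.
AD_GROUPS_BY_USER = {
    "alice": ["Domain Users", "\u00c9l\u00e8ves"],
    "bob": ["Domain Users", "Eleves"],        # accents missing
    "carol": ["Domain Users", "teachers "],   # case and trailing space differ
    "dave": ["Domain Users"],
    "erin": ["Teachers", "Staff"],            # two exact matches
}


def fold(name):
    """Comparison key that ignores case, accents and spacing."""
    decomposed = unicodedata.normalize("NFKD", name)
    unaccented = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(unaccented.casefold().split())


def audit_group_mapping(ad_groups_by_user, surfpass_groups, default_group):
    """Predict the SurfPass group of each new account under exact-name matching.

    Returns {user: {"group": ..., "matches": [...], "near_misses": [...]}}.
    "matches" lists every AD group whose name equals a SurfPass group name.
    "near_misses" lists (ad_group, surfpass_group) pairs that differ only by
    case, accents or spacing, so the account falls back to the default group.
    """
    exact = set(surfpass_groups)
    by_key = {}
    for group in surfpass_groups:
        by_key.setdefault(fold(group), []).append(group)

    report = {}
    for user, ad_groups in ad_groups_by_user.items():
        matches = [g for g in ad_groups if g in exact]
        near = []
        if not matches:
            for g in ad_groups:
                near.extend((g, cand) for cand in by_key.get(fold(g), []))
        # The guide does not say which group wins when several AD groups
        # match, so that case is reported as None instead of being guessed.
        if len(matches) == 1:
            group = matches[0]
        elif matches:
            group = None
        else:
            group = default_group
        report[user] = {"group": group, "matches": matches, "near_misses": near}
    return report


if __name__ == "__main__":
    result = audit_group_mapping(AD_GROUPS_BY_USER, SURFPASS_GROUPS, DEFAULT_GROUP)
    for user, row in result.items():
        if row["near_misses"]:
            print(f"{user}: falls back to {row['group']!r}, "
                  f"near miss {row['near_misses']}")
        elif row["group"] is None:
            print(f"{user}: several groups match {row['matches']}, check by hand")
        else:
            print(f"{user}: {row['group']!r}")
```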

History
It is possible to consult the logs of the computers for which the parameter "Do not store visited sites" is not activated in the user profile and computer profile.

Tab History
There are 6 report forms:
- Events per session: users sessions, sites, reloading, errors
- Events merged: all events of all sessions in chronological order.
- Allowed sites: all sites which were not blocked.
- Denied sites: all sites which were blocked.
- Users: time spent by the users, reloading of the accounts.
- Security: indicators of compromise for the 10 computers and 10 users most at risk.

The filters for the log visualization are:
- The choice of the report (events, allowed sites, denied sites, users).
- The period (today, yesterday), which can be personalized with the beginning and end dates/hours.
- The users (all, one group, only one).
- The computers (all, one group, only one).

Once these parameters are entered, press the button "Display" or "Report".

Reloading

Reloading of the accounts
Reloading does not apply to administration accounts or unlimited user accounts. The left panel makes it possible to reload an existing account. The button "refresh" forces the reloading from the database, but does not reflect the exact value of an account currently in use. For that, it is necessary to use the module "Real-time". The reload form can be accessed from a SurfPass account with the administrator right "Create / reload." In other cases, the "Credit" icon does not appear in the top banner. The right panel makes it possible to create a new user account.

Tab Credit

Use

Connection to Internet

Captive portal
If the computer profile does not have the "Automatic Identification" option enabled and the optional client agent is not installed, it is necessary to be identified through the captive portal to access the Internet. The captive portal cannot be called directly; it is reached by trying to open an external site, to which the user is redirected after the identification. This site should be an HTTP site and not an HTTPS site. If the browser home page is Google, the address of that page should have the following value in the browser settings: After authentication in the captive portal, there will be an automatic redirection to the HTTPS version of the site. If NTLM / Kerberos authentication is enabled on the client computer, the dialog is not displayed and it is the name of the authenticated Windows user that is used for SurfPass identification.

Windows Authentication Agent
In this mode the opening of the SurfPass user session is automatic. The name of the SurfPass user is the same as that of the current Windows user.

Browsing
Once the connection is open, any Internet program can be launched (explorers, e-mail, etc.). SurfPass remains transparent during use as long as the services and addresses are allowed. Otherwise, the following dialogue box is displayed:

The user tried a prohibited access

Disconnect

Captive portal
Session end:
- By the end of user rights: exhausted time, time slots, etc.
- By inactivity: the default time is 2 hours. It is possible to reduce this value to 5 minutes in the computer profile / tab "General" / "Disconnect if network is idle for ()".
- Manually: calling from the client browser the URL: <IP of the private interface>:8081/status.html

Windows Authentication Agent
The logoff happens automatically when closing the Windows session.


More information

Crestron Mercury Tabletop UC Audio Conference Console for Microsoft Teams

Crestron Mercury Tabletop UC Audio Conference Console for Microsoft Teams CCS-UC-1-T Crestron Mercury Tabletop UC Audio Conference Console for Microsoft Teams Supplemental Guide Crestron Electronics, Inc. Crestron product development software is licensed to Crestron dealers

More information

Chapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM

Chapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM Chapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM Topology Note: ISR G1 devices use FastEthernet interfaces instead of GigabitEthernet interfaces. 2015 Cisco and/or its affiliates. All rights

More information

ForeScout Extended Module for Tenable Vulnerability Management

ForeScout Extended Module for Tenable Vulnerability Management ForeScout Extended Module for Tenable Vulnerability Management Version 2.7.1 Table of Contents About Tenable Vulnerability Management Module... 4 Compatible Tenable Vulnerability Products... 4 About Support

More information

Network Camera. Application Guide 1.5 Before operating the unit, please read this manual thoroughly and retain it for future reference.

Network Camera. Application Guide 1.5 Before operating the unit, please read this manual thoroughly and retain it for future reference. A-EAK-100-15 (1) Network Camera Application Guide 1.5 Before operating the unit, please read this manual thoroughly and retain it for future reference. 2012 Sony Corporation Table of Contents Overview

More information

Broadband Router. User s Manual

Broadband Router. User s Manual Broadband Router User s Manual 1 Introduction... 4 Features... 4 Minimum Requirements... 4 Package Content... 4 Note... 4 Get to know the Broadband Router... 5 Back Panel... 5 Front Panel... 6 Setup Diagram...7

More information

Managing Certificates

Managing Certificates CHAPTER 12 The Cisco Identity Services Engine (Cisco ISE) relies on public key infrastructure (PKI) to provide secure communication for the following: Client and server authentication for Transport Layer

More information

Online Backup Manager v7 Quick Start Guide for Synology NAS

Online Backup Manager v7 Quick Start Guide for Synology NAS Online Backup Manager v7 Quick Start Guide for Synology NAS Copyright Notice The use and copying of this product is subject to a license agreement. Any other use is prohibited. No part of this publication

More information

Model No. KX-HCM110A. Trademarks... 2 Abbreviations... 2 Troubleshooting... 3

Model No. KX-HCM110A. Trademarks... 2 Abbreviations... 2 Troubleshooting... 3 Network Camera Model No. KX-HCM110A Table of Contents Trademarks... 2 Abbreviations... 2... 3 Indicator Error Codes... 3 Camera Setup Difficulties... 4 Camera Image/Page Display... 7 Operation Bar... 13

More information

Administrator's Guide

Administrator's Guide Administrator's Guide Contents Administrator's Guide... 7 Using Web Config Network Configuration Software... 8 About Web Config... 8 Accessing Web Config... 8 Changing the Administrator Password in Web

More information

Remote Support Web Rep Console

Remote Support Web Rep Console Remote Support Web Rep Console 2017 Bomgar Corporation. All rights reserved worldwide. BOMGAR and the BOMGAR logo are trademarks of Bomgar Corporation; other trademarks shown are the property of their

More information

Dominion KX II-101. Quick Setup Guide. Step 1: Configure the Target Server

Dominion KX II-101. Quick Setup Guide. Step 1: Configure the Target Server Dominion KX II-101 Quick Setup Guide Thank you for your purchase of the KX II-101, the industry's most full-featured, enterprise-class, secure, digital KVM (Keyboard, Video, Mouse) switch. This Quick Setup

More information

Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS)

Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS) Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS) This chapter provides information about Hypertext Transfer Protocol over Secure Sockets Layer. HTTPS, page 1 HTTPS for Cisco Unified IP Phone

More information

Setting Up a Mitel SX-2000 Digital PIMG Integration with Cisco Unity Connection

Setting Up a Mitel SX-2000 Digital PIMG Integration with Cisco Unity Connection Up a Mitel SX-2000 Digital PIMG Integration with Cisco Unity Connection Up a Mitel SX-2000 Digital PIMG Integration, page 1 Up a Mitel SX-2000 Digital PIMG Integration Task List for Mitel SX-2000 PIMG

More information

Liferay Portal 4 - Portal Administration Guide. Joseph Shum Alexander Chow Redmond Mar Jorge Ferrer

Liferay Portal 4 - Portal Administration Guide. Joseph Shum Alexander Chow Redmond Mar Jorge Ferrer Liferay Portal 4 - Portal Administration Guide Joseph Shum Alexander Chow Redmond Mar Jorge Ferrer Liferay Portal 4 - Portal Administration Guide Joseph Shum Alexander Chow Redmond Mar Jorge Ferrer 1.1

More information

MRD-310 MRD G Cellular Modem / Router Web configuration reference guide. Web configuration reference guide

MRD-310 MRD G Cellular Modem / Router Web configuration reference guide. Web configuration reference guide Web configuration reference guide 6623-3201 MRD-310 MRD-330 Westermo Teleindustri AB 2008 3G Cellular Modem / Router Web configuration reference guide www.westermo.com Table of Contents 1 Basic Configuration...

More information

Configuring the VPN Client

Configuring the VPN Client Configuring the VPN Client This chapter explains how to configure the VPN Client. To configure the VPN Client, you enter values for a set of parameters known as a connection entry. The VPN Client uses

More information

Remote Access VPN. Remote Access VPN Overview. Licensing Requirements for Remote Access VPN

Remote Access VPN. Remote Access VPN Overview. Licensing Requirements for Remote Access VPN Remote Access virtual private network (VPN) allows individual users to connect to your network from a remote location using a laptop or desktop computer connected to the Internet. This allows mobile workers

More information

DocAve for Salesforce 2.1

DocAve for Salesforce 2.1 DocAve for Salesforce 2.1 This document is intended for anyone wishing to familiarize themselves with the user interface and basic functionality of AvePoint s DocAve for Salesforce tool. System Requirements

More information

GUIDE for Authentication

GUIDE for Authentication R3000 USER GUIDE for Authentication Model: R3000 Release 3.0.00 Manual Version 1.01 ii 8E6 TECHNOLOGIES, R3000 AUTHENTICATION USER GUIDE R3000 AUTHENTICATION USER GUIDE 2009 8e6 Technologies All rights

More information