Olfeo Solution€¦ · eMail: [email protected] Phone: +33 (0)1.78.09.68.01 URL Reclassification Service This email address is made available by Olfeo. You can use it to request a

Olfeo Solution

User guideCopyright © Olfeo

Version:1.0.6

Legal information

Copyrights

© Copyright 2014 Olfeo. All rights reserved. This documentation cannot be used unless under a license contract withthe Olfeo company.

No fragment of this publication can be reproduced, transferred, transcribed, saved on an archiving system or convertedto any machine language, to any format or through any means, unless you have a prior written authorization from Olfeo.Olfeo gives you limited rights, authorizing you to print or make any other type of copies of the entire documentation foryour own use, as long as these copies contain the Olfeo copyright. No other right regarding copyrights is given withouta prior written agreement from Olfeo.

The information contained in this document is subject to change without notice.

Trademarks

Olfeo is an internationally registered trademark of the Olfeo company.

This document contains names, logos, software components or materials that are the property of third-party editors andowners:

• Java, JavaScript, and their respective logos are registered trademarks of Oracle Corporation.• MySQL is a registered trademark of MySQL AB Company.• SSH is a registered trademark of Communications Security Corp. CORPORATION FINLAND.• Linux is a registered trademark of Linus Torvalds.• Realplayer is a registered trademark of RealNetworks, Inc.• Windows Media Player, Microsoft Excel, Microsoft, Windows, Active Directory, Hyper-V, Internet Explorer and

their respective logos are trademarks of Microsoft Corporation.• Check Point FireWall-1, SmartDashboard, SmartCenter, OPSEC and their respective logos are trademarks or

registered trademarks of Check Point Software Technologies Limited.• Netasq and its logo are trademarks of Netasq (SA).• eDirectory is a trademark of Novell, Inc.• OpenLDAP is a trademark of the OpenLDAP Foundation.• ClamAV is a registered trademark of Sourcefire, Inc.• Websense is a registered trademark of Websense, Inc.• WISP is the protocol developed by Websense, Inc.• Cisco Pix, ASA are trademarks or registered trademarks of Cisco Technology, Inc.• Nagios is a registered trademark of Nagios Enterprises, Llc.• Firefox is a registered trademark of the Mozilla Foundation.• HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium,

Massachusetts Institute of Technology.• Squid is a proxy software distributed under the terms of the GPL (GNU General Public License).• ICAP protocol is documented in RFC 3507.

All other brand names mentioned in this manual or in all the other documentation provided with the Olfeo products aretrademarks or registered trademarks of their respective owners.

Contacts

Olfeo15, Boulevard Poissonnière75002 ParisFrance

Customer Account Management Service

Whether you are a partner or the end user of the Olfeo solution, the Olfeo Customer Account Management Service isat your disposal for any comments and requests.

eMail: [email protected]: +33 (0)1.78.09.68.07

Olfeo Technical Support

The access to Support is reserved for the clients with "ISV Direct Technical Support" agreement. If you would like tohave direct contact with our technical engineers, please contact your Customer Account Management Representative.

eMail: [email protected]: +33 (0)1.78.09.68.01

URL Reclassification Service

This email address is made available by Olfeo. You can use it to request a possible re-categorization of a URL.

eMail: [email protected]

Documentation Departement

You can send documentation comments or correction request to the following email address.


Consulting and Training Department

Use the following email address to send comments or questions regarding Olfeo Consulting and Training services.



mailto:[email protected]






Olfeo Solution / User guide / 7

Contents

Chapter 1: Menu: URL Filtering......................................................................... 111.1 Sub-menu: Categories.................................................................................................................................. 12

1.1.1 Looking up a URL Category........................................................................................................ 131.1.2 Creating your own category..........................................................................................................141.1.3 Using a category............................................................................................................................15

1.2 Sub-menu: Categories Group....................................................................................................................... 161.2.1 Creating a categories group.......................................................................................................... 171.2.2 Using a categories group...............................................................................................................17

1.3 Sub-menu: Web 2.0 Lists.............................................................................................................................181.3.1 Creating a Web 2.0 list................................................................................................................. 191.3.2 Twitter............................................................................................................................................201.3.3 Dailymotion................................................................................................................................... 211.3.4 Setting up a Web 2.0 list.............................................................................................................. 22

1.4 Sub-menu: Policies.......................................................................................................................................231.4.1 Creating a URLs filtering policy.................................................................................................. 251.4.2 Configuring a URL filtering policy.............................................................................................. 27

Chapter 2: Menu: Protocol Filtering....................................................................292.1 Sub-menu: Protocols.................................................................................................................................... 302.2 Sub-menu: Policies.......................................................................................................................................30

2.2.1 Creating a protocol filtering policy...............................................................................................312.2.2 Assigning a protocol filtering policy............................................................................................ 33

Chapter 3: Menu: Proxy Cache Qos.................................................................... 353.1 Sub menu: HTTP......................................................................................................................................... 36

3.1.1 Configuring the HTTP proxy........................................................................................................373.1.2 Configuring HTTP Proxy Authentication..................................................................................... 413.1.3 Configuring HTTP Proxy Cache...................................................................................................463.1.4 Cache Statistics..............................................................................................................................503.1.5 Configuring the QOS.................................................................................................................... 51

3.2 Submenu : FTP.............................................................................................................................................533.2.1 Configuring the FTP Proxy...........................................................................................................543.2.2 Configuring FTP Proxy authentication......................................................................................... 55

3.3 Sub menu: RTSP..........................................................................................................................................563.3.1 Configuring the RTSP proxy........................................................................................................ 57

3.4 Sub menu: TCP............................................................................................................................................ 573.4.1 Configuring the TCP proxy.......................................................................................................... 58

3.5 Sub menu: SOCKS.......................................................................................................................................593.5.1 Configuring the SOCKS proxy..................................................................................................... 593.5.2 Configuring an authentication for the SOCKS proxy...................................................................60

Chapter 4: Menu: Antivirus..................................................................................614.1 Sub-menu: Parameters..................................................................................................................................62

4.1.1 Antivirus parameters......................................................................................................................634.1.2 Creating an ICAP connector for the antivirus.............................................................................. 654.1.3 Enabling the antivirus................................................................................................................... 66


4.2 Sub-menu: Log............................................................................................................................................. 68

Chapter 5: Menu: Mobility Controller................................................................ 715.1 Sub-menu: Portals........................................................................................................................................ 72

5.1.1 Adding a public portal.................................................................................................................. 735.2 Sub-menu: Voucher Types...........................................................................................................................75

5.2.1 Add a voucher type.......................................................................................................................765.3 Sub-menu: Access Control Lists..................................................................................................................78

5.3.1 Add an operator to the public portal.............................................................................................785.4 Sub-menu: Messages.................................................................................................................................... 79

5.4.1 Creating a message set..................................................................................................................805.4.2 Creating a template set..................................................................................................................825.4.3 Previewing custom messages and template set.............................................................................845.4.4 Assigning your messages and template sets................................................................................. 85

5.5 Activating the public portal......................................................................................................................... 855.6 Operator portal..............................................................................................................................................87

5.6.1 Operator: Creating accounts..........................................................................................................895.6.2 Viewing existing accounts information........................................................................................ 915.6.3 Modifying existing account information.......................................................................................92

Chapter 6: Menu: Rules........................................................................................ 956.1 Sub-menu: Users.......................................................................................................................................... 96

6.1.1 rules engine....................................................................................................................................966.1.2 Users list...................................................................................................................................... 100

6.2 Sub-menu: Quotas...................................................................................................................................... 1086.2.1 Creating a time quota..................................................................................................................1096.2.2 Creating a volume quota............................................................................................................. 1106.2.3 Using a quota.............................................................................................................................. 111

6.3 Sub-menu: Time slots................................................................................................................................ 1126.3.1 Creating a timeslot...................................................................................................................... 1126.3.2 Using a timeslot...........................................................................................................................113

6.4 Sub-menu: URLs lists................................................................................................................................ 1146.4.1 Creating a URL List....................................................................................................................1146.4.2 Using a URLs list........................................................................................................................115

6.5 Sub-menu: Messages.................................................................................................................................. 1166.5.1 Creating a Message Set...............................................................................................................1176.5.2 Creating a templates set.............................................................................................................. 1196.5.3 Previewing your custom pages................................................................................................... 1216.5.4 Assigning the message and template sets................................................................................... 122

6.6 Submenu: Internet Charters........................................................................................................................1226.6.1 Creating an Internet Charter........................................................................................................1246.6.2 Enabling an Internet charter........................................................................................................1266.6.3 History of Internet charter acceptance........................................................................................ 127

Chapter 7: Menu: Analysis..................................................................................1297.1 Submenu: Creation..................................................................................................................................... 130

7.1.1 Creating a report or analysis.......................................................................................................1327.1.2 Performing a time spent analysis................................................................................................137

7.2 Submenu: Consultation...............................................................................................................................1387.2.1 Displaying a report......................................................................................................................1397.2.2 Setting the report retention period.............................................................................................. 1437.2.3 Displaying an analysis.................................................................................................................144

7.3 Submenu: Diffusion lists............................................................................................................................146


7.3.1 Creating a diffusion list...............................................................................................................1477.4 Submenu: Coaching....................................................................................................................................149

7.4.1 Configuring coaching.................................................................................................................. 1507.4.2 Enabling the coaching feature.....................................................................................................152

7.5 Submenu: Livelog...................................................................................................................................... 1537.6 Submenu: Log extract................................................................................................................................ 157

7.6.1 Extracting statistics......................................................................................................................158

Chapter 8: Menu: Parameters............................................................................ 1638.1 Submenu: Architecture............................................................................................................................... 164

8.1.1 Creating a connector................................................................................................................... 1648.1.2 Adding a proxy.pac..................................................................................................................... 1708.1.3 Implementing a proxy.pac...........................................................................................................171

8.2 Submenu: Authentication........................................................................................................................... 1718.2.1 Adding an Active Directory enterprise directory and synchronizing the users...........................1738.2.2 Adding a LDAP compatible enterprise directory and synchronizing the corresponding users....1778.2.3 Joining the Olfeo solution to the Windows domain................................................................... 1808.2.4 Grouping and prioritizing authentications in a mode................................................................. 181

8.3 Submenu: High Availability.......................................................................................................................1828.3.1 Creating an Olfeo Domain.......................................................................................................... 1848.3.2 Joining an Olfeo domain.............................................................................................................1858.3.3 Creating a cluster.........................................................................................................................1878.3.4 Adding a secondary logs server..................................................................................................188

8.4 Submenu: Administrators........................................................................................................................... 1898.4.1 Olfeo Rights Principle.................................................................................................................1908.4.2 Adding an administrator..............................................................................................................1938.4.3 Adding rights to an administrator............................................................................................... 194

8.5 Sub-menu: Network....................................................................................................................................1958.5.1 DNS Configuration......................................................................................................................1968.5.2 Configuring SMTP...................................................................................................................... 1978.5.3 SMS Configuration......................................................................................................................1988.5.4 Sending a test SMS..................................................................................................................... 2008.5.5 Configuring the HTTP proxy......................................................................................................2008.5.6 Testing your network configuration............................................................................................201

8.6 Submenu: System....................................................................................................................................... 2028.6.1 Stop/Start Configuration..............................................................................................................2048.6.2 Configuring the NTP synchronization........................................................................................ 2058.6.3 Configuring logs archiving..........................................................................................................2068.6.4 Enabling Olfeo administration console HTTPS access.............................................................. 207

8.7 Submenu: Monitoring.................................................................................................................................2088.7.1 Enabling email based system notifications................................................................................. 2118.7.2 Filtering system events by type.................................................................................................. 2128.7.3 Configuring SNMP agents' access to Olfeo................................................................................2138.7.4 Adding a syslog server................................................................................................................2138.7.5 Forcing execution of a scheduled task........................................................................................214

8.8 Submenu: Updates......................................................................................................................................2158.8.1 Updating Olfeo............................................................................................................................ 2178.8.2 Manually updating the Olfeo URL database.............................................................................. 2188.8.3 Configuring Olfeo URL database automatic update...................................................................2188.8.4 Entering your Olfeo license........................................................................................................ 2198.8.5 Renewing your license................................................................................................................ 220

8.9 Submenu: Backup.......................................................................................................................................2218.9.1 Creating a CIFS mount point in Olfeo....................................................................................... 2228.9.2 Mounting an NFS share in Olfeo................................................................................................2238.9.3 Configuring a Backup Destination in Olfeo............................................................................... 224


8.9.4 Creating a Backup Task.............................................................................................................. 2258.9.5 Manually running a backup task.................................................................................................2268.9.6 Restoring a backup......................................................................................................................2278.9.7 Backing up legal traffic logs (RAW and NCSA)....................................................................... 227

8.10 Submenu: Advanced.................................................................................................................................2288.10.1 Redirecting Olfeo Blocking Pages............................................................................................ 2308.10.2 Configuring a gateway.............................................................................................................. 2318.10.3 Auto Populating Users.............................................................................................................. 234

8.11 Submenu: Support.................................................................................................................................... 2358.11.1 Opening a Technical Support Tunnel....................................................................................... 236

Chapter 9: Syntax.................................................................................................2399.1 Regex Syntax..............................................................................................................................................240

Chapter

1Menu: URL Filtering

Topics:

• Sub-menu: Categories• Sub-menu: Categories Group• Sub-menu: Web 2.0 Lists• Sub-menu: Policies

1 Menu: URL Filtering


Sub-menu: Categories

The page [URL Filtering] > [Categories] allows you to view the list of Olfeo categories and to the category a givenURL belongs to..

A category is a group of URLs sorted in the Olfeo database. The categories are organized by themes and updated daily. Actually, every 15 minutes all the Olfeo solutions reassemble the unknown URLs that are encountered on a centralsite. A multilingual team then sorts them in order to integrate them in categories. These categories are then returned toOlfeo solutions through an update in the internal database. Through this process the database of your Olfeo solution isconstantly updated, which enables you to benefit from a very performant and dynamic filtering.

Note: If you want you can add your own categories or add URLs to existing categories in the Olfeo database.



Looking up a URL Category

1. Go to the page containing the categories via the following menus [URL Filtering] > [Categories].

Section: Categories

2. Enter the URL for which you want to know the category in the [Search URL] field.

Warning: You must enter the URL fully qualified domain name to find its Olfeo category (e.g.www.google.fr).

3. Click on the [Search] button.

4. The result of the search will be displayed in front of the label Result.

Note: An unknown URL will have as a result: Others > URL Not classified.



Creating your own category

1. Go to the page containing the categories via menus [URL Filtering] > [Categories].

Section: List

2. In the List section of the categories, expand the My categories tree using the icon .

3. Click on the link [Add a category].

Section: Category

4. Enter a name in the [Label] field.

5. Enter a description in the [Description] field.

6. You can also enter an alias in the [Alias] field.

Note: When viewing a blocking page, the [Alias] field content will be displayed.

Imagine that you did set the alias "Banned Site" for the category "Sex - Pornography". When the blockingpage will be displayed, the user will be notified: This site is classified as: "Bannedsite".



Note: In statistics, it is the name of the category that will be displayed and not the alias.

Section: URLs added

7. In order to add URLs in the category you want to create, you have two options:

• you can add a list of URLs from a text file by selecting it with the button [Browse] and then clicking on:

• the button [Add] to import [Added URLs] field content.• the button [Replace] to replace the [List] field content.

• You can manually add the URLs in the [List] field.

Each line of your category should contain a single URL and then end with a "new line". You can create URLs usingthe REGEX syntax explained in the chapter Regex Syntax on page 240.

Here is an example of a list of URLs:

http://www.facebook.fr.*youtube\.fr.*google\.fr.*http://www.dailymotion.fr.*yahoo\.fr.*

8. Click on the [Create] button to create your own category.

Using a category

Categories are used either in a policy, or in the rule engine.

• To use a category in a policy, go to the [URL Filtering ] > [Policies] page. Then edit the desired policy and set yourcategory in the Destination column for the rule that you want to modify.

• To use a category in the rule engine, go to the [Rules] > [Users] page and use your category in the Destinationcolumn for the rule you want to modify.



Sub-menu: Categories Group

The page [URL Filtering] > [Categories Group] enables you to create lists of categories. A category group allowsyou to regroup the categories of your choice.

The categories group can be used in the policies ([URL Filtering] > [Policies]).



Creating a categories group

1. Go to the page for categories group creation via the following menus [URL Filtering] > [Categories Group].

2. Click on [Add group of categories].

Section: Categories group

3. Enter a name for the new categories group in the [Label] field.


Section: Categories

5. Select one or more categories from the list [Categories] to create your list.

To select multiple categories you will need to use the CTRL key on your keyboard.

a) Press without release the CTRL key on your keyboard.

b) Using the mouse click on one or more of the categories you want to include in your list.

c) Release the CTRL key when the list is complete.

6. Click on [Create] to create your categories group.

Using a categories group

In order to use a categories group, it needs to be used in a policy, or in the rule engine.

• To use a categories group in a policy, go to page [URL Filtering] > [Policies]. Then edit the policy you want anduse your categories group in the Destination column of the rule you want to modify.



• To use a categories group in the rule engine, go to page [Rules] > [Users] and set your categories group in theDestination column of the rule you want to modify.

Sub-menu: Web 2.0 Lists

The page [URL Filtering] > [Web 2.0 List] allows you to create lists detailing the content of some Web 2.0 sites youwant to allow or block. The granularity of filtering operations on each of these sites offers a rich feature set and allowsa more accurate and less restrictive filtering.



Creating a Web 2.0 list

1. Go to the Web 2.0 list creation page via the menus [URL Filtering] > [Web 2.0 List].

2. Click on [Add Web 2.0 list].

Section: Web 2.0 lists


4. Enter a description in the field [Description].

5. Add a media file using the button .

Window: Media

6. Select a Web 2.0 to add using the radio button from the Label column.

Window: Objects

7. Select from the dropdown list [Select] the Web 2.0 site resources you want to filter on.

Option Description

Dailymotion • Native Applications: Allows you to create a filter for the Web 2.0 features of theDailymotion website.

• Posters: Allows you to filter by Dailymotion videos posters.• Videos: Allows you to filter specific videos found on DailyMotion.

Twitter • Natives Applications: Allows you to create a filter specific Twitter Web 2.0 features.

Warning: Olfeo reserves the right to change the features available for each media/Web 2.0 site at anytime based on the changes underlying of the respective websites.

8. Configure the filtering operations based on the media above.



Option Description

Dailymotion The documentation needed for Dailymotion configuration is here: Dailymotion on page21.

Twitter The documentation needed for Twitter configuration is here: Twitter on page 20.

9. Click on [Create] to save the changes.

Tab: Web 2.0 Lists

10. Click on [Create] to create your Web 2.0 list.

Twitter

Twitter is a microblogging service that allows users to blog using short messages (140 characters, one or two sentences).Besides this limitation, the main difference between a traditional blog and Twitter, is the fact that Twitter does not invitereaders to comment on posts.

The limitation of Twitter messages to 140 characters has fostered the emergence of content platforms, such as TwitPicthat allows sending images and photos.

With Olfeo you can filter Twitter content as follows:

• Select [Native Apps] from the menu [Select].

Table 1: Window: Objects. Menu: Native Apps

Native Apps Option

Content • Photos: Photos in different elements of Twitter (tweet, profile, search, etc.).• Vidéos: Videos in searches, ... .• Places: Places in trends.• Follow: Subscription to a source of tweets.• Trends: Twitter Trends.• Re-tweets: Transfer of a tweet and of the access to re-tweets.• Search in tweets: Search in tweets and saved searches.• Suggestions: Comments of tweets and sending of comments.

User Homepages • Settings of all options: Access to edit the general parameters (accounts,functionalities, photos, videos).

• Phone parameters: Display mobile phone parameters from the profile.• Account parameters: Access to editing the profile parameters.

Miscellaneous • About: Access to the About page of the Twitter site.• Terms of use and contracts: Page Terms and conditions of use of the Twitter site.• Help and suggestions: Section Help and Suggestion of the Twitter site.

User contribution • About: Access to the About page of the Twitter site.• Terms of use and contracts: Page Terms and conditions of use of the Twitter site.• Help and suggestions: Section Help and Suggestion of the Twitter site.

Third Party Sites related to Twitter • Twitpic (image publishing): Access to Twitpic (twitpic.com).• Twitvid (video publishing): Access to Twitvid (twitvid.com).• Twitgoo (image hosting): Access to Twitgoo (twitgoo.com).• Bubbletweet (image cropping): Access to Bubbletweet (www.bubbletweet.com).



Dailymotion

Dailymotion is a site for video sharing and hosting. In Olfeo you can filter the following content of Dailymotion:

• Select [Natives Applications] from the menu [Select]:

Natives Applications Option

Multimedia Content: Multimediacontent (video, ...) available onDailymotion.

• Videos: Video content.

Pages: This feature groups differentpages from DailyMotion.

• Channels: Access to thematic channels proposed by Dailymotion : News andPolitics, Cooking, Video games, ... .

• Quick list: Access to the quick list (Quick List) associated to the Dailymotionconnected account.

• Contests: Access to the contests section of Dailymotion.• History: Access to the history page of the Dailymotion connected account.• Blog: Access to the Dailymotion blog.• Playlists: Access to Playlists defined for the connected user.

Account management: This setcontains certain functions related tothe management of a Dailymotion useraccount.

• Preferences: Access to user account preferences for the connected user.• Identification: Access to the identification function of Dailymotion. This criterion

allows you to block the use of a Dailymotion personal account.• Subscription: Access to create a Dailymotion account. You can prevent the creation

of personal accounts.

User contribution: This set containsfunctions of Dailymotion that arespecific to the connected user.

• Favorites: Access to the Favorites function of Dailymotion.• Playlists: Access to playlists defined by the connected user.

Miscellaneous: This set containsvarious other functions/pages specific toDailymotion.

• Solution Pro: Access to the professional part of Dailymotion (Dailymotion Cloud).

• Select [Posters]: Allows applying a filtering policy on all Dailymotion content issued by one or more users. Enteringposters IDs can be done by selecting Posters from the dropdown list of Dailymotion and specify the posters IDsyou want to filter.

Figure 1: Example of adding a poster

• Select [Videos]: Filter the videos of Dailymotion according to a list of IDs/video ID numbers. These video IDs areautomatically assigned by Olfeo depending on the URLs of the indicated videos. Add each URL of the videos, oneby one in the text box URLs of videos to add and click on the Add button.



Figure 2: Example of adding a video

Setting up a Web 2.0 list

To set up a Web 2.0 list you need to go to policy.

To use a Web 2.0 list in a policy, go to the [URL Filtering] > [Policies] page. Edit the policy you want and then setyour Web 2.0 list in the Destination column of the rule you want to modify.



Sub-menu: Policies

An URL filtering policy is a set of predefined rules that you can assign to an organizational unit, to a user group, toa specific user or to an IP address.

The URL filtering policies can be created via the menu [URL Filtering] > [Policies].

The policies are assigned to users in the lower part of the rule engine (menu [Rules] > [Users]), more specifically inthe Protocol Filtering column.

Warning: The policies are executed only when the general rule engine has the field [Fallthrough rule] setto Apply user policy.



Figure 3: Field [Fallthrough rule]

The Olfeo solution evaluates filtering policies starting with the lowest level (the user or the IP address), and then goesupwards to the highest level (the default configuration) until it finds a filtering rule matching the request context.

A URLs filtering policy can inherit a policy from a higher level. To configure inheritance of a higher policy, edit thechild policy in [URL Filtering] > [Policies] and set the field [Fallthrough rule] to the value Upstream policy.

A policy whose inheritance is positioned will be displayed with the icon while a policy without inheritance will be

displayed with the icon .

Note: To facilitate navigation, if you click on the icon or you will have direct access to edit the attachedpolicy.



Creating a URLs filtering policy

1. Go policy creation page via the menu [URL Filtering] > [Policies].

2. Click on [Add a policy].

Section: Policy

3. Enter a name for the new policy in the [Label] field.


Section: Rules

5. Add a rule using the button .



6. In the newly created rule, click on the link from the Time slot column, then click on one of the time ranges in theLabel column.

Note: If you want to create a timeslot go here: Sub-menu: Time slots on page 112.

7. In the newly created rule, click on the link from the Scheme column then click on the protocol(s) for which yourrule will be applied.

The possible protocols are:

• ftp• http• https

8. In the newly created rule, click on the link from Destination column, then click on the type of destination for whichyou want to apply the rule via the menu [Select].

a) If you would like to filter the URLs by a regex regular expression click on [URL (regex)] then enter the regularexpression in the [Url] field. To finish click on [OK].

Note: Remember that the REGEX syntax is explained here: Regex Syntax on page 240.

b) If you would like to filter the URLs by URLs lists click on [URLs Lists] then confirm the lists of URLs that youwant by using the checkboxes in the Label column. To finish click on [OK].

Note: If you want to create a list of URLs go here: Sub-menu: URLs lists on page 114.

c) If you would like to filter the URLs by categories lists, click on [Categories Lists] then confirm the lists thatyou want using the checkboxes in the Label column. To finish click on [OK].

Note: If you want to create a Categories List go here Sub-menu: Categories Group on page 16.

d) If you would like to filter URLs using a Web 2.0 List, click on [Web 2.0 List] then confirm the web 2.0 listsyou want, using the checkboxes from the Label column. To finish click on [OK].

Note: If you want to create a Web 2.0 list go here: Sub-menu: Web 2.0 Lists on page 18

e) If you would like to filter the URLs by categories click on [Categories] then confirm the categories you want,using the checkboxes from the Label column. To finish click on [OK].

Note: If you would like to create a customized category go here: Creating your own category onpage 14.

9. In the newly created rule, click on the image from the [Action] column, then click on the type of action on whichyou want to apply your rule, using the menu [Select].



a) If you want your filtering rule action to allow the traffic, select [Allow].

b) If you want your filtering rule action to deny the traffic, select [Deny]. In case it is needed, you can configure a"Override". In this case confirm the checkbox [Override]. You can also set a password that will be distributedto users who want to use the "override" function, by filling in the [Override Password] field.

c) If you want your filtering rule action to time limit the browsing activity select [Time Quota]. Then select atime quota in the [Quota] menu. In case it is needed, you can configure an "Override". In this case confirm thecheckbox Override. You can also set a password that will be distributed to users who want to use the "override"function, by filling in the [Password] field.

Note: If you would like to create a time quota, go here: Sub-menu: Quotas on page 108.

d) If you want the action that will be performed by your filtering rule to limit the consultation of the selected URLsby volume, select [Volume Quota]. Then select a volume quota.

Note: If you would like to create a volume quota, go here: Sub-menu: Quotas on page 108.

10. Set a priority order in which you want your rules to be executed using the arrows and .

11. Following the last rule and using the menu [Fallthrough rule] select the default behavior for non covered as either[Allow], [Deny] or to defer the filtering decision to the [upstream policy].

Note: If you set the field [Fallthrough rule] to [Upstream policy] you set up an inheritance. The currentpolicy will then inherit the rules from the policies positioned above it in the list of users of the rules engine(Users list on page 100).


Configuring a URL filtering policy

1. Go to the URL filtering policy configuration page using the menu [Rules] > [Users].

2. In the [Directories] tab or [Mobility controllers] expand the users' hierarchy in the [Name] column in order to

display the organizational units, the groups or the users for which you want to apply your policy, using the icon .

3. Click on the corresponding link from the [URL Filtering] and then select the URL filtering policy that you want.



Note: If you would like to edit the policies or to create a policy, go to the page [URL Filtering] >[Policies].

Chapter

2Menu: Protocol Filtering

Topics:

• Sub-menu: Protocols• Sub-menu: Policies

2 Menu: Protocol Filtering


Sub-menu: Protocols

Similar to URL filtering, Olfeo car perform protocol filtering operations. On the [Protocol filtering] > [Protocols] youcan explorer the list of protocols Olfeo is able to filter.

If you are looking for a specific protocol, enter the protocol name in the lookup field [Filter] and click the button .

To clear the filter field and return to the whole protocol list, click on .

Sub-menu: Policies

A protocol filtering policy is a set of rules you can assign to an organizational unit, a user's group, a specific user oran IP address.



Protocol filtering policies can be created using menu [Protocol filtering] > [Policies].

Protocol filtering policies are assigned in the section at the lower end of the main rules engine (menu [Rules] > [Users]),more specifically in the Protocol filtering column.

A protocol filtering policy can inherit from another protocol filtering policy higher in the users' hierarchy. In order touse this inheritance mechanism, edit the filtering policy which will be using the inheritance mechanism from [Protocolfiltering] > [Policies] and set the field [Fallthrough rule] to the value Upstream policy. A non-terminal policy

using the inheritance mechanism is identified with the icon as opposed to a terminal filtering policy identified using

the icon .

Note: As a shortcut to quickly edit a policy, you can click on the ou icon to directly go to the filteringpolicy edit page.

Creating a protocol filtering policy

1. Go to the protocol filtering policies creation page using [Protocol filtering] > [Policies].

2. Click on [Add a policy].



Section: Policy

3. Enter a name for the new policy in the [Label] field.


Section: Rules

5. Add a rule using the button .

6. In the newly created rule, click on the link from the Time slot column, then click on one of the time slots in theLabel column.

Note: If you want to create a time slot go here: Sub-menu: Time slots on page 112.


a) If you want your filtering rule to apply to all the traffic, click on the link [Any].

b) if you want to restrict the application of the rule to a set of protocols, click on the link [Protocols]. Next, selectall the protocols you would like to use by enabling the corresponding checkboxes in the Label column. Thenclick on the [Ok] button.

8. In the newly created rule, click on the image from the [Action] column, then click on the type of action you wantto apply to your rule, using the menu [Select].

a) if you want the action of you filtering rule to allow the corresponding traffic, select [Allow].

b) If you want the traffic to be blocked select [Deny].

9. Use the up and down arrows and in order to change the priority of each rule composing your policy.

10. Last, using the menu [Fallthrough rule] select the default behavior for any traffic not matching the preceding rules.Choose if you want for the behavior to [Allow] or [Deny] or use inheritance with the value [Upstream policy].

Note: If you set the field [Fallthrough rule] to [Upstream policy] you activate the inheritance behavior.The current policy filtering will call policies above it in the list of users for any traffic not matching thecurrent policy rules (Users list on page 100).

11. Click on [Ok] to save the changes.



Assigning a protocol filtering policy

1. Go to the main Olfeo page used to assign filtering policy using menu [Rules] > [Users].

2. In the [Directories] tab or [Mobility controllers], expand the users' hierarchy in the [Name] column using the icon in order to display the organizational units, the groups and users you would like to apply a filtering policy on.

3. Click on the link in the [Protocol Filtering] column and select the desired protocol filtering policy.

Note: If you would like to modify existing policies or create a new policy go to the [Protocol filtering] >[Policies] page.

Chapter

3Menu: Proxy Cache Qos

Topics:

• Sub menu: HTTP• Submenu : FTP• Sub menu: RTSP• Sub menu: TCP• Sub menu: SOCKS

3 Menu: Proxy Cache Qos


Sub menu: HTTP

This menu allows for the HTTP proxy setup and configuration. The HTTP proxy configuration is done using the 5following tabs:



Table 2: The five HTTP proxy configuration tabs

Tab Description

[Configuration] The [Configuration] tab allows for the definition of HTTP proxy listening ports configuration and for theproxy type specification (explicit or transparent). Using this tab you can also chain the HTTP proxy with aparent proxy, configuration URL filtering behavior and perform manual configurations.

[Authentication] [Authentification] tab allows for the proxy authentication mode configuration.

Warning: This tab depends on your integration and authentication architecture choice whichis the objective of the Olfeo Integration Guide. We recommend you to refer to this guide formore information regarding authentication.

[Cache] The [Cache] tab allows for the memory cache configuration and the specification of cache behavior rules.

The cache is a space dedicated to keep in memory objects most frequently used by end users in order forthe objects to be served to the end users faster than a direct access connection. This Olfeo solution featureallows for internet access bandwidth reduction and for objects access time reduction.

[Cache statistics] The [Cache statistics] displays cache statistics allowing you to monitor HTTP proxy cache efficiency thusproviding you valuable information to tune its configuration in order to maximize its efficiency.

[QOS] The [QOS] tab allows for the HTTP proxy quality of service configuration.

The quality of service allows for the attribution of resources to a specified traffic in order to maximizebandwidth availability and optimize bandwidth utilization and transmission. This feature is particularlyinteresting if you have specific traffic requiring optimal bandwidth.

Configuring the HTTP proxy

1. Go to the HTTP proxy configuration using the [Proxy Cache QoS] > [HTTP] > [Configuration] tab.



Section: Listening ports

2. In the section Listening ports add a listening port using the button.

a) Enter the interface IP address and TCP port you would like the proxy to listen on.

The syntax used to specify the TCP listening port allows you to restrict listening on a specific IP address. Usethe following syntax:

Ipaddress:Tcpport

Note: If you want to listen to all of the local machine’s IP addresses, enter the IP address as 0.0.0.0

Example of how to specify the IP address and listening port:

0.0.0.0:3129

b) To configure a transparent proxy enable the Transparent checkbox at the end of your newly created proxy TCPport.

Warning: This field is linked to the integration architecture choice which is the objective of the OlfeoIntegration Guide. We recommend you to refer to this guide for more information regarding HTTPtransparent proxy.

c) If you do not want the proxy to pass the end user private IP addresses to the destination server, enable[Anonymize access] .

Note: This option helps to avoid the generation of HTTP headers of the type "X-Forwarded-For"which generally includes the IP address of the end user machine for which the proxy carries out anaction. For security reasons, it is generally preferable not to disclose information concerning yourlocal network, therefore turning on this option is recommended.

Section: Allowed query types by destination port

3. Add a request type using the icon .

The section "Allowed query types by destination port" lets you define the destination ports and the correspondingprotocols allowed on each of these destinations ports.

a) Enter a destination port in the field under the Port column.



Note: Enter a range of ports separating start and end ports with "-". Example: 1025-65535.

Note: To enter multiple ports in a query, separate them with a space. Example: 70 210 280.

b) Select the protocols you want to authorize on the destination ports by enabling the corresponding checkboxes inthe columns headedBrowsing, FTP over HTTP, WebDAV or Raw/SSL.

There are four possible protocols:

• Browsing: Authorizes the standard HTTP browsing.• FTP over HTTP: Authorizes use of the FTP protocol encapsulated in HTTP (FTP over HTTP) and thus

allows file downloads. This protocol can only be used if the client application supports it. Internet browserstypically do when you specify an HTTP proxy for the FTP protocol.

• WebDAV: Authorizes the HTTP-based collaboration protocol allowing management of files shared andstored on a web server.

• Raw/SSL: Allows SSL-type traffic.

c) To allow for use of extended passive mode in the FTP over HTTP protocol enable the [FTP over HTTP makesuse of extended passive mode] checkbox. In this mode, the Olfeo proxy can use the EPSV command and thusmake FTP requests that are IPv6 compatible. Please refer to RFC 2428 FTP Extensions for IPv6 and NATs formore information.

Warning: Use of the EPSV command and of IPv6 may result in this option being incompatible witholder firewalls.

Section: Proxy chaining

4. If the Olfeo solution’s proxy needs to be chained to a parent proxy, select the [Use parent proxy] checkbox in theProxy Chaining section. Then provide the following information:

a) The IPv4 address of the parent proxy in the [Host] field.

b) The TCP port of the parent proxy in the [Port] field.

c) The user name for authentication with the parent proxy in the [Login] field.

d) The user's password for authentication with the parent proxy in the [Password] field.

Section: URL filtering

5. To filter URLs, enable the [Filter URL] checkbox in the URL Filtering section. Fill in the following fields asrequired:

a) [Disable Olfeo caching]. For performance reasons, the Olfeo solution stores the authorizations obtained by yourusers’ various browsing sessions. This optimization makes it possible to avoid authorization checks for the samewebsite (Internet domain) previously authorized. Enabling this checkbox will force an automatic authorizationcheck, even for sites previously visited.

b) [Redirector number]. This field controls the number of internal processes used by the Olfeo solution to performHTTP browsing authorization checks. The default value of 70 should be appropriate for most Olfeo solution

http://tools.ietf.org/html/rfc2428



installations. It is therefore recommended not to change this value unless explicitly requested by Olfeo TechnicalSupport.

c) [Bypass if the filtering service is unavailable]. This checkbox allows you to control the Olfeo HTTP proxy’sbehavior in the event the URL filtering service is not reachable. Browsing will be blocked by default if thischeckbox is not enabled.

d) [Delay before next connection attempt upon error (minimum 30s)]. This field controls the timeout that maybe inserted at the Olfeo HTTP proxy level in case there is an error connecting to Olfeo URL filtering service.The default value of 30- second is suitable for most cases.

Section: Squid custom configuration

6. Configure your desired Squid ACLs in the fields [Start of file], [Pre Authentication], [Post Authentication] and[End of file].

Your Olfeo solution internally uses an optimized version of an Open Source proxy solution. In some cases, it might benecessary to configure advanced options that are not directly configurable using the Olfeo Administration Console.The purpose of the Squid custom configuration section is to allow for the configuration of Squid directives in theHTTP proxy.

Danger: Theses directives can alter the proxy operations. Therefore it is recommended to alter the contentof these fields solely under suggestions provided by Olfeo Technical Support.

Here is an example of Squid directives configuration using the Squid custom configuration.

Adobe Flash Player setup may not work for end users authenticating proxy. Indeed post-setup processingincludes contacting various servers on the Internet in order to complete the installation. Therefore the Olfeo proxyconfiguration will ask for an authentication before allowing the operation. In order to bypass this authenticationrequest, it is possible to create Squid directives allowing for an exception to this authentication mode in order toallow for the Adobe Flash Player setup to complete.

Here is a Squid directive example to apply in the [Pre Authentication] field disabling authentication for domainnames used by the Adobe Flash Player setup application:

acl adobeflashplayer dstdomain .verisign.com .adobe.com .adobetag.com .macromedia.comhttp_access allow CONNECT adobeflashplayerhttp_access allow adobeflashplayer

Once applied, this directive will allow access to domain names ending in verisign.com adobe.com adobetag.commacromedia.com to bypass the proxy authentication.

7. Click on [OK] to save changes.



Configuring HTTP Proxy Authentication

1. Go to HTTP proxy authentication page configuration using the [Proxy Cache QoS] > [HTTP] > [Authentification]tab.

Section: Module

2. Select the HTTP proxy authentication mode in the [Authentication mode] field.

Warning: This field depends on your integration and authentication architecture choice which is theobjective of the Olfeo Integration Guide. We recommend you to refer to this guide for more informationregarding proxy authentication.

Note: This tab is only displayed once an enterprise directory has been configured.

The following choices are available:



Option Description

[NTLM (Active Directory)] Olfeo HTTP proxy supports NTLM over HTTP authentication method asspecified by Microsoft. This authentication mode requires the use of aMicrosoft ActiveDirectory 2003 or higher enterprise directory.

Warning: NTLM authentication method is only available if yourOlfeo installation has been joined to the Windows domain usingthe [Parameters] > [Authentication] > [Windows domainjoin].

Once selected, this authentication mode will perform the following 2authentications:

• A transparent authentication for end users using a computer memberof the Windows domain and with a currently active Windows interactivesession started with their end user domain account.

• An explicit authentication using an authentication popup for all otherend users. In order to pass the authentication step, the end user will haveto enter his Windows domain end user account (format:"DOMAIN"\"login") and his password.

[Kerberos] This authentication mode allows for the use of Microsoft Kerberosauthentication using an ActiveDirectory 2003 enterprise directory. Similarto [NTLM (Active Directory)] authentication mode, this [Kerberos] modeallows :

Warning: The [Kerberos] authentication is only availableif your Olfeo installation has been joined to the Windowsdomain using the [Parameters] > [Authentication] > [Windowsdomain join] menu.

• A transparent authentication for end users using a computer memberof the Windows domain and with a currently active Windows interactivesession started with their end user domain account.

• An explicit authentication using an authentication popup for all otherend users. In order to pass the authentication step, the end user will haveto enter his Windows domain end user account (format:"DOMAIN"\"login") and his password.

Note: On end users computers, the browser must usethe Microsoft integrated authentication et must explicitlyreference the Olfeo proxy using its Fully Qualified DomainName (FQDN).

Warning: Microsoft [Kerberos] implementation isincompatible with Kerberos based authentication Olfeoclusters. If you require high availability in Kerberosauthentication mode with Olfeo, it is recommended to usea proxy.pac for your proxies configuration and to returnmultiple proxies in your proxy.pac on each return in order tobenefit from a proxy.pac failover behavior.



Option Description

[Kerberos 2008] This authentication mode is identical to [Kerberos] but should be used onlyfor ActiveDirectory 2008 or above enterprise directories.

[Basic - <AuthenticationZone>]

This authentication mode allows for the configuration of a LDAP basedbasic authentication mechanism. This authentication mode requires the useof Olfeo authentication zones. Based on the number of Olfeo authenticationzones configured, one or more basic authentication modes will be available.

Note: If you want to create an authentication zone, go to the page:[Parameters] > [Authentication] > [Authentication Mode].

Danger: The [Basic - <authentication zone>] authenticationmode is a weak authentication mode because it carries userscredentials (login/password) in clear over the network. It'stherefore recommended to use a stronger authentication mode.

[None] Olfeo HTTP proxy will not perform any authentication.

3. In the field [Number of instances], change the number of instantiated authentication helper processes if necessary.

The number of instances correspond to the maximum number of authentication requests which can be processedin parallel at any given time.

Default number of instances:15

Section: Rules

4. Use the button to add an authentication rule.

5. In the newly created rule, click the link in the Sources column.

a) Select the [IP Ranges] field in the [Select] menu if you would like to restrict a rule to one or more IP addressesranges.

b) Use the button to add an Ip address range.

c) Enter the range beginning IP address in the Start IP column.

d) Enter the range end IP address in the End IP column.

e) optionally enter a description text for the IP adresses' range in the Range Description column.

f) Once you have created all your IP addresses ranges, click the [Ok] button to save your changes.

6. In the newly created rule, if you would like to restrict the rule to specific HTTP clients click on the [User-Agent]column link.

a) Select the HTTP client's identifiers you would like to restrict the rule to using the Active column checkbox.

Note: This feature is very useful to disable HTTP proxy authentication for certain types of applicationsnot compatible with authenticating proxies (audio/video player, ...).



b) If you have an unreferenced application you would like to add, you can enter a regular expression in the editablefield under the Regular expression column. You can then enter a description in the Description column andenable the corresponding checkbox in the Active column

Note: For more information regarding regular expression (REGEX) syntax, please refer to chapterRegex Syntax on page 240.

Note: If you don't know how to find the user-agent identifier for a particular HTTP client, pleasecontact Olfeo Technical Support.

7. In the newly created rule, if you would like to restrict the rule to a particular proxy port, click on the link in the[Proxy ports] column.

Note: You can discriminate your end-user population by sending them to different proxy ports. Oncesegmented, these end-user populations can then be attributed different authentication rules using the linkin the [Proxy ports] column.

8. In the newly created rule, if you want to restrict the rule application to a particular destination you can click on the[Destination] column link.

Two choices are available:

• You can enter a destination using a URL or regular expression described in chapter Regex Syntax on page 240.In this case:

• Click on the [URL (regex)] link and enter a URL or regular expression in the [URL] list.• To save your changes click on the [Ok] button.

• You can specify a destination using A URL List that you would have previously configured using the [Rules] >[URL Lists]. In this case:

• Click on the [URL Lists] and select the corresponding URL lists of your choice in the Label column.• To save your changes click on the [Ok] button.

9. In the newly created rule, click on the link in the Authentication column in order to select the desired authenticationtype.

The followings are available choices:

Option Description

[No authentication] This choice allows you to disable authentication for the Olfeo HTTP Proxy.

Warning: Without any authentication and any captive portal, theOlfeo HTTP proxy cannot identify the end user connecting to theproxy. Therefore, the Olfeo filtering engine would not be able toapply any specific filtering policies except for the default policy(Users list on page 100).



Option Description

[Authentication] This choice enables authentication at the Olfeo HTTP proxy level(authentiation configured at step 2 on page 41).

Note: Following the selected authentication in step Users liston page 100, some of these authentications will be performedtransparently. Refer to the Olfeo Integration guide for moreinformation.

[ip2login]This choice allows you to configure Olfeo HTTP proxy to performauthentication (authentication configured in step 2 on page 41). Oncethe authentication performed, the end-user computer IP address will beassociated to the end-user and no further authentication will be requested bythe proxy for new connections.

Note: [ip2login] main advantage is to facilitate end userbrowsing by reducing the number of authentication requests.

Warning: If you would like to configure the duration of the enuser IP adress / login association, please contact Olfeo TechnicalSupport.


11. After the last rule and using the [by default] menu, select the default behavior to apply among [no authentication],de [Ip2login] or [authentication].




Configuring HTTP Proxy Cache

Olfeo embedded HTTP proxy implements a cache feature. This feature allows for the optimization of browsing requestsby providing contents already cached from prior similar requests.

1. Go to the HTTP Proxy configuration page using the [Proxy Cache QoS] > [HTTP] > [Cache] tab.

Section: Memory cache

Memory cache refers to the cache maintained in physical memory or RAM.

2. Enter the memory cache size in the [Cache size] field.

Default size is: 128 Mo.



Danger: An oversized cache can degrade performance. It is therefore recommended to size the cache insuccessive attempts incrementing its size and finding an acceptable compromise between Olfeo solutionoperation and the RAM size allocated to the memory cache.

3. Enter the objects maximum size that can be stored in memory cache in the [Object max size] field.

The memory cache must be dedicated to small objects sizes. Indeed, a memory cache performance will be higher iffilled with a large number of small objects rather than a small number of large objects. Maximizing the number ofobjects in memory cache generally provides better performance for a larger number of end users.

Default size is: 6 ko.

4. Select the replacement policy algorithm for replacing objects in the cache using the [Replacement policy] field.

• [Least recently used]: When the cache is full, objects replacement in memory cache is based on last objectutilization. The least recently used objects will be the ones that will be evicted from the memory cache. Thisreplacement policy is not the most performant one because it only takes into account the last utilization datewithout considering other parameters such as objects size, utilization frequency, cost of download, ...

• [LRU Policy implemented using a heap]: This algorithm is similar to the Last Recently Used one butits operation used a heap. This algorithm allows for a more efficient cache management providing quickerreplacements, additions or removals from the memory cache. Unfortunately this algorithm, similar the previousone, only takes into account each object last utilization date without considering other objects properties.

• Least frequently used with dynamic aging: This algorithm is based on objects access frequencies in orderto manage the memory cache. A replacement policy following LFU maximize hits ratio in bytes. Neverthelessthis replacement policy can pollute the memory cache with very old objects because it only takes into accountaccess frequency. The Least frequently used with dynamic aging algorithm is an evolution compared to LFUbecause it also takes into account objects ages in order to avoid polluting the cache with old popular objects.This replacement policy generally offers good results in terms of hits ratio in bytes.

• [Greedy-Dual Size Frequency]: This algorithm is a cache management algorithm evolution. It takes intoaccount various parameters / properties such as cost of download, object size, age and utilization frequency. Thisreplacement policy generally provides better performances in his ratios compared to other replacement policies.

Section: Disk cache.

Disk cache utilization allows for objects non eligible for memory cache to be stored on disk. A disk cache is obviouslyslower than a memory cache.

5. In the Disk cache section enter the cache size in Mo you would to use on the disk for your disk cache inthe Cache size field.

Default size is : 2 000 Mo

6. Enter the minimum size for objects to be eligible for storage in disk cache in the Objects min. size field.

Default size is: 254 ko

7. Enter the maximum size for objects to be eligible for storage in disk cache in the Objects max. size field.

8. Select the objects replacement policy for disk cache objects in the [Replacement policy].

As previously covered:

• [Least recently used]: When the cache is full, objects replacement in memory cache is based on last objectutilization. The least recently used objects will be the ones that will be evicted from the memory cache. Thisreplacement policy is not the most performant one because it only takes into account the last utilization datewithout considering other parameters such as objects size, utilization frequency, cost of download, ...



• [LRU Policy implemented using a heap]: This algorithm is similar to the Last Recently Used one butits operation used a heap. This algorithm allows for a more efficient cache management providing quickerreplacements, additions or removals from the memory cache. Unfortunately this algorithm, similar the previousone, only takes into account each object last utilization date without considering other objects properties.

• Least frequently used with dynamic aging: This algorithm is based on objects access frequencies in orderto manage the memory cache. A replacement policy following LFU maximize hits ratio in bytes. Neverthelessthis replacement policy can pollute the memory cache with very old objects because it only takes into accountaccess frequency. The Least frequently used with dynamic aging algorithm is an evolution compared to LFUbecause it also takes into account objects ages in order to avoid polluting the cache with old popular objects.This replacement policy generally offers good results in terms of hits ratio in bytes.

• [Greedy-Dual Size Frequency]: This algorithm is an evolution of cache management algorithms. It takes intoaccount other parameters or properties such as the download cost, the object size, the age and the utilizationfrequency. This replacement policy generally provides the best performances in terms of hit ratio compared toother replacement policies.


If you would like to add rules to control cache operations, please refer to the Adding cache operation rules on page48 chapter.

Adding cache operation rules

1. Go to the HTTP Proxy configuration page using the [Proxy Cache QoS] > [HTTP] > [Cache] tab.

Section: Caching

2. In the Caching section add a cache operation rule using button.

3. In the newly created rule, click on the icon in the [Cache] column in order to define a rule caching ( icon) or

not caching ( icon) an object.

4. In the newly created rule, click on the link in the Destination column in order to define the condition that will triggera cache or a cache exclusion operation.

a) If you don't want to specify any specific condition click on [Any].

b) If you would like to specify as a condition a regular expression, click on [URL (regex)] and enter a regularexpression in the [Url] field. Click on [Ok] once done.




c) If you would like to specify as a caching condition a URL list, click on [URL Lists], then select the URLs listsof your choice using the checkbox in the Label column. Once done click on [Ok].


d) If you would like to specify a categories list as a caching condition, click on [Categories Lists] then select thecategories lists of your choice using the checkbox in the Label column. Once done click on [Ok].

Note: If you want to create a Categorie List go here Sub-menu: Categories Group on page 16.

e) If you would like to specify categories as a caching condition, click on [Categories] then select the categoriesof your choice using the checkbox in the Label column. Once done click on [Ok].


5. In the newly created rule, click on the link in the Mime type column.

A MIME type is an identifier defining a standard data format on the internet. Using MIME types you can choosethe types of media that you want to assign to your caching rule.

a) In the Label column expand the MIME types tree using the icon.

b) In the MIME types tree select the types of your choice using the checkbox from the Label column.

c) Click on [Ok] to save the changes.


7. Following the last rule and using the [Fallthrough rule] select the behavior to apply for non-matching cases among[Use cache] or [Do not use cache].


Configuring cache objects lifetime

Cache objects lifetime allows for specifying the maximum life for objects in memory and disk cache.

1. Go to the cache lifetime configuration page using the [Proxy Cache QoS] > [HTTP] > [Cache] tab.



Section: Lifetime

2. In the Lifetime add a cache lifetime rule using the button.

3. In the newly created rule, click on the link in the [Mime type] column.

A MIME type identifier is associated for a date format on the internet. Using MIME types identifiers you can selectthe data types you want to specify cache lifetime for.

a) In the Label column expand the MIME types tree using the icon.

b) In the MIME types tree select the types of your choice using the checkbox from the Label column.

c) Click on [Ok] to save the changes.

4. In the newly created rule, enter the maximum lifetime in the cache before expiration in the [Max age].

5. Once done, enter the default cache lifetime maximum in the [Fallthrough max age] field.

Cache Statistics

The [Proxy Cache QoS] > [HTTP] > [Cache statistics] tab is divided in three sections:

1. Queries: This section provides information regarding the number of end user requests for a subset of time periods.



For each predetermined time period, the following statistics are available:

• Total: Total number of requests.• Hits: Total number of requests resulting in a cache operation.• Errors: Cache miss ratio. Remember that your caching rules have an influence on this ratio.• Efficiency: Cache efficiency basedd on the caching rules.

2. Network: This section provides statistics regarding Olfeo HTTP proxy cache efficiency based on data volume.

The following statistics are available for each predetermined time period:

• Downstream: Data volume downloaded from the cache.• Upstream: Data volume download from origin servers.• Efficiency: Cache efficiency measured as the ratio between downstream and upstream data volume.

Note: Data volumes are expressed in kibibyte, or 1024 bytes.

3. Latency: This section provides statistics regarding Olfeo HTTP Proxy cache access time.

The following statistics are available for each predetermined time period:

• From cache: Average access time for data accessed from the cache.• Forwarded: Average access time for data retrieved from origin servers.• Efficiency: Cache efficiency measure as the ratio between average data access time from the cache and average

access time from origin servers.

Note: Statistics are expressed in milliseconds.

Configuring the QOS

The Olfeo solution provides an embedded proxy implementing a QOS (Quality Of Service) feature. This QOS featureallows for capping bandwidth utilization for some traffic in order to guarantee bandwidth availability. This feature isparticularly interesting if you have on your network some traffic that cannot experience any bandwidth degradation.

1. Go to the HTTP Proxy Configuration page using the [Proxy Cache QoS] > [HTTP] > [QOS] tab.

Section: General

2. Enter your maximum measured bandwidth in the [Total Bandwidth] fields in KB/s.

Example:

1. You have a 10 Mbit/s connection.2. 10 mbps = 10 000 kbit/s.3. 10 000 kbit/s = 1250 kb/s (because 1 byte = 8 bits)

You can then enter in the field [Total bandwidth] theoretical bandwidth of 1250 KB/s.



Section: Rules

3. Click on the to add a QOS rule.

4. In the newly created rule, you can use timeslot as one of the condition for a QOS rule. To do so click on the link inthe Timeslot column then click on one of the defined timeslots in the Label column.


5. In the newly created rule, you can use the source as one of the condition for your QOS rule. To do so, click on the linkin the [Source] column. Then, select the source type you want to use as a condition from the [Select] dropdown list.

a) If you want to use a group of users as a condition for your QOS rule, select [Users]. Expand the users' hierarchy

using the icon then select the users using the checkbox from the Name column. Once done click on [Ok].

6. In the newly created rule, if you would like to use a destination as a condition for your QoS rule, click on the linkin the Destination column. Then click on the type of destination to use using the [Select] drop-down list.

a) If you would like to use a regular expression for a destination as a condition for your QOS rule, select [URL(regex)] then enter the regular expression in the [Url] field. Once done click on [Ok].


b) If you would like to use a URL List as a condition for the destination of your QOS rule, click on [URL Lists]then select the URL lists of your choice using the checkbox from the Label column. Once done click on [Ok].


c) If you would like to use a categories list as a destination condition for your QOS rule, click on [Categories Lists]then select the categories lists of your choice using the checkbox in the Label column. Once done click on [Ok].


d) If you would like to filter the URLs by categories click on [Categories] then confirm the categories you want,using the checkboxes from the Label column. To finish click on [OK].


7. In the newly created rule, click on the link in the [Bandwidth] column in order to define the bandwidth properties.

For information, Olfeo used the x / y syntax in the rules to display for each rule the [Global limit (KB/s)] and the[Per user limit (KB/s)].

a) Enter the maximum bandwidth in KB/s you would like to give to this rule in the field [Global limit (KB/s)].



Note: This limit must be lower or equal to the [Total Bandwidth] defined in step 2 on page 51.

b) If you would like to set a maximum limit for the per user bandwidth, enable the [Enable per user limit] checkboxthen enter the per user maximum bandwidth in the [Per user limit (KB/s)] field.

Note: This limit must be lower than the limit defined in the [Global limit (KB/s)] field.

c) Click on [OK] to save changes.

8. In the newly created rule, if you prefer setting the maximum bandwidth as a percentage of the [Total Bandwidth]defined in step 2 on page 51, enter the desired percentage in the [%] column.

Warning: If you change the [Total Bandwidth] value, Olfeo automatically recalculate the [Global limit(KB/s)] defined in step 7 on page 52. Indeed the [Global limit (KB/s)] and the percentage of the[Total Bandwidth] are two ways of expressing the same bandwidth limit for your QOS rule.

For example: If you would like to limit traffic for your rule to half of your [Total Bandwidth], enter 50 in the [%]column field.


Submenu : FTP

FTP (File Transfer Protocol) is client/server file exchange protocol.

The Olfeo Solution provides a native FTP proxy. Using this menu you can configure the FTP proxy and optionallyconfigure its authentication mode.

Note: The Olfeo Solution only supports this protocol passive mode because of the unsecure nature of theactive mode.



Configuring the FTP Proxy

1. Go to the FTP Proxy configuration page using the [Proxy Cache QoS] > [FTP] > [Configuration] tab.

Section: Proxy List

2. Add an FTP proxy using the button.

3. In the newly created proxy, enter a name in the field from the Label column.

4. In the newly created proxy, enter the listening TCP port in the field from the Port column.

For example: 9021

5. For the newly created proxy, if you want to specify additional options click on the link in the Options column.

a) If you would like to limit the maximum number of outgoing connections for the proxy, enter this maximumnumber in the [Connections limit] field.

b) If you want to specify a parent proxy:

• Enable the [Enabled] checkbox.• Enter the parent proxy IP address in the [Host] field.• Enter the parent proxy port in the [Port] field.• Select the proxy authentication behavior using the [Authentification] dropdown list:

• [None]: The parent proxy does not require any authentication.• [Same as client]: The login/password provided to the Olfeo FTP proxy will be forwarded to the parent

proxy.• [Defined below]: This configuration allows for the configuration of a specific login/password pair to use

with the parent FTP proxy. If you select this option, enter the login in the [Login] field and the passwordin the [Password].

• Click on [OK] to save changes.




Configuring FTP Proxy authentication

1. Go to the FTP proxy authentication configuration page using[Proxy Cache QoS] > [FTP] > [Authentification].

2. Use the button to an authentication rule for the FTP proxy.

3. In the newly created rule, if you want to configure a type of authentication with predefined timeframes click on thelink from the Timeframe column then click on the timeframes from the Label column.


4. In the newly created rule, if you want to specify a source click on the link from the [Source] column. Select the typeof source on which you want to make the authentication using the menu [Select].

a) If you want to specify an IP address select [IPs range]. Then enter the [Start IP] address, the [End IP] address

and a [Range Description]. Note that you can add other IP address ranges using the button . To finish, click[Ok].

5. In the newly created rule, if you want to specify an authentication mode to use, click on the link from the [Mode]column, then select an authentication mode from the Label column.

Recall that an authentication mode allows for the configuration of a basic LDAP authentication.

Note: If you want to create an authentication zone, go to : [Parameters] > [Authentication] >[Authentication Mode].

6. In the newly created rule, if you want to create an association between an IP address and a login on the firstauthentication therefore avoiding subsequent authentication requests, enable the [IP2login] checkbox.




Sub menu: RTSP

RTSP (Real Time Streaming Protocol) is a data communication protocol used for media streaming. It allows forreceiving content and controlling remote media server with typical features of a video or audio player, features such as"play", "stop", "pause" or "seek" to a particular time t".

RTSP does not carry data bytes but provide flow control. A RTSP player uses a data transport protocol such as RTP(Realtime Transport Protocol) or RDT (Real Data Transport), this last one being a RealNetworks proprietary protocol.

With Olfeo you can configure a RTSP proxy to control and receive media flow. The implementation architecture shouldnevertheless consider the following limitations:

• RTSP over UDP: For data transport only UDP as a transport is currently supported. Nevertheless RTSP uses TCP.• RTP Data Transport: Olfeo RTSP proxy only supports RTP as a data transport protocol.• Integrations: Olfeo RTSP proxy only support RTSP flow proxying:

• In a transparent proxy configuration using a traffic redirection toward the Olfeo RTSP proxy using a firewall orthird party equipment capable of traffic redirection.

• In an explicit proxy configuration requiring a specific configuration for RTSP client applications.

• Supported RTSP players: The Olfeo RTSP proxy used in an explicit proxy configuration has only been certifiedto be used with Windows Média Player and RealPlayer. Using these players require a specific explicit proxyconfiguration for each one of them to use Olfeo RTSP proxy and UDP as data transport protocol. additionally anyproprietary application using RTSP should, in order to use Olfeo RTSP proxy, support configuring a RTSP proxyexplicitly with UDP as the data transport protocol.

• RTSP proxy ephemeral ports: Similar to Olfeo FTP proxy, it is not possible to specify outgoing TCP ports usedby Olfeo RTSP proxy.

Note: You can create rules regarding RTSP traffic in the main rules enginer on the [Access] from [Rules] >[Users].



Configuring the RTSP proxy

1. Go to the RTSP proxy configuration page via [Proxy Cache QoS] > [RTSP].

Section: Proxy List

2. Click on the to add a RTSP proxy.

3. In the newly created proxy, enter a name in the field from the Label column.

4. In the newly created proxy, enter the listening TCP port in the field on the Port column.

For example: 30554

5. Click on [Ok] to save changes.

Warning: Olfeo RTSP proxy is a separate system process that must be configured for automatic start fromthe [Parameters] > [System] > [Services] page.

Sub menu: TCP

The TCP proxy allows for the configuration of a generic proxy that can be used for any TCP based client/server trafficin an application not supporting any proxy.



Warning: Application protocols are generally proprietary and undocumented. Therefore Olfeo TCP proxycannot identify the destination IP addresses. Using the Olfeo TCP proxy requires a transparent proxyintegration using a third party equipment, typically a firewall, and port redirection toward the Olfeo TCPproxy.

Your architecture should nevertheless take into account the following limitations:

• Number of TCP proxy: An Olfeo TCP proxy instance must be configured for each application you would like toproxify. Each TCP proxy will redirect its traffic toward a specific IP address and TCP port.

• TCP ephemeral ports: It is not possible to restrict the Olfeo TCP proxy ephemeral ports to specific values.• Protocol recognition: The Olfeo TCP proxy cannot provide any protocol recognition considering the protocols are

typically proprietary.• User identification: The Olfeo TCP proxy does not provide any user authentication or identification mechanisms.

TCP proxy utilization example: A specific set of end users computers needs to access a publicly accessible server. Thesecomputers are not routed on the Internet but require access to the Olfeo solution. In this situation, configure the Olfeosolution with a TCP proxy redirecting its traffic to the application server on the internet and configure your proprietaryapplications to connect to the Olfeo TCP proxy as if it was the destination server.

Configuring the TCP proxy

1. Go to the RTSP proxy configuration page using the [Proxy Cache QoS] > [TCP] menu.

Section: Proxy List

2. Click on the button to add a TCP proxy.

3. In the newly created proxy, enter a name in the field on the Label column.


For example: 30554

5. Click on the link on the Options column and enter the IP address and TCP port for the destination server.

For example: 192.168.4.3:37141

6. Click on [Ok] to save your changes.



Sub menu: SOCKS

SOCKS is a network protocol allowing for applications to use a proxy if they have been developed with support forthis protocol.

SOCK protocol support in applications is a mandatory requirement in order to use a SOCKS proxy. Refer to yourapplications documentations in order to verify the SOCKS version and features supported by your applications and thevarious configurable options.

Limitations

• Supported SOCKS versions: Olfeo SOCKS proxy implements version 4 and 5 of the SOCKS protocol.• SOCKS v4 clients authentication: Olfeo SOCKS proxy does not support any user authentication in SOCKS v4.

This limitation is inherited from the SOCKS v4 protocol which does not support any end-user authentication.• SOCKS v5 clients authentication: SOCKS v5 protocol supports end-user authentication on the connection to the

SOCKS proxy.• TCP ports used: It is not possible to specify the outgoing TCP ports used by the Olfeo SOCKS proxy.

Configuring the SOCKS proxy

1. Go to the configuration page for the SOCKS proxy via [Proxy Cache QoS] > [SOCKS] > [Configuration].

Section: Proxy List

2. Use the button to add a SOCKS proxy.



3. In the newly created proxy, enter a name in the field on the Label column.


For example: 1038


Configuring an authentication for the SOCKS proxy

1. Go to the SOCKS proxy authentication configuration page via [Proxy Cache QoS] > [SOCKS] > [Authentication].

2. Add an authentication rule to the SOCKS proxy using the button.

3. In the newly created rule, to configure an authentication mode with a specific timeframe condition, click on the linkfrom the Timeslot column then click on the timeslot from the Label column.


4. In the newly created rule, if you want to specify a source click on the link from the [Source] column. Select the typeof source on which you want to make the authentication using the menu [Select].

a) If you want to specify an IP address range select [IP ranges]. Then enter the [Start IP] address, the [End IP]

address and a [Range Description]. Note that you can add other IP address ranges using the button. To finish,click [Ok].

5. In the newly created rule, if you want to specify an authentication mode to use, click on the link on the [Mode]column, then select an authentication mode from the Label column.

Recall that an authentication mode allows for the configuration of a basic LDAP authentication.

Note: If you want to create an authentication zone, go to : [Parameters] > [Authentication] >[Authentication Mode].

6. In the newly created rule, if you want to create an association between an IP address and a login on the firstauthentication therefore avoiding subsequent authentication requests, enable the [IP2login] checkbox.


Chapter

4Menu: Antivirus

Topics:

• Sub-menu: Parameters• Sub-menu: Log

4 Menu: Antivirus


Sub-menu: Parameters

The Olfeo solution provides an antivirus to scan end user browsing traffic. Activating the antivirus is done using theantivirus rules in the Olfeo rules engine.

Note: To communicate with the antivirus, Olfeo internally uses an ICAP connector. Remember to create thisconnector if it is not defined in [Parameters] > [Architecture].

The use of the Olfeo antivirus as a perimeter antivirus is based on virus signatures detection. The Olfeo antivirus solutionguarantees uninterrupted protection of your environment through regular updates of these virus signatures databases.This feature is enabled by default and requires no configuration on your side.

Note: If you want to update your antivirus manually, go to the page: [Parameters] > [Updates] > [Database].

4 Menu: Antivirus


Antivirus parameters

1. Go to the antivirus parameters page via [Antivirus] > [Parameters].

Section: Configuration

2. If you want Olfeo admins to be notified when a threat is detected, enable the [Enable Virus Mail alert] checkbox.

To create the Olfeo admins, go to the page: [Parameters] > [Administrators].

Section: Performance

3. Enter the maximum size for the antivirus incoming connection queue in the [Maximum length for the incomingconnection queue] field.

This parameter controls the maximum number of concurrent connections (TCP or local) that can be sent to the Olfeoantivirus.

Warning: A larger number of incoming connections can lead to errors once the incoming connectionqueue is full. In this case an error will be displayed in the Olfeo log.

Default value: 15

4. Enter the maximum number of threads that can be executing in parallel for virus scanning, in the [Maximum numberof threads] field.

This parameter controls the size of the thread pool available for virus scanning. If you experience slower than usualbrowsing, you can try to increase this parameter if you use Olfeo antivirus and observe the behavior change. Repeatthe tuning operation as necessary.

4 Menu: Antivirus


Warning: Tuning this parameter too larger may lead to a large number of idle threads. It is thereforerecommended to perform your tuning operation in incremental steps observing the system behavior aftereach change.

Default value: 10

5. Enter the maximum amount of data scanned by the antivirus when scanning large files in the [Maximum amountof data to scan for each file].

Default value: 100 MB

Section: Analysis

6. If you would like to treat encrypted archives as viruses, enable the [Mark encrypted archives as viruses] checkbox.

Default value: Disabled

7. If you would like Olfeo antivirus to treat executables (PE or ELF) with corrupted or invalid headers as viruses,enable the [Mark broken executables (PE and ELF) as viruses] checkbox.

PE (Portable Executable) and ELF are header formats used in executables. PE is a type of format used by MicrosoftWindows executables. You can get a description of the PE format from http://msdn.microsoft.com/library/windows/hardware/gg463125. ELF is a header format used for Unix/Linux executables. You can get a description of the ELFformat using the Unix/Linux man elf command.

Default value: Disabled

Section: Treatment of filed files

8. Enter the maximum depth for nested archives analysis in the [Maximum level of nested archives to inspect] field.

This parameter limits Olfeo antivirus recursion when analyzing nested archives. For performance reasons you maywant to limit this value.

Default value: 31

9. Enter the maximum amount of data to be scanned in files in an archive in the [Maximum size to scan per file inan archive] field.Default value: 25 MB

10. Enter the maximum number of files to scan in an archives in the [Maximum number of files to scan within anarchive] field.

Note: You can change the default value but this value should cover most of the archives available onthe Internet.

Default value: 10000

http://msdn.microsoft.com/library/windows/hardware/gg463125

http://msdn.microsoft.com/library/windows/hardware/gg463125

4 Menu: Antivirus


Creating an ICAP connector for the antivirus

Note: Verify if an ICAP connector does not already exist. An ICAP connector to be used internally for virusscanning should already be defined after Olfeo installation in the [Parameters] > [Architecture] page.

1. Go to the configuration page via [Parameters] > [Architecture] > [Integration].

2. Click on the link [Add connector] from the Label column.

3. Select [I use my own equipment] in the [Integration Choice] menu.

4. Enter a name describing the integration method in the [Label] field.

5. Click on [Next].

4 Menu: Antivirus


Section: Parameters

6. Choose a connection type ICAP-->Other in the [Type of connection] drop down list.

Section: Connector parameters

7. Choose the Tcp transport protocol in the [Mode] dropdown list.

8. Enter a port number to be used for the antivirus connection.The default value is: 1344

9. Click on [Finish] to save your changes.

Enabling the antivirus

1. Go to the filtering setup page using the menus [Rules] > [Users].

2. Select the [Content] tab.

3. Using the button add an analysis rule for the antivirus.

4. In the newly created rule, click on the link on the Timeslot column, then click on one of the timeslots from theLabel column.


5. In the newly created rule, if you want to specify a source click on the link from the [Source] column. Select the typeof source on which you want to make the filtering using the menu [Select].

a) If you want to specify an IP address range select [IP Ranges]. Then enter the [Start IP] address, the [End IP]

address and a [Range description]. Note that you can add one or more IP address ranges using the button .To finish, click [Ok].

4 Menu: Antivirus


b) If you want to specify a group of users, select [Users]. Then select the users by enabling the checkboxes in the[Name] column. To finish, click [Ok].

6. In the newly created rule, if you want to specify the protocol type the antivirus will perform its analysis on click onthe link from the [Flow] column. Then select one or more protocols for which you want to make the filtering, byenabling the checkboxes from the [Label] column.


• FTP• HTTP• All these protocols.

7. In the newly created rule, click on the link from the column Destination, then click on the type of destination onwhich you want to apply your antivirus rule, using the menu [Select].

a) If you want to specify the URLs using a regular expression, click on [URL (regex)] then enter the regularexpression in the [Url] field. To finish, click on [Ok].

Note: Refer to Regex Syntax on page 240 for more information on the regular expression syntax.

b) If you want to specify the URLs using a list of URLs, click on [URL Lists], then enable the checkboxes of thelists you want to select in the Label column. Once done click on [Ok].


c) If you want to specify the URLs using a list of categories, click on [Categories Lists], then enable the checkboxesof the lists you want, in the Label column. Once done, click on [Ok].


d) If you want to specify the URLs using web 2.0 lists, click on [Web 2.0 Lists], then enable the checkboxes forthe lists you want to select in the Label column. Once done, click on [Ok].


e) If you want to specify the URLs using categories, click on [Categories], then enable the checkboxes of thecategories you want to select in the Label column. Once done, click on [Ok].


8. In the newly created rule, click on the link from the Content column, to specify the size of the content type on whichthe antivirus rule should be applied.

4 Menu: Antivirus


a) If you want to apply your rule on a specific content size, choose [Size] in the [Select] menu. Then choose the[Operator] and the [Unit] and finally the content size in the [Size] field. To finish, click [Ok] to save yourchanges.

For example: > 2 MB

b) If you want to apply your rule on a specific data format, choose [Real mime-type] in the menu [Select]. In

the Label column, expand the tree of MIME types desired, using the icon . Enable the checkboxes for thecorresponding MIME types you want in the Label column. Once done, click [Ok] to save your changes.

Note: A MIME type is an identifier defining a standard data format on the internet. Using MIMEtypes you can choose the types of media that you want to assign to your rule.

9. To specify this is an antivirus application rule, click on the link from the [Action] column.

a) Then select [Antivirus] in the [Select] menu.

b) Click on [Ok] to save your changes.


Sub-menu: Log

The log menu shows you the threats detected by the antivirus integrated in the Olfeo solution.

Here is a description of the columns from the threats log:

• Date: This column shows when the threat was detected.

4 Menu: Antivirus


• Client: Here is where you can see the user or the IP address of the computers the threat originated from.• URL: The URL where the threat is.• Threats: The type of threat detected

Chapter

5Menu: Mobility Controller

Topics:

• Sub-menu: Portals• Sub-menu: Voucher Types• Sub-menu: Access Control Lists• Sub-menu: Messages• Activating the public portal• Operator portal

5 Menu: Mobility Controller


Sub-menu: Portals

The public portals allow the users to authenticate through a page sent by the Olfeo solution. Unlike other types ofauthentication, public portal user accounts management is performed by the Olfeo solution via one or more operatorsthrough a dedicated console.

Using this portal, operators create tickets for each users. A ticket is a right to use. It contains a login/password the operatorwill give to the end user as well as specific properties (time quota, volume quota, authorized timeframes, validity etc.).The number of portal operators and the associated tickets types, are unlimited and managed by Olfeo administrators.

Using public portal based authentication can be appropriate in the following situations:

• You want to delegate the creation and management of internet access to an operator.• You want the end user accounts management to be local to the Olfeo solution.• You want to link user accounts specific properties (time quota, volume quota, authorized timeslots, validity etc.).



Adding a public portal

1. Go to the public portals creation page via [Mobility controller] > [Portals].

2. Click on the [Add portal] link to add a new public portal.

Section: Portal


4. Enter a description in the field [Description].

5. Choose the messages set for the new portal from the dropdown list [Message set].

Note: If you want to create a messages set for the public portal, go here: Sub-menu: Messages on page79.



6. Choose the template set for the new portal from the dropdown list [Template set].

Note: If you want to create a templates set for the public portal, go here: Sub-menu: Messages on page79.

7. If you want to send messages containing login/password via SMS, choose the SMS Gateway in the [SMS] field.

Note: If you want to create an SMS Gateway, go here: Sub-menu: Network on page 195.

Section: Self-Registration

Self-registration allows the user to independently generate a ticket for himself when the public portal page is displayedin the browser.

Figure 4: Captive portal page in the end user computer browser

As shown in the screenshot above, the user can click on the link[Send an email containing my login information]or [Send an SMS containing my login information] so that he can himself generate a login that he will receiveautomatically.

8. If you want the self-generated accounts information to be sent via SMS, select the type of ticket to associate for self-generated accounts via SMS in the [SMS] field.

Note: To each ticket type is associated an account usage duration.

Note: In this case, the phone number entered by the user will be used as login. The user will receivethe login/password via SMS.

9. If you want the self-generated accounts to be sent by mail, select the ticket type associated to email based self-registration in the [Email] field.

Note: To each ticket type is associated an account usage duration.



Note: In this case, the email address entered by the user will be used as a login. The user will receivethe login/password by email.

10. Define the reuse period that enables the user to regenerate tickets, using the [Reuse account duration] menu.

Note: The reuse period defines the time period during which the user is authorized to regenerate thetickets automatically. During this period, the tickets generated are associated to a login (same mail or tosame phone number). After this period of time, the existing user will be renamed and a new user accountwill be created.

Section: Fields

In this section you can define the fields that can be filled by the operator to create tickets or by end-user using the self-registration feature.

11. Use the button to add a specific field that can be entered by the operator or end-user using the self-registrationfeature, then enter a title in the field from the Label column.

12. Change the fields' properties as follow:

a) Choose the field type to use, via the Field type as follow.

Note: The field type Auto-generated allows for the generation of random logins.

b) If you want the field to be editable, enable the corresponding checkbox in the Editable column.

c) If you want the field to be mandatory , enable corresponding checkbox in the Mandatory column.

d) If the field can be used as a login field, enable the corresponding checkbox from the Login column.

Sub-menu: Voucher Types

A ticket is a right to use for a public portal user. It contains the login/password as well as specific properties (time quota,volume quota, authorized timeframes, validity etc.). The voucher types are created by the administrator and becomeavailable in the list of available vouchers for the operator in the operator portal.



Add a voucher type

1. Go to the voucher type creation page via the [Mobility controller] > [Voucher types].

2. Click on the link [Add a voucher type] to create a new voucher type that can be used by an operator.

Section: Voucher



Section: Voucher validity

5. Select the type of action that allows you to validate the voucher, using the radio buttons of the Start sub-section.

3 choices are available:

• [At creation]: In this case the ticket validatiy starts at the voucher creation.• [At first connection]: In this case ticket validity starts at the end-user first connection.• [On]: In this case the voucher validity starts at a date and time.

Section: Validity

6. Select a validity time for the voucher in the Validity section.

3 choices are available:

• [Forever]: In this case the voucher has unlimited validity.• [During x days and y hours]: In this case the voucher validity corresponds to the information entered.• [Until day j and time y]: The voucher validity expires after the indicated period.

Section: Filtering policy

7. Select the URL filtering policy that should be linked to the voucher type via the dropdown list [Default URL policy].



You have 2 choices:

• Either choose a URL policy that you previously created. If you want to create a policy go here: Creating a URLsfiltering policy on page 25.

• Or choose a URL policy of the type [Inherited policy]. In this case the vouchers will inherit the higher policythat you entered in the rules engine ([Rules] > [Users] tab [Mobility Controller] column URL Filtering).

In the following example all the vouchers from the library public portal will inherit the policy: "Library policy".

Figure 5: Example for setting URL filtering policy

8. Select the protocol filtering policy that should be associated to the voucher type via the [Default protocol policy]drop down.

You have 2 choices:

• Either choose a protocol filtering policy that you have created and which should be associated to the vouchertype via the [Default protocol policy] drop-down.

• Or choose a Protocol filtering policy of the type [Inherited policy]. In this case the vouchers will inherit thehigher policy that you entered in public portals hierarchy ([Rules] > [Users] [Mobility Controller] under theProtocol Filtering column).

Figure 6: Protocol filtering policy setup example



Sub-menu: Access Control Lists

The sub-menu [Mobility Controllers] > [Access Control Lists] allows you to define the public portal operators of thepublic portal and their rights.

Note: Once the public portals operators are created, they can log in the operator portal.

Note: For more information regarding the operator portal, check: Operator portal on page 87.

Add an operator to the public portal

1. Go to Access Control Lists settings page via [Mobility Controller] > [Access Control Lists].

2. Click on the link [Add an operator profile].

Section: Operator



Section: Rights selection

5. Add rights using the button.

Window: Portals

6. Select the portals on which you want to give rights.

a) To select the portals, expand the tree from the Label column, using the icon, then enable the correspondingcheckboxes.

b) Click on [Ok] to save the changes.

Window: Right

7. Select the rights you want to assign to the operator profile.

a) To select the rights, expand the tree from the Label column, using the icon, then enable the correspondingcheckboxes.



The following rights are possible:

• [User information]

• [View passwords]: Allows the operator to view users' password.• [Edit a user]: Allows the operator to edit an existing voucher and make changes.

• [Vouchers creation]

• {List of previously created vouchers}: Allows the selection voucher types the operator can create.

• [Additional URL filtering policies]

• [Inherited policy]: The operator can assign the "Inherited policy". The policy will therefore be inheritedfrom the policy defined on the main rules engine page ([Rules] > [Users] [Mobility controllers] URLfiltering column).

• {List of previously created URL filtering policies}: Allows the operator to assign a voucher the URLfiltering policies from the list of selected URL filtering policies.

• [Additional protocol filtering policies]

• [Inherited policy]: The operator can assign to a voucher the "inherited policy" therefore inheriting thepolicy set in the main rules engine ( [Parameters] > [Users] [Mobility controllers] Protocol Filteringcolumn).

• {List of previously created protocol filtering policies}: Allows the operator to assign a voucher aprotocol filtering policy among the selected protocol filtering policies.

• [Notification media]

• [Print]: Allows the operator to print vouchers.• [Mail]: Allows the operator to send the account information by email.• [SMS]: Allows the operator to send the account notification by SMS.

b) Click on [Ok] to save the changes.

Section: Selecting the users

8. Select the users who will become the public portal operators.

a) To select the operators, expand the tree from the Name column, using the icons, then enable the correspondingcheckboxes.

9. Click on [Create] to save your changes.

Sub-menu: Messages

The sub-menu [Mobility controller] > [Messages] allows you to define the texts and the design of the pages relatedto the public portal such as:



• The login page.• The voucher printing page.• The self-registration page.• The Password recovery form.• The voucher email content.• Etc.

More precisely:

• The [Messages] tab allows you to define the texts shown to the users in accordance to the users' browsers supportedlanguages.

• The [Templates] tab allows you to add images and to reorganize the pages shown to your users.• The [Message Preview] tab allows you to view the final result of your modifications.

Creating a message set

1. Go to the creation page for a message set via the [Rules] > [Messages] > [Messages] menu.

2. Click on the link [Add a message set].

Section: Add a Message Set





Section: Languages

5. Set the default language for this message set using the Default column. This language will be used if no languagehas been assigned to users in the users list in the [Rules] > [Users] menu.

6. Click on the language of your choice by selecting it from the Language column.

Note: If you want to add a new language, click on the button.

Section: Login Form/Printed Voucher/Self-Registration/Password recovery/Send the voucher by mail/Send the voucherby SMS/Miscellaneous

7. Edit as needed the messages available in the various sections.

Here is a set of variables that you can use in your messages:

• %Req.User.Login% : Displays the user login for the associated voucher.• %Req.User.Expire.Day% : Displays the voucher expiration day.• %Req.User.Expire.Month% : Displays the voucher expiration month.• %Req.User.Expire.Year% : Displays the voucher expiration year.• %Req.User.Expire.Hours% : Displays voucher expiration hour.• %Req.User.Expire.Minutes% : Displays the voucher expiration minute.• %Req.User.ValidityStart.Day% : Displays the voucher validity start day.• %Req.User.ValidityStart.Month% : Displays the voucher validity start month.• %Req.User.ValidityStart.Year% : Displays the voucher validity start year.• %Req.User.ValidityStart.Hours% : Displays the voucher validity start hour.• %Req.User.ValidityStart.Minutes% Displays the voucher validity start minute.• %Webauth.Create.Login% : Displays the email or the phone number used to create the voucher based on the

self-registration method selected.• %Webauth.Login% : Displays the login of an already authenticated user.• %Webauth.IP% : Displays the IP address of an already authenticated user.




Creating a template set

1. Go to the creation page for a template set via the [Rules] > [Messages] > [Templates] menu.

2. Click on the link [Add a template set].

Section: Add a Template Set






Tab: Templates

6. Click on the template you want to create in the Label column.

Section: Picture 1, 2 or 3

7. If you want to upload a new image click on the [Browse] button and then select the image file.

a) Click [Ok] to store the newly added image.

Note: The newly uploaded image can be referenced in your template using the following string:

Picture 1

<?cs var:Page.Img.1 ?>

Picture 2


Picture 3


8. Edit the newly created templates set by clicking below the Label column.

Section: Elements

9. Click on the [Footer], [Self-Registration], [Mail message], [Header], [Print] or [Mobility Controller] to modifythe HTML code for the corresponding page.

a) Edit as needed the displayed HTML code.

Note: You can edit the variables, messages order or the pages content.

Below are two code examples that you can use to insert images that you previously uploaded.

<img src='<?cs var:Page.Img.1 ?>' /><div style='background-image:url(<?cs var:Page.Img.3 ?>);'> ... </div>





Previewing custom messages and template set

1. Go to the preview page to display your custom messages and templates via the [Rules] > [Messages] > [MessagePreview] menu.

Section: Option

2. Choose the language for the message set you want to display using the [Language] dropdown list.

3. Choose the message set you want to display, using the [Messages] dropdown list.

4. Choose the template set you want to display using the [Templates] dropdown list.

5. Choose the page type you want to display using the [Page type] dropdown list.

Section: Preview

6. You can see the result in the preview section.



Assigning your messages and template sets

1. Go to the main rules engine page using [Rules] > [Users] > [Mobility controllers].

Section: Users list

2. In the users list section in the Name column, click on the object you want to assign a message or template set to. If

needed, expand the users list hierarchy using the icon to display the enterprise directory, the groups or users.

Window: Users List Configuration

3. Select the language you want to assign using the [Language] dropdown list.

4. Select the messages set you want to assign using the [Message Set] dropdown list.

5. Select the templates set you want to assign using the [Templates] dropdown list.


Note: In the users' hierarchy, next to the objet you changed, the following icon will be displayed,indicating an advanced function has been configured.

Activating the public portal

1. Go to the main rules engine page via [Rules] > [Users] > [Access] tab.

2. Click the button to add a rule.



3. In the newly created rule, you can select a timeslot condition using the link in the Timeslot column. Then you willhave to select a timeslot from all the timeslots previously configured using the Label column.


4. In the newly created rule, if you want to specify a source condition click on the link from the [Source] column.Select the type of source you want to use as a condition using the [Select] dropdown list.



b) If you want to specify a group of users as condition, select [Users]. Then select the users by enabling thecheckboxes in the [Name] column. To finish, click [Ok].

5. In the newly created rule, if you want to specify a protocol type as a condition click on the link from the [Flow]column. Then select one or more protocols by enabling the corresponding checkboxes from the [Label] column.


• FTP• HTTP• HTTPS• RTSP• All these protocols.

Note: The public portal is typically used with browsers type HTTP client because it requires web pagebased user authentication that cannot be displayed by non browser HTTP clients. Thus supported protocolsfor the public portal are HTTP and HTTPS.

6. In the newly created rule, click on the link in the Destination column, then click on the type of destination for whichyou want to apply the rule via the [Select] menu.

a) You can apply the public portal to particular destinations using a regular expression. To do so click on [URL(regex)] then enter the regex expression in the [Url] field. To finish, click [Ok].

Note: Refer to Regex Syntax on page 240 for more information on the regular expression syntax.

b) If you want to apply the public portal using a URLs list, click on [URL Lists], then enable the correspondingcheckboxes for the URL lists in the Label column. Once done, click on [Ok].


c) If you want to apply the public portal to a list of categories as destination, click on [Categories Lists], then enablethe corresponding checkboxes for the desired categories lists in the Label column. Once done, click on [Ok].




d) If you want to apply the public portal to Web 2.0 Lists as a destination, click on [Web 2.0 Lists], then enablethe corresponding checkboxes for the desired Web 2.0 Lists in the Label column. Once done, click on [Ok].


e) If you want to apply the public portal to a set of categories as a destination, click on [Categories], then enablethe corresponding checkboxes for the desired categories, in the Label column. Once done, click on [Ok].


7. In the newly created rule, click on the icon from the [Action] column.

a) Select [Authentication Portal] via the [Select] menu.

b) Select the desired public portal you want to use via the [Portal] menu.

c) Click on [Ok] to save your changes.


Operator portal

To create accounts intended for public portal end users, operators uses a specific console: The operator portal.

The operator portal can be accessed via the menus [Mobility Controllers] > [Portals] then click on the [Operator'sPortal] tab.

Figure 7: The tab allows access to the public portal

Once the operator portal page is displayed, send the displayed URL to the operator so he can create the accounts.



Figure 8: Operator portal

Note: The accounts allowed to use the operator portal are defined here: Sub-menu: Access Control Listson page 78.



Operator: Creating accounts

This procedure is for operators.

1. Go to operator portal console using the URL the admin sent you.

2. Connect to the portal by entering your [Username], your [Password] and choosing your [Language].

3. Click on the [Account creation] tab.

Section: Selecting the portal

4. Select the public portal on which you want to create an account, using the radio buttons from the [Portal] list.

Section: Create a user on portal: <Portal Name>

5. Enter the login for the user in the [Login] field.

Note: If the login is automatically generated, you can optionally change it or keep it as is..

6. If desired and if the Olfeo administrator has authorized the operator to edit this field, you can change the passwordin the [Password] field.



Warning: If you are not authorized to change the password and you want this field to be modifiable,contact your Olfeo administrator. Using the menu [Mobility controller] > [Portals], the Olfeoadministrator can change the corresponding properties for the appropriate field in the fields of thecorresponding public portal to make the field editable.

7. Choose a language that will be used by the user, in the [Language] field.

8. Populate the remaining fields, particularly those related to user contact information such as ([E-mail], [Phone] ...).

Warning: Note the required fields are marked with an asterisk: .

Section: Rights assignment

9. Choose the voucher type you want to assign to the new account by selecting on of the radio buttons from the [Profile]field.

10. Check Start and Validity values that were generated for the account you are creating.

11. If you have the appropriate authorizations, you can assign a URL filtering policy by selecting it from the [URLfiltering] list.

Note: If you cannot assign a URL filtering policy because you don't have the appropriate authorization,contact your Olfeo administrator. Using the menu [Mobility Controller] > [Access Control Lists], theOlfeo administrator will change your corresponding [Operator Profile] and give you right to assign URLfiltering policies by modifying your operator profile [Additional URL filtering policies] property.

12. If you have the appropriate authorizations, you can assign a protocol filtering policy by selecting it from the [ProtocolFiltering] list.

Note: If you cannot assign a protocol filtering policy because you don't have the appropriate authorization,contact your Olfeo administrator. Using the [Mobility Controller] > [Access Control Lists], the Olfeoadministrator will change your corresponding [Operator Profile] and give you the right to assign Protocolfiltering policies by modifying your operator profile [Additional protocol filtering policies] property.

13. Click on [Create] to create the account or to [Start Over] to restart the account creation process.

14. If you want to print the voucher just created, click on the button [print the voucher] and follow the printing popupinstructions.

Note: To be able to print, your browser should allow popup windows from Olfeo. (Menu [Parameters] >[Network] > [Sms]).

15. If you want to email the voucher information click on the button [Send the voucher by email].

Note: To send the vouchers by email, the Olfeo administrator should have configured the SMTP gatewayfor the Olfeo solution (Menu [Parameters] > [Network] > [SMTP]).

a) Once the printing popup window is displayed, click on the [Print] link in the upper left corner of the windowto start printing.



b) Then give the printout to the public portal user.

16. If you want to send voucher information click on the button [Send the voucher by SMS].

Note: To send the voucher by SMS, the Olfeo administrator should have configured a SMS gateway forthe Olfeo solution (Menu [Parameters] > [Network] > [SMS]).

Viewing existing accounts information


1. Go to operator portal console using the URL the Olfeo administrator sent you.

2. Connect to the operator portal by entering your [Username], your [Password] and choosing your [Language].

3. Click on the [Account list] tab.

Section: Accounts list

4. Public portal accounts information is displayed in the following columns:

Option Description

Creator The Creator displays the public portal operator who created the account:

• The name of the operator will be displayed.• If the account was created by the end user using the self-registration process, the self-

registration method will be displayed.

Portal The Portal column displays the public portal the account belongs to.

Login The Login column displays the user login. It can be:

• The login entered by the operator.• The phone number entered by the user during the SMS self-registration process.• The email entered by the user during the email based self-registration process.



Option Description

Creation The Creation column displays the account creation date.

Start The Start column displays the initial voucher validity. It can be:

• A date.• First connection if the account is valid from the first connection.

Validity The Validity column contains the voucher validity period: It can be:

• A duration in days.• A specific date.

Active The Active column indicates if an account is active. The operator can mark an account as inactiveby enabling the corresponding checkbox in this column.

Modifying existing account information


1. Go to the operator portal console using the URL the Olfeo administrator sent you.

2. Connect to the operator portal by entering your [Login], your [Password] and selecting your [Language].

3. Click on the [Account list] tab.



Section: Accounts list

4. If you want to deactivate an account, disable the corresponding checkbox from the Active column.

a) Click on [Ok] to validate the confirmation popup.

Once deactivated, the user cannot connect anymore using this account . The user account will be displayed witha strikethrough style in the users list and can be reactivated at any time by an operator.

5. Select the account you want to modify by clicking on one of the links from the columns Creator, Portal, Login,Creation, Start, Validity.

Section: Voucher summary

6. You can modify the voucher fields such as [Password], [Login], [Language], [Phone] ...

Section: Rights Grant

7. If you want to change voucher fields such as [Start], [Validity], [URL filtering] or [Protocol filtering], click onthe [New Voucher] button.

a) Choose the voucher type you want to assign to the account by selecting one of the radio buttons from the [Profile]field.

b) If you have the appropriate authorizations, you can assign a URL filtering policy by selecting it from the [URLfiltering] list.

Note: If you cannot assign a URL filtering policy because you don't have the appropriateauthorization, contact your Olfeo administrator. Using the menu [Mobility Controller] > [AccessControl Lists], the Olfeo administrator will change your corresponding [Operator Profile] and giveyou right to assign URL filtering policies by modifying your operator profile [Additional URLfiltering policies] property.

c) If you have the appropriate authorizations, you can assign a protocol filtering policy by selecting it from the[Protocol Filtering] list.

Note: If you cannot assign a protocol filtering policy because you don't have the appropriateauthorization, contact your Olfeo administrator. Using the [Mobility Controller] > [Access ControlLists], the Olfeo administrator will change your corresponding [Operator Profile] and give you theright to assign Protocol filtering policies by modifying your operator profile [Additional protocolfiltering policies] property.

d) Click on [Modify].

8. If you want to print the voucher just created, click on the button [print the voucher] and follow the printing popupinstructions.

Note: To print, your browser needs to be set up to allow popup windows.

9. If you want to email the voucher information click on the button [Send the voucher by mail].



Note: To send the vouchers by email, the Olfeo administrator must configure a SMTP gateway for theOlfeo solution (Menu [Parameters] > [Network] > [SMTP]).

a) Once the printing popup window is displayed, click on the [Print] link in the upper left corner of the windowto start printing.

b) Then give the printout to the public portal user.

10. If you want to send voucher information via SMS click on the button [Send the voucher by SMS].

Note: To send the voucher by SMS, the Olfeo administrator must configure a SMS gateway for the Olfeosolution (Menu [Parameters] > [Network] > [SMS]).

11. Click on the [Modify] button to edit the account or [Back to list] to cancel the account modification.

Chapter

6Menu: Rules

Topics:

• Sub-menu: Users• Sub-menu: Quotas• Sub-menu: Time slots• Sub-menu: URLs lists• Sub-menu: Messages• Submenu: Internet Charters

6 Menu: Rules


Sub-menu: Users

The [Rules] > [Users] menu contains the rules engine. This is where the filtering rules, the authentication rules (captiveor public portal), as well as the internet charter activation are applied

The rules engine is composed of two distinct parts:

1. The global part of the rules engine allows you to apply general filtering rules.

2. The users list. This part allows you to apply predefined rules (filtering policies) to an Organizational Unit (OU), agroup of users, a specific user or an IP address.

rules engine

The configuration of the rules engine is done via 4 tabs ([Connection], [Access], [Preview], [Content]) in which theOlfeo admin creates filtering rules.

6 Menu: Rules


Table 3: The 4 tabs of the rules engine

Tab Description

[Connection] The [Connection] tab controls the right to connect to remote servers. This is the place the Olfeo administratorsetup filtering rules controlling connection to remote servers using SOCKS and FTP.

[Access] The [Access] tab controls the right to access remote resources (FTP base file download, videos, etc). In the[Access] tab, the configuration of the access restrictions can be done for HTTP, HTTPS, FTP and RTSP. TheOlfeo administrator can also define rules to enable user authentication via a captive portal, a public portal orusing Novell SSO. This tab also allows for the Olfeo administrator to activate an Internet charter.

[Preview] The [Preview] tab provides the capability to define filtering rules applied at the start of a download processor when Olfeo is invoked by external proxy or via the ICAP protocol. More precisely the use of the previewoption of the ICAP protocol.

In this tab the Olfeo administrator can filtering rules for contents based on MIME type (text, picture, videos,files etc.) and sizes before receiving the whole content. The main advantage of the preview tab is to be able tofilter content before downloading it and therefore consuming bandwidth.

[Content] The [Content] tab provides control of contents after it was completely received via the HTTP and FTP proxy.

In this tab you create filtering rules based on content MIME type (text, picture, videos, files etc.) or size afterreceiving the content in its entirety. In this tab you can also implement antivirus scan operation on the receivedcontent.

Warning: Note the difference between [Connection] and [Access]. You can for example block a server in[Access] therefore preventing any file download but you can connect to it via the FTP proxy and be able tobrowse the distant tree structure.

The configuration tabs for the rules engine have some common criteria:

• The choice of the timeslot.• The source which can be the client IP address, the username or his group.• The destination can be a group of categories or a group of URLs.• The action to perform. The action that can be performed depends on the tab being used.

The usage of the rules engine covers the following cases:

• Antivirus scanning of the downloaded content.• Usage of the captive or public portal to authenticate groups of users.• Control over the type of file accessed by the user regardless of the protocol used.• Filtering operation over the size of files that can be downloaded by users.• Etc.

Warning: Similar to a firewall, Olfeo rules engine applies filtering rules according to their priorities. Filteringrules are evaluated from top to bottom.

6 Menu: Rules


Configuring Filtering

1. Go to the main rules engine page using the [Rules] > [Users] menu.

2. Select the phase you want to apply a filtering rule to among [Connection], [Access], [Preview] or [Content].

Table 4: The 4 rules engine tab

Tab Description

[Connection] The [Connection] tab controls the right to connect to remote servers. This is the place the Olfeoadministrator setup filtering rules controlling connections to remote servers using SOCKS and FTP.

[Access] The [Access] tab controls the right to access remote resources (FTP based file download, videos, etc). In the[Access] tab, the configuration of the access restrictions can be done for HTTP, HTTPS, FTP and RTSP.The Olfeo administrator can also define rules to enable user authentication via a captive portal, a publicportal or using Novell SSO. This tab also allows for the Olfeo administrator to activate an Internet charter.

[Preview] The [Preview] tab provides the capability to define filtering rules applied at the start of the downloadprocess or when Olfeo is invoked by an external proxy or via the ICAP protocol. More precisely the useof the preview option of the ICAP protocol.

In this tab, you can set filtering rules to filter out content based on content MIME type (text, pictures, videos,files etc.) and content size before the content is actually received. The main advantage of the preview tab isits ability to filter out content before the content is actually received therefore saving bandwidth.

In the [Preview] tab you can specify the transfer method to use for ICAP based integration. The following3 options are available:

• [Wait for the end of the analysis]: Wait until the data has been received and analyzed before transferringto the end user.

• [Patience page]: While waiting for data transfer and analysis, display a patience page to the end userdisplaying a progress bar for data transfer and analysis.

• [Data trickling]: Data bytes are transferred to the user as soon as they went through the analysis phase.

[Content] The [Content] tab provides the capability to filter out content after it has been entirely received. It appliesto the HTTP and FTP proxy.

In this tab you create rules filtering content based on MIME type (text, picture, videos, files etc.) or sizeafter the content has been entirely received. You can also implement antivirus scanning operation on thereceived content.

3. Click the button to add a rule.

4. In the newly created rule, you can select a timeslot condition using the link in the Timeslot column. Then you willhave to select a timeslot from all the timeslots previously configured using the Label column.

6 Menu: Rules



5. In the newly created rule, if you want to specify a source condition click on the link from the [Source] column.Select the type of source you want to use as a condition using the [Select] dropdown list.



b) If you want to specify a group of users as condition, select [Users]. Then select the users by enabling thecorresponding checkboxes in the [Name] column. To finish, click [Ok].

6. In the newly created rule, if you want to specify a protocol as a condition click on the link from the [Flow] column.Then select one or more protocols by enabling the corresponding checkboxes from the [Label] column.


• FTP• HTTP• HTTPS• RTSP• All these protocols.


a) If you would like to filter the URLs by a regex regular expression click on [URL (regex)] then enter the regularexpression in the [Url] field. To finish click on [OK].


b) If you would like to filter the URLs by URLs lists click on [URLs Lists] then confirm the lists of URLs that youwant by using the checkboxes in the Label column. To finish click on [OK].


c) If you would like to filter the URLs by categories lists, click on [Categories Lists] then confirm the lists thatyou want using the checkboxes in the Label column. To finish click on [OK].


d) If you would like to filter URLs using a Web 2.0 List, click on [Web 2.0 List] then confirm the web 2.0 listsyou want, using the checkboxes from the Label column. To finish click on [OK].

6 Menu: Rules



e) If you would like to filter the URLs by categories click on [Categories] then confirm the categories you want,using the checkboxes from the Label column. To finish click on [OK].


8. In the newly created rule, click on the icon from the [Action] column, then click on the type of action you wantto apply to your rule, using the [Select] menu.

a) If you want your filtering rule to allow the corresponding traffic, select [Allow].

b) If you want your filtering rule to block the corresponding traffic, select [Deny].

c) If you want your filtering rule to apply a public or captive portal, select [Authentication portal] as action.

• Then enter the captive or public portal that you want to set up, using the [Portal] dropdown list.• If your authentication mode uses an ActiveDirectory enterprise direction and want to use the NTLM

authentication method, enable the [Use NTLM] checkbox.• To finish, click [Ok].


Users list

In this window, via the [Rules] > [Users] menu, you can apply filtering policies. But in order to apply a filtering policy tousers or groups, you need to populate Olfeo with users from your directory using the [Parameters] > [Authentification]menu.

6 Menu: Rules


Note: It is possible to manually add items in the users list. Manually adding users, users groups or IP addressescan be done instantly by clicking on the container. In order to view a manually created object you need to close

and expand the object container using the icon. Olfeo does not refresh these lists automatically in order toavoid delays of several seconds after each new entry for customers with thousands of users in the same group.

Note: To view the Olfeo users database last sync, over over the OU name.

Here is a list of icons that are used in the users list interface :

• (By OU, group or user) allows you to activate an advanced feature such as access log, audit, custom messageor custom model. (Do not log access, audit, custom messages or templates).

• (On policies) The presence of this icon means that the policy is a non-terminal policy or policy with inheritancetype. A policy is inherited when it contains the field [Fallthrough rule] set to [Upstream policy].

• (On policies) The presence of this icon means that the policy is terminal. Any context that is not included in thedeclared policy of this rule is either [Allow] or [Deny].

• (On OU/groups/users) allows a visual alert that an internet charter enabled.• The presence of this icon indicates that logging is enabled for the object in question.• The presence of this icon indicates that coaching is enabled for the object in question.• The presence of this icon indicates that the auditing mode is enabled for the object in question.

Note: To directly edit a policy, click the icon or icon.

Policies

An URL filtering policy is a set of predefined rules that you can assign to an organizational unit, to a user group, toa specific user or to an IP address.

6 Menu: Rules


The URL filtering policies can be created via the menu [URL Filtering] > [Policies].

The policies are assigned to users in the lower part of the rule engine (menu [Rules] > [Users]), more specifically inthe Protocol Filtering column.

Warning: The policies are executed only when the general rule engine has the field [Fallthrough rule] setto Apply user policy.

Figure 9: Field [Fallthrough rule]

The Olfeo solution evaluates filtering policies starting with the lowest level (the user or the IP address), and then goesupwards to the highest level (the default configuration) until it finds a filtering rule matching the request context.

6 Menu: Rules


A URLs filtering policy can inherit a policy from a higher level. To configure inheritance of a higher policy, edit thechild policy in [URL Filtering] > [Policies] and set the field [Fallthrough rule] to the value Upstream policy.

A policy whose inheritance is positioned will be displayed with the icon while a policy without inheritance will be

displayed with the icon .

Note: To facilitate navigation, if you click on the icon or you will have direct access to edit the attachedpolicy.

Default configuration

This object is used to define the parameters that will apply to all users filtered by the Olfeo solution. Any user who doesnot have a policy, or his group, or his BU, will use the default filtering policy. Assigning a default configuration policyis mandatory to ensure that unauthenticated user or user with authentication failure are filtered.

You can define:

• A default URL filtering policy.• A default protocol filtering policy.• A message set to use for all users for various Olfeo pages.• A template definition for Olfeo blocking pages (logo, ...).• Activate/Deactivate the coaching feature at global level.• Activate/Deactivate the audit mode at global level; Activate/Deactivate logging at global level.

Danger: Some configuration uses a default policy preventing internet use for unauthenticated users. Othersparameters configure a default filtering policy implementing minimal filtering ensuring legal protection andunwanted internet use for non-authenticated users or guests.

6 Menu: Rules


Configuring the default users list

1. Go to the filtering policies assignment page via [Rules] > [Users].

2. In the Directories tab click on the link [Default configuration] from the Name column.

3. Enable the desired parameters:

• [Don't Log Access]: This option prevent any recording of users' internet access.• [Audit]: This option enables the audit mode. users' internet access is recorded but no filtering is enforced. Even if

the filtering policies are evaluated, the decision applied is always to allow the corresponding traffic. This optionallows therefore to build statistics and assess the potential impact of a blocking condition.

• [Coaching]: Enable the coaching feature.

4. Choose the language to apply in the [Language] field.

5. Choose the message set to apply in the [Message Set] field.

6. Choose the templates to apply in the [Templates] field.

7. Choose the internet charter to apply in the [Internet Charter] field.


6 Menu: Rules


Editing an object from the users list


2. In the Directories tab click on a Organizational Unit (OU), a Group or an User from the Name column.

3. [Gateway]: If a gateway using the Olfeo solution has been configured, enter its IP address in the [Gateway] field.

Note: If you did not add a gateway, go to the menu: [Parameters] > [Advanced] > [Gateways].

4. [Redirection URL]: If an internet access is blocked by Olfeo, a blocking page is displayed to the user. It is possibleto create a customized Redirection URLs to redirect the user to a custom blocking page.

Note: by default on a blocking condition, Olfeo generates a redirection URL with the following format:

http://%Sys.Host%:%Sys.HTTPD.Port%/%Req.Answer.WWWModule%/?SessionID=%Session.SessionID%

Example 1: Send a redirect URL with an IP address different from the Olfeo local IP address. In the case of acustomer contacting the Olfeo solution using a NAT based IP address, the redirection URL for the Olfeo blockingpage will use the local IP address of the Olfeo which will lead to a connection failure. For the redirection to workthe solution must send a redirection URL containing the NAT based IP address therefore allowing the end-user toreach the Olfeo. To setup a custom IP address (192.168.4.1) use [Redirection URL] field :

http://192.168.4.1:%Sys.HTTPD.Port%/%Req.Answer.WWWModule%/?SessionID=%Session.SessionID%

Example 2: Send a custom a redirect URL that contains the name or place where the users are. Imagine thecase in which the customer is located in a remote branch of the parent company. When sending the redirection URL

6 Menu: Rules


to the blocking page, it may be interesting for the branch to display the user location (name of the branch) ratherthan the location of the parent company.

For the redirection to work, the Olfeo solution must send a redirection URL containing the NAT based IP addressand the end user location to contact Olfeo. If you want a custom redirection URL containing users' location name,enter it in the [Redirection URL] field with:

http://masuccursale.monenterprise.com:%Sys.HTTPD.Port%/%Req.Answer.WWWModule%/?SessionID=%Session.SessionID%

5. [Don't log access]: If you do not want to record the corresponding users browsing activity in the Olfeo database.To enable it select Enabled in the dropdown list [Don't log access].

Warning: The corresponding end users will still be subject to Olfeo filtering policies but their browsingactivity will not be record in Olfeo logs and therefore will not be visible in any analysis from the [Analysis]menu. For legal reasons, the NCSA logs are saved with the user traffic.

6. [Audit]: If you do not want to block the corresponding end users but save the browsing activity in the Olfeodatabase in the same manner as if it was filtered (blocking, overriding, etc...) enter Enabled in [Audit] dropdownlist. Once enabled, no filtering will be performed therefore no blocking page will be displayed to the correspondingusers but their browsing activity will be recorded.

7. [Coaching]: To enable the coaching feature, enter Enabled in the [Coaching] dropdown list. The coachingfeature automatically sends a periodic email to users with the feature activated. This email includes a predefined setof user specific browsing activity reports.

8. [Language]: In this field, select the language to associate to the corresponding users.

9. [Message Set]: To associate a specific message set to the corresponding users, select a message set from the[Messages] dropdown list. To create a custom messages set go to [Rules] > [Messages] > [Messages].

Note: A messages set allows you to customize the texts displayed in various pages presented to end users.

10. [Templates]: If you want to associate a custom templates set to the corresponding users, select the set from the[Templates] dropdown list. You can create a custom templates set via the [Rules] > [Messages] > [Templates]menu.

Note: A messages set allows you to customize the rendering of the various pages presented by the Olfeosolution to the end users.

11. [Internet Charter]: To associate an internet charter to the corresponding users, select the appropriate internetcharter from the [Internet Charter] dropdown list. You can create an internet charter via the [Rules] > [Internetcharters] menu.


6 Menu: Rules


Configuring a URL filtering policy

1. Go to the URL filtering policy configuration page using the menu [Rules] > [Users].

2. In the [Directories] tab or [Mobility controllers] expand the users' hierarchy in the [Name] column in order to

display the organizational units, the groups or the users for which you want to apply your policy, using the icon .

3. Click on the corresponding link from the [URL Filtering] and then select the URL filtering policy that you want.

Note: If you would like to edit the policies or to create a policy, go to the page [URL Filtering] >[Policies].

Assigning a protocol filtering policy

1. Go to the main Olfeo page used to assign filtering policy using menu [Rules] > [Users].

2. In the [Directories] tab or [Mobility controllers], expand the users' hierarchy in the [Name] column using the icon in order to display the organizational units, the groups and users you would like to apply a filtering policy on.

3. Click on the link in the [Protocol Filtering] column and select the desired protocol filtering policy.

Note: If you would like to modify existing policies or create a new policy go to the [Protocol filtering] >[Policies] page.

6 Menu: Rules


User lookup

You can lookup a specific user by entering a name or substring in the [Name filter] field and then clicking on

To clear the name filter, click on the button.

Sub-menu: Quotas

A quota is used to restrict access to categories in volume or time. When a website subject to this quota is blocked, theuser may choose to use his quota. An Olfeo information page will be displayed, informing the user about the accessto a category that is subject to a quota.

Consider the case of a time quota:

6 Menu: Rules


Figure 10: Example of an information page for a time quota

If the user confirms the opening of a session, a session will start therefore reducing the user time quota of the entireduration of the session. The session duration is counted minute by minute.

Using session with time quota allows for limiting access in time but also in terms of number of access. For example, adaily 30 minutes quota with session duration of 15 minutes will allow the user to access the URL only twice a day.

Warning: Once a quota session has been opened by a user, the total duration of the session is automaticallydeducted from the quota even if the user does not use the session in its entirety.

Creating a time quota

1. Go to the time quota creation page via the [Rules] > [Quotas] > [Quotas].

6 Menu: Rules


2. Click on the link [Add quota].

Section: Quota




5. Choose the quota frequency in the [Period] field.

6. Enter the quota duration in minutes in the [Duration] field.

7. To enforce end-users to confirm their quotas opening, enable the [Confirm to open quota] checkbox. If you do notenable this checkbox end-users will not be informed their browsing is subject to a quota.

Note: The quota opening confirmation request is only displayed when there is no active quota session.

8. To assign a specific session duration, enable the [Use session] checkbox, then enter the desired session duration inminutes in the corresponding field.

Note: If you do not specify a specific session duration, the default set by Olfeo is 1 minute (If the userdoes not generate traffic for a minute, the quota session expires).

9. Click on [Create] to save changes.

Creating a volume quota

1. Go to the volume quotas page via [Rules] > [Quotas] > [QuotaVols].

2. Click on the link [Add a volume quota].

Section: QuotaVol


6 Menu: Rules




5. Choose the quota frequency in the [Period] field.

6. Enter the volume quota in MB in the field [Volume].

7. Click on [Create] to save changes.

Using a quota

Quotas are used in filtering policies rules. To configure a filtering policy go to the [URL filtering] > [Policies] page.Edit or create the policy you want to use a quota in and on the corresponding rule you want to apply a quota to, selectyour quota as an action in the Action column.

Warning: While it's possible for an end-user to be subject to multiple quotas, a category cannot be subject tomore than one quota. If multiple quotas have been defined for a particular category, only the highest priorityrule quota will apply.

Note: It is possible to restrict a quota application to a specific timeslot (quota for non-professional suitesduring working hours but unlimited access outside the corresponding timeslot).

6 Menu: Rules


Sub-menu: Time slots

A time slot allows you to set the days of the week and hours you could apply a filtering policy on. You can, for example,be more lenient in your filtering for any browsing activity outside business hours, therefore allowing users to accessmore web sites.

Time slots allow you to adjust your policies or rules in the filtering engine.

Creating a timeslot

1. Go to the timeslot creation page via [Rules] > [Time Slots].

2. Click on the link [Add timeslot].

Section: Timeslot



6 Menu: Rules


Section: Week

5. Enter a timeslot during workdays. The syntax for timeslots is specified in the example below.

The example shows the implementation of a timeslot for professional hours. Thus, the filtering policy will be stricterfrom 7h to 12h and from 14h to18h. Outside of these timeframes, the filtering policy will not apply.

Danger: More precise timeframes, such as "7h45-12h10" are correct and can be applied, howeverthey cannot be used for statistics generation! In fact, displaying statistics with timeframe constraints willwork with full hours only!


Using a timeslot

Timeslots are used via URL filtering policy, or via rules engine.

• To use a timeslot in a policy, go to the [URL filtering] > [Policies] page. Edit the desired policy and use the timeslotin the Timeslot column for the rule you want to change.

Figure 11: Usage example in policies

• To user a timeslot in the rules engine, go to the page [Rules] > [Users] and select the timeslot in the timeslotcolumn of the rule engine.

6 Menu: Rules


Figure 12: rules engine usage example

Sub-menu: URLs lists

A URLs list is a container used to group a set of URLs that you want to define outside of the categories. This URLsList can then be included in a policy or the rule engine.

Creating a URL List

1. Go to the URLs list creation page via [Rules] > [URL Lists].

6 Menu: Rules


2. Click on the link [Add URL List].

Section: URL List




5. To add URLs to the URLs list you want to create, you have 2 options:

• you can add a list of URLs from a text file by selecting it with the button [Browse] and then clicking on:

• the [Add] button imports the content of the file in the [Urls added] field.• the [Replace] button to replace the content of the [Url added] field.

• You can enter the manually enter URLs in the [URL added] field.

Each line of your URL list will list a single URL and will end with a newline. You can also create URLs also usingregular expression syntax explained in the chapter Regex Syntax on page 240.

Here is an example of a URLs list:

.*google\.fr.*http://www.dailymotion.fr.*yahoo\.fr

6. If you want to export your URLs list to a text file, click on the [Export] button. Once the list is displayed in yourbrowser, click on [File] > [Save As] and save your file as a text file.

7. Click on [Ok] to save changes.

Using a URLs list

URL lists are used in a filtering policy, or in the main Olfeo rules engine.

• To use a URLs list in a filtering policy, go to the [URL filtering] > [Policies] page. Edit the desired policy and useyour URLs list in the Destination column for the rule you want to change

6 Menu: Rules


.• To use a URLs list in the Olfeo main rules engine, go to the [Rules] > [Users] and use the URLs list in the

Destination column for the rule you want to change in the rule engine.

Sub-menu: Messages

The [Rules] > [Messages] submenu allows you to define the texts, the rendering of :

• Blocking pages.• Quota pages.• Coaching page.

6 Menu: Rules


• Security alert page.

More specifically:

• The [Messages] tab allows you to define / change the texts displayed to end-users based on the users' browserssupported languages.

• The [Templates] tab allows you to add pictures and to adapt the rendering of the various pages presented by Olfeoto the end users.

• The [Message Preview] tab allows you to display the result of your modification.

Creating a Message Set

1. Go to the creation page for a message set via the [Rules] > [Messages] > [Messages] menu.

2. Click on the link [Add a message set].

Section: Add a Message Set



Section: Languages

5. Set the default language for this message set using the Default column. This language will be used if no languagehas been assigned to users in the users list in the [Rules] > [Users] menu.

6 Menu: Rules


6. Click on the language of your choice by selecting it from the Language column.

Note: If you want to add a new language, click on the button.

Section: Block pages/Quota/Bypass/Mail/Coaching mail/Custom/Webauth/Miscellaneous

7. Edit as needed in the corresponding sections, the messages you want to change..

Messages in messages set can you various variables :

• %Req.Category.id% : The URL category Id (useful in a javascript).• %Req.Category.Label% : The URL category name with its Alias. Each category has an Alias that can be

changed by clicking on the category you want in the menu [URL Filtering] > [Categories].• %Req.Category.LabelOlfeo% : Shows the original name of the Olfeo category (ignoring the alias).• %Req.Category.Description% : The URL category description.• %Req.Category.theme_id% : Shows theme (Security risk, Adult Content, Business Services etc.) of the Olfeo

URL category.• %Req.URL%: Shows the full URL.• %Req.ShortURL% : Shows the truncated URL up to 50 characters.• %Req.Virname% : Shows the name of the virus found.• %Rule.Cond.Whitelist.Label% : Shows the label of the URL list.• %Rule.Cond.Web20list.Label% : Shows the label of the Web 2.0 list.• %Rule.Action.Quota.Label% : Shows the name of the quota object used.• %Rule.Action.Quota.RemainingDuration% : Shows remaining quota time.• %Rule.Action.Quota.TotalDuration%: Shows the initial quota duration.• %Rule.Action.Quota.TotalVolume%: Shows the volume quota available.• %Rule.Action.Quota.Session%: Shows the quota session duration.• %Req.User%: Shows the user name.• %Req.User.Login%: Shows the user login.• %Req.Ip%: Show the user IP address.• %Sys.Hostname%: Shows the machine name.• %Req.Filename%: Shows the downloaded file name.• %Licence.Company%: Shows the company the Olfeo solution is licensed to.• %Coaching.Period%: Shows the coaching email frequency.• %Coaching.Date%: Shows the coaching email date.


6 Menu: Rules


Creating a templates set

1. Go to the template set creation page via the [Rules] > [Messages] > [Templates] menu.

2. Click on the link [Add a template set].

Section: Add a Template Set




Tab: Template

6. Click on the template you want to create in the Label column.

6 Menu: Rules


Section: Picture 1, 2 or 3

7. If you want to upload a new picture click on the [Browse] button and then select the picture file.

a) Click [Ok] to store the newly added picture.

Note: The newly uploaded picture can be referenced in your template using the following string:

Picture 1


Picture 2


Picture 3


8. Edit the newly created templates set by clicking on the corresponding entry in the Label column.

Section: Elements

9. Click on the link [Block page], [Header], [Footer] to change the HTML code and alter the selected pages rendering.

a) Edit as needed the displayed HTML code.

Note: You can edit the variables, messages order or the pages content.

Below are two code samples that you can use to insert images that you previously uploaded.

<img src='<?cs var:Page.Img.1 ?>' /><div style='background-image:url(<?cs var:Page.Img.3 ?>);'> ... </div>



6 Menu: Rules


Previewing your custom pages

1. Go to the preview page to display your custom messages set and templates set via the [Rules] > [Messages] >[Message Preview] menu.

Section: Option

2. Choose the language for the message set you want to display using the [Language] dropdown list.

3. Choose the message set you want to display, using the [Messages] dropdown list.

4. Choose the template set you want to display using the [Template] dropdown list.

5. Choose the page type you want to display using the [Page type] dropdown list.

Section: Preview

6. You can see the result in the preview section.

6 Menu: Rules


Assigning the message and template sets

1. Go to the main rules engine page via [Rules] > [Users] > [Directories].

Section: Users list

2. In the users list section in the Name column, click on the object you want to assign a messages set or templates set

to. If needed, expand the users list hierarchy using the icon to display the enterprise directory, the groups or users.

Window: Users List Configuration

3. Select the language you want to assign using the [Language] dropdown list.

4. Select the messages set you want to assign using the [Message Set] dropdown list.

5. Select the templates set you want to assign using the [Templates] dropdown list.


Note: Look for the following icon to appear to the right of the just-edited object. This icon indicatesthat an advanced function has been set.

Submenu: Internet Charters

An Internet Charter is a document defining the rules governing all the enterprise’s Internet-related activities. TheInternet charter identifies the rights, obligations and responsibilities of company employees. Implementing it protectsagainst all IT tools abuse and can be used as reference in case of a dispute.

In the Olfeo solution, the Internet Charter can be configured to be systematically presented to end-users for acceptancebefore allowing any browsing activity. It is displayed as a page in the client's browser. In order to continue browsing the

6 Menu: Rules


internet; the user must accept the policy presented by the page. Once accepted, no additional validation will be requiredas the internet charter is embodied in the filtering policies.

Figure 13: Sample Internet charter

Note: Note that if you want to update your internet charter, you will need to create a new charter. In fact,the charter that users previously agreed to cannot be changed.

6 Menu: Rules


Creating an Internet Charter

1. Go to the page for creating Internet Charters via [Rules] > [Internet Charter] > [Internet Charters] .

2. Click on the [Add an Internet chart] link.

Section: Internet Charter



Section: Messages

5. In the field [Introduction], enter a text describing the internet charter presentation.

6 Menu: Rules


Sample description:

Your browsing is subject to acceptance of the company’s Internet charter. To proceed, you must accept the applicable Internet charter.

6. In the [I have read the condition message] field, enter the text that will be displayed next to the checkbox the userwill have to enable to confirm reading the internet charter.

Example:

Confirm

7. In the [Acknowledge button] enter the text that will be displayed in the acknowledge button.

Example:

Accepted

Section: Link to the internet charter

8. In the field [Internet charter link label], enter the text to be displayed for the link pointing to the internet charter.

Example:

Click this link to read the internet charter

9. If the content of your Internet charter is on a website, in the [Hypertext link] field enter the link to access it thenclick on the radio button to the left of this field to enable the use of this option to display the internet charter.

10. If the content of your Internet charter is in a file, enter the link to access it in the [Charter file] field. Then click theradio button located to the left of the field to specify use of this option to display the Internet policy.

Note: You can use the file format of your choice (pdf, txt, etc.). Regardless, when the user clicks on thepolicy display link, the file will download to the client machine for display.

11. Click on the [Preview] button to see the results of your changes in a separate screen.

12. You can view the history of user acceptance of your Internet charter in the field [Internet chart validation history].


6 Menu: Rules


Enabling an Internet charter

1. Go to the main rules engine page using the [Rules] > [Users] menu.

Section: Directories

2. In the user list section, click on the object in the Name column to which you want to apply the Internet charter. Ifnecessary, expand the tree to show the directory, the user or group you want.

Window: User list configuration

3. From the [Internet Charter] dropdown list, select the Internet charter to apply.


Note: To the right of the object you just edited the following icon will appear, indicating that an Internetcharter has been associated to this object.

Section: rules engine

5. Click on the [Access] tab of the rules engine.

6. Add a filtering rule with the button

7. In the newly created rule, click the button in the Action column.

Window: Action

8. Choose Internet Charter in the [Select] field.


Section: rules engine

10. Click on [OK] to save the newly created rule.

6 Menu: Rules


History of Internet charter acceptance

You can view the internet charter acceptance history.

To view the history, go to the internet charter creation page via [Rules] > [Internet Charters] > [Internet Charters]. Then click on the desired charter and go to [Internet chart validation history] .

Figure 14: Example of Internet charter acceptance history.

Chapter

7Menu: Analysis

Topics:

• Submenu: Creation• Submenu: Consultation• Submenu: Diffusion lists• Submenu: Coaching• Submenu: Livelog• Submenu: Log extract

7 Menu: Analysis


Submenu: Creation

Use [Analysis] > [Creation] to define the criteria used to graphically display end users browsing data.

Two types of statistics computation can be performed: Analyses or Reports.

• Use Analyses to define a set of criteria that will be used to dynamically execute users' queries in the administrationconsole.

• Use Report to define a set of criteria that the Olfeo solution computes periodically (# every three minutes bydefault). Results display is performed almost instantly when initiated by an Olfeo administrator.

Various additional properties differentiate analysis from reports . The following table presents the pros and consof each type:

7 Menu: Analysis


Choice Advantages Limitations

Analyses

• Let you dynamically browse statistics using SQLqueries.

• Ability to save analysis criteria for later reuse.• Ability to change filters to refine results.• Possibility of keeping the last few queries in

memory.• An analysis is required to create a report.

• Response time / request executed in real time on thedatabase.

• Data retention lower than reports (10 million linesretained in the database).

• Cannot be sent automatically because the results arenot saved.

Reports

• Immediate response time.• Retention for up to 3 years.• Possibility to switch back from report to analysis.• Report can be sent automatically via email.• Results presentation can be changed.• The statistical data are defined in a database of 10

million lines by default. The data is rotated and onlythe results of statistical reports remain available.

• Reports data requires only very little space on diskbecause reports are stored in specific tables.

• Impossible to change filters.• Inability to dynamically navigate the results. As a

workaround, you can create an analysis from a report.

The [Analysis] > [Time] menu provide a way to evaluate the time spent only by end-users.

Warning: The calculated time spent is only an estimate.

Indeed, a user may open several web sites either on multiple screens or in multiple tabs. Because these sites are open atthe same time, a typical computation will add up the time spent on all sites. This computation makes no sense, becauseadding up all the time spent on each website, would result in a person spending more than 24 hours on the Internet inone day. Therefore, the Olfeo solution averages the time spent on each site when multiple sites are open simultaneously.However, it is impossible to know which site is actually being accessed by a user at a given “ time”. This computationis only provided as an estimate.

The time spent computation is complex and may require some time. Therefore options on this tab are limited.

7 Menu: Analysis


Creating a report or analysis

1. Go to the page for reports creation page via [Analysis] > [Creation] > [Creation] menu.

2. Select the type of analysis you want to perform using the [URL], [Protocol] or [Threats] radio buttons.

For information:

Criteria Description

[URL] To be used for the creation of URL filtering statistical analysis.

[Protocol] To be used for the creation of Protocol filtering statistical analysis.

[Threats] To be used for the creation of Antivirus and Web thread statistical analysis.

3. Enter a name for your report in the [Name] field.

4. Choose the criteria on which your report will be based from the [I want to see] dropdown list.

• You have selected [URL] in step 2 on page 132:

7 Menu: Analysis



[Theme] Provides statistics on Olfeo categories themes (for information a theme is a group of categories in the OlfeoURL database)

The list of themes in the Olfeo URL database is available from: [URL Filtering] > [Categories][Category] menu, section List.

[Category] Provides statistics by categories. A category is a grouping of URLs in the Olfeo database.

The list of categories in the Olfeo database is available from [URL Filtering] > [Categories] [Category]section List .

[Domain] Provides statistics on DNS domains accessed by end users.

[Action] Provides statistics on the filtering action (deny or allow) l) performed by Olfeo.

[Group] Provides statistics on end users groups.

[User] Provides statistics on end users.

[IP] Provides statistics on source IP addresses.

[Year] Provides statistics by years.

[Month] Provides statistics by months.

[Day] Provides statistics by days.

[Hour] Provides statistics by hours.

• If you selected [Protocol] in step 2 on page 132:


[Protocol] Provides statistics on protocols used.

The list of protocols detected by the Olfeo solution is available from: [Protocol Filtering] > [Protocols].

[Domain] Provides statistics on DNS domains accessed by end users.

[Action] Provide statistics on filtering actions (deny or allow) performed by the Olfeo during protocol filtering.

[Group] Provides statistics on end users groups.

[User] Provides statistics on end users.

[IP] Provides statistics on source IP addresses.





• If you selected [Threats] in step 2 on page 132:

7 Menu: Analysis



[Domain] Provide statistics on DNS domain accessed by end users and on which threats have been detected.

[Threat] Provides statistics on detected threats.

[MimeType]

Provides statistics on MIME types for detected threats.

[Action] Provides statistics on filtering action (allow, deny) performed by the Olfeo solution on detected threats.

[Group] Provide statistics on end users group for which threats have been detected.

[User] Provide statistics on end users for which threats have been detected.

[IP] Provide statistics on source IP addresses for which threats have been detected.





5. Enter a criteria to provide the first level of detail in your analysis/reports in the [I detail this result by] dropdown list.

Note: The list of criterias to choose for the first level of detail is identical to the criteria presented forstep 5 on page 134.

6. Select the data unit to use for displaying the data on your analysis/report in the [I put the result in].

The data unit can be selected from the following list of available choices:

• [Hits]: A hit is an access to a resource (picture, HTML, JavaScript, CSS, etc.) over HTTP by an HTTP client.For example a page containing three pictures will result in 4 hits (1 for the page itself and 3 for the pictures).

• [Page count]: The page count equals to the number of pages accessed by the HTTP client.• [Volume]: Volume of data transferred in bytes.

7. If you want to restrict the data displayed to a subset of the results, select the number of results to display from the[I limit the result to] dropdown list.

8. Enter the start date for the statistical computation by clicking on the link in the [From] field.

9. Enter the end date for the statistical computation by clicking the link in the [To] field

Section: Filter

10. You can enter additional filters as additional criteria by clicking on the button.

a) To configure a user group filter, select [Group] in the [Select a filter type] dropdown list. Next, expand the

group tree in the [Name] column by clicking the button and select the groups you want to filter on. Oncedone, click the [Ok] button.

b) To configure a DNS domain filter, select [domain] in [Select a filter type] dropdown list. Next, in the [domain]field, enter the DNS domain name you want to filter on (use the REGEX syntax described here: Regex Syntaxon page 240). Once done, click the [Ok] button.

7 Menu: Analysis


c) To configure an IP address filter, select [IP] in the [Select a filter type] dropdown list. Next, in the [IP] fieldenter the IP address you want to filter on. Once done, click on the [Ok] button.

d) To configure an action filter, select [Action] in the [Select a filter type] dropdown list. Choose the actionyou want to filter on by enabling the corresponding checkboxes in the Label column. Once done, click on thebutton [Ok].

e) To configure a user's filter, select [User] in the [Select a filter type] dropdown list. Next, expand the user

tree in the [Name] column, using the buttons, then select the users you want to filter on. Once done, clickthe [Ok] button.

f) To configure a categories filter, select [Categories] in the [Select a filter type] dropdown list. Next, expand

the category tree in the [Label] column, using the buttons, then choose the categories you want to filter on.Once done, click the [Ok] button.

11. Enable the checkbox in the NOT column to configure an exclusion type filter.

Section: Graphic display

12. Select the statistics display type to use:

Warning: Clicking on the display type buttons triggers the statistical computation. A complex statisticalcomputation can cause a high processor and I / O load. If the list of criteria specified requires processinga large volume of data, producing the results for display can take a long time.

Option Description

This button triggers an HTML graphical display:

This button triggers a simple bars graph display:

7 Menu: Analysis


Option Description

This button triggers a stacked bars graph display:

This button triggers a pie charts display:

13. To save your statistics computation criteria, click the [Create a Report] button if you want to create a report orthe [Create an Analysis] button if you want to create an analysis.

Note: Go here to learn the differences between a Report and an Analysis . Submenu: Creation onpage 130

Note: You can refer back to your saved report or analysis using the menu [Analysis] > [Consultation]menu.

7 Menu: Analysis


Performing a time spent analysis

1. Go to the time spent analysis page via [Analysis] > [Creation] > [Time] menu.

2. Select the detailing criteria to use for the analysis in from the [I detail this result by] dropdown list.

3. If you want to limit the results displayed to a subset of the results, select the number of results entries to displayfrom the [I limit the result to] dropdown list.

4. Enter the start date for the statistical computation by clicking on the link in the [From] field.

5. Enter the end date for the statistical computation by clicking the link in the [To] field

Section: Filter

6. You can enter additional filters as additional criteria by clicking on the button.

a) To configure a categories filter, select [Categories] in the [Select a filter type] dropdown list. Next, expand

the category tree in the [Label] column, using the buttons, then choose the categories you want to filter on.Once done, click the [Ok] button.

b) To configure a user's filter, select [User] in the [Select a filter type] dropdown list. Next, expand the user

tree in the [Name] column, using the buttons, then choose the users you want to filter on. Once done, clickthe [Ok] button.

c) To configure a theme filter, select [Theme] in the [Select a filter type] dropdown list. Then select themes youwant to filter on. Once done, click the [Ok] button.

7 Menu: Analysis


d) To configure a timeslot filter, select [Timeslot]. Then select the corresponding timeslots you want to filter on.Once done, click the [Ok] button

7. Enable the checkbox in the NOT column to configure an exclusion type filter.




Note: For more information on graphic display, go here: Creating a report or analysis on page 132.

Submenu: Consultation

The [Analysis] > [Consultation] page let you access and display your saved reports and analysis.

You can disable a report by clicking on the icon. A report is considered inactive when its corresponding icon appears

grayed out: .

You can also mark an analysis or a report as a favorite using the icon.

7 Menu: Analysis


Note: An analysis added to the currently logged Olfeo administrator favorite appears with a icon. A report

added to the currently logged Olfeo administrator appears with a icon

Displaying a report

1. Go to the reports consultation page via the [Analysis] > [Consultation] > [Report] menu.

Tab: Report

2. Click on the report name in the Name column or select the date you want to display the report for in the QuickAccess column.

7 Menu: Analysis


Figure 15: Date access shortcurt

Note: If you select a time period in the dropdown list from the Quick Access column, the correspondingreport for that time period will be displayed. The start date [From] field and end date [To] field willbe set in accordance to the time period selected.

Tab: Open Report

3. If required, change the fields [Name] , [I detail this result by], [I put this result in] and [I limit the resultto] to refine your report display.

Note: For more information about each of these fields, go here: Creating a report or analysis on page132.

4. Select the start date for your report by selecting the date from the [Start] dropdown list.

5. Select the end date for your report by selecting the date from the [Stop] dropdown list.

Section: Filter

6. Modifiable filter criteria can be changed, including the checkbox from the NOT column allowing you to set anexclusion type filter.

Warning: Not all filter criteria can be changed. In fact, this is one of reports limitations as explainedhere: Submenu: Creation on page 130.

Note: If you are limited by the number and type of modifiable criteria, you can also go back to an analysis[Creation] mode by clicking the [Create] button. In this situation, you go back to an analysis [Creation]page with all report criteria set.



7 Menu: Analysis



Option Description

This button triggers an HTML graphical display:

This button lets you display simple bar graphs


7 Menu: Analysis


Option Description


8. The graphical representation displayed, you can use the [Print] button to print the page or the [Export] buttonto export the results to a csv file.


Note: The csv is a text format in which fields are separated by semicolons. This file can easily beimported in Excel.

9. if you changed any fields and want to save those changes, click on the [Ok] button. Otherwise, click on the [Cancel]button.

7 Menu: Analysis


Setting the report retention period

1. Go to the reports consultation page via the [Analysis] > [Consultation] > [Report] menu.

Tab: Report

2. In the Name column, click the report you want to display.

Tab: Open report

3. Click the [Parameters] button to access the page to set the report retention period.

Tab: Reports retention period

4. Set the daily, weekly, or monthly reports retention periods using the corresponding [Daily Report] , [WeeklyReport] and [Monthly Report] dropdown lists.


7 Menu: Analysis


Displaying an analysis

1. Go to the analysis display page via the [Analysis] > [Consultation] > [Analysis] menu.

Tab: Analysis

2. Click on the analysis name in the Name column for the analysis you want to display.

Tab: Open Analysis

3. If required, set the [Name] , [I want to see] , [I detail this result by] , [I put this result in] and [I limit theresult to] field to refine analysis.

Note: For more information about each of these fields, go here: Creating a report or analysis on page132.

4. Enter the start date by clicking on the link in the [From] field to set your analysis start date.

5. Enter the end date by clicking the link in the [To] field to set your analysis end date.

Section: Filter

6. Modifiable filter criteria can be changed, including the checkbox from the NOT column allowing you to set anexclusion type filter.

7 Menu: Analysis


Warning: Compared to reports, all filter criteria can be change.




Option Description

This button lets you display an HTML graphic:

This button triggers a simple bars graph display:


7 Menu: Analysis


Option Description


8. The graphical representation displayed, you can use the [Print] button to print the page or the [Export] buttonto export the results to a csv file.


Note: The csv is a text format in which fields are separated by semicolons. This file can easily beimported in Excel.

9. If you made changes to fields and you want to keep the changes, click on the [OK] button. To discard the changes,click on the [Cancel] button. To create a new analysis based on criteria stored in the current analysis, click the[Clone] button.

Submenu: Diffusion lists

The [Analysis] > [Diffusion lists] page lets you configure mailing lists for your statistical reports automateddistribution.

7 Menu: Analysis


You can configure diffusion list as follows:

• A set of reports to be distributed.• A set of recipients to receive the reports.• The reports distribution frequency (daily, weekly, and monthly.)

To disable a diffusion, click on the icon. A diffusion is deactivated when its icon appears grayed out: .

Creating a diffusion list

1. Go to the diffusion list page via the [Analysis] > and [Diffusion lists].

Section: Diffusion

2. Enter a name describing the diffusion in the [Label] field.

Section: Email

3. Enter the subject to be used when sending email in the [Subject] field

7 Menu: Analysis


4. Select diffusion email [Recipients] by enabling the corresponding checkboxes in the [Send]column.

Note: Recipients displayed are the list of Olfeo administrators previously created using the [Parameters] > [Administrators] > [Administrators] page.

5. Enter additional recipients for the reports diffusion in the [Additional Emails] field.

Note: To enter additional email addresses, separate them with a comma. Example:[email protected], [email protected]

Section: Transmission frequency

6. Select how frequently you want to distribute your reports by enabling the corresponding [Daily] , [Weekly] or[Monthly] checkboxes.

Section: Available reports

7. Select the reports you want to send by enabling corresponding checkboxes in the Send column.


Warning: The automated diffusion time is specified in the [Parameters] > [Network] > [SMTP] .To change the diffusion time, go here: Configuring SMTP on page 197.

7 Menu: Analysis


Submenu: Coaching

Use the [Analysis] > [Coaching] menu to select the coaching reports frequency and select the coaching reports to send.

On this page, you can also perform coaching report send test to a particular user. This is useful for checking correctsettings and validating the coaching feature is operational.

7 Menu: Analysis


Configuring coaching

1. Go to the coaching configuration page via the [Analysis] > [Coaching] menu.

Section: Frequency

2. Enable the corresponding checkboxes to enable [Daily] , [Weekly] or [Monthly] coaching emails.

Section: Report

3. Enable the various pre-defined reports you want to send as part of the coaching email.

• [By theme in page count] : the end-user will be sent a report of his browsing activity sorted by theme.• [By categories in page count]: the end-user will be sent a report of his browsing activity sorted by categories

in page count.• [By user department categories in page count] : the end-user will be sent a report of the top 20 categories

accessed by his group or service members.• [Top 20 most used Internet domains]: the end-user will be sent a report of this top 20 internet domains.• [Top 20 Internet domain bandwidth utilization]: the user will be sent a report of his top 20 bandwidth

utilization domains (volume expressed in kilobytes.)• [Most blocked Categories]: the user will receive a report of the user’s most blocked categories.

Below is an example of a coaching report of type [By categories in page count] :

7 Menu: Analysis


Figure 16: Sample coaching report of type [By categories in page count]

Section: Testing the coaching feature

4. Using the [Test user] dropdown list, select a user to send the coaching reports to.

5. Press the [Test] button to send the enabled coaching reports to selected test user.

Note: For the Olfeo solution to send emails, you must have configured first an SMTP gateway. Toconfigure an SMTP gateway, go here: Configuring SMTP on page 197.

6. Once you confirmed the coaching feature is operational, click the [Ok] button to save the changes.

7 Menu: Analysis


Enabling the coaching feature


2. In the Directories tab click on a Organizational Unit (OU), a Group or an User from the Name column.

3. Set coaching to Enabled in [Coaching] field.


7 Menu: Analysis


Submenu: Livelog

The [Analysis] > [Livelog] page displays the filtering operations performed by the Olfeo solution. More specifically,this feature let you visualize the flows of URLs, protocols and files handled by the Olfeo solution as well as the associatedfiltering operations.

Note: The [Livelog] function is indispensable because it provides a way for Olfeo administrators to confirmthe Olfeo solution filtering functions are operational with respect to a user, a group, or your entire company.

The following information is displayed on the [Livelog] page:

7 Menu: Analysis


Column Description

Date This column displays the time the user http hit was processed by the Olfeo solution.

Type This column displays the type of traffic and therefore the type of filtering applied. The three possible for thiscolumn values are:

• URL for URL filtering.• Proto for protocol filtering.• File for file filtering (filtering related to the antivirus, the file size, the MIME types, etc.)

User This column displays the user who originated the traffic. The User column displays on these three possible values:

• Full Name: Full users name for authenticated users.• Unknown user: <Login> : An unknown user correctly authenticated by Olfeo who has not been synchronized

as part of the user synchronization when configuring an enterprise directory.• Empty: The value is blank for IP ranges or non authenticated users.

Warning: The user authentication/identification is highly dependent on the integration andauthentication choices. Both subjects are covered in detail in the Olfeo Integration Guide . Werecommend referring to this guide for more information about user identification.

IP This column displays the IP address of the machine originating the flow.

Category The content of this column depends on the type of flow. The two possible values in this column are:

• For URL filtering: Olfeo category name the URL belongs to.

Note: For more information about category lists, go here:Sub-menu: Categories Group on page16.

• For protocol filtering: Name of the identified Protocol .

Note: For more information about protocol lists, go here:Sub-menu: Protocols on page 30.

7 Menu: Analysis


Column Description

Action This column displays the Olfeo filtering action applied. The possible values are:

• Denied: The flow was denied according to your filtering policies. In case of a URL filtering the end user willreceive a blocking page informing the end user of the blocking condition.

• Allowed: The Olfeo solution allowed the flow in accordance to your filtering policies.• Audit: The audit mode simulates filtering operations while still allowing all flows . This mode allow for

collecting statistics without actually enforcing filtering policies. This particular audit mode is a valuable toolto initially collect statistics and adjust your filtering policies before enabling your policies enforcement.

Note: Audit mode entries are graphically displayed using strikethrough text in the Actioncolumn. Below is an example of the audit mode display from the [Analysis] > [Livelog].

Figure 17: Sample audit mode display.

Note: To enable the audit mode, go here:Editing an object from the users list on page 105.

Policy This column displays the filtering policy applied to the flow.

Note: For more information about the user policy:

• For URL Filtering, go here:Sub-menu: Policies on page 23.• For protocol filtering, go here:Assigning a protocol filtering policy on page 33.

Domain This column displays:

• For URL filtering: the accessed domain name or IP address.• For protocol filtering: the accessed IP address and TCP port.

• Date: This column display the date and time the Olfeo solution processed the flow..• Type : This column displays type of traffic and therefore the type of filtering applied. The three possible values are:

• URL for URL filtering.• Proto for protocol filtering.• File for file filtering (filtering related to the antivirus, the file size, the MIME types, etc.)

• User: This column displays the user originating the flow. The User column will display one of the three followingvalues:

• Full Name: Full users name for authenticated users.• Unknown user: <Login> : An unknown user correctly authenticated by Olfeo who has not been synchronized

as part of the user synchronization when configuring an enterprise directory.• Empty: The value is blank for IP ranges or non authenticated users.

Warning: The user authentication/identification is highly dependent on the integration and authenticationchoices. Both subjects are covered in detail in the Olfeo Integration Guide . We recommend referringto this guide for more information about user identification.

7 Menu: Analysis


• IP : This column contains the IP address of the machine sending the flow.• Category: The contents of this column varies depending on the type of flow. The two possible values in this column

are:

• For URL filtering: Olfeo category name the URL belongs to.

Note: For more information about category lists, go here:Sub-menu: Categories Group on page 16.

• For protocol filtering: Name of the identified Protocol .

Note: For more information about protocol lists, go here:Sub-menu: Protocols on page 30.

• Action: This column displays the filtering action applied to the flow. The possible values are:

• Denied: The flow was denied according to your filtering policies. In case of a URL filtering the end user willreceive a blocking page informing the end user of the blocking condition.

• Allowed: The Olfeo solution allowed the flow in accordance to your filtering policies.• Audit: The audit mode simulates filtering operations while still allowing all flows . This mode allows for

collecting statistics without actually enforcing filtering policies. This particular audit mode is a valuable toolto initially collect statistics and adjust your filtering policies before enabling your policies enforcement.

Note: Audit mode entries are graphically displayed using strikethrough text style in the Actioncolumn. Below is an example of the audit mode display from the [Analysis] > [Livelog] page.

Note: To enable the audit mode, go here:Editing an object from the users list on page 105.

• Policy: This column displays the filtering policy applied.

Note: For more information about the user policy:

• For URL Filtering, go here:Sub-menu: Policies on page 23.• For protocol filtering, go here:Assigning a protocol filtering policy on page 33.

• Domain : This column displays :

• For URL filtering: the accessed domain name or IP address.• For protocol filtering: the accessed IP address and TCP port.

7 Menu: Analysis


Submenu: Log extract

Use the [Analysis] > [Log extract] page to extract browing history from Olfeo RAW log file in CSV format. OlfeoRAW log files are Olfeo proprietary log files recording all traffic and filtering operations performed by the Olfeosolution.

The [Analysis] > [Log extract] is essential for extracting browsing history from the Olfeo solution.

The [Analysis] > [Log extract] feature let you specify various parameters, such as:

• The extraction start and end dates.• The time zone the extracted dates will be converted to.• Search fields as well as filters for refining results.

7 Menu: Analysis


Note: Note that there are more than 150 usable fields to be used in the extraction. Examples: User-Name, Url, Mac-User, User-Id, Date, Action, Virus-Name, Destination Port, Date, MIME-Type, Proto-Id, etc.) ).

• The field separator required by the CSV format.• The name of the CSV file to be provided by the Olfeo administration console.

Note: The [Analysis] > [Log extract] feature has a preview option useful to test and adjust your searchand filter criteria.

Extracting statistics

7 Menu: Analysis


1. Go to the statistics extraction page [Analysis] > [Log extract].

Section: Extraction settings

2. Enter the start date for your extraction in the [Date min] field.

Example:

• today• yesterday• today - 3 days• last week• 2011-05-16 15:06:20

3. Enter the end date for your extraction in the [Date max] field.

4. In the [Timezone] dropdown list, select the time zone to convert the browsing date and time to.

Example: Paris or UTC (Coordinated Universal Time)

5. Enter your Csv file fields separator, character or characters string, in the [Separator] field.

Example: ;

6. Enter the file name to use for the generated CSV file in the [Generated file] field.

Section: Attributes Selection

7. Click on the button to add an attribute to the list of attributes to extract.

a) In the newly created line, select the attribute from the dropdown list in the Attribute column field.

7 Menu: Analysis


Table 5: List of possible attributes

Attribute Description

Category-Id Olfeo category identifier.

Date Date in a readable format generated from the UTC timestamp.

Destination port Destination TCP port

Domain DNS Domain.

File-Name Name of the downloaded file.

Group-Id Olfeo user group identifier.

LogTypes Boolean informing if the request is logged or not.

Monitoring Boolean informing if the audit function is enabled or not.

Matched-Policy-Id Policy identifier for the applied policy.

MIME-Type MIME type of the analyzed file.

Name Current user name if it still exists in the database; if not, the user name at the time of the request.

Peer Request source IP address.

Proto-Id Qosmos protocol identifier number

Proto-Volume-Upload

Total packets sent by Squid.

Proto-Volume-Download

Total packages downloaded through Squid.

Proxy-Cache-Answer

Response of Squid cache.

Proxy-Id Olfeo identifier of the dynamic proxy object that handled the query.

Quota-Id Olfeo identifier of the dynamic quota object constraining the application.

Req-Answer-Reason Number corresponding to the type of action performed (override, quota, timeslot, allowed, denied,etc.).

Req-Status Number indicating the query status if it has been allowed (1), denied (2), or redirected (3) (0, ifan unknown case).

Req-Type Request type (Req-Type-Url, Req-Type-Proto-Type Req-File, Req-Type-Ip).

Size Squid cache size.

Source-Port Source port of the packet.

Timestamp Number of seconds since EPOCH in UTC.

Timestamp-Tz Number of seconds since EPOCH in local time.

Upload-As-Unknown

Boolean indicating if recovery is done for this domain.

Url URL of the request.

Url-Id Squid query identifier (used to maintain an association between the different queries conveyed bysquid-wrapper).

User-Id Olfeo user identifier.

User-Ip Query source IP address.

User-Mac Query source MAC address.

7 Menu: Analysis


Attribute Description

Username Username recovered by Squid.

Virus-Name Name of the detected virus.

Example: User-Mac (to extract all MAC addresses originating from users).

b) In the newly created line, to set up a filter associated with the attribute set, enter the filter value in the valuecolumn field.

Note: You can use the following replacement characters when writing regular expressions:

Replacement character Semantic

* Matches any character set.

? Matches any single character.

[seq] Matches any character in seq.

[!seq] Matches any character that is not contained in seq.

For example, if you selected User-Mac in the Attribute column, you can enter: 00:50:56:01:05: d4.

8. Optionally, with the button, delete the lines of attributes that you do not want to use.

9. Click on the [Preview] to view a sample of the final result in the preview screen.

Section: Preview

10. View sample result and as necessary change the extraction parameters, attributes or filters to improve the final result.

11. Click on the [Download] button to download the final . Csv file.

Chapter

8Menu: Parameters

Topics:

• Submenu: Architecture• Submenu: Authentication• Submenu: High Availability• Submenu: Administrators• Sub-menu: Network• Submenu: System• Submenu: Monitoring• Submenu: Updates• Submenu: Backup• Submenu: Advanced• Submenu: Support

8 Menu: Parameters


Submenu: Architecture

Warning: The [Parameters] > [Architecture] menu relates to the integration choice and authenticationarchitecture covered in the Olfeo Integration Guide. We recommend referring to this guide for moreinformation about integration and authentication.

The [Parameters] > [Architecture] > [Integration] page lets you create connectors for the purpose of:

• Interfacing with a third-party equipment using a specific protocol.• Interfacing with another feature of the Olfeo solution (e.g., antivirus.)• Capturing the network.

The [Parameters] > [Architecture] > [Proxy.pac] provides a way to host one or more “ proxy.pac” files to be usedby end-users desktops. The “ proxy.pac ” files can be used to automate browsers explicit proxy configurations but alsoto achieve the dynamic proxy selection the browser level.

Note: This central “ proxy.pac ” management on the Olfeo solution eliminates the need for a web serverto host these files.

Warning: The Olfeo solution does not provide any way to implement proxy.pac access control. It is thereforeimperative to manage / create your proxy.pac properly to prevent your users from bypassing your proxy ifthey can change proxy properties in their browsers.

Creating a connector

Create a connector for integration with OPSEC compatible equipment

1. Go to the configuration page via the [Parameters] > [Architecture] > [Integration] menu.

2. Click on the [Add connector] link from the Label column.

3. Select [I use my own equipment] in the [Integration Choice] dropdown list.

8 Menu: Parameters



5. Click on [Next].

Section: Parameters

6. Select Check Point as a connector type from the [Type of connection] from the dropdown list.


7. Choose the Tcp transport protocol from the [Mode] dropdown list.

8. Enter the port number 18182 that will be used as the connector listening endpoint.


Creating a connector to integrate with WISP compatible equipment





5. Click on [Next].

Section: Parameters

6. Select the connection type Cisco from the [Type of connection] menu.


7. Select the Tcp transport protocol from the [Mode] dropdown list.

8. Enter the port number that will be used as listening endpoint for your connector.Default value: 15868


Creating a connector to integrate with WISP compatible equipment





5. Click on [Next].

Section: Parameters


8 Menu: Parameters




8. Enter a port number to be used as a listening endpoint by the connector.The default value is: 1344


Creating a connector to integrate with ICAP





5. Click on [Next].

Section: Parameters

6. Choose a connection type Netasq in the [Connection type] menu.



8. Enter a port number as a listening endpoint for the Netasq connector.Example: 1345


Creating a connector to integrate Olfeo protocol compatible products





5. Click on [Next].

Section: Parameters

6. Choose a connection type Squid in the [Connection type] menu.



8. Enter a port number to be used as a listening endpoint by the connector.Default value: 5555

8 Menu: Parameters



Creating an ICAP connector for the antivirus

Note: Verify if an ICAP connector does not already exist. An ICAP connector to be used internally for virusscanning should already be defined after Olfeo installation in the [Parameters] > [Architecture] page.

1. Go to the configuration page via [Parameters] > [Architecture] > [Integration].

2. Click on the link [Add connector] from the Label column.

3. Select [I use my own equipment] in the [Integration Choice] menu.


8 Menu: Parameters


5. Click on [Next].

Section: Parameters



7. Choose the Tcp transport protocol in the [Mode] dropdown list.

8. Enter a port number to be used for the antivirus connection.The default value is: 1344


Creating a connector for network capture

1. Got to the configuration page via the [Parameters] > [Architecture] > [Integration] menu.


a) Enter a name describing the integration method in the [Label] field.

b) Select [I capture network traffic] from the dropdown list [Integration Choice].

3. Click on the [Next] button.


4. In the [Capture Link] dropdown list, choose the interface for the br(x) network bridge (forexample, br0) on which the network capture will be performed.

5. In the [Injection Link] dropdown list, select the network interface over which the blocking frames willbe sent.

6. If you capture network traffic tagged with 802.1q vlans id and you want inject blocking packets with the same 802.1q vlans ids, enable the [Copy the 802.1q headers in injected packets] checkbox.

Warning: Ensure that in your network configuration you have set the interfaces in the correspondingvlans.

7. In the [Source MAC] dropdown list, select the MAC address that will be used for injected frames containingblocking pages.

Choose between the following two options:

• [Impersonate router] let you use the destination router MAC address as source MAC for injected frames.

Danger: Some switches with port security features consider seeing the same MAC address (router)on multiple port as a security violation. Depending on their port security configuration, this detectionmay result in the corresponding switch ports shutdown.

• [Injection Interface] lets you send the injected frames using the injection interface MAC address.

8 Menu: Parameters


Note: In contrast to the previous option, this mode is not subject to switch port security problembecause the router's MAC address is not used.

8. If you wish to ignore HTTP and HTTPS traffic, enable the [Don't capture URL traffic] checkbox.

9. To disable protocol filtering, enable the [Don't capture protocol traffic].


8 Menu: Parameters


Adding a proxy.pac

1. Go to the configuration page via the [Parameters] > . [Architecture] > [Proxy.pac] menu.

2. Click on the link [Add proxy.pac] in the Label column.



8 Menu: Parameters


5. In the field [Content]field, enter the JavaScript code for your proxy.pac.

If you are not familiar with the proxy.pac technology and its javascript code, please refer to the following:

• Proxy.pac file format• Automatic proxy configuration with Internet Explorer

6. Click on the [Create] button to save your proxy.pac

Implementing a proxy.pac

1. Go to the configuration page via the [Parameters] > [Architecture] > [Proxy.pac] menu.

2. Copy the proxy.pac’s URL provided by Olfeo from the URL field. This line is to be used in the browsersconfiguration.

Example: http://192.168.17.197:9123/proxypac/?id=576

3. Use the copied Proxy.pac URL to configure your http clients / browsers.

Submenu: Authentication

Warning: The [Parameters] > [Authentication] menu is related to the integration and authenticationarchitectures you selected. Integration and authentication are the subject of the Olfeo Integration Guide.Please refer to this guide for more information on integration and authentication.

The [Parameters] > [Authentication] > [Directory] menu allows you to register enterprise directories with theOlfeo solution for the purpose of authentication and users synchronization.

http://web.archive.org/web/20060424005037/wp.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-live.html

http://technet.microsoft.com/en-us/library/dd361918.aspx

8 Menu: Parameters


If you are using an Active Directory Enterprise Directory, you can join the Olfeo solution to the corresponding Windowsdomain using the [Parameters] > [Authentication] > [Windows domain join]

Warning: Joining the Windows domain is a requirement if your are planing to use the Microsoft (NTLM,Kerberos) proxy transparent authentication methods.

You can also refer to the Olfeo Integration Guide for more information.

The [Parameters] > [Authentication] > [Authentication Mode] allows you to setup Authentication Modes.

The authentication modes refer to set of enterprise directories that can be used in authentication methods with Olfeo.

During an authentication operation, Olfeo will sequentially query each enterprise directories that are part of anauthentication mode in order to authenticate the user.

In Authentication Mode you can add a default guest login account. This default login will allow you to log, foreach authentication mode , traffic linked to users that are not authenticated but are allowed to browse. In order to usea guest account, it must be present or have been manually created in the corresponding directories.

Note: For more information about the users list of users, go here: Users list on page 100.

8 Menu: Parameters


Adding an Active Directory enterprise directory and synchronizing the users

Note: Synchronizing the users from the enterprise directory allows for the identification of users in order toapply a corresponding filtering policy and to record their browsing traffic in their names.

1. Go to the enterprise directory configuration page via [Parameters] > [Authentication] > [Directory].

2. Click on [Add directory].

Section: Configuring the directory

3. Enter a name in the field [Directory label].

Section: Connection

4. Choose Active Directory in the [LDAP Type] dropdown list.

5. Enter the directory’s IPv4 address or the dns name in the [Hosts] field.

8 Menu: Parameters


6. To use LDAP over SSL for communication with the enterprise directory, enable the [LDAPs] checkbox.

7. To have groups and users synchronized using a single query, enable the [Disable paging] checkbox.

Note: By default, Olfeo uses a paginated response mode for synchronizing users and groups. Olfeorecommends keeping the pagination mode enabled, as this mode preferable to synchronize large enterprisedirectories.

8. For the specified host machine, enter the TCP listening Port.

Note: The default port for LDAP directories is 389.

9. Click on the [Test and get basedn] button. This button will be available for Active Directory enterprise directoriesonly and will not only test the connection to the enterprise directory server but will also retrieve the Base DN.

If successful:

• The text Connection Success will appear to the right of the [Test and get basedn] button.• The field [Basedn] will automatically populated with the retrieved base DN information.

10. In the [Binddns] field, enter the login of the user with the appropriate authorizations to connect andretrieve the list of users from the enterprise directory.

Warning: A Binddn follows the syntax: login@domain

Example: [email protected]

11. Enter the Password for this user in the [Password] field.

12. Click on [Finish] to save the directory connection settings.

Result: The page is reloaded.

Section: Connection

13. To specify a timeout for query with the directory, enter the timeout value in seconds in the [Time out] field.

For example: 60 seconds

14. To schedule automatic synchronization of the enterprise directory, enable the [Planning] checkbox and enter thesynchronization time.

• Syntax example #1, each night at 01h05: 01 : 05• Syntax example #2, every 15 minutes, between 1 a.m. and 2 a.m.: 01 : */15• Syntax example #3, every half hour on the hour: * : */30

The syntax for the synchronization planning for the same syntax as crontab. Please refer to the crontab(5) manualfor more information.

Section: Domain

8 Menu: Parameters


This section is specific to Microsoft Active Directory enterprise directories. These fields are required for joining lateron the Olfeo solution to your Active Directory domain and therefore to be able to use the transparent authenticationmethods based on Kerberos and NTLM .

15. Enter the name of your Active Directory domain in the [Domain] field.

For example: mycompany.com

16. In in the [Workgroup] field, enter the Netbios name for your domain in CAPITAL LETTERS.

For example: MYCOMPANY

17. If you use an NTP server separate from the Active Directory server, enable the [Use a separate NTP server]checkbox.

Warning: The NTP server must be configured in the NTP servers field, using the [Parameters] >[System] > [Date] menu.

18. If you use a DNS server separate from your Active Directory server, enable the [Use a separate DNS server].

Section: Advanced (group)

19. If you want to restrict the users groups synchronization to a subset of your enterprise directory, enter a base DNin the field [Group BaseDN].

Example: ou=hq, o=Mycompany, c=FR

20. If you want to restrict the users groups synchronization to LDAP groups of a specific object type enter the LDAPobjectclass in the [Group Class] field.

For example: organizationalUnit

21. If you want to use a specific group object LDAP attribute different from CN as label for the group in Olfeo,enter the name of his attribute in the Group Label Attribute field.

For example: name

22. If your groups are also organizational units, enable the [Group is container] checkbox. Therefore the groupssynchronized will be objects with this property.

23. If groups memberships is specified for users as attribute, enable the [Group is user attribute] checkbox. Eventhough it is available, this option is rarely used because group membership specification using user attribute is rarelyused.

24. If you want to use a specific group object attribute to be used for the group name in Olfeo statistics, enter the nameof this attribute in the [Field to use as label for groups].

Section: Advanced (user)

25. To limit the scope of user objects search to a specific subset of the enterprise directory, enter the corresponding baseDN in the [BaseDN user] field.

26. If the Olfeo filtering policy identifier to use for users is stored in a user object attribute, enter the attributename in the [Policy Id Attribute] field.

8 Menu: Parameters


27. To limit the synchronization of users objects to LDAP objects of a specific class, enter the object class namein the User Class field.

28. To use an LDAP attribute as a primary key to uniquely identify users, enter the attribute name in the [LDAP attributefor primary key] field.

29. To use a specific LDAP attribute as login.

30. To use a specific user LDAP object attribute as the user name, enter the attribute in the [LDAP attribute for name]field.

Section: Group list

31. To retrieve the list of users groups available in your enterprise directory based on the advanced criteria defined inthe prior sections, click on the [Synchronize available groups] button

32. Select the groups to be used for users synchronization from the list of available groups and add them to the[Synchronized groups] list.

To add or remove a group, use the or buttons.

33. Set the synchronization priority of groups by controlling their positions in the [Synchronized groups] list.

To control the synchronization priority, select a group and use the or buttons to move it up or down inthe list.

Warning: The order in which groups are synchronized is important because one user can belong toseveral directory groups.

Section: User List

34. Synchronize the users belonging to the [Synchronized groups] list using the [Synchronize users] button.

Result: A message indicating the number of users synchronized.


8 Menu: Parameters


Adding a LDAP compatible enterprise directory and synchronizing thecorresponding users

1. Go to the enterprise directory configuration page via [Parameters] > [Authentication] > [Directory].

2. Click on [Add directory].

Section: Configuring the directory

3. Enter a name in the field [Directory label].

Section: Connection

4. Choose the type of directory you are using, in the [LDAP Type] dropdown list.

Note: If you have an OpenLdap directory, choose [OpenLDAP or generic server].

5. Enter the directory’s IPv4 address or the dns name in the [Hosts] field.

6. To use LDAP over SSL for communication with the enterprise directory, enable the [LDAPs] checkbox.

7. To have groups and users synchronized using a single query, enable the [Disable paging] checkbox.

8 Menu: Parameters


Note: By default, Olfeo uses a paginated response mode for synchronizing users and groups. Olfeorecommends keeping the pagination mode enabled, as this mode is preferable to synchronize largeenterprise directories.

8. For the specified host machine, enter the TCP listening Port.

Note: The default port for the LDAP directories is 389.

9. In the [Binddns] field, enter the login of the user with the appropriate authorizations to connect andretrieve the list of users from the enterprise directory.

Warning: A Bind DN LDAP uses this syntax: CN=admin,DC=olfeo-test,DC=net

10. Enter the Password for this user in the [Password] field.

11. Enter the Base DN of the directory in the [Basedn] field.

Warning: A LDAP Base DNfollows the syntax: DC=olfeo-test,DC=net

12. Click on [Finish] to save the directory connection settings.

Result: The page is reloaded.

Section: Connection

13. To specify a timeout for enterprise directory queries, enter the timeout value in seconds in the [Time out] field.

For example: 60 seconds

14. To schedule automatic synchronization of the enterprise directory, enable the [Planning] checkbox and enter thesynchronization time.

• Syntax example #1, each night at 01h05: 01 : 05• Syntax example #2, every 15 minutes, between 1 a.m. and 2 a.m.: 01 : */15• Syntax example #3, every half hour on the hour: * : */30

The syntax for the synchronization planning for the same syntax as crontab. Please refer to the crontab(5) manualfor more information.

Section: Advanced (group)

15. If you want to restrict the users groups synchronization to a subset of your enterprise directory, enter a base DNin the field [Group BaseDN].

Example: ou=hq, o=Mycompany, c=FR

16. If you want to restrict the users groups synchronization to LDAP groups of a specific object type enter the LDAPobjectclass in the [Group Class] field.

8 Menu: Parameters


For example: organizationalUnit

17. If you want to use a specific group object LDAP attribute different from CN as label for the group in Olfeo,enter the name of his attribute in the Group Label Attribute field.

For example: name

18. If your groups are also organizational units, enable the [Group is container] checkbox. Therefore the groupssynchronized will be objects with this property.

19. If groups memberships is specified for users as attribute, enable the [Group is user attribute] checkbox. Eventhough it is available, this option is rarely used because group membership specification using user attribute is rarelyused.

20. If you want to use a specific group object attribute to be used for the group name in Olfeo statistics, enter the nameof this attribute in the [Field to use as label for groups].

Section: Advanced (user)

21. To limit the scope of user objects search to a specific subset of the enterprise directory, enter the corresponding baseDN in the [BaseDN user] field.

22. If the Olfeo filtering policy identifier to use for users is stored in a user object attribute, enter the attributename in the [Policy Id Attribute] field.

23. To limit the synchronization of users objects to LDAP objects of a specific class, enter the object class namein the User Class field.

24. To use an LDAP attribute as a primary key to uniquely identify users, enter the attribute name in the [LDAP attributefor primary key] field.

25. To use a specific LDAP attribute as login.

26. To use a specific user LDAP object attribute as the user name, enter the attribute in the [LDAP attribute for name]field.

Section: Group list

27. To retrieve the list of users groups available in your enterprise directory based on the advanced criteria defined inthe prior sections, click on the [Synchronize available groups] button

28. Select the groups to be used for users synchronization from the list of available groups and add them to the[Synchronized groups] list.

To add or remove a group, use the or buttons.

29. Set the synchronization priority of groups by controlling their positions in the [Synchronized groups] list.

To control the synchronization priority, select a group and use the or buttons to move it up or down inthe list.

Warning: The order in which groups are synchronized is important because one user can belong toseveral directory groups.

8 Menu: Parameters


Section: User List

30. Synchronize the users belonging to the [Synchronized groups] list using the [Synchronize users] button.

Result: A message indicating the number of users synchronized.


Joining the Olfeo solution to the Windows domain

Warning: Joining the Olfeo solution to the Windows domain ensure that Olfeo will be able to senduser authentication request to the Windows Domain controller required for the NTLM and Kerberosauthentication. In order to join the Olfeo solution to the Windows domain you must user a user account withthe necessary rights to register a workstation to the domain.

Warning: If you plan to join two or more Olfeo installations to the Windows domain, you need to ensurethey all use different dns names. Olfeo machine name is available from the [Parameters][Network][Server]menu. To change the name please refer to the procedure documented in the Olfeo Installation Guide.

1. To join Olfeo to a Windows domain use the [Parameters] > [Authentication] > [Windows domain join].

Section: Authentication

2. In the [AD servers] dropdown list, select the previously registered ActiveDirectory enterprise directory.

3. Enter the Windows domain account with the appropriate rights in the [AD Login (for joining)] field.

Warning: Use the following syntax: login@domain


4. Enter the user password in the [AD Password] field.

5. Click on the [Join domain] button.

8 Menu: Parameters


Warning: An Olfeo installation can only be joined to a single Windows domain. If you want to performauthentication across Windows domain boundaries, you need to make sure you have the proper Windowsdomains trust relationships in place.

Result: The [Status] message appears, specifying the name of the LDAP server to which the Olfeo solution hasbeen joined.

Grouping and prioritizing authentications in a mode

1. Go to the mode settings page via [Parameters] > [Authentication] > [Authentication Mode].

Section: Authentication mode

2. Enter a name that describing the authentication mode in the [Label] field.


Section: Properties

4. Add an authentication solution using the button.

Perform this step as many times as needed to add all the needed authentication solutions.

a) In the newly created line, click on the link "---" of the Backend Type column.

b) Select the [LDAP] module.

c) Select the directory you want from the [Select a directory] list.

d) Click on [Ok] to save your changes.

5. To add a guest account to be used as default login, add an authentication solution using the button.

a) In the newly created line, click on the link "---" of the Backend Type column.

8 Menu: Parameters


b) Select the [Guest] module.

c) Enter the guest user ID in the [User ID] field.

Note: The guest account must be present in a directory or have been manually added to the list ofusers. For more information about the user list, go here: Users list on page 100.

d) Click on [Ok] to save your changes.

6. Using the arrows and ,set the priority order for your authentication solutions.

7. To delete an authentication solution, click the button next to the corresponding line.


Submenu: High Availability

Warning: The [Parameters] > [High Availability] menu is related to the notion of Olfeo domain andclusters covered in the Olfeo Integration Guide. We recommend you to refer to this guide for moreinformation about Olfeo high availalibity concepts.

The [Parameters] > [High Availability] > [Olfeo Domain Management] menu lets us create an Olfeo Domain. AnOlfeo domain is a logical set of Olfeo installation with one installation identified as the Master. This Master Olfeoinstallation manages the global configuration for the entire Olfeo domain installations. Any modification to the globalconfiguration is automatically propagated from the Master installation to the various Olfeo installations members ofthe Olfeo domain.

On the non-master installations, also called slaves, many menus will be removed from their graphical user interfacebecause the corresponding configuration will be solely managed by the Olfeo Master installation. However some menuswill remain available because they pertain to local configuration elements (network, ...). The only available menus onthe slave installations are:

• [Analysis]

• [Livelog].

• [Parameters]

• [Authentication] (But only the menu for joining an Olfeo installation to the Windows domain because theenterprise directories registration page is part of the global configuration)

• [Network] (DNS configuration, SMTP, SMS, outgoing HTTP proxy.)• [System] (Services start/stop, NTP configuration, Olfeo administration console's certificates configuration).

8 Menu: Parameters


• [Monitoring] (local log, Olfeo local state, automated tasks).• [Updates].• [Backup] (Mount point configuration, backup tasks and backups list)• [Advanced] (Blocking page redirection definition only)• [Support].

In an Olfeo domain, the Olfeo Master centralizes the logs and statistics. When the Olfeo Master is not available, thelogs and statistics information are temporarily stored on Olfeo Slaves and automatically transferred to the Olfeo Masteronce it becomes available. It is also possible to configure one or more logs secondary server as backups to store a replicaof the logs stored on the Olfeo Master.

The [Parameters] > [High availability] > [Clusters] menu lets you configure and manage Olfeo clusters. An Olfeocluster ensures availability of Olfeo services by means of virtual IP addresses. A virtual IP address is assigned to eachOlfeo cluster node. Should an Olfeo cluster node become unavailable, its virtual IP address is failed over to anothernode in the cluster. In normal operation, an Olfeo cluster can be used as an active/active or active/passive cluster.

The submenu [parameters] > [High availability] > [Log replication] menu allows for the assignation of the secondarylogs server role to one of more Olfeo domain members. Assigning the secondary logs server role to an Olfeo domain

8 Menu: Parameters


member will trigger the replication of all logs from the Olfeo master to each secondary logs servers. Should the Olfeomaster become unavailable, the logs will remain accessible from the secondary logs servers. Once the Olfeo Masterbecomes available again, the secondary logs server will automatically synchronized the missing logs.

In an Olfeo domain, the secondary logs servers are kept in a list distributed to all Olfeo domain members. Thereforeeach Olfeo domain members will run down this list to identify the server to send its logs to should the Olfeo Masterbecome unavailable.

Warning: Configuring an Olfeo secondary logs server will immediately trigger the replication of the logsstored on the Olfeo Master. Considering all the logs are replicated, you need to ensure the secondary logsservers have enough storage space for the replication to work.

Warning: It is preferable to configure this during off hours or during the Olfeo solution initial deployment.

Creating an Olfeo Domain

1. If the authentication architecture requires you to join your Olfeo Solution to the Windows domain, perform theprocedure before creating the Olfeo domain.

Note: For more information about joining the Windows domain, go here: Adding an Active Directoryenterprise directory and synchronizing the users on page 173 and Joining the Olfeo solution to theWindows domain on page 180.

2. Log on the “Master” machine.

3. Go to the configuration page via [Parameters] > [High Availability] > [Olfeo Domain Management].

(Master) Section: Olfeo Domain

4. Click on the [Create a new Olfeo domain] button, then wait for the Olfeo domain to be created.

8 Menu: Parameters


Joining an Olfeo domain

Figure 18: “Master” machine

Figure 19: “Slave” machine


2. Go to the configuration page via [Parameters] > [High Availability] > [Olfeo Domain Management].

(Master) Section: Nodes list

3. Click on the link [Add a host to the domain].

(Master) Section: Parameters

4. Enter a name in the field [Name] to describe the new member of the Olfeo domain.

5. Enter the new member’s IP address in the [IP address] field.

6. Click on the [Create] button.

(Master) Section: Nodes list

7. In the Nodes list note the member ID corresponding to the new Olfeo Domain member.

(Slave) Section: Olfeo domain

8. Log in to the “Slave” machine.

9. Go to the domain configuration page via [Parameters] > [High Availability] > [Olfeo Domain Management].

8 Menu: Parameters


10. Click on the link [Join an Olfeo domain].

(Slave) Section: Join an Olfeo domain

11. Enter the [Member ID] in the corresponding file field. This member ID number also appears on the “Master”machine’s list of domain members (refer to step 7 on page 185.)

Example: 81012288

12. Enter the IP address of the Master machine in the [Master's IP address] field.

13. Click on the button [join domain] then wait until the machine has joined the domain.

Warning: After joining the Olfeo domain is completed, the Olfeo Administration Console will displaythe login page.

Note: When a slave machine has been joined to an Olfeo Domain, most of the Olfeo AdministrationConsole menus will become inaccessible. The only menus remaining are those related to the machinelocal configuration ([Analysis], [Parameters]).

Figure 20: Example of an administration console from a slave machine joined to an Olfeo domain.

(Slave) Section: Olfeo domain

14. To make sure that your Olfeo is correctly joined to an Olfeo domain, go to the Olfeo domain configuration page via[Parameters] > [High Availability] > [Olfeo Domain Management] and verify that the phrase “You are currentlyjoined to a domain” is displayed.

Note: On the Master machine’s Notes list for the Olfeo domain , the machine joined to the domain mustbe in the “Online” state.

8 Menu: Parameters


Creating a cluster


2. Go to the configuration page for clusters via [Parameters] > [High Availability] > [Clusters].

(Master) Section: High Availability Parameters

3. In the [Notification Email address] field, enter the Destination email address where you want to receivenotification emails about cluster node failover/failback.

4. In the [Email sender] field, enter the sender email address for the failover/failback email notifications.

5. Click on the [Add cluster] link.


6. Enter a name identifying your cluster in the field [Name].

7. Enter a description for your cluster in the [Description] field.

8. Enter a password in the [Password] field. This password is a shared secret between cluster nodes allowing themto securely communicate with each other.

9. Enter a number between 1 and 254 in the [First vrrp_id] field. The first VRRP identifier is used for cluster nodemanagement.

Warning: Other devices on your network are likely to use VRRP. To avoid conflicts, do not use a VRRPID already in use.

10. Select the network interface for all cluster members that will be used to send cluster node heartbeat messages usedto monitor nodes viability. The same network interface will be used on all cluster node and must be selected fromthe [Network Interface] dropdown list.

8 Menu: Parameters


Section: Selecting Cluster Members

11. Select the Olfeo Domain machines that will be used as cluster members by enabling the button from the Activecolumn.

Note: For a machine part of the Olfeo cluster, the corresponding icon should be .

12. For each machine part of the Olfeo cluster, enter a virtual IP address in the [Virtual IP] column.

Note: These virtual IP addresses will be the IP addresses the end users machines will use to access theOlfeo services.

Note: Remember the virtual IP address of a machine will be failed over to another node in case of anote or proxy failure.


Adding a secondary logs server


2. Go to the secondary logs servers configuration page via [Parameters] > [High Availability] > [Log replication]menu.


3. From the [Not log server] list, select one or more Olfeo domain members you want to give the secondary logsserver role to.

8 Menu: Parameters


4.Click on the arrow to add the selected Olfeo domain members to the [Log server] list.


Submenu: Administrators

Danger: Never delete the original Olfeo administrator because he is at the root of the administratorshierarchy! For more information, see chapter Olfeo Rights Principle on page 190.

The [Parameters] > [Administrators] > [Administrators] menu lets you create Olfeo Administrators and assignspecific administrator rights to them. The rights to the Olfeo solution management and operation are applicable to:

• The contents of BUs or Olfeo solution users groups.• The menus or submenus that can be viewed or changed from the Olfeo administration console.

In the submenu[Parameters] > [Administrators] > [Administrators] menu, each administrator can view his parentadministrator's name in the hierarchy in the column labeled Manager.

Note: For more information, see chapter Olfeo Rights Principle on page 190.

8 Menu: Parameters


[Parameters] > [Administrators] > [My Preferences] menu lets view and change properties of your currentadministrator. This is a shortcut equivalent to using [Parameters] > [Administrators] > [Administrators] and thenselecting your account.

Olfeo Rights Principle

Figure 21: Example of the rights hierarchy

8 Menu: Parameters


In Olfeo, each administrator is inserted in a tree based hierarchy each administrator is at a node and is the parentadministrators of each direct descendant's nodes. In the image below:

• The admin1a and admin1b administrators were created by admin1 administrator who was created by the globaladmin.

• The admin2a and admin2b administrators were created by the admin2 administrator who was himself created bythe global admin.

Danger: Never delete the global administrator because he is the root of the entire hierarchy!

Danger: Never delete an administrator with descendants from the hierarchy! Indeed, once deleted, thedescendants administrators become orphans and can no longer be re-attached to the main hierarchy.

In his daily work, an administrator is required to handle a set of objects (filtering policies, quotas, URL lists, categorylists, messages, public portals and their configuration, etc.). In the Olfeo solution, an administrator can by default seeonly his own objects and those created by his hierarchy.

For example, in the image below, admin1a can view only his objects, those of admin1 and those of the global admin.admin1a cannot view the objects of admin1b or those from the branch to which admin2 belongs.

Figure 22: Objects visible to admin1a

In the Olfeo solution, there is, however, an option allowing an administrator to see objects from the same branch and alladministrators at the the same hierarchy level. However, this option needs to be activated at the administrator parentadministrator level.

In the previous example, admin1a asks admin1 to enable [Object sharing mode] using the [Parameters] >[Administrators] as shown in the following screenshot.

8 Menu: Parameters


Figure 23: Enabling the [Object sharing mode] by admin1

As shown in the following image, once the [Object sharing mode] enabled by admin1, admin1a will be able to viewadmin1b objects .

Figure 24: Objects visible for admin1a because admin1 enabled [Object sharing mode]

8 Menu: Parameters


Adding an administrator

1. Go to the administrators management page via [Parameters] > [Administrators] > [Administrators].

2. Click on the [Add an administrator] link.

Section: Administrator

3. Enter the login of the administrator that you want to create, in the [Login] field.

Example: admin2

4. Enter the name of the administrator you want to create, in the [Name] field.

Example: Administrator2

5. Enter the email of the administrator that you want to create, in the [Email] field.

6. Enter the password for the administrator you are creating in the [Password] field.

7. Select the language for the Olfeo Administration Console for this administrator in the [Language] dropdown list.

8. In the [Default page] dropdown list, select the Olfeo Administration Consoleto use as a welcome page when theadministrator logs in the Administration Console.

Example: Live log.

9. If you want all objects from the hierarchy below this administrator to be shareable, enable the [Object sharingmode] checkbox.

8 Menu: Parameters


Note: For more information on the Olfeo administrator hierarchy, rights and the object sharing mode,go to : Olfeo Rights Principle on page 190.

10. Click on [Create] to create the administrator.

Adding rights to an administrator

1. Open the administrator rights assignation page via [Parameters] > [Administrators] > [Administrators].

Section: Rights

2. Add a type of right using the button.

a) To create an administrator with all rights click on [admin] in the Label column.

• Next, check that the [Global administrator] field it is selected, then click [Ok].• To finish, click the link [All rights] from the Label column.

Warning: [Coaching]: To enable the coaching feature, enter Enabled«5» in the «6»[Coaching]«7»dropdown list. The coaching feature automatically sends a periodic email to users with the featureactivated. This email includes a predefined set of user specific browsing activity reports.

b) To specify rights on Organizational Units or Users Groups from the Users list from the rules engine page clickon the [Groups] link.

8 Menu: Parameters


• Next, expand the users' tree using the icon. Then enable all the checkboxes for the BUs and Users Groupsyou want to assign rights on. Confirm your selection by clicking [Ok].

• Select the type of right you want to assign to the administrator by clicking on the corresponding link in theLabel column.

Right Description

[All rights] Grants all rights.

[Read only] Grants read-only rights on the users list from the rules engine page.

[Modify] Grants modification rights on the users list from the rules engine page.

[Analysis] Grants the right to produce statistics for the selected users' population from the userslist of the rules engine page.

Note: Once this right is assigned to an administrator, the [Analysis] >[Creation], [Analysis] > [Consultation] and [Analysis] > Diffusion lists]become accessible to him.

[Assign a policy] Grants the right to assign filtering policies (URLs and protocols) to users in the userslist of the rules engine page.

c) To change the contents of the menus and submenus of the Olfeo admin console, so they can be viewed or editedclick on the [Groups] link.

• Expand the tree structure using the icon then enable the corresponding checkboxes for the desired menusor submenus. Confirm your selection with [OK].

• Select the type of right you want to assign to the administrator by clicking on the corresponding link fromthe Label column.

Right Description

[Read-Only] Makes a menu accessible but does not grant the right to modify its content.

[Modify] Makes a menu accessible and grants the right to modify its content.

3. Click on [Create] to save the new administrator rights.

Sub-menu: Network

The [Parameters] > [Network] sub-menu allows you to configure your Olfeo solution network support. More preciselyyou, using this menu, you can configure:

• The DNS server for your Olfeo.• The SMTP server for your Olfeo.

8 Menu: Parameters


• The SMS Gateway for your Olfeo.• The HTTP proxy to be used by your Olfeo solution in case the Olfeo solution is requiring a proxy to access the

internet.

Using the menu [Parameters] > [Network] > [Network Tests], you can test your network configuration.

DNS Configuration

1. Go to the DNS configuration page via [Parameters] > [Network] > [DNS].

Section: DNS

2. Enter the IP addresses of the DNS servers you want Olfeo to use in priority order in the [DNS Servers list] field.

Note: Use commas as the field separator.

3. Enter the DNS domain to be used by Olfeo in the [DNS Domain list].


8 Menu: Parameters


Configuring SMTP

1. Go to the SMTP configuration page via the [Parameters] > [Network] > [SMTP] menu.

Section: SMTP

2. Enter the SMTP server name or IP address in the [Server Name] field.

3. Enter the TCP port of the SMTP server in the [Port] field.

4. Enter the email address that the Olfeo solution will use as sender in the [Mail from] field.

Section: Diffusion

5. Enter the time at which automatic distributions are to be made in the [Send Time (UTC)] field.

Note: The diffusion time applies to both statistical reports and coaching messages.

Example: 03:00


8 Menu: Parameters


SMS Configuration

Note: Olfeo does not directly send SMS messages. Instead, to send SMS messages, Olfeo requires theconfiguration of a “Mail To SMS” service. Based on this configuration, Olfeo sends specially emails with aspecific format to the mailtosms service and the service translate them to SMS messages.

Warning: The following documentation presents a typical configuration for “Mail To SMS” service. Someoperators, however, may require a more specific configuration. If needed you can adapt the SMS serviceconfiguration to your operator requirements.

1. Go to the SMS gateways configuration page via [Parameters] > [Network] > [SMS].

2. Click on the[Add an SMS gateway] link.

8 Menu: Parameters


Section: Mail-SMS Gateway



Section: Generated email configuration

5. In the [Sender] field, enter the email address that will be used as sender for the emails sent to your SMSservice provider.

Note: If this field is left empty the [Sender] field from the [Parameters] > [Network] > [SMTP] willbe used instead.


6. Enter your operator recipient email address in the [Recipient] field.


7. Enter the email Subject in the format requested by your operator in the [Subject] field.

The syntax to use is typically the following:

SMSaccount:SMSuser:Password:Sender:%sms.recipient%

• SMSaccount: the account name provided by your SMS service provider.• SMSuser: the user associated to the SMSaccount with SMS sending capability.• Password : The SMS user password.• Sender : The sender who will be displayed as the SMS sender. Enter a name or phone number.• %sms.recipient% is a mandatory variable for SMS recipient’s phone number. This variable is permanent and

cannot be replaced.

Example: sms-oo5555-1:operator:password:MYCOMPANY:%sms.recipient%

8. In the [Reply To] field, enter the email address your SMS service provider will send messages in case offailed SMS delivery.


9. Enter the email content in the [Email text] field.

The email content test must at least contain:

• The %sms.message% variable. This mandatory variable will be a placeholder for the SMS service provider toinsert the SMS message.

• Predefined text that all messages will contain (such as a signature).

10. Click [Create] to save your SMS gateway configuration.

8 Menu: Parameters


Sending a test SMS

1. Go to the SMS gateways configuration page via [Parameters] > [Network] > [SMS].

2. In the Label column, click on the SMS gateway link that you want to test.

Section: Sending a test SMS

3. Enter the recipient’s phone number in the [Recipient] field.

Note: Use international format for the phone number syntax.

Example: +33612345678 (where 33 is the country prefix for France).

4. Enter the message content in the [Message] field.

5. Click on [Test] to send a test SMS.

6. Check the message was correctly sent to your SMTP server and that the result displays successful as shown in theabove screenshot.

Warning: The successful send of the SMS does not mean it was delivered. Check the message wascorrectly received in order to complete the test.

Configuring the HTTP proxy

If Olfeo requires a HTTP Proxy to connect to the internet, use the [Parameters] > [Network] > [HTTP] page toconfigure it.

Note: An Internet connection is required for Olfeo automatic databases (Virus, URLs, ...) updates, URLdynamic filtering, automatic license update and software update.

8 Menu: Parameters


1. Go to the HTTP Proxy configuration page via [Parameters] > [Network] > [HTTP].

Section: HTTP

2. Enable the [Use proxy] checkbox.

3. Enter the proxy’s IP address in the [Server] field.

4. Enter the HTTP proxy’s TCP port in the [Port] field.

5. If the outgoing HTTP proxy requires an authentication, enable the [Use authentication] checkbox.

a) Enter the login required for proxy authentication in the [Login] field.

b) Enter the corresponding password in the [Password] field.


Testing your network configuration

1. Go to the Network Test page via [Parameters] > [Network] > [Network Tests].

2. To ping a destination server from the Olfeo solution:

a) Enter the destination IP address or the server name in the field in the Test Parameter column.

b) Click on the [Run Test] link from the Action column.

c) Check the result is displayed as Successful in the Test Result column.

3. To perform a DNS resolution test from the Olfeo solution:

a) Enter the destination FQDN name to be resolved in the corresponding Test Parameter column.



4. To test the Olfeo solution can perform HTTP requests:

a) Enter a URL in the field in the Test Parameter column.


8 Menu: Parameters



5. To test the Olfeo solution can send emails:

a) Enter an email address in the field in the Test Parameter column.



Submenu: System

The [Parameters] > [System] > [Services] page provides a way to start or stop Olfeo solution's services as well asautomatically start those services.

The [Parameters] > [System] > [Date] page provides a mechanism to synchronize your Olfeo date and time with oneor more NTP servers.

8 Menu: Parameters


The [Parameters] > [System] > [Archive] page lets you enable both NCSA and Olfeo RAW logs format as well asremove some information from these logs.

RAW logs are Olfeo proprietary binary log files grouping all browsing information and processed by Olfeo. The RAWlogs include all URL, protocol and file information processed by Olfeo and the filtering operations performed. OlfeoRAW logs are essential in order to generate [Analysis].

NCSA logs are text log files, as opposed to RAW files. These NCSA logs follows the format specified by the NationalCenter for Supercomputing Applications (NCSA) during the development of their Web NCSA HTTPd server. Olfeosupports this universal format, which is not enabled by default, therefore allowing to create logs files in text format thatyou can process using third-party log files processing product compatible with this NCSA format.

The [Parameters] > [System] > [Console] lets you configure HTTPS access to the Olfeo Administration Console.HTTPS provide an encrypted communication channel between your Olfeo Administration machine and the OlfeoAdministration Console.

8 Menu: Parameters


Stop/Start Configuration

1. Go to the services configuration page via [Parameters] > [System] > [Services] page.

2. To stop or start a service, click on the [Stop] or [Start] link for the corresponding service in the Action column.

These are the Olfeo services

• URL filtering service: Manages everything related to filtering in the Olfeo solution.• SNMP Monitoring Service: Handles SNMP queries initiated by monitoring applications. For more information

about monitoring, refer to: Submenu: Monitoring on page 208.• RTSP Proxy: Proxy for RTSP flows (Real Time Streaming Protocol). For more information concerning Olfeo

RTSP proxy, refer to: Sub menu: RTSP on page 56.• Logging Service: Handles Olfeo logs writing operations. If this service is stopped, the operations Submenu:

Livelog on page 153 ([Analysis] > [Livelog]) will also become unavailable.• [ClamAV daemon]: Olfeo antivirus service.• [Network Time Protocol]: Handles Olfeo clock synchronization using the NTP protocol.• [Proxy service ]: Olfeo HTTP proxy service.

• A service currently start will display a [Stop] link in the Action column.• A stopped service will display a [Start] link in the Action column.

The other possible states for the column are:Action are:

• disabled : The service is not available.• error : The service has encountered an error (When you move your mouse over the service state, a tool tip will

give more information about the error).

3. To automatically start a service when Olfeo starts, enable the checkbox in the [Enable at boot] column.

8 Menu: Parameters


Configuring the NTP synchronization

Warning: You may notice a lag of 1 to 2 hours, depending on daylight saving time, between the Olfeotime and your local time. This time difference is normal! Olfeo uses international UTC standard time inorder to facilitate the use of time related objects or functions (timeslots, statistics, ...). This time difference isobservable in Olfeo livelog as those logs also uses UTC time. For obvious reason, it is not recommended toalter Olfeo time because of the impact it could have on time related objects or features. For example changingOlfeo timezone to "Paris" time you could end up filtering in the time range 11 am - 8 pm if you used a timeslotspecified as 9 am - 6 pm.

Warning: Remember that all clocks drift: for NTLM authentication, you need to ensure your Olfeo andActiveDirectory times do not differ by more than 5 minutes.

1. Go to the NTP configuration page via [Parameters] > [System] > [Date].

Section: Date

2. In the [NTP Servers] field, enter the addresses or fqdn of the NTP servers you want to use for time synchronization.


8 Menu: Parameters


Configuring logs archiving

1. Go to the logs configuration page via [Parameters] > [System] > [Archive].

Section: Enable Statistics

2. Enable the [Enable statistics] checkbox in order to activate the generation of Olfeo proprietary RAW log files.

Olfeo RAW log files are proprietary binary files grouping all information received and processed by Olfeo. TheRAW log files contain all URLs, protocols and files flows sent to Olfeo and filtering decisions applied.

Warning: The RAW logs files are essential for generating statistics and reports from the [Analysis]menu.

3. To prevent recording users' user names in the Olfeo RAW log files, enable the [Don't log users] checkbox.

Note: If the [Don't log users] is enabled, it will be impossible to perform per user statistical analysis.

4. To prevent recording users' groups in the Olfeo RAW log files, enable the [Don't log groups] checkbox.

Note: If the [Don't log groups] is enabled, it will be impossible to perform per group statistical analysis.

5. To prevent recoding users' IP addresses in the Olfeo RAW log files, enable the [Don't log ips] checkbox.

8 Menu: Parameters


Note: If the [Don't log ips] is enabled, it will be impossible to perform per IP ranges statistical analysis.

6. To deactivate timespent analysis in the RAW log files, enable the [Disable timespent statistics] checkbox.

Note: If the [Disable timespent statistics] checkbox is enabled, it will be impossible to performe timespent statistical analysis.

Section: Enable NCSA

7. To generate NCSA format log files, enable the [Enable NCSA] checkbox.

NCSA logs are text log files, as opposed to Olfeo RAW log files. These NCSA log files follow the format specifiedby the National Center for Supercomputing Applications (NCSA) during the development of their Web NCSAHTTPd server. Olfeo supports this universal format, which is not enabled by default, therefore allowing to createadditional logs files in text format that you can process using third-party log files processing products compatiblewith this NCSA format.

8. To prevent recording users' usernames in the NCSA log files, enable the [Don't log users] checkbox.

9. To prevent recording users' IP addresses in the NCSA log files, enable the [Don't log ips] checkbox.

10. Choose the language for the NCSA log files in the [Language] dropdown list.


Enabling Olfeo administration console HTTPS access

1. Go to the Olfeo Administration Console access mode configuration page via [Parameters] > [System] > [Console].

Section: Web Server Mode

2. To enable Olfeo Administration Console access mode to HTTPS using the Olfeo pre-generated and self-signedcertificate, click on the [Switch to HTTPS mode with default key] button.

3. To use a certificate other than the Olfeo's default one:

a) Select your SSL certificate in the [SSL Certificate] field, using the [Browse...] button.

8 Menu: Parameters


b) Select your SSL private key in the [SSL Key] field, using the [Browse...] button.


Submenu: Monitoring

The [Parameters] > [Monitoring] > [Logs] page displays Olfeo system log typically composed of informational anderror messages.

8 Menu: Parameters


The [Parameters] > [Monitoring] > [Status] page provides a way to review Olfeo solution status in terms of:

• Storage list (memory buffers, physical memory utilization, swap space consumption, fixed and remote volumesavailable/consumer space).

• System parameters (uptime, number of processes, number of TCP connections, CPU load)• Process list (Top processes with memory consumption)

8 Menu: Parameters


The [Parameters] > [Monitoring] > [Snmp] page provides a way to restrict access to Olfeo SNMP information to alist of SNMP clients and SNMP communities.

The [Parameters] > [Monitoring] > [Syslog] page allows the Olfeo administrator to configure one or more syslogservers. Once configured, Olfeo will send entries of its events logs to the configured syslog servers.

The [Parameters] > [Monitoring] > [Tasks] lets you view Olfeo automated tasks. On this page, you can view the task's:

• The task name.• Tasks execution frequency (cron syntax).

Note: For more information about the cron syntax, go to: Cron.

• Tasks Last Start and Last End dates.

The [Parameters] > [Monitoring] > [Tasks] lets manually triggers task execution.

http://en.wikipedia.org/wiki/Cron

8 Menu: Parameters


Enabling email based system notifications

1. Go to the system log page via [Parameters] > [Monitoring] > [Logs].

Section: Logs mails

2. If you want the currently logged in Olfeo Administration to receive system event messages, enable the [Send alertemails to ...] checkbox.

3. If you want send system event messages to other email adresses, enter their email addresses separated by a commain the [Additional mailing lists] field.


8 Menu: Parameters


Filtering system events by type

1. Go to the system log page via [Parameters] > [Monitoring] > [Logs].

2. In the Level column, click on the message type you want to filter on.

Example: info

3. To cancel and event type filter and display all event type messages again, click on the [Show all] link at the bottomof the page.

8 Menu: Parameters


Configuring SNMP agents' access to Olfeo

1. Got to the SNMP access configuration page via [Parameters] > [Monitoring] > [Snmp].

2. In the [IP allowed] enter the IP addresses allowed to send SNMP queries to Olfeo.

3. Enter the SNMP community the SNMP agents must be part of to be able to send SNMP queries to Olfeo.

Example: public


Adding a syslog server

1. Go to the syslog configuration page via [Parameters] > [Monitoring] > [Syslog].

Section: Syslog

2. Enter a name for your syslog server in the [Label] field.

3. Enter a description for your syslog server in the [Description] field.

8 Menu: Parameters


Section: Parameters

4. Enter your syslog server IP address in the [Server] field.


Forcing execution of a scheduled task

1. Go to scheduled tasks page via [Parameters] > [Monitoring] > [Tasks].

Section: Tasks

2. In the [Task to execute] dropdown list, select the task you want to trigger.

3. Click on the [Run Task] button.

Section: Tasks

4. Check your task last execution result status in the Tasks section.

8 Menu: Parameters


Submenu: Updates

The [Parameters] > [Updates] > [Software] page display the list of Olfeo components packages, their versions as wellas the available updates. Use this submenu to update your Olfeo installation.

The [Parameters] > [Updates] > [Database] allows you to view Olfeo URL and antivirus databases versions.

8 Menu: Parameters


The [Parameters] > [Updates] > [Subscription] page displays the status of your Olfeo licenses as well as your technicalsupport contract and your active or expired OlfeoBox warranties.

The [Parameters] > [Updates] > [Credentials] page lets you enter your Olfeo license identifier and password in orderto activate your license.

8 Menu: Parameters


Updating Olfeo

1. Go to the [Parameters] > [Updates] > [Software] page.

2. Click on the [Install updates] button.

3. Wait for the update to complete.

4. Once the update is complete, you will have to log back in the Olfeo Administration Console.

8 Menu: Parameters


Manually updating the Olfeo URL database

Olfeo automatically and transparently updates its URL database every 15 minutes. To perform a manual update youcan use the following procedure.

1. Go to the [Parameters] > [Updates] > [Database] page.

2. Click on the [Olfeo - URL Base] link in the Label column.

3. Click on the [Complete Update] button to perform a complete URL database update or click on [IncrementalUpdate] button to perform an incremental update.

The update will run in the background.

4. Click on the [Ok] button.

Configuring Olfeo URL database automatic update

8 Menu: Parameters


1. Go to the [Parameters] > [Updates] > [Database] page.

Section: Parameters

2. To periodically report to Olfeo systems a list of unknown URLs your Olfeo solution recorded, enabled the [Allowinformation upload to Olfeo] checkbox.

3. To enable Olfeo URL database automatic and transparent update, enable the [Use automatic synchronization]checkbox.


Entering your Olfeo license

1. Go to the [Parameters] > [Updates] > [Credentials].

2. In the [Login] and [Password] fields, enter your license identifiers you received from Olfeo.

Note: Your license identifiers are typically delivered in shipping documentation in the "Code detéléchargement et de mise à jour" section of the document.

3. Click on the [Ok] button.

4. To activate your license and review your license information go to the [Parameters] > [Updates] > [Subscription]page , then click on the [Update licence] button.

8 Menu: Parameters


Renewing your license

1. Go to the [Parameters] > [Updates] > [Subscription] page

Section: Software

2. Click on one of the [Renew ] links from the Action column.

3. An email window should popup, write down your renewal request and specifics and send your email to Olfeocustomer service :

When renewing one or more Olfeo products:

Customer Name :Olfeo Products Requested :Requested Start Date :Requested End Date :Number of Licenses Requested :Total Number of Users :

When renewing Olfeo direct Technical Support :

Requested Start Date :Requested End Date :Current Number of Licenses :

8 Menu: Parameters


When renewing an OlfeoBox Warranty

Requested Start Date :Requested End Date :OlfeoBox Model :OlfeoBox Serial Number :

Submenu: Backup

The [Backup] > [Destinations] page lets you define mount point, also called destinations, that will be used as backupsdestinations. Olfeo backups require to manually create CIFS or NFS mount point to be used as a destination before anyother backup configuration.

The [Backup] > [Backup tasks] page allows you to define backup tasks to be performed. Although backup tasks canbe scheduled, you can also perform a manual backup using the [Backup] > [Backup tasks] page.

Note: Olfeo backups are considered “hot” backups because they do not cause any service interruption.

8 Menu: Parameters


The [Backup] > [Backup listing] page lets you view the latest backup operations performed and to manually run arestore operation.

Note: Olfeo restore operations are considered cold operations because they will trigger Olfeo services restart.

Creating a CIFS mount point in Olfeo

1. Open a terminal or SSH access to Olfeo using the root username.

2. Create the directory to use as your mount point for your CIFS share.

Warning: For an Olfeo virtual appliance or a software installation, the mount point directory to createmust be under Olfeo chroot /opt/olfeo5/chroot/ directory.

Example for Olfeo Box:

root@myolfeo:~# mkdir /mnt/cifs

Example for avirtual appliance or a software installation:

root@myolfeo:~# mkdir /opt/olfeo5/chroot/mnt/cifs

3. Edit the /etc/fstab file with the editor of your choice

root@myolfeo:~# vi /etc/fstab

4. Enter the line that permanently mounts your remote CIFS share and then save the change.


//server_partage/partage /mnt/cifs/ cifs credentials=/root/.smbcredentials,iocharset=utf8,file_mode=0777,dir_mode=0777,auto 0 0

Example for a virtual appliance or a software installation:

//server_partage/partage /opt/olfeo5/chroot/mnt/cifs/ cifs credentials=/root/.smbcredentials,iocharset=utf8,file_mode=0777,dir_mode=0777,auto 0 0

Where:

• server_partage is the name or IP address of the server providing CIFS share.• share is the name of the CIFS share.• /mnt/cifs/ or /opt/olfeo5/chroot/mnt/cifs/ is the directory where the CIFS file system will be mounted.• /root/.smbcredentials is the name of a hidden file that will contain the username and password for accessing

the share.

Note: You will need to create this file later.

5. Edit the file given in the settings for the credentials attribute provided on the /etc/fstab mount line (/root/.smbcredentials in the preceding example).

8 Menu: Parameters


6. Enter the username and password of the user authorized to access the share and then save the change.

Example:

username=james password=mypassw0rd

7. Remove any read and write permission on this file for any users except the root user to prevent users from accessingor changing the username/password pair.

root@myolfeo:/# chmod 700 /root/.smbcredentials

8. Mount the remote files system using the mount command.

Example:

mount //server_partage/partage

Warning: If your system does not know how to mount CIFS share, it is probably because you do nothave the smbfs debian package installed.

Example: apt-get install smbfs

Mounting an NFS share in Olfeo

1. Open a terminal or SSH access to Olfeo using the root username.

2. Create the directory where you will mount the remote NFS share.

Warning: For an Olfeo virtual appliance or a software installation, the mount point directory to createmust be under Olfeo chroot /opt/olfeo5/chroot/ directory.


root@myolfeo:~# mkdir /mnt/nfs

Example for avirtual appliance or a software installation:

root@myolfeo:~# mkdir /opt/olfeo5/chroot/mnt/nfs

3. Edit the /etc/fstab file with the editor of your choice

root@myolfeo:~# vi /etc/fstab

4. Enter the line required to permanently mount your NFS share and then save the change.


server_partage:/partage/ /mnt/nfs/ nfs defaults,user,auto,noatime,intr 0 0

Example for a virtual appliance or a software installation:

server_partage:/partage/ /opt/olfeo5/chroot/mnt/nfs/ nfs defaults,user,auto,noatime,intr 0 0

8 Menu: Parameters


Where:

• server_partage is the name or IP address of the server providing the NFS share.• shareis the name of the NFS share.• /mnt/nfs/ or /opt/olfeo5/chroot/mnt/nfs/: Directory where the NFS file system will be mounted.

5. Mount the remote filesystem using the mount command.

Example:

mount server_partage:/partage/

Configuring a Backup Destination in Olfeo

1. Go to the [Backup] > [Destinations] page.

Section: Destination



Section: Parameters

4. Enter the directory for your CIFS or NFS mount point in the [Location] field.

Note: If you have a virtual appliance or a software solution you need to enter the directory withinOlfeo chroot.

Example: If you have entered /opt/olfeo5/chroot/mnt/cifs/ in /etc/fstab, you need toenter /mnt/cifs in the [Location] field.

Or if you have entered /opt/olfeo5/chroot/mnt/nfs/ in /etc/fstab, you need to enter /mnt/nfs in the [Location] field.


8 Menu: Parameters


Creating a Backup Task

1. Go to the [Backup] > [Backup tasks] page.

Section: Task



Section: Parameters

4. Using the checkboxes in the [module] field, select the data you want to save as part of your Olfeo backup:

You can choose from the following types of data:

• Global data: Global data refers to the data of a machine that is not part of an Olfeo domain or those of a Mastermachine in the Olfeo domain.

8 Menu: Parameters


Backup Description

Statistics data All the RAW and NCSA logs (traffic data and processed data) used for statistics.

Charter and Parameters Internet charter configured by the Olfeo Administrators and the correspondingglobal settings.

Statistics configuration All reports and analysis defined by Olfeo Administrators.

• Local data: Local data pertain to Olfeo domain machines specific data.

Backup Description

Local configuration Olfeo local configuration elements (IP address, DNS, domain, ...)

5. Select a previously configured destination from the [Destination] dropdown list.

Section: Planning

6. Select the time of day (UTC time) for the backup task in the [Hour (UTC)] field.

Example: 23:00

7. Select your backup frequency.

• None: No frequency.• Daily• Weekly

• For a weekly backup frequency, select the day of the week you want your backup task to run. Use thecheckboxes from the [Periodicity] field to select the day of the week.

• Monthly

• For a monthly backup, select the day of the month you want your backup task to run. Enter the date in the[Every ... of the month] (e.g.: 5) field.

8. To configure a retention for your backup tasks, enable the [Cleaning] checkbox.

a) Then enter the number of backup tasks to keep in the [maximum kept backups].

9. Click [Create] to save your backup task.

Manually running a backup task

1. Go to the [Backup] > [Backup tasks] page.

2. Identify the backup task you want to run and click on the corresponding [Execute] link from the Action column.

3. Wait for the backup operation to complete.

8 Menu: Parameters


4. Verify the backup task completed successfully using the [Backup] > [Backup listing] page.

Restoring a backup

1. Go to the [Backup] > [Backup listing] page.

2. Identify the backup you want to restore and click on the [Restore] link.

Warning: The elements Charter and parameters and Local Configuration can be restored independently;however, it is recommended to restore the Statistics data and Statistics configuration together becauseof their inherent dependency.

3. Verify the information from the [Label], [Date (UTC)] and [Elements to restore].

Danger: A restore is a cold and destructive operation. Any restore operation will overwrite existing data.

4. Click [Ok] to start the restore process.

Note: The restore operation may require restarting some Olfeo services. Consequently, theAdministration Console may become unavailable and require and reconnection.

Backing up legal traffic logs (RAW and NCSA)

The RAW and NCSA log files contains all users traffic. Olfeo RAW log files are proprietary and binary logs whileNCSA log files contains a subset of the information available in the RAW log files but follow a text file format.

Warning: Because of their inherent size, the RAW and NCSA log files are never saved using Olfeo backups.However the following can be implement to perform this kind of backup operation.

1. Mount a new CIFS or NFS share directory using procedures Creating a CIFS mount point in Olfeo on page 222or Mounting an NFS share in Olfeo on page 223.

2. Open a terminal or SSH session to your Olfeo.

3. If your Olfeo is a virtual appliance or software installation, enter the Olfeo chroot.

chroot /opt/olfeo5/chroot/

8 Menu: Parameters


4. Edit the cron table using the following command:

crontab -e

5. Enter a task to be executed every 3 minutes used to synchronize the Olfeo log files directory with your mount point.You can for example use the rsync command to perform this synchronization.

If your mount point was CIFS based type step 1:

*/3 * * * * rsync -avz /opt/olfeo5/data/log/ /mnt/cifs/ >> /var/log/rsync_raw.log

If your mount point was NFS based type step 1:

*/3 * * * * rsync -avz /opt/olfeo5/data/log/ /mnt/nfs/ >> /var/log/rsync_raw.log

Note: If you enabled the creation of NCSA log files and also want to backup them up, create a new shareat step 1 and create an automated task in the crontab using /opt/olfeo5/data/ncsa/ as the sourcedirectory for synchronization.

If your mount point was CIFS based type step 1:

*/3 * * * * rsync -avz /opt/olfeo5/data/ncsa/ /mnt/cifs_ncsa/ >> /var/log/rsync_ncsa.log

If your moint point was NFS based type step 1:

*/3 * * * * rsync -avz /opt/olfeo5/data/ncsa/ /mnt/nfs_ncsa/ >> /var/log/rsync_ncsa.log

6. Save your crontab changes as in vi using "Esc"+":wq!".

Your automated backup task is now in place.

Submenu: Advanced

8 Menu: Parameters


The [Parameters] > [Advanced] > [Redirection] page provides a way for you to store blocking pages on an serverdifferent from Olfeo and to redirect your end users to this server to retrieve the blocking pages.

The [Parameters] > [Advanced] > [ICAP] allows you to specify additional parameters to use for integration with thirdparty product using the ICAP protocol.

Danger: Any change on this page should not be done without recommendations from Olfeo Support.

The [Parameters] > [Advanced] > [Gateways] page lets you define gateways to be used to define URL filtering policyfor a central filtering Olfeo and multiple remote sites accessing the central filtering solution via gateways.

This page allows you to define a gateway for each remote site and associate a URL filtering policy and specific blockingpage redirection to each one.

The [Parameters] > [Advanced] > [Auto Populate User] page should be used for automatic creation of Olfeo userswhen encountering unknown users or IP addresses.

The

8 Menu: Parameters


Menu[Parameters] > [Advanced] > [Support] provides technical support tunnel management operations. Thetechnical support tunnel offers the capability for Olfeo Technical Support personnel to remotely access your Olfeoproviding them a way to access Olfeo via a terminal session, using the Olfeo Administration Console and also to beable to perform filtering test using your Olfeo.

Redirecting Olfeo Blocking Pages

1. Go to blocking pages redirection configuration page via [Parameters] > [Advanced] > [Redirection].

8 Menu: Parameters


Section: Redirection

2. Select the redirection method from the [Redirection Mode] dropdown list.

Two options are available:

• Automatic: The default redirection mode. The automatic redirection mode configure Olfeo to handle blockingpages requests.

• Static: This redirection mode configures Olfeo to redirect end users to an external server to handle blocking pagesrequests. The external server IP address and TCP port should be entered in the [Static host] and [Port] fields.

a) If [Static] is selected as the [Redirection Mode] enter the external server IP address in the [Static host] fieldand the external server TCP port to use in the [Port] field.

3. The redirection URL returned by Olfeo on a blocking condition can be changed. If so desired, enable the[Redirection URL] checkbox and enter the redirection URL in the [Redirection URL] field.

Configuring a gateway

In a distributed architecture with end users on remote sites and a centralized filtering, it may be interesting to define aURL filtering policy for each remote site. The gateway feature can then be used for such purpose.

The [Parameters] > [Advanced] > [Gateways] page provides a way to define multiple gateways, one for each remotesite and associate a URL filtering policy and a blocking pages redirection setting for each one of them.

1. Go to the gateways creation page via [Parameters] > [Advanced] > [Gateways].

2. Click on the [Add gateway] link.

Section: Gateway

This section applies exclusively to integrations using connectors (coupling or capture integration types). Refer to theOlfeo Integration Guide for more information).

8 Menu: Parameters


Figure 25: Coupling based Integration

Figure 26: Bridging based Capture Integration

8 Menu: Parameters


Figure 27: Port Mirroring based Capture Integration

In a coupling based integration type, Olfeo can integrate with third party products using different protocols such asICAP, OPSEC, WISP or even the Olfeo protocol. Communicating with Olfeo, the third party product can potentiallysend various types of information, such as:

• Its IP address.• The login used by the third party product (in the case of an Olfeo connector).

In the case of capture integration, Olfeo receives the traffic’s VLAN.


4. In the [Server] field, enter the IP address, the login used by the third party product, or the VLAN to create yourgateway,

This information will let you define your gateway in order to limit access to your BUs or to your groups by insertingthis gateway in the list of users (refer to Editing an object from the users list on page 105 for more information).

Example: 192.168.3.4


Once the gateway configured, two situations may occur:

• The third party product uses a good IP address or login; or, in the case of capture integration, it uses the appropriateVLAN. In this situation, Olfeo will apply the URL filtering associated to the gateway as all as the underlying usersURL filtering policy.

• The third party product uses an unhandled IP address or login; or, in the case of a capture integration, a VLAN nothandled by any configured gateways. In this situation, Olfeo will not apply any gateway URL filtering policy or theunderlying user's policy list. It will only apply the URL filtering policy raking higher or at the same hierarchicallevel than the gateway in the users list.

5. In the [URL Policy] dropdown list, select the URL filtering policy to associate to the gateway.

Note: To create a URL filtering policy, go here: Creating a URLs filtering policy on page 25.

8 Menu: Parameters


6. If you want your blocking pages to be serviced by an external server for your gateway, enable the [Redirection IP]checkbox and enter the IP address.

7. Click [Create] to save your gateway.

8. Add your gateway in the users list as explained in Editing an object from the users list on page 105.

Auto Populating Users

Note: This page allows you to configure Olfeo behavior when it encounters unknown users or IP addresses.

1. Go to the Users Auto Populating configuration page via [Parameters] > [Advanced] > [Auto Populate User].

Section: Automatic creation

2. If you want Olfeo to auto-populate users for unknown users, enable the [Automatic creation by login] checkbox.

3. If you want Olfeo to auto-populate IP addresses for unknown IP addresses, enable the [Automatic creation by IP]checkbox.

4. Auto-populated users and IP addresses will be created in the Olfeo users list. To configure the Organizational Unit(OU) Olfeo will use for auto-populate users and IP addresses, enter the OU in the Default Bu field.

5. You can also configure the group to be used when auto-populating users and IP addresses. Enter the group in theDefault Group field.


8 Menu: Parameters


Submenu: Support

The [Parameters] > [Support] provides Olfeo Administrator the capability to configure and manage an SSH basedTechnical Support tunnel. The tunnel can only be used by Olfeo Technical Support personnel to gain remote accessover an encrypted tunnel to your Olfeo.

8 Menu: Parameters


Opening a Technical Support Tunnel

Section: Olfeo Technical Support

1. To configure an SSH based tunnel allowing Olfeo Technical Support to remotely access your Olfeo:

a) Enter the Olfeo Technical Support Server public IP address in the [Support IP address] field. This IP addressshould have been communicated to you by Olfeo Technical Support.

b) In [Outgoing port] field, enter the outgoing source TCP port number Olfeo will use to communicate with itsTechnical Support public Server.

c) Enter the destination TCP port number to use on the Olfeo Technical Support server. This TCP port should becommunicated to you by your Olfeo Technical Support contact and should be entered in the [Remote port] field.

d) Click on the [Connection] to initiate the Olfeo Technical Support tunnel connection.

If the connection is correctly established, the [Status] field should display Activated.

Section: Partner Technical Support Tunnel

2. To configure a Technical Support SSH based tunnel to be used exclusively your Olfeo partner:

a) Enter the IP address provided to you by your Olfeo partner in the [Support IP address] field.

8 Menu: Parameters


b) Enter the outgoing TCP source port to be used when establishing a connection with your Olfeo partner serverin the [Outgoing port] field.

c) Enter the destination Olfeo partner server TCP port in the [Remote port] field.

d) Click on the [Connect] button to initiate the connection to the Olfeo partner Technical Support tunnel server.

If the connection is correctly established, the [Status] field should display Activated.

3. Click on the [Information feedback] button to display information about your Olfeo installation.

Note: This information can be provided, if requested, to your Olfeo or Olfeo Partner Technical Support.

Chapter

9Syntax

Topics:

• Regex Syntax

9 Syntax


Regex Syntax

Regex or regular Expression can be used to create patterns according to your needs. Regex use the following syntaxlike this:

• . : Refers to any symbol.• [abc] : Refers to letter a or b or c.• * : Refers to a repetition (0, 1 or more times the symbol before).• + : Refers to a repetition (1 or more times the symbol before).• ? : Refers to a repetition (0 or 1 of the symbol before).• ^ : Refers to a symbol of "beginning of char string".• $ : Refers to the end of a char string.• () : Refers to a group of symbols.• | : Refers to the logic symbol "or".• \ : Allows to protect a character.

Examples:

• "porte(manteau)?": Match "porte" and "portemanteau" but not "manteau".• ".*": Match any char string.• "[bB]ateau": Match "bateau" and "Bateau".• "(chaise|porte)": Match "chaise" or "porte".• "monsite\.fr" match "monsite.fr" but not "monsiteXfr.com".

Warning: Beware the "." substitutes any character, it does not match the dot separator in a domain name.

Examples:

• ".*yahoo.*" matches all urls that contain yahoo• "www\.yahoo\..*" matches all addresses that begin with www.yahoo. (e.g.: www.yahoo.fr, www.yahoo.com, ...).

Documents

Olfeo Solution€¦ · eMail: [email protected] Phone: +33 (0)1.78.09.68.01 URL Reclassification Service This email address is made available by Olfeo. You can use it to request a