iPrism Administration Guide - EdgeWave
iPrism Administration Guide - EdgeWave
iPrism Administration Guide - EdgeWave
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
800•782•3762<br />
www.stbernard.com<br />
<strong>Administration</strong> <strong>Guide</strong><br />
Version 6.0
©2001 – 2008 St. Bernard Software Inc. All rights reserved. The St. Bernard<br />
Software logo, <strong>iPrism</strong> and iGuard are trademarks of St. Bernard Software Inc. All<br />
other trademarks and registered trademarks are hereby acknowledged.<br />
Microsoft Corporation. All rights reserved. Microsoft, MS-DOS, MS, Windows,<br />
Windows NT/2000, Windows Terminal Server are either registered trademarks<br />
or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.<br />
Netscape Navigator ® is a registered trademark of Netscape Communications<br />
Corporation.<br />
Other product and company names mentioned herein may be the trademarks of<br />
their respective owners.<br />
The <strong>iPrism</strong> software and its documentation are copyrighted materials. Law<br />
prohibits making unauthorized copies. No part of this software or documentation<br />
may be reproduced, transmitted, transcribed, stored in a retrieval system, or<br />
translated into another language without prior permission of St. Bernard<br />
Software, Inc.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Contents<br />
Introduction ....................................................................................................................... 1<br />
Welcome .................................................................................... 1<br />
About this Manual ...................................................................... 2<br />
Who Should Use this Manual?................................................... 2<br />
Overview................................................................................ 2<br />
Technical Support ...................................................................... 3<br />
Installation Notes ....................................................................... 4<br />
Chapter 1 The Big Picture......................................................................... 5<br />
How <strong>iPrism</strong> Fits Into Your Network............................................. 5<br />
Proxy Mode ........................................................................... 5<br />
Bridge (Transparent) Mode.................................................... 8<br />
Using the Management Interface .......................................... 10<br />
How <strong>iPrism</strong> Works...................................................................... 10<br />
What’s New in <strong>iPrism</strong> 6.0?..................................................... 11<br />
The Filtering Database .......................................................... 12<br />
Getting Past Blocked Sites .................................................... 18<br />
Summary.................................................................................... 21<br />
Chapter 2 Overview of <strong>iPrism</strong> Software .................................................. 23<br />
Logging In .................................................................................. 24<br />
Using the Appliance Manager.................................................... 27<br />
Configuring your <strong>iPrism</strong> ......................................................... 30<br />
Web Interface............................................................................. 48<br />
Reports Manager................................................................... 49<br />
Add Web Sites Buttons.......................................................... 50<br />
System Admin Tools Buttons................................................. 50<br />
Chapter 3 Managing Internet Access ...................................................... 55<br />
How <strong>iPrism</strong> Filters Internet Activity ............................................ 55<br />
Introduction to Profiles........................................................... 56<br />
Profiles and ACLs.................................................................. 57<br />
Putting Your Profile to Work................................................... 58<br />
Creating Profiles ........................................................................ 60<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
i
Creating a Profile ................................................................... 60<br />
Scheduling ACLs Within a Profile .......................................... 65<br />
Copying a Profile.................................................................... 69<br />
Deleting a Profile.................................................................... 70<br />
Creating Access Control Lists (ACLs) ........................................ 70<br />
Creating a New ACL .............................................................. 71<br />
Special Filtering Categories (Locally Defined / Other) ........... 80<br />
Viewing ACL Filtering Properties ........................................... 81<br />
Editing ACL Settings .............................................................. 82<br />
Deleting an ACL..................................................................... 83<br />
Lock ACL.................................................................................... 84<br />
Assigning Profiles....................................................................... 88<br />
How <strong>iPrism</strong> Uses Profiles....................................................... 88<br />
Authentication Systems and Assigning Profiles to Users....... 89<br />
Assigning Profiles to a Set of IP Addresses (Workstations)... 89<br />
Assigning Profiles to Remote or Mobile Users....................... 92<br />
Chapter 4 Blocked Pages and Overrides................................................. 97<br />
Access Denied Page Options..................................................... 97<br />
Using Override Privileges........................................................... 99<br />
Overriding a Blocked Web Site .............................................. 99<br />
Using Access Requests.............................................................. 104<br />
Managing Override Access ........................................................ 107<br />
The Override Management Page........................................... 108<br />
Revoking a Single Override ................................................... 108<br />
Revoking All Overrides........................................................... 108<br />
Chapter 5 Fine Tuning Your Web Filtering............................................... 111<br />
Controlling Access to Individual Web Sites ................................ 111<br />
Changing a URL’s Rating with Custom Filters ....................... 112<br />
Controlling URLs with Locally Defined Categories................. 112<br />
Submitting Sites to St. Bernard for Review ............................ 114<br />
Changing the Access Denied and Authentication Pages ........... 116<br />
Using the HTML Template Manager ...................................... 117<br />
ii<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Making “Quick Changes” to the Access Denied Page........... 123<br />
Changing the “Other” pages .................................................. 125<br />
Chapter 6 Users and Authentication ....................................................... 129<br />
Setting up Local Authentication ................................................. 131<br />
Creating User Accounts on the <strong>iPrism</strong>................................... 131<br />
Editing Administrative Privileges ........................................... 135<br />
Creating a new Administrative Profile.................................... 137<br />
Adding a New Administrative Profile ..................................... 141<br />
Deleting an Administrative Profile.......................................... 141<br />
Importing User Accounts into <strong>iPrism</strong>...................................... 141<br />
Editing User Accounts ........................................................... 141<br />
Choosing an Authentication Mechanism.................................... 142<br />
Assigning an Authentication Mechanism to an IP address range 142<br />
Auto-Login Details ................................................................. 146<br />
Communicating with an LDAP Server ................................... 150<br />
Communicating with a<br />
Microsoft Windows Authentication<br />
Server (NTLM)....................................................................... 159<br />
Mapping Groups to <strong>iPrism</strong> Resources................................... 168<br />
Authentication from the User’s Perspective............................... 177<br />
Logging in and out using the web interface ........................... 180<br />
Chapter 7 Email Alerts .............................................................................. 183<br />
Creating and Configuring an Email Alert ............................... 184<br />
Editing an Email Alert ............................................................ 187<br />
Deleting an Email Alert .......................................................... 187<br />
Chapter 8 Network Management.............................................................. 189<br />
Accessing <strong>iPrism</strong>’s Network Settings......................................... 189<br />
Changing <strong>iPrism</strong>’s Identity (Host Name)................................ 190<br />
Changing Network Interface Settings .................................... 191<br />
Enabling the Co-Management Network................................. 192<br />
Changing the Name Server Configuration............................. 193<br />
Changing <strong>iPrism</strong>’s Default Route........................................... 195<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
iii
Communication with Other IP Networks..................................... 195<br />
About Static Routes................................................................ 195<br />
Enabling RIP Updates in <strong>iPrism</strong>............................................. 196<br />
Adding a Static Route............................................................. 196<br />
Editing or Deleting a Static Route .......................................... 199<br />
Configuring SMTP Relay Settings.............................................. 199<br />
Using a WCCP Router with <strong>iPrism</strong> ............................................. 200<br />
Setting Up a Parent Proxy......................................................... 200<br />
Setting Up a Parent Proxy...................................................... 201<br />
Using a Proxy for Filter and System Updates ............................ 203<br />
Changing <strong>iPrism</strong>’s Port Assignments ......................................... 204<br />
Changing <strong>iPrism</strong>’s Proxy Port ................................................ 204<br />
Transparent Mode Redirected Ports ...................................... 206<br />
Secured Site Access (HTTPs Ports) ...................................... 206<br />
Creating Filter Exceptions .......................................................... 207<br />
Specifying a Filter Exception.................................................. 208<br />
Chapter 9 Central Management ................................................................ 211<br />
Before You Begin ................................................................... 211<br />
Setting up a Master/Slave Arrangement ................................ 212<br />
Designating Slave Devices .................................................... 212<br />
Configuring the Master <strong>iPrism</strong> Server .................................... 213<br />
Adding a Slave to a Shared Configuration............................. 215<br />
Removing a Slave from a Shared Configuration.................... 215<br />
Changing the Master <strong>iPrism</strong> Device....................................... 215<br />
Forcing Slave Updates........................................................... 216<br />
Using Standalone Mode with Configuration Sharing.............. 216<br />
Chapter 10 System Settings ....................................................................... 217<br />
System Date and Time ............................................................... 217<br />
To Manually Set the Date and Time ....................................... 217<br />
Setting the Date to use the Network Time Protocol ............... 219<br />
Bypass Authentication................................................................ 220<br />
System Updates ......................................................................... 221<br />
iv<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Filter List Updates.................................................................. 221<br />
Checking <strong>iPrism</strong>’s Filter List Status........................................ 223<br />
System Software Updates ..................................................... 224<br />
Protecting Against DoS Attacks............................................. 226<br />
Anti-spoof detection............................................................... 226<br />
Configuring Filter List Failure Options ................................... 227<br />
Backing Up and Restoring <strong>iPrism</strong> Settings ................................ 228<br />
Backing Up ............................................................................ 228<br />
Restoring ............................................................................... 230<br />
Registration Information............................................................. 231<br />
Editing Registration Information ............................................ 231<br />
Using SSL Encryption............................................................ 233<br />
Managing <strong>iPrism</strong> Updates with the HotFix Manager.................. 234<br />
Using the HotFix Manager..................................................... 236<br />
Managing Multiple <strong>iPrism</strong> Units.................................................. 242<br />
<strong>iPrism</strong> in a Load Balancing Environment............................... 242<br />
Chapter 11 <strong>iPrism</strong> System Reports............................................................ 245<br />
Exporting Events Using Syslog.................................................. 246<br />
Determining the Number of Records in the Database........... 249<br />
Deleting Access Event Records ............................................ 249<br />
Audit Log.................................................................................... 250<br />
<strong>iPrism</strong> Status .............................................................................. 251<br />
<strong>iPrism</strong> Security Log .................................................................... 253<br />
About <strong>iPrism</strong> Tab........................................................................ 255<br />
Chapter 12 The Filter Manager ................................................................... 257<br />
Automatically Rating Unrated URLs .......................................... 259<br />
Sending Unrated Sites to iGuard for Rating .......................... 260<br />
Manually Rating Unrated URLs from iGuard ......................... 261<br />
Modifying URLs ..................................................................... 265<br />
Custom Filters............................................................................ 266<br />
Custom Filter Management ................................................... 266<br />
Editing or Removing a Custom Filter..................................... 269<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
v
Import / Export Custom Filters.................................................... 273<br />
Exporting Custom Filters........................................................ 273<br />
Importing Custom Filters........................................................ 275<br />
Pending Access Requests ..................................................... 276<br />
Unblocking Blocked and Overridden Pages............................... 280<br />
Unblocking Recently Blocked Pages ..................................... 281<br />
Unblocking Recently Overridden Pages ................................ 282<br />
Viewing and Deleting Current IP-Host Map Entries.................... 284<br />
To view and delete current IP-Host Map Entries .................... 284<br />
Checking Site Ratings ................................................................ 285<br />
Checking a Site’s Rating ........................................................ 285<br />
Filter Manager Options............................................................... 287<br />
Chapter 13 Partitions and Delegation ........................................................ 291<br />
Partitions .................................................................................... 291<br />
Setting up Partitions............................................................... 292<br />
Partition Type ......................................................................... 293<br />
Partitions ................................................................................ 293<br />
Viewing................................................................................... 293<br />
Delegation .................................................................................. 296<br />
Defining Delegation................................................................ 297<br />
Setting Administrator Privileges ............................................. 299<br />
Managing Policies as a Delegated Partition Administrator......... 304<br />
Appendix A: Filtering Categories.......................................................................................... 307<br />
iGuard Site Rating Categories.................................................... 308<br />
Questionable.......................................................................... 308<br />
Foreign Language.................................................................. 312<br />
Society ................................................................................... 312<br />
Business................................................................................. 317<br />
Sex......................................................................................... 322<br />
Health..................................................................................... 324<br />
Recreation.............................................................................. 326<br />
Internet (Web) ........................................................................ 333<br />
vi<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Education............................................................................... 339<br />
Security Exploits .................................................................... 342<br />
Appendix B: Configuring Browsers for Authentication ......................................................345<br />
Configuring Browsers for Authentication.................................... 345<br />
Configuring Netscape Navigator for Authentication............... 346<br />
Configuring Internet Explorer for Authentication.................... 347<br />
Appendix C: <strong>iPrism</strong> Error Messages.....................................................................................351<br />
<strong>iPrism</strong> List Update Error ........................................................ 351<br />
<strong>iPrism</strong> List Error ..................................................................... 353<br />
<strong>iPrism</strong> Filter Service Expired Error ........................................ 354<br />
Access Denied Error.............................................................. 355<br />
Authentication is Required Error............................................ 356<br />
Connection Failed Error......................................................... 357<br />
Unable to Determine IP Address Error .................................. 358<br />
Invalid Request Error............................................................. 360<br />
Invalid URL (Error)................................................................. 361<br />
<strong>iPrism</strong> is in the Process of Reconfiguring Itself (Error) .......... 362<br />
Zero Sized Reply (Error)........................................................ 363<br />
Write Error / Broken Pipe....................................................... 364<br />
Appendix D: Importing/Exporting User Data........................................................................365<br />
Importing User Data into <strong>iPrism</strong> ................................................. 365<br />
Step 1: Prepare the User List For Import............................... 366<br />
Step 2: Import the User List into <strong>iPrism</strong> ................................. 367<br />
Exporting Local User Data from <strong>iPrism</strong>...................................... 369<br />
Exporting User Account Data ................................................ 370<br />
Index ................................................................................................................................... 437<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
vii
viii<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Welcome<br />
Introduction<br />
This chapter introduces you to the <strong>iPrism</strong> Administrator’s <strong>Guide</strong> and how<br />
information is arranged and presented in this manual. This chapter also<br />
provides contact information for St. Bernard Software Technical Support, as<br />
well as installation tips for setting up <strong>iPrism</strong>.<br />
This manual does not include installation instructions. Please refer to the<br />
<strong>iPrism</strong> Installation <strong>Guide</strong> if you have not yet connected the <strong>iPrism</strong> to your<br />
network.<br />
Welcome<br />
Welcome to the <strong>iPrism</strong> Internet filtering appliance, the comprehensive<br />
Internet access management solution. The <strong>iPrism</strong> server appliance allows<br />
you to monitor, block and report on your organization’s Internet usage and<br />
is a critical tool for enforcing an Acceptable Use Policy (AUP).<br />
In addition to monitoring and blocking HTTP traffic, <strong>iPrism</strong> also allows you<br />
to filter Peer to Peer (P2P) and Instant Messaging (IM) traffic.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
1
About this Manual<br />
This manual explains how <strong>iPrism</strong> works and how it operates within the<br />
framework of a network. It’s important to have a thorough understanding of<br />
the <strong>iPrism</strong> appliance itself, as well as the bigger picture of how it functions<br />
within your network environment, in order to get the best performance<br />
possible from your appliance. This manual includes a detailed Table of<br />
Contents and an index to help you navigate to the information you need.<br />
Who Should Use this Manual?<br />
This manual was written for network administrators or those who are<br />
fulfilling that duty for their organizations. The requirements for<br />
understanding this manual include:<br />
• An understanding of TCP/IP networking<br />
• Knowledge of your network’s topology<br />
• The ability to configure networking settings on Windows workstations<br />
Overview<br />
Introduction gives you an introduction to the <strong>iPrism</strong> and the<br />
documentation to follow.<br />
Chapter 1: The Big Picture shows you how <strong>iPrism</strong> fits into your network,<br />
as well as giving you an overview of the capabilities of this system.<br />
Chapter 2: Overview of <strong>iPrism</strong> Software describes the major software<br />
components that <strong>iPrism</strong> uses, including Anti-Virus (AV) Scanning and IM<br />
Hybrid Filtering, and how they fit together.<br />
Chapter 3: Managing Internet Access shows you how to manage access<br />
to the Internet through the use of profiles and access lists.<br />
Chapter 4: Blocked Pages and Overrides explains what <strong>iPrism</strong> does when<br />
it blocks a page and how this block can be temporarily or permanently<br />
overridden.<br />
2<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Technical Support<br />
Chapter 5: Fine Tuning Your Web Filtering shows you how you can<br />
augment and fine tune <strong>iPrism</strong> web filtering.<br />
Chapter 6: Users and Authentication shows you how to create local<br />
<strong>iPrism</strong> users, as well as how to configure <strong>iPrism</strong> to use an external NTLM<br />
(Windows) or LDAP authentication database.<br />
Chapter 7: Email Alerts tells you how you can set up email alerts, so that<br />
you can receive an email notification of high network usage or other<br />
unusual conditions that require your attention.<br />
Chapter 8: Network Management describes in detail how to configure the<br />
<strong>iPrism</strong>’s network interface and other network-related settings.<br />
Chapter 9: Central Management describes the system configuration<br />
settings available to the administrator.<br />
Chapter 10: System Settings explains how to change <strong>iPrism</strong>’s internal<br />
settings and set your preferences for common <strong>iPrism</strong> activities.<br />
Chapter 11: <strong>iPrism</strong> System Reports contains information about the<br />
various configuration-based reports that can be generated. (For network<br />
traffic reports (Web, IM, P2P) see the <strong>iPrism</strong> Reporter’s <strong>Guide</strong>.)<br />
Chapter 12: The Filter Manager describes how to create custom filters to<br />
augment <strong>iPrism</strong>’s extensive filter database.<br />
Chapter 13: Partitions and Delegation describes how to set up and use<br />
partitions and delegation within <strong>iPrism</strong>.<br />
Technical Support<br />
If you are unable to resolve your issue using the manual, please contact the<br />
St. Bernard Software <strong>iPrism</strong> support team. When contacting tech support,<br />
please be sure to include all relevant information about how the <strong>iPrism</strong> is<br />
configured on your network (e.g., topology, other hardware, networking<br />
software, etc.). Have your <strong>iPrism</strong> serial number and registration key<br />
information handy. Also, in order to help our support staff solve your<br />
problem, it is helpful if you can send us a network diagram showing the<br />
basic hardware that is in use on your network.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
3
Support Web site: http://www.stbernard.com/products/support/iprism/<br />
Installation Notes<br />
Important: This manual assumes that you have already connected<br />
the <strong>iPrism</strong> appliance to your network using the instructions in the<br />
<strong>iPrism</strong> Installation <strong>Guide</strong>.<br />
There are a few situations that can complicate an <strong>iPrism</strong> installation that are<br />
not addressed in the <strong>iPrism</strong> Installation <strong>Guide</strong>, such as:<br />
• If other proxy servers are configured on your network.<br />
• If you have a WAN serviced by a router that is also the Internet router.<br />
• If you have a unique network setup, and you are unsure of its ability<br />
to interact with <strong>iPrism</strong>.<br />
If one or more of these conditions exist on your network and you are not<br />
able to get <strong>iPrism</strong> to function properly, check the following locations for<br />
assistance:<br />
• Your <strong>iPrism</strong> installation CD: The support documents included on the<br />
CD describe how to set up <strong>iPrism</strong> under atypical circumstances.<br />
• The St. Bernard Software website: This site contains the very latest<br />
support information for <strong>iPrism</strong>.<br />
http://www.stbernard.com/products/support/iprism/support_iprism.asp<br />
If you are still unable to find a solution, you may request assistance with<br />
your installation from St. Bernard Software’s technical support team. (See<br />
“Technical Support” on page 3.)<br />
If your network uses a firewall or other device that masks IP addresses, it is<br />
important to install <strong>iPrism</strong> inside the firewall/device. Otherwise, it may<br />
prevent <strong>iPrism</strong> from tracking individual users on the network, in which case<br />
it will not be possible to perform user tracking. If you are unable to<br />
configure <strong>iPrism</strong> inside the firewall, some <strong>iPrism</strong> features will not be<br />
available to you.<br />
4<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
How <strong>iPrism</strong> Fits Into Your Network<br />
Chapter 1<br />
The Big Picture<br />
This chapter describes how <strong>iPrism</strong> works and provides an overview of its<br />
features and capabilities.<br />
How <strong>iPrism</strong> Fits Into Your Network<br />
The <strong>iPrism</strong> system can be configured in either proxy mode or bridge<br />
(transparent) mode.<br />
Proxy Mode<br />
Proxy mode (Figure 1) is the simplest, and is the preferred mode in which to<br />
operate an <strong>iPrism</strong> when testing. In proxy mode, the <strong>iPrism</strong> uses a single<br />
internal interface to connect to the Internet. Only one (1) network (NIC)<br />
connection is used, as only the internal interface is connected to the local<br />
network. The <strong>iPrism</strong> acts as a filtering web proxy; web and IM network<br />
traffic that is explicitly directed to the <strong>iPrism</strong> is filtered.<br />
In this configuration, http and https requests are sent to the <strong>iPrism</strong> as proxy<br />
requests. The <strong>iPrism</strong> determines if the request should be allowed or blocked<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
5
The Big Picture<br />
and, if it is allowed, forwards the request to the Internet. The reply goes<br />
back through the <strong>iPrism</strong> proxy to the user.<br />
In this mode, the <strong>iPrism</strong> is not able to detect or regulate P2P traffic. Also,<br />
the users can easily bypass the <strong>iPrism</strong>’s filtering by removing their proxy<br />
setting.<br />
Proxy mode is best for testing, as since the <strong>iPrism</strong> is not placed in a<br />
network-critical location, any problems that occur will not jeopardize your<br />
company’s entire access to the Internet. You can fine-tune the profile and<br />
network settings and test the results before moving the system into a<br />
network-critical environment.<br />
It also provides a way to demonstrate the capabilities of the <strong>iPrism</strong> before it<br />
is deployed for all users.<br />
If you choose to deploy the system in proxy mode, all you have to do is to<br />
make the <strong>iPrism</strong> a proxy server for all your users. (This can be done through<br />
group policy settings, or through a system administrator edict.) You must<br />
also change your firewall rules to allow only the <strong>iPrism</strong> to access the<br />
Internet, preventing anyone who didn’t change their proxy settings from<br />
directly accessing the Internet.<br />
6<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
How <strong>iPrism</strong> Fits Into Your Network<br />
FIGURE 1. Deploying <strong>iPrism</strong> in Proxy Mode<br />
Refer the <strong>iPrism</strong> Installation <strong>Guide</strong> for detailed information.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
7
The Big Picture<br />
Bridge (Transparent) Mode<br />
In bridge (transparent) mode, the <strong>iPrism</strong> is an “in-line installation” which<br />
has 2 network (NIC) connections. This mode is recommended for<br />
deployment.<br />
All network traffic destined for the Internet (e.g., email and web) flows<br />
through the <strong>iPrism</strong>, and a single IP address is used by both interfaces.<br />
<strong>iPrism</strong> filters web and IM/P2P traffic only. It is best to position <strong>iPrism</strong><br />
between the outbound Internet connection and an internal switch to limit<br />
traffic handling to outbound Internet traffic. This is the preferred mode in<br />
which to deploy and operate an <strong>iPrism</strong> (see Figure ).<br />
8<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
How <strong>iPrism</strong> Fits Into Your Network<br />
FIGURE 2. Deploying <strong>iPrism</strong> in Bridge (Transparent) Mode<br />
Note: The <strong>iPrism</strong> can also act as a filtering web proxy when in bridge<br />
(transparent) mode. Users can configure their browsers to point at the<br />
<strong>iPrism</strong>, just as they do in proxy mode, although the <strong>iPrism</strong> is configured in<br />
bridge (transparent) mode. Web and IM/P2P traffic will be filtered for these<br />
users.<br />
For instructions on how to configure a browser to point at the <strong>iPrism</strong>, see<br />
Appendix C of the <strong>iPrism</strong> Installation <strong>Guide</strong>.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
9
The Big Picture<br />
Note: Older versions of <strong>iPrism</strong> (Versions 3.6 and earlier) had an additional<br />
mode called Router mode. This mode had been discontinued. Bridge<br />
(transparent) mode is now used in all situations where the <strong>iPrism</strong> is used in<br />
an in-line network environment.<br />
Using the Management Interface<br />
The <strong>iPrism</strong> has a third network interface called the Management Interface.<br />
Normally you can administer your <strong>iPrism</strong> from any system connected to the<br />
internal network. You can configure the system to only accept configuration<br />
from the management interface. This allows you to create a secure sub-net<br />
from which to control your <strong>iPrism</strong>.<br />
It also provides you with a secure way of transferring logging data from the<br />
<strong>iPrism</strong> to a management workstation. When you configure the <strong>iPrism</strong> to<br />
send you periodic reports or logging information, the information is<br />
transmitted in “plain text”. This means that anyone with a sniffer attached to<br />
your network could see that data. If you want to make your network<br />
extremely secure you can use the management interface to transfer this data<br />
on a secure network.<br />
The management interface is only needed if you require a high level of<br />
security. For more information on its configuration and use, see “Changing<br />
Network Interface Settings” on page 191.<br />
How <strong>iPrism</strong> Works<br />
In the simplest terms, <strong>iPrism</strong> is a filtering device that examines your<br />
Internet traffic stream for HTTP, HTTPS IM, and P2P traffic. In the case of<br />
HTTP requests, each URL request is checked against a database in which<br />
URLs are classified into fixed categories, based on their content. The<br />
client’s web request may be blocked or monitored by <strong>iPrism</strong>, depending on<br />
which categories the <strong>iPrism</strong> administrator has elected to place limits<br />
according to the rules in the user’s Web Access Profile.<br />
There are two independent type of blocking rules. The Web Access Profiles<br />
(Profiles) control web traffic, and the IM/P2P Profiles controls IM and P2P<br />
10<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
How <strong>iPrism</strong> Works<br />
traffic. For detailed information on profiles, refer to Chapter 3: Managing<br />
Internet Access.<br />
What’s New in <strong>iPrism</strong> 6.0?<br />
New features in <strong>iPrism</strong> 6.0 include enhanced system configuration utilities,<br />
IM Filtering, and Anti-Virus (AV) Scanning.<br />
IM Filtering<br />
<strong>iPrism</strong>’s IM filtering capabilities have been enhanced to allow you to both<br />
block and report on email and IM traffic. This is done by redirecting<br />
allowed IM traffic within your network to the filtering/archiving service at<br />
St. Bernard data centers. By subscribing to this service, you can provide an<br />
IM audit trail (reporting), block spam, viruses and phishing exploits, protect<br />
your network from email-borne threats, and protect both inbound and<br />
outbound email.<br />
For more information on setting up IM filtering, see page 42.<br />
Note: Bridge (transparent) mode (use of both the Internal and External<br />
NICs) is required for intercepting IM traffic. This is a standard IM filtering<br />
requirement, and not related to the hybrid filtering service. For information<br />
about bridge mode, see “Bridge (Transparent) Mode” on page 8. For<br />
information about the hybrid filtering service, see “To provision hybrid<br />
filtering” on page 43.<br />
Anti-Virus (AV) Scanning<br />
<strong>iPrism</strong> has been enhanced to provide virus detection and prevention via<br />
Anti-Virus (AV) scanning and reporting for HTTP traffic. AV is enabled by<br />
default for new installations (newly shipped appliances).<br />
When users try to access a virus file via HTTP, they will be notified that the<br />
page is blocked.<br />
This prevents the introduction of viruses, and identifies virus sources using<br />
the following reporting categories:<br />
• Virus<br />
• Worm<br />
• Other Malware<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
11
The Big Picture<br />
For further details about AV Scanning, see page 38.<br />
Anonymizers<br />
Anonymizer functionality can now be blocked and reported. Generally, the<br />
actual URL is returned, as well as the following:<br />
• probable.ultrasurf.stub is reported for unsure anonymizers.<br />
• probable.googlewebaccelerator.stub is reported for Google<br />
Accelerator traffic.<br />
• The ultrasurf domain is reported when the behavior of the UltraSurf<br />
proxy is detected.<br />
• The google-web-accelerator domain is reported when Google web<br />
accelerator traffic is detected.<br />
• The http-proxy domain is reported when http-proxy traffic is detected<br />
on port 80.<br />
• Proxy URLs are collected and message groups are monitored daily for<br />
new anonymizers.<br />
• Manual searches for anonymizers are conducted using top search<br />
engines and a keyword list.<br />
The Filtering Database<br />
The process by which URLs are evaluated and categorized is called iGuard.<br />
As part of the iGuard process, each website in question is submitted to an<br />
Internet analyst who reviews the site and makes the appropriate category<br />
designations (e.g., adult, nudity, profanity, government, religion, drugs,<br />
games, etc.). In order to ensure that each <strong>iPrism</strong> unit is always operating<br />
with the very latest filtering database, the <strong>iPrism</strong> appliance automatically<br />
connects to St. Bernard’s server daily and downloads the most recent<br />
filtering database files.<br />
Deciding What Gets Blocked<br />
The first step in setting up your filter is to create a Access Control List<br />
(ACL). This is a list which tells <strong>iPrism</strong> what to do for each category of<br />
website. For example, you wish to block access to website of an “adult”<br />
nature (and monitor any attempt to access them), monitor any accesses to<br />
12<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
How <strong>iPrism</strong> Works<br />
site categorized as “adult” (and allow the user to access them), and let all<br />
other request through unmonitored and unblocked.<br />
To do this you need to create an ACL with the following settings:<br />
Category Monitor Blocked<br />
adult Yes Yes<br />
nudity Yes No<br />
everything else No No<br />
To create a ACL, start the <strong>iPrism</strong> configuration program, select the Access<br />
section, then the Profiles tab. In the Access Control section, click “New” to<br />
create a new ACL.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
13
The Big Picture<br />
FIGURE 3. Blocking setup in an ACL<br />
The ACL controls what is blocked and monitored. The <strong>iPrism</strong> system needs<br />
to know when to apply the ACL and who to apply it to.<br />
The schedule controls when an ACL is applied. Suppose the company<br />
policy is “No Shopping during working hours, but during lunch and after<br />
work, anything goes.” To implement this policy, we first create an ACL<br />
called “No Shopping” which blocks all shopping and online auction sites.<br />
We also create an ACL called “Wide Open” which does not block any sites.<br />
Next, we define a schedule that tells <strong>iPrism</strong> when to apply each of our two<br />
access lists, as shown in Figure 4.<br />
14<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
How <strong>iPrism</strong> Works<br />
FIGURE 4. Profiles and Scheduling<br />
In our example, we’ve created a schedule that applies to the entire company<br />
(Profile name = TheCompany). But sometimes you need to give different<br />
users different access rights. For example, the Purchasing department may<br />
legitimately need access to online shopping, and Finance may need access<br />
to online gambling. In addition, upper management and <strong>iPrism</strong><br />
administrators may have access to everything.<br />
The <strong>iPrism</strong> system uses two different types of profiles:<br />
• Web Profiles (called “Profiles”) are used to filter web surfing or HTTP<br />
traffic.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
15
The Big Picture<br />
• IM/P2P Profiles filter IM and P2P usage.<br />
Each profile is associated with a group of users. One way of identifying<br />
users is by the IP address of the machine they are using. For example, you<br />
can define a profile called “Sales” which contains all the addresses in the<br />
range 192.168.77.0 to 192.168.77.255.<br />
Users can also be identified by a user name and password through an<br />
authentication process. There are a number of authentication systems<br />
available including NTLM (for Microsoft Windows users) and LDAP (for<br />
UNIX, Linux, and Novell users).<br />
Finally, you can manually add users to your <strong>iPrism</strong>. In practice, manual<br />
creation is usually only done for <strong>iPrism</strong> administrators and subadministrators.<br />
Assigning Profiles<br />
Now that have set up profiles, you need to learn how to associate a profile<br />
with the people to which it applies. The simplest way of doing this is to<br />
assign a profile to a set of IP addresses. Anyone using a machine which has<br />
one of these addresses will be assigned the same profile. This is useful when<br />
you have a lot of public or lab machines and wish to apply the same profile<br />
to everyone in the room. For example, if you’re running a school, you can<br />
assign a profile called “KidSafe” to all the machines in the student lab, and<br />
assign a profile called “NoBlocking” to the teacher’s offices.<br />
You can also assign profiles to a set of authentication users. (Authentication<br />
means that you have a username to work with which has been validated by a<br />
password.) Although each web access message contains the IP address of<br />
the computer making the request, there is no user identification included in<br />
the message. 1<br />
The <strong>iPrism</strong> system interfaces with Windows NTLM authentication as well<br />
as LDAP which is used UNIX, Linux, Novel. If you want to use “user<br />
level” authentication, Chapter 6: Users and Authentication contains simple,<br />
step-by-step instructions which will help you get your <strong>iPrism</strong> working with<br />
1. This is not always true. If you configure your <strong>iPrism</strong> and user computers just right, you<br />
can create a system where each web access message will contain user identification. This<br />
complex form of configuration is discussed in Chapter 6: Users and Authentication.<br />
16<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
How <strong>iPrism</strong> Works<br />
your existing authentication system. However, this situation is beyond the<br />
scope of this section.<br />
Assigning a Profile to a set of IP addresses<br />
The network to profile mapping dialog can be found in the Access section’s<br />
Network tab, as shown in Figure 5.<br />
FIGURE 5. Network to Profile mapping GUI<br />
In this example, we are defining a subnet for 192.168.x.x (IP range<br />
192.168.0.0 to 192.168.255.255). For web access, the profile<br />
“TheCompany” is used and for IM/P2P traffic the profile “BlockIMP2P”<br />
applies.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
17
The Big Picture<br />
No user level authentication is required in proxy or bridge (transparent)<br />
mode.<br />
At the top is a list of IP ranges. When <strong>iPrism</strong> sees network traffic, it will go<br />
down the list looking for a range which matches the IP address associated<br />
with the network request. If this address is on the 192.168.x.x network, the<br />
first entry in the list is matched, and profiles associated with that entry are<br />
used.<br />
If another address is making the request, the system falls through to the<br />
second entry which matches everything and uses it. For more information<br />
on configuring profiles for your network, see “Introduction to Profiles” on<br />
page 56.<br />
Getting Past Blocked Sites<br />
Users that have been granted the proper administrative privileges in <strong>iPrism</strong><br />
have options when they encounter a blocked site. There is an Override/<br />
Request Access button on the Access Denied URL that provides two<br />
different options for getting to a page that is being blocked by <strong>iPrism</strong>.<br />
The first option, Override, prompts you to login with your administrative<br />
password. Users can then specify whether they want to override just the<br />
blocked page, the entire domain, or the whole blocked category (see<br />
Figure 6). They can then select how long they want the override access to<br />
last before <strong>iPrism</strong> resumes normal blocking.<br />
If the user’s request to unblock a site is granted, that site will be unblocked<br />
for all users if you are using a custom filter to grant access (see “Custom<br />
Filters” on page 266 for information on how to do this).<br />
18<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
How <strong>iPrism</strong> Works<br />
FIGURE 6. Override Options<br />
The second option for gaining access to a blocked page is called an Access<br />
Request. When a user requests access, they can use <strong>iPrism</strong>’s interface to<br />
send a message to the administrator and explain why they need access to the<br />
blocked site. The administrator reviews these requests and makes a decision<br />
as to whether the individual user request will be approved (see Figure 7).<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
19
The Big Picture<br />
FIGURE 7. Request Access Page<br />
20<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Summary<br />
Summary<br />
The <strong>iPrism</strong> is the award-winning Internet filtering solution that secures your<br />
organization from Internet-based threats such as malware, spyware, IM,<br />
P2P, and inappropriate content, and helps you enforce your acceptable use<br />
policies through user groups, profiles, and access control lists (ACLs). It is<br />
designed to be simple to use and administer, yet flexible enough handle<br />
even the most demanding situations.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
21
The Big Picture<br />
22<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Chapter 2<br />
Overview of <strong>iPrism</strong><br />
Software<br />
The primary method of administering the <strong>iPrism</strong> is through the Appliance<br />
Manager. This program is available from the installation CD, and is also<br />
available online through your <strong>iPrism</strong> after you have gone through the initial<br />
configuration and assigned an IP address.<br />
The <strong>iPrism</strong> also provides you with a web interface which allows you to<br />
temporally unblock sites, add sites to the database, manage HotFixes, and<br />
customize the look and feel through the use of HTML templates.<br />
For the users, the <strong>iPrism</strong> will remain mostly invisible. The system may<br />
require them to authenticate themselves, and if they encounter a blocked<br />
site it allows them to request that it be unblocked. But for the most part, it<br />
just sits in the background and only shows up when they try to access a<br />
blocked site.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
23
Overview of <strong>iPrism</strong> Software<br />
Logging In<br />
To log in to <strong>iPrism</strong>:<br />
1. Open the Appliance Manager.<br />
2. Double-click the <strong>iPrism</strong> icon and select the tool that you want to use<br />
from the context menu (see “To manage an application, right click the<br />
appliance you wish to manage and select the desired tool, or select the<br />
appliance you wish to manage, then click Manage Selected Appliance.”<br />
on page 27 for more information).<br />
You can also click Manage Selected Appliance and choose a menu<br />
option.<br />
24<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Logging In<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
25
Overview of <strong>iPrism</strong> Software<br />
3. Type your <strong>iPrism</strong> username and password and click Log In. In a few<br />
moments, the tool you selected in Step 2 will open.<br />
Note: If you have chosen the System Configuration tool, only one user can<br />
be logged in at a time. If a user is already logged in, the SuperUser can<br />
terminate the other session and proceed to log in. If this happens, the other<br />
user receives a warning, then their session is closed.<br />
26<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Using the Appliance Manager<br />
Using the Appliance Manager<br />
The Appliance Manager allows you to manage and administer the <strong>iPrism</strong>.<br />
When you start the Appliance Manager, it will automatically search for the<br />
<strong>iPrism</strong> appliances on your network, and will locate any <strong>iPrism</strong> appliances<br />
that are connected by their either the Internal or Management interface to<br />
your network. 2<br />
To manage an application, right click the appliance you wish to manage and<br />
select the desired tool, or select the appliance you wish to manage, then<br />
click Manage Selected Appliance.<br />
The management tools are as follows:<br />
• System Configuration: Launches the System Configuration tool. This<br />
tools allows you to change network and other system settings, assign<br />
profiles, create users, and create access lists.<br />
• Reports Manager: Produces reports. (See the <strong>iPrism</strong> Reporting <strong>Guide</strong><br />
for more information.)<br />
• Filter Manager: Starts your Internet browser and points it to the webbased<br />
filter management tool. This tool allows you to selectively block<br />
and unblock sites, and create temporary overrides for blocked sites (see<br />
“The Filter Manager” on page 257).<br />
• HTML Template Manager: Starts your Internet browser and points it<br />
to the web-based HTML Template Manager. This tool allows you to<br />
define customized pages that are seen by normal <strong>iPrism</strong> users when a site<br />
is blocked, when a user wishes to request access to a blocked site, and<br />
other user interactions (see “Using the HTML Template Manager” on<br />
page 117).<br />
• System Diagnostics: Allows you to test network connectivity, system<br />
health, the rating of a given URL, and user authentication (i.e., can you<br />
connect to the NTLM domain). It also contains tools which are useful to<br />
technical support and can aid in diagnosing problems with your system.<br />
2. The <strong>iPrism</strong> must be on the same subnet as your workstation to be automatically discovered.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
27
Overview of <strong>iPrism</strong> Software<br />
• HotFix Manager: Starts your Internet browser and points it to the webbased<br />
HotFix Manager. Note: This tool should only be used under the<br />
direction of Technical Support.<br />
Managing the List of Applications<br />
When first started, the Appliance Manager will scan the local subnet for<br />
<strong>iPrism</strong>s and automatically display these systems in the main window.<br />
Sometimes it is necessary to manage appliances which are on a different<br />
subnet. In this case, the Appliance Manager must be configured to access<br />
these systems. From the main window, select an appliance and click<br />
Manage Selected Appliance.<br />
FIGURE 8. Manage Appliance List<br />
Clicking Add creates a new blank entry. You can then enter the IP address<br />
and HTTP port number of a remote appliance. The default port number for<br />
28<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Using the Appliance Manager<br />
an <strong>iPrism</strong> system is 80. It can be changed using the Configuration Tool.<br />
After an <strong>iPrism</strong> has been added to this list it can be managed normally.<br />
The Description field allows you to supply a description of the system.<br />
This description will appear in place of the IP address on the main screen.<br />
To remove an entry from the list, select the entry to be removed and click<br />
Remove.<br />
Appliance Manager Options<br />
Selecting Options allows you to configure the options for the Appliance<br />
Manager (see Figure 9).<br />
FIGURE 9. Appliance Manager Options<br />
The options under the General tab are:<br />
• Show Help Balloons — When checked, help tips will be displayed by<br />
the software for some features.<br />
• Close Manager after launching appliance tool — If checked, the<br />
Manager itself will exit after you access a configuration interface from<br />
the appliance. If unchecked, the Manager will remain active until you<br />
exit. (Note: Closing the Manager also closes the Java Console.)<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
29
Overview of <strong>iPrism</strong> Software<br />
• Enable Java Console — If selected, a Java Console (a troubleshooting<br />
tool) will be shown when accessing a configuration interface of the<br />
appliance. This is generally used under the direction of Technical<br />
Support.<br />
Since communication with your appliance is done using the HTTP Protocol,<br />
the Appliance Manager must be able to access the HTTP Port of the<br />
appliance. If your appliance is located across an HTTP proxy from your<br />
workstation, enter the IP address and Port using the dialog in the Proxy tab<br />
(see Figure 10).<br />
FIGURE 10. Proxy Settings<br />
Configuring your <strong>iPrism</strong><br />
The configuration tool is the main utility used to set up your <strong>iPrism</strong>. It is<br />
divided into two distinct areas: sections (along the left sidebar) and the<br />
configuration window (on the right). Most sections consist of a familiar<br />
multi-tabbed window; click a tab to view its associated window.<br />
The sections buttons are always in view, so you can easily switch between<br />
different sections. The bottom of the Configuration window is reserved for<br />
<strong>iPrism</strong>’s built-in help system. After clicking on the Help icon, move your<br />
30<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Using the Appliance Manager<br />
mouse pointer over a field to view its description at the bottom of the<br />
window.<br />
User Settings<br />
The six tabs in the Users section (see Figure 11) are used to create or edit<br />
local user accounts, change a user’s access rights, and set up<br />
communication with external authentication servers.<br />
• Local — Add or delete users, change a local user’s profile, and set<br />
administrative privileges.(See “Setting up Local Authentication” on<br />
page 131.)<br />
• LDAP — Configures <strong>iPrism</strong> to communicate with an external LDAP<br />
server for authentication. (See “Communicating with an LDAP Server”<br />
on page 150.)<br />
• Windows —Configures <strong>iPrism</strong> to communicate with an external<br />
Microsoft Windows NTLM server for authentication. (See<br />
“Communicating with a Microsoft Windows Authentication Server<br />
(NTLM)” on page 159.)<br />
• Profile Mapping — Assigns filtering profiles to groups. (See “Step 1:<br />
Mapping Groups to Profiles” on page 170.)<br />
• Privilege Mapping — Assign administrative privileges to groups. (See<br />
“Step 2: Mapping Groups to Privileges” on page 174.)<br />
• Import/Export — Import an existing list of users from a text file, or<br />
export <strong>iPrism</strong>’s user list to a text file. (See “Importing/Exporting User<br />
Data” on page 365.)<br />
Note: For more information about LDAP and Windows/NTLM<br />
authentication, see Chapter 6: Users and Authentication.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
31
Overview of <strong>iPrism</strong> Software<br />
FIGURE 11. User Settings<br />
Access Settings<br />
The Access section includes six different tabs (see Figure 12). Each of these<br />
controls a different facet of <strong>iPrism</strong> access, such as building access control<br />
lists, constructing profiles, managing network assignments, and more.<br />
32<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Using the Appliance Manager<br />
FIGURE 12. Access Settings<br />
• Profiles: Constructs new profiles for web access. Profiles are the<br />
instruction sets that tell <strong>iPrism</strong> what type of content to block and when.<br />
Actually, to be precise, a Profile is a list of access control lists (Acts) and<br />
a schedule indicating when each one is to be applied. The ACL contains<br />
a list of specific categories to block or monitor. (See “Creating Profiles”<br />
on page 60.)<br />
• IM/P2P Profiles: Constructs new profiles for IM and P2P access. (See<br />
“Creating Profiles” on page 60.)<br />
• Networks: Assigns network-based profiles and authentication settings<br />
(as opposed to individual user profiles). It supports individual<br />
workstations or a range of IP Addresses. (See “Assigning Profiles to a<br />
Set of IP Addresses (Workstations)” on page 89.)<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
33
Overview of <strong>iPrism</strong> Software<br />
• Filter Exceptions: Designates workstations or servers that you do not<br />
want to use <strong>iPrism</strong> as a filter. Workstations that do not use <strong>iPrism</strong> as a<br />
filter will not be filtered or monitored. (See “Creating Filter Exceptions”<br />
on page 207.)<br />
• Override Management: Allows the <strong>iPrism</strong> administrator to revoke<br />
specific overrides to users. Override sessions are only available to users<br />
that have been assigned administrative privileges. (See “The Override<br />
Management Page” on page 108.)<br />
Report Settings<br />
The Reports section is used to configure and view <strong>iPrism</strong> and ERS reports,<br />
such as information about the health of the system, the filtering rate, and<br />
other internal information.<br />
You can also subscribe to reports on the web, IM, and P2P traffic; see<br />
“Hybrid Settings” on page 42.<br />
The Reports section contains six tabs as shown in Figure 13.<br />
34<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Using the Appliance Manager<br />
FIGURE 13. Report Settings<br />
• Preferences — Enables the logging (syslog) features in <strong>iPrism</strong> and<br />
allows you to purge log data from the system. The screen also contains<br />
statistics concerning the number of events stored in the reporting<br />
database. At the bottom of the screen, the “Reporting System” sub-panel<br />
allows you to select where you want your reporting data to be collected<br />
and processed.<br />
• Status — Provides information about <strong>iPrism</strong>’s system status and<br />
utilization statistics. (See “Audit Log” on page 250.)<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
35
Overview of <strong>iPrism</strong> Software<br />
• Security Log — Displays <strong>iPrism</strong>’s security log, which lists information<br />
about the current filter list, the date and time <strong>iPrism</strong> was last updated and<br />
backed up, and a log of unauthorized IP accesses. (See “<strong>iPrism</strong> Security<br />
Log” on page 253.) Entries are also generated when the reporting<br />
system sends a report to a user via FTP or Email.<br />
• Audit Log — The Audit Log tracks changes made to policies, including<br />
who made them and when. (See “Audit Log” on page 250.)<br />
• Email Alerts — Sets up notification messages, called “Email Alerts” or<br />
“Triggers.” Email Alerts can be set up for many different events in<br />
<strong>iPrism</strong>, ranging from the activity of a single user to the total amount of<br />
activity associated with a particular category, or when bandwidth<br />
thresholds have been reached. (See “Creating and Configuring an Email<br />
Alert” on page 184.)<br />
• About — Displays the version of your current <strong>iPrism</strong> software and<br />
displays the contact information for St. Bernard Software. (See “About<br />
<strong>iPrism</strong> Tab” on page 255.)<br />
System Settings<br />
The System section contains seven tab windows, each allowing you to<br />
configure some aspect of <strong>iPrism</strong>’s inner workings. These are primarily<br />
hardware settings that affect <strong>iPrism</strong>’s identity on the network and how it<br />
interoperates with other equipment on the network (see Figure 14).<br />
36<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Using the Appliance Manager<br />
FIGURE 14. System Settings<br />
• Networking — Configures <strong>iPrism</strong>’s interfaces (Internal/External/<br />
Management) and define its identity on the network. This includes<br />
options to define the name server, routing, SMTP relay, and WCCP<br />
router. You can also configure static routes from here. (See “Accessing<br />
<strong>iPrism</strong>’s Network Settings” on page 189.)<br />
• Preferences — Configures <strong>iPrism</strong> behaviors, including when to check<br />
for filter updates and system updates, when to backup. The supervisor’s<br />
password can also be changed here.<br />
• Ports — Specifies <strong>iPrism</strong>’s Proxy port and Configuration port. You can<br />
also add or delete Redirect ports and HTTPS ports. (See “Changing<br />
<strong>iPrism</strong>’s Port Assignments” on page 204.)<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
37
Overview of <strong>iPrism</strong> Software<br />
• Proxy — Allows for the specification a different URL for <strong>iPrism</strong>’s<br />
“Access Denied” page. You may also designate a Proxy Parent host, or<br />
configure a proxy for filter list updates or system updates. (See “Setting<br />
Up a Parent Proxy” on page 200.)<br />
• Backups — Backup the current <strong>iPrism</strong> configuration settings, restore a<br />
previously saved configuration, or adjust “backup warning” preferences.<br />
(See “Backing Up and Restoring <strong>iPrism</strong> Settings” on page 228.)<br />
• Registration — Manages the vital information about your <strong>iPrism</strong><br />
subscription. This includes the <strong>iPrism</strong> registration key, serial number,<br />
and expiration date. It is also where you can create an SSL certificate.<br />
You will need to revisit this page whenever you receive a new license<br />
key. (See “Registration Information” on page 231.)<br />
• Central Mgmt. — Manage multiple <strong>iPrism</strong> units running in tandem.<br />
(See “Managing Multiple <strong>iPrism</strong> Units” on page 242.)<br />
Note: If you are or plan to be using partitions, see Chapter 13: Partitions<br />
and Delegation.<br />
Global Settings<br />
<strong>iPrism</strong> has been enhanced to provide virus detection and prevention via<br />
Anti-Virus (AV) scanning and reporting for all HTTP traffic. All traffic will<br />
be analyzed against a frequently updated definition list (see Appendix A:<br />
Filtering Categories). AV is enabled by default for new installations (newly<br />
shipped appliances). This prevents the introduction of viruses, and identifies<br />
virus sources using the following reporting categories:<br />
• Virus<br />
• Worm<br />
• Other Malware<br />
To modify AV settings, select Global. The Lock ACL tab opens by default;<br />
here you can modify category settings.<br />
Note: Lock ACL allows you to lock category settings which no one can<br />
modify. Locks will be applied to all existing and new ACLs, and overrides<br />
any profile configurations (ie., Lock ACL takes priority regardless of how a<br />
profile is configured).<br />
38<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Using the Appliance Manager<br />
FIGURE 15. Global Settings tabs<br />
To modify the Web Lock Access Control List (ACL):<br />
1. Click Edit next to Web Lock ACL.<br />
2. Check Monitor or Block next to the categories you want to monitor or<br />
block, or you can monitor or block all categories by clicking Toggle All.<br />
3. Click OK to save your changes.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
39
Overview of <strong>iPrism</strong> Software<br />
FIGURE 16. Web Lock ACL<br />
To modify the IM/P2P Access Control List (ACL):<br />
1. Click Edit next to IM/P2P Lock ACL.<br />
2. Check Monitor or Block next to the categories you want to monitor or<br />
block, or you can monitor or block all categories by clicking Toggle All.<br />
3. Click OK to save your changes.<br />
40<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Using the Appliance Manager<br />
FIGURE 17. IM/P2P ACL<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
41
Overview of <strong>iPrism</strong> Software<br />
To verify whether AV is enabled, select the AV Scanning tab and verify that<br />
Enable AV Scanning is checked.<br />
Note: Regardless of whether AV Scanning is enabled, you will still need to<br />
block viruses, worms and other malware via profiles. See “Profiles and<br />
ACLs” on page 57 for more information.<br />
To turn AV Scanning off, uncheck Enable AV Scanning.<br />
FIGURE 18. Enable/Disable AV Scanning<br />
Hybrid Settings<br />
To provide an IM audit trail (monitoring, filtering, and reporting), allowed<br />
IM traffic (i.e., not blocked by <strong>iPrism</strong>) within the customer network can be<br />
redirected to the IM filtering/archiving service at St. Bernard data centers.<br />
42<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Using the Appliance Manager<br />
To provision hybrid filtering<br />
To provision hybrid filtering, complete the following steps:<br />
1. Select Hybrid.<br />
2. Select the IM Settings tab and click Provision.<br />
Note: For your convenience, you can also provision IM hybrid filtering<br />
from the Access section. Select Access, select the IM/P2P Profiles tab,<br />
then select Provision.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
43
Overview of <strong>iPrism</strong> Software<br />
FIGURE 19. IM Hybrid Settings<br />
3. Once you have selected Provision, you will be taken to a website for<br />
instructions on how to contact <strong>iPrism</strong> Sales. Customer information is<br />
needed for data center provisioning and key creation. An email with<br />
instructions will be sent to you. Once this is done, you may proceed to<br />
step 4.<br />
4. Enter the validation key given to you in step 3, and click Submit.<br />
5. Check the boxes next to the protocols you want to provision:<br />
• AIM<br />
• MSN<br />
• Yahoo<br />
To set up a email filter<br />
You can filter out spam, viruses, malware and other unwanted messages by<br />
redirecting allowed IM traffic within your network to the filtering/archiving<br />
service at St. Bernard data centers.<br />
1. Select the Email Filter tab.<br />
2. Click Learn More to be taken to website with instructions on how to set<br />
up email filtering.<br />
44<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Using the Appliance Manager<br />
FIGURE 20. Email Filtering Setup<br />
Exit<br />
After editing <strong>iPrism</strong>’s setting in the configuration interface, you must<br />
properly save and exit from the interface in order for your changes to be<br />
applied. To do this, click Exit and choose the desired exit option.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
45
Overview of <strong>iPrism</strong> Software<br />
FIGURE 21. Exit Dialog<br />
• Save & Exit — Saves any changes you made in the <strong>iPrism</strong> configuration<br />
interface and close the software.<br />
• Abort — Closes the <strong>iPrism</strong> configuration interface without saving any<br />
changes you made.<br />
• Shutdown — Power down <strong>iPrism</strong>. For example, this option should be<br />
selected if you are preparing to move the <strong>iPrism</strong> appliance to a different<br />
physical location. If you choose this option accidentally, you will need to<br />
manually reboot <strong>iPrism</strong> to make it operational again. To do this, use the<br />
power switch on the <strong>iPrism</strong> appliance to power the unit off. Wait at least<br />
15 seconds, then power it back on again. Allow two minutes for <strong>iPrism</strong><br />
to reboot.<br />
46<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Using the Appliance Manager<br />
• Reboot — Shut down and restart the <strong>iPrism</strong> server. The <strong>iPrism</strong><br />
configuration interface will not be accessible while the unit is rebooting.<br />
Allow two minutes for <strong>iPrism</strong> to reboot.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
47
Overview of <strong>iPrism</strong> Software<br />
Web Interface<br />
In addition the interface supplied by the Appliance manager, the <strong>iPrism</strong> has<br />
a web-based interface which allows access to some other features. To access<br />
this interface, simply type in the address of your <strong>iPrism</strong> into your browser<br />
URL field.<br />
The web interface allows the administrator to temporally unblock sites, add<br />
sites to the database, manage HotFixes, and customize the look and feel<br />
through the use of HTML templates. When you surf to the <strong>iPrism</strong> system,<br />
the main web page is displayed as shown in Figure 22.<br />
FIGURE 22. Main Web Page<br />
The web interface main menu is divided into three sections:<br />
• Reports Manager: Opens a page which allows you to download a copy<br />
of the <strong>iPrism</strong> Appliance Manager program. This program allows you to<br />
access reports on the <strong>iPrism</strong>. (On older versions of the <strong>iPrism</strong>, this button<br />
48<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Web Interface<br />
would start a web-based reporting system. This has been replaced with<br />
the Reports Manager tool, which is started from the Appliance<br />
Manager.)<br />
Note: Use of this feature is discouraged. It is recommended that you<br />
start the Reporting tool from the Appliance Manager.<br />
• The two Add Web Sites buttons allow you to manually submit websites<br />
to be blocked in future filter updates.<br />
• The five System Admin Tools buttons provide access to <strong>iPrism</strong>’s main<br />
configuration software and several other utilities. In addition to setting<br />
up <strong>iPrism</strong>, these tools allow you to perform diagnostic testing on your<br />
network, create custom filters to block/unblock specific websites,<br />
manage <strong>iPrism</strong> updates (HotFixes), and customize aspects of the <strong>iPrism</strong><br />
interface.<br />
Note: The Reports Manager, Configure <strong>iPrism</strong>, and <strong>iPrism</strong> Diagnostics<br />
all take you to a page which allows you to download a copy of the<br />
Appliance Manager. The web-based programs which formerly were started<br />
by these buttons are now located in the Appliance Manger. Use of these<br />
buttons is discouraged; they remain to help legacy users manage the system.<br />
Reports Manager<br />
The reporting system is now accessed through the Appliance Manager. If<br />
you do not have the Appliance Manager installed, this button takes to a page<br />
which allows you to download this program. (For information on the<br />
reporting system, see <strong>iPrism</strong> System Reports.)<br />
You can also use the “Web Start” feature of this page to start the Reporting<br />
application directly. (Although you have to go through a number of security<br />
checks before the application can actually start.) Whether you start the<br />
application through the Appliance Manager or through Web Start, the same<br />
application is run.<br />
For <strong>iPrism</strong>s using the mERS option for reporting, you will see a mERS<br />
Reports Manager button. This button performs the same function as the<br />
Reports Manager button described above, except that it allows you to access<br />
the mERS reporting system.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
49
Overview of <strong>iPrism</strong> Software<br />
Add Web Sites Buttons<br />
Although <strong>iPrism</strong>’s URL database is vast, there are new websites continually<br />
being created, so it reasonable that some sites may not be initially included<br />
in <strong>iPrism</strong>’s filter list. The buttons in this area provide two different ways<br />
that you can suggest sites to St. Bernard Software should you encounter a<br />
website that you feel should be included in <strong>iPrism</strong>’s URL database.<br />
Email to <strong>iPrism</strong> Support<br />
This button displays the URL Submission page in your web browser. This<br />
page provides instructions (and email links) for submitting URLs for<br />
consideration into the URL database. (See “Submitting Sites via Email” on<br />
page 115.)<br />
On-the-Fly While You Surf<br />
This button open an HTML page which instructs you to enable “quick<br />
submit” capability into your web browser. This will put a bookmark in your<br />
browser that allows you to instantly submit a website to St. Bernard<br />
Software while you surf the web. (See “Submitting Sites with Quick Submit<br />
– While You Surf!” on page 115.)<br />
System Admin Tools Buttons<br />
These buttons are all associated with configuring <strong>iPrism</strong> and providing<br />
various ways to test communications across your networking environment.<br />
The primary tool here is the Configuring <strong>iPrism</strong> button, which launches<br />
the <strong>iPrism</strong> System Configuration tool. Because this tool is the primary<br />
<strong>iPrism</strong> System Configuration tool, the remainder of this section includes an<br />
overview of this program.<br />
In order to access any of <strong>iPrism</strong>’s system administrator tools, you must have<br />
sufficient administrative privileges. You will be prompted to log in<br />
immediately after clicking any one of these buttons.<br />
Configure <strong>iPrism</strong><br />
Like reporting, configuration is handled by a Java program. You can use<br />
this page to download the Appliance Manager, which can be used to access<br />
the program, or to start the program directly with “Web Start”.<br />
50<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Web Interface<br />
<strong>iPrism</strong> Diagnostics<br />
Diagnostics are also handled by a Java program. You can use this page to<br />
download the Appliance Manager, which can be used to access the<br />
program, or to start the program directly with “Web Start”.<br />
Block / Unblock Site<br />
This button provides access to <strong>iPrism</strong>’s Filter Manager interface, which<br />
performs several distinct functions via an HTML interface as shown in<br />
Figure 23.<br />
FIGURE 23. The Filter Manager Interface (Block / Unblock Site)<br />
The Filter Manager, as its name implies, gives you unique control over<br />
<strong>iPrism</strong>’s filtering capability. From here, you can send unrated, frequently<br />
accessed URL sites to iGuard for rating, as well as review and manually rate<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
51
Overview of <strong>iPrism</strong> Software<br />
URL sites that cannot automatically be determined. You can create “custom<br />
filters” that can be used to block access to any web page, regardless of<br />
whether it is included in <strong>iPrism</strong>’s URL database. This is also where you<br />
process requests from network users (called “Override requests”), which<br />
lets you grant access to blocked web pages on a case-by-case basis. You can<br />
also issue a general override, which allows all users to access a web page<br />
(or site) which would otherwise be blocked by the active filtering profile.<br />
And there is even a tool where you can enter a website’s URL to see how<br />
that site is rated by <strong>iPrism</strong>’s URL database.<br />
For more information about all of these tools, see “The Filter Manager” on<br />
page 257.<br />
HotFix Manager<br />
The HotFix Manager button gives you access to the HotFix Manager<br />
interface, which makes it easy to keep track of updates and patches (called<br />
“HotFixes”) for your <strong>iPrism</strong> software. With the HotFix Manager you can<br />
instantly check for new HotFixes, view available HotFixes, and see which<br />
ones have already been installed on your <strong>iPrism</strong>. You can also use it to<br />
uninstall an active HotFix.<br />
The HotFix interface also makes it easier to manually install a private<br />
HotFix, which is sometimes required by <strong>iPrism</strong>’s Technical Support staff.<br />
For more information about the HotFix Manager, see “Managing <strong>iPrism</strong><br />
Updates with the HotFix Manager” on page 234.<br />
HTML Template Manager<br />
This button opens the HTML Template Manager which allows you to<br />
completely customize the look of <strong>iPrism</strong>’s Authentication Page, Access<br />
Denied Page, Logout, Override, Request Access, Anti-spoof, and selected<br />
Error pages.<br />
• The Authentication Page is the “log in” page that appears when a user<br />
starts a new browsing session or needs to re-activate a session that has<br />
expired. The Authentication Page prompts users to enter their <strong>iPrism</strong>/<br />
network user name and password.<br />
Note: Authentication only occurs when a manual authentication method<br />
52<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Web Interface<br />
has been enabled in <strong>iPrism</strong>. Depending on how you have <strong>iPrism</strong><br />
configured, authentication may occur invisibly or not at all.<br />
• The Access Denied Page appears whenever a user tries to access a<br />
website that is being blocked by <strong>iPrism</strong>’s current filtering profile. The<br />
default Access Denied page simply notifies the user that “their<br />
organization has chosen to limit viewing of the site due to the rating of<br />
its content”.<br />
• The Logout page is used by the user to log out of the system.<br />
• The Override and Request Access pages are displayed when a site is<br />
blocked and the user is given the ability (depending on profile settings)<br />
to override the page or request access to it.<br />
• The Anti-Spoof page appears when the <strong>iPrism</strong> detects a spoofing attempt<br />
and wishes to warn the user about it.<br />
• Error Pages are displayed when an error is detected. (Not all error pages<br />
use the template manager.)<br />
These HTML pages cover most interactions that users will have with<br />
<strong>iPrism</strong>, so it is understandable that an organization may choose to customize<br />
these pages to reflect their own corporate image and promote their own<br />
Internet usage policies. For more information about the HTML Template<br />
Manager, see “Using the HTML Template Manager” on page 117.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
53
Overview of <strong>iPrism</strong> Software<br />
54<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
How <strong>iPrism</strong> Filters Internet Activity<br />
Chapter 3<br />
Managing Internet<br />
Access<br />
This chapter describes how <strong>iPrism</strong>’s filtering mechanism works, and<br />
provides detailed procedures for creating and implementing your own<br />
filtering profiles. Instructions for controlling access to specific websites and<br />
other Internet services is also provided.<br />
How <strong>iPrism</strong> Filters Internet Activity<br />
As described earlier in this book (see “How <strong>iPrism</strong> Works” on page 10),<br />
<strong>iPrism</strong> filters both web access as well as IM and P2P services. Web access is<br />
filtered by checking each client’s web request against an extensive URL<br />
database. This database classifies each listed website as being in one or<br />
more categories (e.g. adult, pornography, violence, drugs, sports,<br />
entertainment, etc.). If the requested website belongs to a category to which<br />
the <strong>iPrism</strong> administrator has chosen to block access, then the client will see<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
55
Managing Internet Access<br />
an “access denied” page instead. This page notifies the client that the web<br />
page they tried to access belongs to a category which is currently being<br />
blocked.<br />
The rules for IM and P2P filtering are application-based. In other words, the<br />
<strong>iPrism</strong> will check the application being run against the rules to see if the<br />
traffic is permitted.<br />
Besides blocking web, IM, and P2P activity, the administrator also has the<br />
ability to just monitor the traffic. For websites, you can select which<br />
categories are monitored and when this monitoring is to be done. For IM<br />
and P2P traffic, you can monitor based on the protocol used.<br />
Monitoring allows you to see how your network in being used; for example,<br />
who visits which sites and how often. All the power to block or monitor<br />
access lies in the hands of the administrator. <strong>iPrism</strong> just gives them the<br />
means by which to do it.<br />
Since a “one size fits all” approach to filtering is not suitable for most<br />
organizations, <strong>iPrism</strong> resolves the issue by using filtering profiles. The<br />
<strong>iPrism</strong> uses two different types of profiles – one for web access and another<br />
for IM/P2P traffic. A profile tells <strong>iPrism</strong> which categories of web traffic or<br />
what IM/P2P traffic to block or monitor at a particular moment. You can<br />
create as many different profiles as you need and assign them to different<br />
users, or different networks and subnets.<br />
This chapter explains profiles in <strong>iPrism</strong> – how to create them and how to<br />
assign them to subnets or an entire network. Details on how to assign these<br />
profiles to users will be covered in Chapter 5.<br />
Introduction to Profiles<br />
Profiles are the elements within <strong>iPrism</strong> that determine what information is<br />
blocked, monitored, or passed through. There are two types of profiles:<br />
URL Access Profiles, which determine which websites are filtered, and IM/<br />
P2P Profiles, which determine which instant message (IM) and peer to peer<br />
(P2P) traffic is allowed.<br />
Profiles are at the very core of <strong>iPrism</strong>’s functionality. In addition to<br />
determining what gets blocked where, profiles also determine when traffic<br />
is blocked. Thus, you don’t have to manually change profiles to<br />
accommodate a situation where one group has access to the network for<br />
56<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
How <strong>iPrism</strong> Filters Internet Activity<br />
some part of the day and another group has access to it for another. The<br />
active profile can automatically switch the filtering criteria at a designated<br />
time of day, so you can be assured of having the protection you need, when<br />
you need it.<br />
Profiles are flexible and accommodating, as each profile is actually made up<br />
of one or more individual filtering criteria, called an Access Control List<br />
(ACL). It is actually the ACL that specifies which traffic gets blocked or<br />
monitored. A profile can consist of a single ACL, which would provide the<br />
same degree of filtering all the time, or it can utilize several ACLs, allowing<br />
different degrees of filtering at specific times. This is how a single profile is<br />
able to provide a different level of filtering at various times of the day.<br />
Profiles and ACLs<br />
To demonstrate how profiles and ACLs work together, see Figure 24 on<br />
page 58, which demonstrates a web access profile being edited in <strong>iPrism</strong>’s<br />
System Configuration tool. (The IM/P2P profiles use the same system,<br />
except that the ACLs block different traffic.)<br />
This particular profile has been named “Office”, implying that it will be<br />
applied to the office staff or perhaps all of the workstations located in the<br />
office. Along the right side, you can see four different colored blocks; each<br />
of these represents an ACL (a set of filtering instructions) that has been<br />
created specifically for this profile. After creating an ACL, you need to drag<br />
it to the profile grid to schedule the times for which you want it to be active.<br />
For example:<br />
• The top ACL in the list is named “Allow All”, so named because it<br />
allows full Internet access. By looking at the profile grid, you can see<br />
that this ACL is active before and after working hours on Monday<br />
through Friday. That means users can have unrestricted access to the<br />
Internet during these times.<br />
• The two ACLs directly beneath it are named “Work” and “Lunch”, representing<br />
two different filtering levels that are applied during the work<br />
day. Again, by looking at the grid you can see that at 12:00 PM every<br />
weekday, <strong>iPrism</strong> automatically switches from the Work ACL to the<br />
Lunch ACL, and then switches back again at 1:00 PM.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
57
Managing Internet Access<br />
• On the weekends, the “Deny” profile is active. This profile (so named<br />
because it prevents any Internet access at all), ensures that no one will be<br />
coming in on the weekends just to surf the Net!<br />
FIGURE 24. Profile using multiple ACLs<br />
Putting Your Profile to Work<br />
Profiles, like the “Office” profile shown in Figure 24, can be utilized in a<br />
variety of ways. You can assign a profile to an IP address or an IP address<br />
range. If you have user authentication enabled, you can assign a profile to a<br />
user or group of users.<br />
58<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
How <strong>iPrism</strong> Filters Internet Activity<br />
Note: User assignments take precedence over network assignments.<br />
Profiles assigned to a user are always applied to that user regardless of<br />
which workstation they log into.<br />
Figure 25 illustrates a profile where any IP address in the range 192.168.0.0<br />
to 192.168.0.250 will have web access filtered by the “BlockOffensive”<br />
profile, and IM/P2P access filtered by the “BlockIMP2P” profile.<br />
FIGURE 25. How Profiles are Assigned to a Network<br />
This ability to assign profiles in many different ways is what allows <strong>iPrism</strong><br />
to successfully accommodate the filtering needs of even the most diverse<br />
networking environments.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
59
Managing Internet Access<br />
Creating Profiles<br />
In this section, you will learn how to create your own profiles, how to<br />
schedule ACLs within a profile, and how to delete unneeded profiles.<br />
Note: Creating a profile does NOT make it active. You must configure the<br />
<strong>iPrism</strong> to whom the profile applies (IP address range, users, or both) before<br />
it is active.<br />
Creating a Profile<br />
1. Open the <strong>iPrism</strong> System Configuration tool by clicking Manage<br />
Selected Appliance, then selecting System Configuration.<br />
2. Select Access, then the Profiles tab to create a web access profile, or<br />
select the IM/P2P Profiles tab to create an IM/P2P profile.<br />
3. In the Profile List frame, click Add. The ACL creation window opens<br />
(see Figure 26).<br />
4. In the Profile Name field, enter a name for this profile.<br />
• It is recommended that you use a descriptive name; one that<br />
distinguishes it from other profiles you create.<br />
• Profile names cannot contain space characters.<br />
5. Click OK.<br />
60<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Creating Profiles<br />
As soon as you click OK, the Access Control Lists (ACLs) dialog box<br />
opens automatically. Figure 26 illustrates the ACL for a web profile and<br />
Figure 27 illustrates an ACL for a IM/P2P profile.<br />
FIGURE 26. ACL Creation Window (Web Profile)<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
61
Managing Internet Access<br />
FIGURE 27. ACL Creation Window (IM/P2P Profile )<br />
The <strong>iPrism</strong> system requires that there be at least one ACL in every profile<br />
(i.e., there can not be an empty cell in the profile grid). To ensure<br />
this, <strong>iPrism</strong> automatically creates this default ACL for you and applies it<br />
everywhere.<br />
This default ACL is initially named ‘ACL 1’, but you can change that at<br />
any time simply by editing the ACL Name field at the top of the ACLs<br />
dialog box.<br />
6. The default filtering ACL does not have any checkboxes marked initially<br />
– i.e., no categories are filtered until you check them, with the exception<br />
of the special category local denied, which is always checked. The Filter<br />
62<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Creating Profiles<br />
Manager lets you assign web pages to this category. These web pages<br />
will always be blocked.<br />
7. Set the filtering properties for the profile by selecting the checkboxes<br />
next to the content you want to block or monitor.<br />
Note: Each profile owns all of the ACLs created within it, and these ACLs<br />
cannot be shared with another profile.This means the filtering settings you<br />
choose for the default ACL (or any other ACL) in this profile will not affect<br />
any other profile. Also each profile uses its own name space, so an ACL<br />
name “Fred” in one profile has nothing to do with anything named “Fred” in<br />
another.<br />
If you need assistance configuring the ACLs dialog box, refer to the<br />
following topics:<br />
• “Creating Access Control Lists (ACLs)” on page 70<br />
• Table 2, “Access Denied Page Options,” on page 79<br />
8. Check Deny access to the web under All Categories to deny all access<br />
to the web for everyone using this profile. This setting overrides the<br />
category settings and denies all Internet access.<br />
9. If you wish to force the user to use the “Safe Search” feature of Yahoo,<br />
Google, and other selected web search engines, check Enable Safe<br />
Search.<br />
10. Click OK to confirm your changes to the default ACL and close the<br />
ACL creation window.<br />
Notice how the default ACL is initially applied everywhere (see<br />
Figure 28).<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
63
Managing Internet Access<br />
FIGURE 28. Default ACL (“ACL 1”) applied everywhere<br />
Note: If desired, you can create additional ACLs in this profile by clicking<br />
Add. (See “Creating Access Control Lists (ACLs)” on page 70.)<br />
11. Click OK. The new profile is added to the dropdown list in the Profile<br />
List frame.<br />
Now that we’ve defined a profile, we must tell <strong>iPrism</strong> to whom it applies.<br />
We can apply it to a set of IP addresses using the Networks tab, we can<br />
assign it to individual users with the Users tab, or both. User assignments<br />
take precedence over IP address assignments, so if a user logs into the<br />
network, the profile assigned to him/her will be used regardless of which<br />
machine s/he is on.<br />
64<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Creating Profiles<br />
<strong>iPrism</strong>’s Default Profiles<br />
<strong>iPrism</strong> ships with six (6) preconfigured (default) profiles, three (3) for web<br />
filtering and three (3) for IM/P2P. This allows you to realize some level of<br />
filtering while you are learning how to create your own profiles. You may<br />
find these to be useful and decide to keep them or, once you start creating<br />
your own profiles, you may choose to edit or delete them. The six (6)<br />
preconfigured profiles are as follows:<br />
• Block Offensive: This web filtering profile blocks and monitors<br />
access to sites containing pornography, profanity, violence, bombmaking,<br />
etc.<br />
• Monitor Offensive: This profile allows access to the sites blocked by<br />
the Blocked Offensive profile, but monitors their use.<br />
• Pass All: This profile allows access to any site without monitoring.<br />
• BlockIMP2P: Blocks all IM and P2P traffic.<br />
• BlockP2P: Blocks all P2P traffic only.<br />
• PassIMP2P: Blocks no IM or P2P traffic.<br />
You will see these profiles listed along with the others you create, in the<br />
Profile dropdown list on the Profiles or IM/P2P Profiles tab (where<br />
profiles are created), on the Networks tab (where profiles are assigned to<br />
networks), and on the Users tab where profiles are assigned to users.<br />
Scheduling ACLs Within a Profile<br />
In order to have different filtering settings automatically “kick in” at<br />
different times, you must first create the ACLs that contain these settings.<br />
Once created, you must organize the ACLs within the profile’s scheduling<br />
grid, as described in this procedure.<br />
1. In the <strong>iPrism</strong> System Configuration tool, select the Access section, then<br />
the Profiles or IM/P2P Profiles tab.<br />
2. In the Profile List frame, select the profile you want to edit from the<br />
dropdown list. The current properties of that profile display in the<br />
Viewing frame.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
65
Managing Internet Access<br />
Note: By default, the profile window’s Time column is divided into<br />
hourly intervals. If you need finer intervals than this, click the magnifying<br />
glass icon under the Time column. This changes the time division to<br />
15-minute intervals. Click this icon again to toggle back to hourly intervals.<br />
3. If the ACL that you want to schedule has not been saved in this profile<br />
yet, create a new ACL now (see “Creating Access Control Lists (ACLs)”<br />
on page 70).<br />
66<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Creating Profiles<br />
Note: You must have at least two ACLs defined before you can assign<br />
ACLs to different times.<br />
4. In the Access Control List frame, click the ACL that you want to<br />
schedule into this profile. The ACL will be highlighted.<br />
5. Schedule the ACL using the most convenient method described below:<br />
• The most common method is to “paint” the new ACL in the profile<br />
grid (see Figure 29). To do this, click in the starting cell and hold<br />
down the left mouse button. Now drag the mouse pointer to some<br />
other cell. You will notice a bold rectangular outline which indicates<br />
the area that will be painted with the selected ACL. When the proper<br />
area is outlined, release the mouse button.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
67
Managing Internet Access<br />
Drag<br />
from here<br />
to here<br />
FIGURE 29. Painting an ACL in the profile grid<br />
Besides “painting” an ACL in a profile, you can use the following methods<br />
to schedule an ACL in the profile grid.<br />
• To schedule the selected ACL in an individual cell, click once in that<br />
cell.<br />
• To schedule the selected ACL for an entire day, click that day’s<br />
heading bar.<br />
• To schedule the selected ACL to the same time (hour) across the<br />
entire week, click the starting time in the Time column.<br />
68<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Creating Profiles<br />
• As an alternative to painting, you can schedule the selected ACL<br />
across any row or column by clicking on the first cell, pressing Shift,<br />
and then clicking on the last cell where you want it applied. All cells<br />
in-between will automatically receive the new ACL.<br />
FIGURE 30. Editing a Profile<br />
6. After you have scheduled all of the ACLs in the desired time slots, click<br />
OK. The profile is immediately updated with the new ACL settings.<br />
Copying a Profile<br />
To copy an existing profile:<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
69
Managing Internet Access<br />
1. Select the profile from the Profile dropdown list.<br />
2. Click Copy Profile.<br />
3. Enter a name for the new profile.<br />
Deleting a Profile<br />
Profiles that are no longer used or needed can be deleted from <strong>iPrism</strong>.<br />
1. In the <strong>iPrism</strong> System Configuration tool, select Access, then the Profiles<br />
or IM/P2P Profiles tab.<br />
2. In the Profile List frame, select the profile you want to delete from the<br />
dropdown list.<br />
3. Click Delete. The Delete Profile dialog box appears.<br />
4. From the dropdown list, select a different profile that you want to replace<br />
the one you are deleting. (<strong>iPrism</strong> will substitute this profile in all places<br />
where the deleted profile may be in use.)<br />
5. Click OK. The profile you deleted is no longer on the Profile list.<br />
Creating Access Control Lists (ACLs)<br />
Access Control Lists (ACLs) are the building blocks that make up every<br />
filtering profile. They alone determine which types of traffic get blocked,<br />
what get monitored, and what are allowable for viewing. Unlike profiles,<br />
ACLs are not assignable to users or networks; they only exist in the context<br />
of a profile.<br />
When creating a new profile, a default ACL (called ‘ACL 1’) is always<br />
provided. 1 When a profile is created, this is the default value used for all<br />
squares on the time grid. You may create new ACLs and schedule them by<br />
applying them to the time grid.<br />
70<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Creating Access Control Lists (ACLs)<br />
Creating a New ACL<br />
1. Start the <strong>iPrism</strong> System Configuration tool.<br />
2. Select the Access section, then the Profiles tab (see Figure 31).<br />
1. Remember that each profile uses it’s own name space for ACLs. As a result there can be<br />
multiple lists named “ACL 1”, one for each profile. These lists have nothing to do with<br />
each other.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
71
Managing Internet Access<br />
Note: Although this example is for a web profile, the IM/P2P profiles<br />
use a similar interface.<br />
The lower (Viewing) frame shows the name of the profile currently<br />
selected in the Profile List frame.<br />
72<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Creating Access Control Lists (ACLs)<br />
Note: If you wanted to create a new profile (as opposed to editing the<br />
one shown), click Add in the Profile List frame. When the dialog box<br />
displays, type the profile name and click OK.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
73
Managing Internet Access<br />
FIGURE 31. The Profiles tab<br />
3. To create a new ACL, click Add in the Access Control List frame. The<br />
Access Control Lists (ACLs) dialog box displays (see Figure 32).<br />
The ACLs dialog box is divided into sections, each containing a collection<br />
of filtering categories. For web filtering these categories represent<br />
the different types of content that can be blocked or monitored by <strong>iPrism</strong>.<br />
The IM/P2P ACLs contain a list of clients and protocols which can be<br />
blocked or monitored by <strong>iPrism</strong>.<br />
74<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Creating Access Control Lists (ACLs)<br />
Note: A complete list of filtering categories can be found in “Filtering<br />
Categories” on page 307.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
75
Managing Internet Access<br />
76<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Creating Access Control Lists (ACLs)<br />
Access Denied<br />
Page Options<br />
Deny all<br />
checkbox<br />
Enable<br />
Safe Search<br />
checkbox<br />
All groups<br />
toggle bar<br />
Group bar<br />
Individual<br />
categories<br />
FIGURE 32. Access Control Lists (ACLs) dialog box<br />
The items on this dialog are as follows:<br />
Categories: You can block and monitor individual categories. If Monitor is<br />
checked, any access to a website belonging to that category will be<br />
recorded. Selecting Block causes the access to be blocked. Table 1 explains<br />
the combinations of access controls and what they mean.<br />
Table 1: Access Controls<br />
Access<br />
No monitoring<br />
No blocking<br />
Monitoring<br />
No blocking<br />
Meaning<br />
Web pages are supplied to the user; no record is kept.<br />
Web pages are supplied to the user; each access is recorded and<br />
can be viewed using the reporting system or the real-time monitor.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
77
Managing Internet Access<br />
Table 1: Access Controls<br />
Access<br />
No monitoring<br />
Blocking<br />
Meaning<br />
The user does not see the website, but no record is kept of it being<br />
blocked.<br />
Monitoring The website is blocked, and a record is kept of the attempted<br />
Blocking<br />
access. This information can be viewed in the real-time monitor<br />
or reporting system.<br />
When you choose to monitor a category, an orange square displays to the<br />
left of the category’s name. When you choose to block a category, a red<br />
square displays. This allows you to quickly scan the entire window and see<br />
which categories are monitored, blocked, or both.<br />
Group Bars: The group bars at the top of each section allow you to quickly<br />
change the selection of all the categories in the section. Clicking once will<br />
cause all the categories in that section to be monitored. Multiple clicks<br />
allow you to cycle through the list:<br />
• Monitored<br />
• Monitored and Blocked<br />
• Blocked<br />
• No selection<br />
Toggle All Bar: (near the top of the ACL dialog box) Toggles all options in<br />
all categories.<br />
78<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Creating Access Control Lists (ACLs)<br />
Access Denied Page Options: This frame allows you to see what happens<br />
when access to a page is denied. Table 2 lists the various options available<br />
to you.<br />
Table 2: Access Denied Page Options<br />
Access Configuration<br />
Override Link<br />
Description<br />
When selected, the Denied Access page will<br />
include an Override button, so users with override<br />
privileges can gain access to the page. (See “Creating<br />
User Accounts on the <strong>iPrism</strong>” on page 131.).<br />
Request Access Link<br />
When selected, the Denied Access page will<br />
include a Request Access button, which allows<br />
users to petition the administrator for access whenever<br />
they are blocked from a site. (See “Requesting<br />
Access to a Site” on page 104.)<br />
Deny access to the web: If this selected, all web access is not allowed for<br />
this ACL. This is a quick way of setting all categories (even local allowed)<br />
to Blocked. (This is the equivalent of setting everything to Blocked/<br />
Monitored.)<br />
Enable Safe Search: If this is enabled, the <strong>iPrism</strong> will enable the safe<br />
search for Yahoo, Google, and other selected search engines. “Safe Search”<br />
will be turned on even if the user attempts to do a search with this feature<br />
turned off.<br />
4. When you are finished configuring the ACL, click OK to return to the<br />
Profiles tab.<br />
The new ACL is now listed to the right of the scheduling grid, and is<br />
ready to be applied to the currently active profile.<br />
5. Repeat this procedure as necessary to create additional ACLs.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
79
Managing Internet Access<br />
Special Filtering Categories (Locally Defined / Other)<br />
When looking at the selection bars in the Access Control Lists (ACLs)<br />
dialog box, there are two specialty items to consider: locally defined and<br />
other.<br />
Locally Defined Categories<br />
• local1, local2, etc. The <strong>iPrism</strong> system lets you use your own<br />
categories for websites, overriding the ones in the iGuard database. In<br />
order to allow for maximum flexibility, sixteen (16) additional<br />
categories have been added exclusively for your use: local1, local2,<br />
... local16. These sixteen (16) categories give you additional<br />
flexibility in customizing your filtering.<br />
Note: It is important to understand that local filters only have precedence<br />
over the ratings in <strong>iPrism</strong>’s URL database. For example, if you<br />
create a custom filter and edit a site’s rating so that it belongs to the<br />
adult and local1 categories, the site will still be blocked by any profile<br />
that blocks adult content even though local1 is allowed. This is<br />
because the local filter settings do not override other ratings that you<br />
assign locally (e.g., via custom filters).<br />
• local allow. This category is not blocked (by default) on any ACL, so<br />
any site whose rating includes this category will be viewable,<br />
assuming the site doesn’t also belong to some category that is being<br />
blocked by the active profile.<br />
80<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Creating Access Control Lists (ACLs)<br />
• local deny. This category is always blocked (by default) on all ACLs,<br />
so any website whose rating includes this category will be blocked.<br />
Additional information on local categories can be found later in this<br />
chapter. (See “Understanding the Local Allow and Local Deny Categories”<br />
on page 113)<br />
• Other. This category provides a way to let you block and/or monitor<br />
traffic to websites that are not currently rated by <strong>iPrism</strong>.<br />
Viewing ACL Filtering Properties<br />
To review the filtering properties of any ACL, do the following:<br />
1. In the <strong>iPrism</strong> System Configuration tool, select the Access section, then<br />
the Profiles or IM/P2P Profiles tab.<br />
2. In the Profile List frame, select the profile containing the ACL you want<br />
to view.<br />
The existing ACLs are listed on the right side of the profile (see<br />
Figure 24).<br />
3. Select the ACL you want to edit and click View. This opens a read-only<br />
version of the Access Control Lists (ACLs) dialog box (notice there are<br />
no checkboxes) where you can review the selections (see Figure 33).<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
81
Managing Internet Access<br />
FIGURE 33. Viewing ACL Settings<br />
4. After reviewing the properties for this ACL, click OK.<br />
Editing ACL Settings<br />
1. In the <strong>iPrism</strong> System Configuration tool, select Access, then the Profiles<br />
or IM/P2P Profiles tab.<br />
2. In the Profile List frame, select the profile that owns the ACL you want<br />
to edit.<br />
That profile’s ACLs are listed on the right side of the profile grid (see<br />
Figure 24 on page 58).<br />
3. Select the ACL you want to edit and click Edit. The Access Control<br />
Lists (ACLs) dialog box opens.<br />
82<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Creating Access Control Lists (ACLs)<br />
4. Make the desired changes to the ACL’s settings. You can change the<br />
filtering settings, the access configuration, and the ACL name.<br />
For additional information, refer to the following sections:<br />
• “Creating Access Control Lists (ACLs)” on page 70<br />
• Table 2, “Access Denied Page Options,” on page 79<br />
5. Click OK to save the changes to this ACL.<br />
Deleting an ACL<br />
To completely remove an ACL from <strong>iPrism</strong>, use the following procedure.<br />
1. In the <strong>iPrism</strong> System Configuration tool, select Global, then the Profiles<br />
or IM/P2P Profiles tab.<br />
2. In the Profile List frame, select the profile that owns the ACL you want<br />
to delete.<br />
The existing ACLs are listed on the right side of the profile grid (see<br />
Figure 24).<br />
3. Select the ACL that you want to remove and click Delete.<br />
Note: You cannot delete the Default ACL (initially named “ACL 1”)<br />
from any profile.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
83
Managing Internet Access<br />
Lock ACL<br />
Lock ACL provides a way for the SuperUser and the Global Policy<br />
Administrator to globally enforce access restrictions on the same categories.<br />
By using Lock ACL, categories can be marked to be blocked or monitored;<br />
e.g., “pornography” and “nudity”. Once a category is blocked or monitored<br />
in Lock ACL, all the existing and newly created profiles (including those<br />
created by the SuperUser, Global Policy Administrator, or Delegated<br />
Partition Administrator) are updated and the category is blocked/monitored.<br />
However, if you unblock a category from Lock ACL, it does not<br />
automatically update all profiles, so the category will remain blocked in<br />
those profiles. You must manually unblock them in each profile.<br />
The Lock ACL tab is only available to the SuperUser or the Global Policy<br />
Administrator.<br />
84<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Lock ACL<br />
FIGURE 34. Lock ACL Tab<br />
1. From the Appliance Manager, select Global, then Lock ACL.<br />
2. Click Edit for either Web Lock ACL or IM/P2P Lock ACL.<br />
3. Select the categories you would like to lock, as shown in the sample in<br />
Figure 35.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
85
Managing Internet Access<br />
The Advanced settings are as follows:<br />
FIGURE 35. Web Lock ACL Sample<br />
• Allow administrators to override locked categories: This option is<br />
disabled by default. When a category is locked in the Lock ACL, it cannot<br />
be overridden by anyone, even if that person has override privileges.<br />
There may be some cases where you would like to allow some people to<br />
override these categories; select this option to allow this.<br />
86<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Lock ACL<br />
Only administrators or users with override privileges are allowed to<br />
access sites that have been rated with the locked category.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
87
Managing Internet Access<br />
Note: In order for ACLs to work, the ACLs in the profile(s) must have<br />
the Override Link option enabled.<br />
• Allow users to request access for pages with locked categories: You<br />
can allow users to request access to a site that has been blocked. When<br />
this option is selected, if a user tries to go to a website that is locked, a<br />
page displays with a link to the Request Access page. From there, the<br />
user can choose to send the administrator an email requesting access. If<br />
you do not want users to request access to blocked sites, leave this option<br />
unchecked.<br />
Assigning Profiles<br />
Once you have created your profile(s), the final step is to assign them so<br />
that <strong>iPrism</strong> will start filtering web traffic based on the profile’s settings.<br />
This section discusses the different ways that a profile can be used by<br />
<strong>iPrism</strong> and provides instructions for configuring each.<br />
How <strong>iPrism</strong> Uses Profiles<br />
There are three different ways that <strong>iPrism</strong> can make use of a filtering<br />
profile, depending on how <strong>iPrism</strong> is configured on your network and<br />
whether or not you are using authentication:<br />
1. User-level filtering. This type of filtering associates a profile with a<br />
given user. It does not matter which machine they use, the user will<br />
always get the same profile, as it is based on their username.<br />
User-level filtering works well in environments where you want some<br />
people to have significantly more (or less) access to the web than others.<br />
It also offers an additional layer of protection because the user’s profile<br />
follows them, regardless of which workstation they log into.<br />
Before a user can access the Internet s/he must be authenticated. The<br />
<strong>iPrism</strong> system provides a variety of authentication methods and can<br />
access authentication servers like NTLM (Microsoft Windows) and<br />
88<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Assigning Profiles<br />
LDAP (Unix, Linux). See Chapter 6: Users and Authentication for more<br />
information on authentication.<br />
2. Network-level filtering. For network level filtering, you specify a set of<br />
IP addresses and associate a profile with them. For example, if you are a<br />
library, you can have one profile for the computers in the children’s<br />
reading area, and another for the adult library users.<br />
3. Mobile filtering. For mobile filtering, you specify the profile for users<br />
connecting to <strong>iPrism</strong> through the external port; i.e., from outside the<br />
network. For example, if you are a company that provides laptops to<br />
employees, you can enforce a web profile on all employees trying to<br />
access the Internet from outside the company.<br />
Network-level and user-level filtering are not mutually exclusive. If you are<br />
using user-level filtering and a user cannot be authenticated, the system will<br />
fall back to network-level filtering. Thus you can create a system which<br />
forms a complete blanket of protection, covering both authenticated and<br />
non-authenticated users.<br />
Authentication Systems and Assigning Profiles to Users<br />
Users can authenticate themselves to the <strong>iPrism</strong> system using a wide variety<br />
of systems. See Chapter 6: Users and Authentication for detailed<br />
information and instructions.<br />
Assigning Profiles to a Set of IP Addresses (Workstations)<br />
The <strong>iPrism</strong> system makes it easy to assign a profile to an individual IP<br />
address or a range of IP addresses.<br />
Defining IP Address Ranges<br />
1. Start the <strong>iPrism</strong> System Configuration tool and select Access, then click<br />
the Networks tab (see Figure 36).<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
89
Managing Internet Access<br />
FIGURE 36. Assigning a Profile to a set of IP Addresses<br />
2. In the Network List frame, click Add.<br />
3. In the Adding Network frame, define the IP address range to which you<br />
want to assign a web profile and an IM/P2P profile.<br />
Normally all your workstations will be connected to the internal network<br />
interface. If the IP addresses you specified are connected to the external<br />
interface, check External.<br />
Note: External machines can only use proxy mode filtering. Also P2P<br />
filtering is not possible for workstations located on the External interface.<br />
The <strong>iPrism</strong> system is most efficient if the network traffic reaches <strong>iPrism</strong><br />
through the internal interface. Connecting local machines to the external<br />
interface is discouraged, as <strong>iPrism</strong>’s proxy features on its external inter-<br />
90<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Assigning Profiles<br />
face are normally disabled because this side is not protected by a firewall.<br />
If enabled, your <strong>iPrism</strong> may be used by anyone on the Internet.<br />
4. Select the web profile for this IP address range using the Web Profile<br />
dropdown list.<br />
5. Select the IM/P2P profile for this IP address range using the IM/P2P<br />
Profile dropdown list.<br />
6. Click OK. The address range is added to the Network List frame at the<br />
top of this window.<br />
7. Repeat steps 2 – 6 for each set of addresses you want to define.<br />
8. Order the items in the network list by selecting each item, then using the<br />
arrows to the right of the list to move it up or down accordingly.<br />
When the <strong>iPrism</strong> receives a network request, it will go through the list in<br />
order trying to find an IP address range that matches the system it is trying<br />
to filter. The first range that matches will be used.<br />
For example, if your address ranges are:<br />
10.0.0.0 - 10.255.255.255<br />
10.0.1.0 - 10.0.1.255<br />
0.0.0.0 - 255.255.255.255<br />
The second item in the list will never be used. Even though the IP<br />
address 10.0.1.33 is in range, it is also in the range of 10.0.0.0 -<br />
10.255.255.255. This range is matched first.<br />
The most specific entries should be first, followed by the more general<br />
ones. The default entry (0.0.0.0 to 255.255.255.255) should always be<br />
last on the list. Since this matches all IP addresses, any entries after it<br />
will not be processed.<br />
.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
91
Managing Internet Access<br />
Assigning Profiles to Remote or Mobile Users<br />
The <strong>iPrism</strong> system makes it easy to assign a profile to individuals who are<br />
trying to access the Internet using the company’s devices outside of the<br />
internal network. Simply enable the mobile filtering feature and select a<br />
web profile for all users connecting from outside the network, as follows:<br />
How to Configure Mobile Filtering<br />
1. Start the <strong>iPrism</strong> System Configuration tool and select Access, then select<br />
the Networks tab (see Figure 36).<br />
2. In the Network List frame, click Mobile.<br />
92<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Assigning Profiles<br />
Note: In order to enable Mobile Filtering you must be sure that you do<br />
not have an IP range 0.0.0.0 to 255.255.255.255 already defined in your<br />
Networks tab. If you do, please delete this range, define explicitly the IP<br />
ranges of your network and click Mobile. It is vital that you define these<br />
ranges so that all internal network device IP addresses fall into one of the<br />
ranges listed in the Network List, as any IP addresses not included in this<br />
list will no longer have the 0.0.0.0 to 255.255.255.255 range to fall<br />
through to, and will be denied access to the Internet unless configured to<br />
use the <strong>iPrism</strong> as a proxy.<br />
FIGURE 37. Assigning a Profile to Mobile or Remote Users<br />
3. Select the checkbox to Enable Mobile Filtering and choose the web<br />
profile you would like to apply to remote users. This profile will be<br />
applied to remote users who are not mapped to another profile by <strong>iPrism</strong><br />
including:<br />
• All local users with “Use Network” checked as their profile.<br />
• All other users not mapped to another profile on the Profile Mappings<br />
tab.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
93
Managing Internet Access<br />
Note: Mobile users must be proxied to the <strong>iPrism</strong> to be filtered. Also<br />
IM/P2P filtering is not possible for workstations filtered from the External<br />
interface.<br />
4. If you want remote users to be able to access your internal network,<br />
select the Allow internal network access checkbox.<br />
5. Select the type of web authentication. There are three types of<br />
authentication for remote users:<br />
• HTTPS authentication. When the user first attempts to access the<br />
Internet, s/he is sent to a secure login page. This is the preferred<br />
authentication method when LDAP is enabled..<br />
• Digest authentication. This is the most secure type of authentication,<br />
but <strong>iPrism</strong> must know the password of each user. Therefore, it cannot<br />
be used to authenticate NTLM or LDAP users, only local users.<br />
• NTLM authentication. This is the standard protocol used by<br />
browsers to authenticate with proxy servers. This is the preferred<br />
authentication method when NTLM is enabled.<br />
6. In the HTTPS Timeout frame, select the timeout settings to be applied<br />
to authenticated users. These settings apply only when HTTPS is<br />
selected.<br />
From the Style dropdown list, select one of the following timeout methods,<br />
and then enter the corresponding number of minutes in the Timeout<br />
field:<br />
• Fixed Duration. When selected, the Timeout value is the exact<br />
number of minutes between the authentication and the end of the<br />
session. After this number of minutes, <strong>iPrism</strong> will prompt the user to<br />
re-authenticate.<br />
• Inactivity. When selected, the Timeout value is the exact number of<br />
minutes between the last Web access and the end of the session. If<br />
there is no Web activity for the duration of the timeout value, the user<br />
will be asked to re-authenticate during the next Web access. In other<br />
words, each time that a Web access is made, the timeout restarts to its<br />
original value.<br />
94<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Assigning Profiles<br />
• Fixed Hourly. When selected, the Timeout value corresponds to the<br />
number of minutes past the hour at which the session will expire,<br />
independent of the original authentication time. The value of the<br />
timeout should be between 0 and 59 in this mode. This mode is useful<br />
is when users change activity on an hourly basis, such as students in<br />
class.<br />
7. Click OK. Mobile filtering is now enabled for users outside of the<br />
network ranges listed in the Access->Network List.<br />
Note: Mobile users must also be configured to use <strong>iPrism</strong> as their Internet<br />
proxy for mobile filtering to function. Also, when setting a new<br />
authentication type in the Mobile Filtering Configuration dialog, there<br />
may be a delay of up to 30 seconds after saving and exiting the configuration<br />
tool before the new authentication type is applied.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
95
Managing Internet Access<br />
96<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Access Denied Page Options<br />
Chapter 4<br />
Blocked Pages and<br />
Overrides<br />
When a browser tries to access a web page that is being blocked by <strong>iPrism</strong>,<br />
an ‘Access Denied’ page displays (see Figure 38). The <strong>iPrism</strong> system gives<br />
the user and the administrators a variety of options for handling blocked<br />
pages. This gives tremendous flexibility for dealing with blocked web<br />
pages, yet also allowing a great deal of control over Internet usage.<br />
Access Denied Page Options<br />
When a user encounters an Access Denied web page, depending on access<br />
configuration, there may be an Override/Request Access button at the<br />
bottom of it. This button provides access to <strong>iPrism</strong>’s override interface.<br />
Depending on the user’s filtering profile, this button can allow him/her to<br />
perform the following actions:<br />
• Override. When the user selects Override s/he is allowed to bypass<br />
the Access Denied page and view the blocked page, assuming s/he<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
97
Blocked Pages and Overrides<br />
has the proper administrative privileges. The override request is<br />
recorded in the reporting system.<br />
• Request Access. The user can use the Request Access button to send<br />
a message to the master <strong>iPrism</strong> administrator to explain why they<br />
need access to the site. The administrator may review the request and<br />
decide whether or not to grant access. No administration privileges<br />
are required to submit an access request. (If a request is granted, the<br />
requesting users and all users will be allowed to access the site.)<br />
FIGURE 38. Default Access Denied Page with Override Button<br />
The Access Denied Page Options are controlled by the profile, and can be<br />
enabled in the ACLs window. See Table 2, “Access Denied Page Options,”<br />
on page 79 for more information.<br />
98<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Using Override Privileges<br />
By default, these options are disabled when you create a new ACL, so you<br />
must manually enable these if you want to provide Override/Request<br />
Access to users on your network. If both options are disabled, then the user<br />
has no recourse when they encounter the “Access Denied” page; they<br />
cannot view or even request access to the blocked site.<br />
Using Override Privileges<br />
Users that have been granted override privileges as part of their local user<br />
account will be able to bypass the Access Denied page and view the blocked<br />
site. You do not have to be using “full-fledged” authentication in order to<br />
assign these privileges; you can set up user accounts strictly for the purpose<br />
of granting override access. For example, you can use a network-level<br />
profile to control web access on the network, and if a user encounters a<br />
blocked site, s/he can click the Override link, enter their username/<br />
password, and (assuming they have override privileges), view the blocked<br />
website. If users have single override privileges, they can override a block<br />
for themselves. If they have extended override privileges they can let<br />
themselves and other users access a blocked website.<br />
For information on giving local users override privileges, see “Fine Tuning<br />
Your Web Filtering” on page 111.<br />
Overriding a Blocked Web Site<br />
To override a blocked site, you must have a user account with override<br />
privileges, or the <strong>iPrism</strong> supervisor account.<br />
1. When the Denied Access page is encountered, click Override/Request<br />
Access.<br />
Note: If this button is not available, override access is being denied by<br />
the active ACL in the current profile. You cannot gain access to the site.<br />
You may wish to communicate with your <strong>iPrism</strong> administrator directly to<br />
gain access to the page.<br />
2. If the Select Mode page appears (Figure 39), select the Override radio<br />
button and click Next.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
99
Blocked Pages and Overrides<br />
FIGURE 39. Select Mode<br />
3. The <strong>iPrism</strong> Login dialog box will display as shown in Figure .<br />
100<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Using Override Privileges<br />
FIGURE 40. Login<br />
4. Enter your username and password in the appropriate fields and click<br />
Login. The Override Who page will appear as shown in Figure .<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
101
Blocked Pages and Overrides<br />
FIGURE 41. Override Who<br />
5. On the Override Who page, select the user to whom you want to grant<br />
access so they can view the blocked site. The options that display here<br />
will vary depending on your override privileges.<br />
• Current Workstation [IP address]: Any user on the current<br />
workstation will be able to access the blocked URL.<br />
• Current User [user name]: Override the block for this user only.<br />
(Available only if user authentication is enabled.)<br />
• Following Network [network range]: Any user whose workstation is<br />
within the specified network range will be able to access the blocked<br />
URL. (This is available if you are using network only profiles.)<br />
• Current Profile [profilename]: Any user associated with the<br />
specified profile, from any workstation; or any user on a workstation<br />
102<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Using Override Privileges<br />
associated with the specified profile will be able to access the blocked<br />
URL.<br />
• Everyone: Any user from any workstation will be able to access the<br />
blocked URL, if the user has extended override privileges.<br />
6. If you just want to gain access to the blocked domain for a period less<br />
than one hour, you can click Finish now. The blocked web page will display,<br />
and access will be granted for one hour. If you want to override<br />
other URLs or change the override duration, go to the next step.<br />
7. Click Next. The Override Location/Duration page appears as seen in<br />
Figure 42.<br />
FIGURE 42. Override<br />
The options that appear here will vary depending on your override privileges.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
103
Blocked Pages and Overrides<br />
• This URL. Allows access to only the URL that is currently being<br />
blocked.<br />
• Domain. Allows access to all web pages in the domain of the URL<br />
that is being blocked.<br />
• Current Categories. Allows access to all web pages that would<br />
otherwise be blocked by the specified filter categories.<br />
• All URLs. Allows access to all web pages.<br />
8. In the Duration dropdown list, select how long you want the override<br />
privileges to last.<br />
9. Click Finish.<br />
The blocked site displays in the current browser and should be available<br />
to all users to whom you granted access.<br />
Using Access Requests<br />
Users that want to get past a blocked page but do not have override<br />
privileges have the option to plead their case to the <strong>iPrism</strong> administrator (or<br />
other authorized user with override privileges), who can subsequently grant<br />
or deny access to the page. In this scenario, the blocked user would use the<br />
Request Access button on the Denied Access page to send his request to the<br />
<strong>iPrism</strong> administrator. The request is emailed to the person whose email<br />
address is specified in the Block / Unblock Options page. If there is no<br />
email address specified on this page, the system will use the email address<br />
of the <strong>iPrism</strong> administrator found in the Registration tab in the System<br />
section of the System Configuration tool.<br />
Note: It is possible that the administrator may not get the email due to<br />
configuration/DNS problems. You may want to follow up your initial<br />
request until you are sure that this feature is working.<br />
Requesting Access to a Site<br />
1. When the Denied Access page is encountered, click the Override/<br />
Request Access button.<br />
104<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Using Access Requests<br />
If this button is not available, then access is being denied by the active<br />
ACL in the current profile. You cannot request access to the site.<br />
2. When the Select Mode page displays (Figure 39), select the Request<br />
Access radio button and click Next. The Request Access page displays<br />
(Figure 43).<br />
The Location field is prefilled with the URL you are trying to access.<br />
Complete the remaining fields by entering your email address in the<br />
Email field and describing why you need access in the Comments field.<br />
FIGURE 43. Request Access page<br />
3. If you want to be notified by email of the administrators actions, check<br />
the checkbox below the Comments field. You may want to use this<br />
option in a situation where you are not sure your request will be granted.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
105
Blocked Pages and Overrides<br />
4. Click Next. The Request Access Confirmation page displays. This<br />
page reiterates your request so you can review it for accuracy (see<br />
Figure 44).<br />
FIGURE 44. Request Access Confirmation<br />
5. To send your request to <strong>iPrism</strong> administrator, click Finish.<br />
The Request Added page confirms that your request has been added,<br />
and the request is emailed to the appropriate person.<br />
Your request will be seen the next time the administrator reviews access<br />
requests. If you requested notification, you will receive an email after<br />
this review is complete. You cannot reply to this email.<br />
For instructions on how to process access requests, see “Pending Access<br />
Requests” on page 276.<br />
106<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Managing Override Access<br />
Managing Override Access<br />
Override access allows users with the required privileges to be able to<br />
“overrule” the active filtering policy and gain access to web pages that<br />
would otherwise be blocked. In <strong>iPrism</strong>, override privileges are determined<br />
by a user’s administrator level assignment.<br />
From the Appliance Manager, open the System Configuration tool, select<br />
Access, then click the Override Management tab (see Figure 45). The<br />
<strong>iPrism</strong> administrator can review all of the currently active overrides and<br />
revoke them, if desired.<br />
FIGURE 45. Override Management Page<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
107
Blocked Pages and Overrides<br />
The Override Management Page<br />
The columns in the Override Management page are:<br />
• Administrator. The privileged user who created the override. This is<br />
only relevant when using user authentication. The override will only<br />
be valid for the indicated user. When user authentication is not used,<br />
or when the override is valid for all users, this column will indicate<br />
“Any”.<br />
• Profile. The filtering profile affected by the override. This may be the<br />
name of the profile overridden by the user or it may read “Any” if the<br />
override is relevant to a network, not a profile.<br />
• User/Workstation. The user, workstation, or range of workstations<br />
affected by the override, using the IP addresses. If only one<br />
workstation is affected, this column will show its IP address. If<br />
several workstations are affected, this column will show the IP<br />
Network Range.<br />
• Expiration. The date and time at which the override will expire by<br />
itself.<br />
• URL or Category. The URL (single page or domain name) affected<br />
by the override. If the override was performed for a list of categories<br />
instead of a URL, the categories affected will be displayed.<br />
Revoking a Single Override<br />
1. From the Active Overrides frame, select the item you want to override.<br />
2. Click Revoke at the bottom of the page.<br />
Note: To restore the original settings on the Override Management tab,<br />
click Reset.<br />
3. To save the change, select Exit in the top right corner of the window, and<br />
select Save & Exit.<br />
Revoking All Overrides<br />
1. From the Active Overrides frame, click Revoke All at the bottom of the<br />
page.<br />
108<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Managing Override Access<br />
Note: To restore the original settings on the Override Management tab,<br />
click Reset.<br />
2. To save the changes, select Exit in the top right corner of the window,<br />
and select Save & Exit.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
109
Blocked Pages and Overrides<br />
110<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Controlling Access to Individual Web Sites<br />
Chapter 5<br />
Fine Tuning Your<br />
Web Filtering<br />
The <strong>iPrism</strong> lets you have a finely detailed level of control over your Internet<br />
traffic. In this chapter you’ll learn how to customize the <strong>iPrism</strong> so that you<br />
can control exactly which individual sites are blocked or allowed. Through<br />
customization, you can have complete control over your web traffic.<br />
Controlling Access to Individual Web Sites<br />
The <strong>iPrism</strong> web filter operates by comparing each URL request to a<br />
database of URLs which have been categorized according to their content<br />
(see Appendix A: Filtering Categories for specific category information). If<br />
the requested site belongs to a category that is being blocked by the active<br />
ACL, then the site is inaccessible.<br />
Although the <strong>iPrism</strong> database is extremely large and detailed, you may find<br />
that there are some websites that need special processing. The <strong>iPrism</strong><br />
system gives you several ways customize the blocking or non-blocking of<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
111
Fine Tuning Your Web Filtering<br />
individual sites. Even if an individual site is marked as “blocked” by the<br />
database, you can tell <strong>iPrism</strong> to pass it anyway.<br />
Note: You can instantly check a site’s category rating in the URL database<br />
using the Check Site Ratings tool in the Filter Manager. See “Checking Site<br />
Ratings” on page 285.<br />
Changing a URL’s Rating with Custom Filters<br />
A custom filter lets you change a URL’s rating (or create a rating for it if it<br />
does not already have one). It allows you to assign any URL to either an<br />
existing filter category (e.g. adult, nudity, business, politics, etc.) The<br />
<strong>iPrism</strong> system has additional special categories called local categories<br />
which can be used exclusively by your system for URL classification.<br />
These are local1, local2, local3, local4, local5, local6, local7, local8,<br />
local9, local10, local11, local12, local13, local14, local15, local16, local<br />
allow, and local deny. Once you make a custom assignment, <strong>iPrism</strong> will<br />
treat the URL as a member of that category and either allow or deny access<br />
to the site based on the active filtering profile.<br />
Custom filters are important because they provide the ability to restrict or<br />
allow access to any website, not just those included in <strong>iPrism</strong>’s URL<br />
database.<br />
Custom Filters are part of <strong>iPrism</strong>’s Filter Manager utility, accessed by<br />
clicking on the Block/Unblock Site button from the <strong>iPrism</strong> Main web page.<br />
For detailed instructions on how to build a custom filter, see “Automatically<br />
Rating Unrated URLs” on page 259.<br />
Controlling URLs with Locally Defined Categories<br />
If you have created ACLs or custom filters, you probably have noticed that<br />
there is a group of filtering categories named Locally Defined (see<br />
Figure 46). Locally defined categories are unique in that they have<br />
precedence over the (non-local) ratings assigned in the <strong>iPrism</strong> URL<br />
database.<br />
For example, consider a site that is ordinarily blocked, such as<br />
www.playboy.com, whose category rating in the URL database is nudity and<br />
pornography. If you create a custom filter for playboy.com and assign it to a<br />
local rating, such as local1, the site will become available under any profile<br />
112<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Controlling Access to Individual Web Sites<br />
that does not explicitly block the local1 category. In other words, even<br />
though playboy.com is still classified as nudity and pornography and those<br />
categories are blocked by the active profile, the site will not be blocked as<br />
long as the local1 rating is not blocked.<br />
FIGURE 46. Locally Defined Categories<br />
Note: Local categories only have precedence over the ratings that are<br />
specified in <strong>iPrism</strong>’s URL database. Suppose we have a web page with the<br />
custom rating of nudity and local1. If all nudity is blocked, then the site<br />
would be blocked, regardless of the local1 category. The local1 setting does<br />
not supersede the other local settings, only the settings in the factory URL<br />
database.<br />
Using locally defined categories in your custom filters can give you a lot of<br />
individual control over which websites are accessible. For example, you can<br />
configure a profile to block access to all finance-related sites, but still allow<br />
access to a few select finance sites by creating custom filters for them and<br />
assigning them to a local category. To allow access to those sites, verify that<br />
the same local category is not being blocked by the profile.<br />
Understanding the Local Allow and Local Deny Categories<br />
Most of the local categories are named local1, local2, etc. However, there<br />
are two special names: local allow and local deny. These are intended to be<br />
used in a specific way.<br />
• Local Allow is reserved for web pages that you want everyone to access.<br />
It is automatically cleared (i.e., not blocked or monitored) in any new<br />
ACL that is created. <strong>iPrism</strong> uses this category as part of its Custom Fil<strong>iPrism</strong><br />
<strong>Administration</strong> <strong>Guide</strong><br />
113
Fine Tuning Your Web Filtering<br />
ters feature to grant clearance to blocked URLs. It is recommended that<br />
you keep this category cleared in any new or existing ACLs.<br />
• Local Deny is designed for web pages that no one should see. It is automatically<br />
checked (both blocked and monitored) in all new ACLs that<br />
are created, and should also be checked in all existing profiles (except<br />
the default “PassAll” profile). <strong>iPrism</strong> uses this category as part of its<br />
Custom Filters feature to let users instantly deny access to any URL.<br />
Important: The local allow and local deny categories are, by default, used<br />
internally by <strong>iPrism</strong>’s custom filters and override features. It is strongly recommended<br />
that you keep local allow cleared (unchecked) and local deny checked<br />
in all of your profiles. These settings will automatically be made by default in<br />
all new ACLs. If desired, you can change which categories <strong>iPrism</strong> uses to allow/<br />
deny access. This is done from the Custom Filters tab in the Access section.<br />
Using Local Categories<br />
The numbered local categories (local1, local2, etc.) can be used for any<br />
filtering purpose. For example, if you want to block access to the websites<br />
of your competitors, you could do this:<br />
1. Create a custom filter for each website you want to block access to and<br />
assign all of them to the same local category (e.g. local5).<br />
2. In the Profiles tab, edit the active profile so that the local category (e.g.<br />
local5) is blocked (and monitored, if desired.)<br />
That’s it! Now, any website that belongs to the local5 rating will be<br />
blocked by this profile.<br />
Note: When using local filters, it is up to you to keep track of which sites<br />
you assigned to each category.<br />
Submitting Sites to St. Bernard for Review<br />
<strong>iPrism</strong> relies on the iGuard database and the web reviewers at St. Bernard<br />
Software to make judgements about sites that should be categorized, and<br />
which categories they should be assigned to. That means that any new site<br />
that goes up on the web could exist for some time before it is finally<br />
registered, reviewed, categorized, and downloaded into your <strong>iPrism</strong>. If you<br />
114<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Controlling Access to Individual Web Sites<br />
encounter a website that you feel should be included in <strong>iPrism</strong>’s URL<br />
database, you can submit the site to St. Bernard Software for immediate<br />
review.<br />
Submitting Sites via Email<br />
1. From the Appliance Manager’s Main Menu - Administrator, click Via<br />
email to <strong>iPrism</strong> support under Add Web Sites.<br />
2. Submit your URL by clicking the hyperlink to one of the three options:<br />
• Email<br />
• Using the Filter manager interface (requires an Administrator login)<br />
• Using the Quick Submit feature<br />
Include the full URL to the website, as well as any additional information<br />
that you feel is important for the reviewers to know.<br />
Submitting Sites with Quick Submit – While You Surf!<br />
Quick Submit allows you to submit URLs to our iGuard URL Review team<br />
with a single mouse-click.<br />
1. From the Appliance Manager’s Main Menu - Administrator, click On<br />
the fly while you surf under Add Web Sites.<br />
2. Follow the instructions provided to bookmark the <strong>iPrism</strong> Quick Submit<br />
link. Once that is bookmarked, when you are surfing the web and find a<br />
site that you would like to see reviewed, simply select the bookmark<br />
while your browser is at the site in question. The URL of the site will be<br />
sent to the iGuard URL Review team and will be reviewed within 24<br />
hours.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
115
Fine Tuning Your Web Filtering<br />
Changing the Access Denied and<br />
Authentication Pages<br />
The Access Denied page is an HTML page which appears whenever a user<br />
tries to access a website that is being blocked by the active <strong>iPrism</strong> profile.<br />
Unless the user has override privileges or is otherwise granted access by the<br />
administrator, the user will not be able to view the site. <strong>iPrism</strong> provides a<br />
default Access Denied page (see Figure ) but also includes an HTML<br />
Template Manager so you can fully customize this page or replace it with<br />
another HTML document.<br />
116<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Changing the Access Denied and Authentication Pages<br />
FIGURE 47. Access Denied Page<br />
Using the HTML Template Manager<br />
The HTML Template Manager allows you to fully customize the default<br />
Access Denied Page and the Authentication Page used by <strong>iPrism</strong>. To access<br />
the HTML Template Manager, go to the main <strong>iPrism</strong> web page, then click<br />
HTML Template Manager (under System Admin Tools). When prompted,<br />
enter your administrator username (iprism) and password.<br />
Note: Only the <strong>iPrism</strong> administrator account (iprism) can access the HTML<br />
Template Manager.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
117
Fine Tuning Your Web Filtering<br />
FIGURE 48. HTML Template Manager<br />
Note: The interface and process for editing either the Access Denied page<br />
or the Authentication page is identical.<br />
118<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Changing the Access Denied and Authentication Pages<br />
Editing the default HTML Pages<br />
If you wish to only change the current HTML page instead of replacing it<br />
entirely, do the following:<br />
1. From the HTML Template Manager page, select the page you want to<br />
edit (Authentication Page or Access Denied Page) and click the corresponding<br />
Customize button.<br />
2. The Customize page opens for the page you selected (see Figure 49).<br />
In the bottom pane of this page you can see the code for the current<br />
HTML page. Edit the HTML code here, then click Preview to preview<br />
your changes and/or Save Changes to save your changes.<br />
Use the following tags to insert relevant <strong>iPrism</strong> system information and<br />
tools into the document:<br />
Table 3: Custom HTML Tags for Access Denied Page<br />
Tag<br />
|OVERRIDE|<br />
|CONTACTINFO|<br />
|URL|<br />
|INFO|<br />
|RATING|<br />
Description<br />
An Override button, which allows for override access.<br />
The Administrator’s contact information.<br />
The URL of the site that is trying to be accessed.<br />
An Information button, which provides more information<br />
about the Access Denied page.<br />
the rating of the site trying to be accessed.<br />
Note: You can view these HTML tags on-screen at any time by clicking<br />
on the Tag Help button.<br />
Table 4: Custom HTML Tags for Authentication Page<br />
Tag<br />
FORM_START<br />
CACHE_USER<br />
Description<br />
The starting HTML FORM element. This tag must be<br />
placed before any form input elements.<br />
The value entered in as the username. Use this when an<br />
authentication attempt fails. On the next display of the<br />
page, the Username field is populated with the cached<br />
value.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
119
Fine Tuning Your Web Filtering<br />
Table 4: Custom HTML Tags for Authentication Page<br />
Tag<br />
SUBMIT<br />
PROTO<br />
NTLM_DOMAINS<br />
PORT<br />
TIMEOUT<br />
LOGOUTLINK<br />
HOST<br />
ERROR_MESSAGE<br />
Description<br />
A Submit button to process the user authentication form.<br />
This tag must be placed last of all the HTML input elements.<br />
<strong>iPrism</strong>'s protocol, either “HTTP” or “HTTPS”.<br />
The text label “NTLM Domains” and a dropdown select<br />
box of NTLM Domains. This tag will get replaced with an<br />
HTML table row containing a text label and a dropdown<br />
selection box containing your NTLM Domains. (This tag<br />
can only be used when NTLM is enabled and configured.)<br />
The port on which <strong>iPrism</strong>'s web server is running.<br />
The configured default timeout value.<br />
A hyperlink to the logout page.<br />
The configured hostname or IP address of <strong>iPrism</strong>.<br />
An error message (if any.)<br />
3. To see what your page currently looks like, click Preview. After viewing<br />
the page, click Back to Customizing (at the top of the preview page) to<br />
continue customizing the page.<br />
Note: If necessary, you can revert back to the default template page at<br />
any time by clicking Use Default.<br />
4. When you have finished editing the page and are ready for it to “go<br />
live”, click Save Changes and close the HTML Template Manager window.<br />
120<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Changing the Access Denied and Authentication Pages<br />
FIGURE 49. Customize Page<br />
Replacing the Current Page<br />
You can load a custom HTML document template into the <strong>iPrism</strong> for both<br />
the Authentication Page and the Access Denied Page.<br />
Note: Uploading an HTML file into the template will completely replace<br />
the current page.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
121
Fine Tuning Your Web Filtering<br />
1. From the HTML Template Manager page, select the page you want to<br />
edit (Authentication Page or Access Denied Page) and click the corresponding<br />
Customize button.<br />
2. The Customize page opens for the page you selected (see Figure 49).<br />
The bottom pane of this page displays the code for the current HTML<br />
page.<br />
3. Click Upload Template.<br />
This opens the Upload HTML Template page (see Figure 50).<br />
122<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Changing the Access Denied and Authentication Pages<br />
FIGURE 50. Upload HTML Template Page<br />
4. Click Browse to locate the HTML file that you want to upload. Choose<br />
your file and click Open. The path to the HTML file should now appear<br />
in the File to Upload field.<br />
5. Click Upload File.<br />
The contents of the file is moved into the HTML Template Manager.<br />
6. Click Save Changes to save the new page.<br />
7. If desired, you can edit the new HTML page as if it were the default page<br />
(change text, add custom HTML tags, etc.). See “Editing the default<br />
HTML Pages” on page 119.<br />
Making “Quick Changes” to the Access Denied Page<br />
If you want to make changes to the default Access Denied Page without<br />
having to directly edit HTML code, you can do this from <strong>iPrism</strong>’s<br />
configuration interface. Here, you can change the administrator’s contact<br />
information or specify a different web page (URL) to be used as the Access<br />
Denied Page. This method requires no HTML editing.<br />
Note: When you specify a different URL for the Access Denied Page, the<br />
new page you specify will only replace the top portion of <strong>iPrism</strong>’s default<br />
page; The Override/Request Access button remains at the bottom of the<br />
page as usual. If you do not change the URL, you can still add additional<br />
information about your system administrators, so users who encounter a<br />
blocked page will know who to talk to and how to contact them.<br />
Use the following procedure to change the URL or the contact info<br />
associated with the Access Denied page.<br />
1. Start the <strong>iPrism</strong> System Configuration tool.<br />
2. Select the System section and select the Proxy tab (see Figure ).<br />
3. In the Denied Page Information frame, make the desired changes to the<br />
Access Denied page.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
123
Fine Tuning Your Web Filtering<br />
• To add information to the current default page, select Contact Info.<br />
In the associated field, type the information you want to display on<br />
the Access Denied page. Usually, this is contact information for the<br />
<strong>iPrism</strong> administrator.<br />
• To change the web page that displays, select Custom Denied Page<br />
URL. Enter the full URL to the page you want to use in place of the<br />
default page.<br />
FIGURE 51. Denied Page<br />
4. Click Exit in the top right corner of the page, and select Save & Exit.<br />
124<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Changing the Access Denied and Authentication Pages<br />
Test the new page by accessing a web page that you know to be blocked in<br />
the current profile.<br />
Changing the “Other” pages<br />
If you wish to change the appearance of a page other than the Access<br />
Denied or Authentication page, you can do so by using the Other Pages<br />
template manager. The pages customizable using this template manager<br />
include the Logout, Override, Request Access, Anti-spoof, and selected<br />
Error pages.<br />
Start by clicking Customize under Other Pages in the HTML Template<br />
Manager (Figure 52). The Other Pages Template Manager screen appears.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
125
Fine Tuning Your Web Filtering<br />
FIGURE 52. Other Pages Template Manager<br />
The template manager allows you to define the background image and CSS<br />
style sheet for the pages. It also lets you define the HTML code to be used at<br />
126<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Changing the Access Denied and Authentication Pages<br />
the top, bottom, left, and right of the page. The <strong>iPrism</strong> itself will supply the<br />
middle.<br />
To customize a page, under Theme, select Custom and complete the fields.<br />
Available fields include:<br />
Field<br />
Background Image URL<br />
Style Sheet URL<br />
Contact Info<br />
Organization<br />
Description<br />
The URL of a background image to be used. Note:<br />
Images must be hosted on a system other than the<br />
<strong>iPrism</strong>. If this field is left blank, no background image<br />
will be used.<br />
The URL for a style sheet. This file must be hosted on a<br />
system other than the <strong>iPrism</strong>. Default = no style set.<br />
Text to be used when the |CONTACTINFO| tag is<br />
encounter in the HTML code for the top, left, right, or<br />
bottom HTML code defined below.<br />
Text to be used when the |ORGANIZATION| tag is<br />
encounter in the HTML code for the top, left, right, or<br />
bottom HTML code defined below.<br />
Top HTML<br />
HTML code to be used for the top of the page.<br />
Bottom HTML<br />
HTML code to be used for the bottom of the page.<br />
Left HTML<br />
HTML code to be used for the left of the page.<br />
Right HTML<br />
HTML code to be used for the right side of the page.<br />
The buttons at the top of the page perform the following actions:<br />
Button<br />
Back to Manager<br />
Save Changes<br />
Preview<br />
Action<br />
Exit to the template manager, discarding changes.<br />
Save the current changes.<br />
Display a sample page with the current settings applied.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
127
Fine Tuning Your Web Filtering<br />
128<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Chapter 6<br />
Users and<br />
Authentication<br />
The <strong>iPrism</strong> system can be configured to filter Internet traffic in a variety of<br />
ways:<br />
• By IP address. Each IP address range is assigned a Web Profile and<br />
an IM/P2P Profile. If, however, the user moves from one system to<br />
another (e.g., a desktop workstation with a very open profile to a lab<br />
machine with a very restricted profile), the more restrictive profile<br />
applies.<br />
• By username. Three different sources are accessed for user<br />
information:<br />
1. Redirect their first web access to an <strong>iPrism</strong> login page (see<br />
Figure 70 and Figure 71): Once s/he logs in, <strong>iPrism</strong> knows who<br />
they are and can provide filtering based on the profiles assigned to<br />
their username.<br />
2. Local authentication: For a limited set of users, a local user list<br />
resides on the <strong>iPrism</strong> itself, which does not require contacting an<br />
external authentication server (for more information, See “Setting<br />
up Local Authentication” on page 131.).<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
129
Users and Authentication<br />
We recommend that you use local authentication only when you<br />
initially set up your <strong>iPrism</strong>. It is the simplest form of<br />
authentication and is extremely easy to set up. This will give you<br />
a chance to see how the <strong>iPrism</strong> authentication system works on a<br />
limited basis, without having to worry about what may be going<br />
on between a central authentication server and <strong>iPrism</strong>.<br />
3. Central authentication server: For a larger user base, the <strong>iPrism</strong><br />
can be configured to use a Windows (NTLM) or LDAP (Unix,<br />
Linux, Novell, Microsoft Windows) authentication server. (See<br />
“Communicating with a Microsoft Windows Authentication<br />
Server (NTLM)” on page 159 for details on Windows<br />
authentication and “Communicating with an LDAP Server” on<br />
page 150 for information on LDAP).<br />
After you gain experience with the system, you’ll probably want<br />
to connect to a central authentication server by configuring your<br />
<strong>iPrism</strong> to use Windows (NTLM) or LDAP based authentication.<br />
This will expand your user base to a much wider audience.<br />
Note: <strong>iPrism</strong> can use a Windows (NTLM) or LDAP<br />
authentication server, but not both at the same time.<br />
The <strong>iPrism</strong> system can also determine who a user is in a variety of ways,<br />
such as several types of login screens, proxy-based authentication, and the<br />
auto-login feature. For details, see “Auto-Login Details” on page 146.<br />
Notes:<br />
• <strong>iPrism</strong> can only authenticate web-based connections. Because of the<br />
way that IM and P2P protocols work, user-based authentication is<br />
impossible, so the <strong>iPrism</strong> uses IP-based profile mapping for these<br />
protocols.<br />
• If a users cannot be authenticated, s/he will not be able to use the<br />
Internet.<br />
130<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Setting up Local Authentication<br />
Setting up Local Authentication<br />
The <strong>iPrism</strong>’s local authentication system lets you define a set of users on the<br />
<strong>iPrism</strong> itself. No central authentication server is involved. Even if you have<br />
an external authentication server, the local user list allows you to provide a<br />
small number of people administrative access rights to the <strong>iPrism</strong> system.<br />
Creating User Accounts on the <strong>iPrism</strong><br />
1. Start the <strong>iPrism</strong> System Configuration tool and select the Users section,<br />
then select the Local tab (see Figure 53).<br />
2. Click Add beneath the <strong>iPrism</strong> Users frame.<br />
The Adding User frame becomes active, and “new_user” now displays<br />
in the Name field.<br />
3. In the Name field, type a new username.<br />
• Usernames cannot contain spaces. Only alphanumeric characters,<br />
underscores, hyphens, and periods are allowed (32 characters max.).<br />
• Names are not case-sensitive. All names are saved in lowercase by<br />
<strong>iPrism</strong>.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
131
Users and Authentication<br />
FIGURE 53. Create New User (Local Authentication)<br />
4. In the Password field, enter a password for this account.<br />
• Passwords are case sensitive.<br />
• Valid passwords must be at least four (4) characters long and not<br />
more than thirty-two (32) characters in length.<br />
• For security, the password you type will display as asterisks (*). The<br />
number of asterisks that display in the Password and Confirm<br />
Password fields does not indicate the number of characters in your<br />
password.<br />
132<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Setting up Local Authentication<br />
5. Re-enter your password in the Confirm Password field. Make sure to<br />
type it exactly as before.<br />
6. Enter comments about this user in Notes, such as their job title, department,<br />
position, etc..<br />
7. In the Profile dropdown list, select the web filtering profile to apply to<br />
this user.<br />
8. If you prefer that this user be assigned to the network-level profile that<br />
includes his/her workstation, click the Use Network checkbox. The Profile<br />
field will be grayed out, and this user will be governed by the profile<br />
designated on the Networks tab.<br />
9. To assign administrative privileges to this user, select the desired access<br />
level from the User Admin Privileges dropdown list. Otherwise, leave<br />
this field set to No access.<br />
<strong>iPrism</strong>’s administrator levels are:<br />
• Extended Override: Allows the user to log in to override<br />
management (see “The Override Management Page” on page 108)<br />
and grant access to others.<br />
• Filter Management: Allows the user to change the categories<br />
associated with a website (e.g., its site rating). Allows access to the<br />
Block/Unblock Site interface.<br />
• Full Access: Allows the user to reply to administrative requests<br />
(overrides, access, etc.). This user can access reports and the Block/<br />
Unblock Site interface, but cannot access the Configuration interface<br />
or the Real-time Monitor.<br />
• Global Policy Admin: This role is a user or login that is in charge of<br />
global filtering policies, regardless of existing partitions.<br />
• No Access: This basic user account has no administrative privileges.<br />
• Reports Only: This user will be allowed access to <strong>iPrism</strong>’s report<br />
interface only.<br />
• Single Override: Allows a user to grant access to themselves only.<br />
They cannot grant access to others.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
133
Users and Authentication<br />
If the <strong>iPrism</strong> is using mERS as its reporting system, and if the <strong>iPrism</strong> is<br />
the originator of an active mERS account, the administrator can also<br />
assign to the user the right to access mERS reporting services. This is<br />
done by checking the Allow access to mERS checkbox.<br />
10. After completing all the selections, click OK to add the new user to the<br />
<strong>iPrism</strong> user list.<br />
Note: You cannot exit the Users tab while you are creating or editing a<br />
user. Click Cancel to end your current editing session before exiting.<br />
134<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Setting up Local Authentication<br />
Editing Administrative Privileges<br />
The Administrative Profiles pull-down (Figure 55) assigns a local user an<br />
administrative profile based on a pre-defined list of values. The list of<br />
administrative profiles can be edited by clicking Edit/Add in the Adding<br />
User section as shown in Figure 53.<br />
FIGURE 54. Edit/Add button<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
135
Users and Authentication<br />
FIGURE 55. Administrative Profiles<br />
136<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Setting up Local Authentication<br />
Creating a new Administrative Profile<br />
1. Click Add.<br />
2. Type the name of the new profile in the Name field.<br />
3. Type a password in the Password field.<br />
4. Confirm the password and type any notes.<br />
5. Select a profile, or check Use Network to use a network profile.<br />
6. Select an administrative profile from the dropdown list in Admin Privileges<br />
(you can also click Edit/Add for a more detailed profile breakdown.<br />
Available profiles are as follows:<br />
• Extended Override: Allows the administrator to log in to override<br />
management (see “The Override Management Page” on page 108)<br />
and grant access to others.<br />
• Filter Management: Allows the user to change the categories<br />
associated with a website (e.g., its site rating). Allows access to the<br />
Block/Unblock Site interface.<br />
• Full Access: Allows the user to reply to administrative requests<br />
(overrides, access, etc.). This user can access reports and the Block/<br />
Unblock Site interface, but cannot access the Configuration interface<br />
or the Real-time Monitor.<br />
• Global Policy Admin: This role is a user or login that is in charge of<br />
global filtering policies, regardless of existing partitions.<br />
• No Access: This basic user account has no administrative privileges.<br />
• Reports Only: This user will be allowed access to <strong>iPrism</strong>’s report<br />
interface only.<br />
• Single Override: Allows a user to grant access to themselves only.<br />
They cannot grant access to others.<br />
7. In the Rights - Report Access section, select which level of access this<br />
administrative profile will have to the reporting system:<br />
• None. No access to the reporting system.<br />
• Full. Complete access to the reporting system.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
137
Users and Authentication<br />
• Access To Profile. Users can only access a specific profile selected<br />
from the list to the right of this selection. The special profile [User]<br />
indicates the profile currently in force for the user.<br />
• Access To Network Range. The user can only run reports on a<br />
limited range of IP addresses. The specific addresses are entered in<br />
the two adjacent fields.<br />
Note: Report restrictions are silently applied when the user runs<br />
reports. For example, if a user is restricted to a given IP address<br />
range, all reports will contain data for just that IP address range, even<br />
if a larger range was specified in the report itself.<br />
8. In the Custom Filters section, select a filter. These control access to the<br />
Filter Manager (see “The Filter Manager” on page 257 for information).<br />
• Select None to prevent users from accessing the Filter Manager<br />
• Select Full to give them complete access<br />
9. The Override Privileges section can be seen in Figure 56 below. This<br />
section allows you to fine-tune the user’s ability to override a blocked<br />
request.<br />
138<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Setting up Local Authentication<br />
FIGURE 56. Administrative Profiles (Continued)<br />
10. The Overrides subsection selects the users for whom this class of<br />
administrators can create an override:<br />
• Can Not Override: disables the user’s ability to override, even for<br />
himself/herself.<br />
• Self Only: The user can create an override for himself/herself, but no<br />
one else.<br />
• Users As Follows: The user can create overrides for a group of users<br />
specified in the Users definition section.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
139
Users and Authentication<br />
• Current Workstation: The administrator can override URLs<br />
only for the workstation s/he is currently using. Since the<br />
overrides exist for a specific time period, it is possible for the user<br />
to log in to a workstation, create an override, and log out, then<br />
another user to log in and benefit from the override setting.<br />
• Current User: The administrator can create an override for<br />
himself/herself only.<br />
• Current Partition: If partitions are enabled, the administrator can<br />
create an override for the users in her/his partition.<br />
• Network Range: The administrator can create an override for a<br />
range of IP addresses as specified.<br />
• Profile: The administrator can create an override for all users who<br />
use a specific profile. The special profile [User] indicates the<br />
profile current in force for the administrator.<br />
• Everyone. The administrator has complete override ability.<br />
11. The Contents section specifies what the administrator can override.<br />
• Current URL: Only the entire URL can be overridden.<br />
• Current Path: A specific path can be overridden, regardless of the<br />
host name. The path component is the part of the URL which appears<br />
after the host name.<br />
• Current Domain: A specific domain name can be overridden. The<br />
domain name of the host part of the URL; e.g., yahoo.com is the<br />
domain name of http://www.yahoo.com. The <strong>iPrism</strong> system is aware<br />
of country codes, so the domain for http://www.amazon.com.uk/<br />
index.html is amazon.co.uk.<br />
• Current Category: The administrator to override all users which<br />
belong to the category of the URL being requested.<br />
• All URLs: The administrator can override any URL.<br />
12. From the Duration dropdown list, select the amount of time an override<br />
can remain in effect.<br />
13. Click Ok to create the new profile, or Cancel to cancel it.<br />
14. Click Ok at the bottom of the pane.<br />
140<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Setting up Local Authentication<br />
Adding a New Administrative Profile<br />
1. In the Administrative Profile section, click New.<br />
2. Enter the name of the new profile in the Name field (see Figure 55).<br />
3. The values of the various administrative privileges are set using the same<br />
steps as in the section “Editing Administrative Privileges” on page 135.<br />
Deleting an Administrative Profile<br />
1. Select the profile to be deleted in the Administrative Profiles dropdown<br />
list.<br />
2. Click Delete.<br />
Importing User Accounts into <strong>iPrism</strong><br />
The import facility lets you create local user accounts by specifying the user<br />
data in an external file. The format of this file and the import process are<br />
described in “Importing User Data into <strong>iPrism</strong>” on page 365.<br />
Editing User Accounts<br />
You can edit a user’s account to change a user’s name, password, filtering<br />
profile, or administrative privileges. To edit an account:<br />
1. Select the Users section.<br />
2. In the <strong>iPrism</strong> Users frame, select the user to edit and make your<br />
changes.<br />
3. Click OK when you are finished.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
141
Users and Authentication<br />
Choosing an Authentication Mechanism<br />
Network-based profiles do not require authentication to be enabled. If,<br />
however, authentication is enabled, users must authenticate to reach the<br />
Internet.<br />
Assigning an Authentication Mechanism to an IP address<br />
range<br />
1. Start the <strong>iPrism</strong> System Configuration tool, select the Access section,<br />
then select the Networks tab (see Figure 57).<br />
142<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Choosing an Authentication Mechanism<br />
FIGURE 57. Authentication control in Networks tab<br />
2. In the Network List frame, select the network on which you want to<br />
enable authentication. The default IP address range (0.0.0.0. to<br />
255.255.255.255) covers all the IP addresses. Select this if you want to<br />
apply the authentication settings across the entire network.<br />
• Select the network in the Network List to which you want to apply<br />
the authentication settings. You can only edit one network at a time.<br />
• If you want to define a new network, click Add and define the IP<br />
address range below. See “Defining IP Address Ranges” on page 89.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
143
Users and Authentication<br />
• If you want to remove a network, select the network from the<br />
Network list and click Delete.<br />
• Click View All to view the profile mappings and network settings.<br />
• Use the up/down arrows to move a selected network up or down the<br />
list.<br />
3. In the Web Authentication type(s) on this network section, select<br />
which types of authentication you wish to allow in Proxy Mode and<br />
Bridge (Transparent) Mode. (For a review of each mode, see “Proxy<br />
Mode” on page 5 and “Bridge (Transparent) Mode” on page 8.)<br />
• No Authentication: No user authentication is done, and the<br />
system uses IP address-based profile mapping.<br />
• HTTPS: (Secure http protocol; the preferred authentication<br />
method.) When the user first attempts to access the Internet, s/he<br />
is sent to a secure login page.<br />
Note: HTTPS (SSL) traffic on port 443 is now strictly enforced. If<br />
you do not use SSL but use port 443 for your traffic, either change<br />
the application port to a port other than port 443, or set up a filter<br />
exception for the client/server IP addresses. To learn how to set up<br />
filter exceptions, see “Creating Filter Exceptions” on page 207.<br />
• HTTP: Like https, only the protocol used is the insecure http<br />
protocol. This authentication type is not recommended because<br />
usernames and passwords are sent as clear text. Anyone with a<br />
sniffer on your network can obtain them.<br />
• Basic: (Proxy mode only) This is the standard protocol used by<br />
browsers to authenticate with proxy servers. Basic authentication<br />
is browser session-based. When the user exits the browser, the<br />
session is ended and the authentication goes away. When the user<br />
starts the browser again, they will have authenticate again.<br />
Note: This authentication type does not work if you have a proxy<br />
server between the user’s workstation and the <strong>iPrism</strong>.<br />
• [Disabled] - No authentication is done. The user is not allowed<br />
web access. The [Disabled] authentication can be used in proxy<br />
mode to force everyone to use bridge (transparent) mode; i.e., you<br />
can use [Disabled] to turn off proxy mode while leaving bridge<br />
(transparent) mode functioning.<br />
144<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Choosing an Authentication Mechanism<br />
• Auto-Login - This allows for the system to automatically log in a<br />
user based on the Windows NTLM or LDAP authentication<br />
protocol. See “Auto-Login Details” on page 146 for details.<br />
Note: If the system can not automatically log in a user, it will fall<br />
back to the selected authentication method.<br />
When LDAP Auto-Login is enabled, you can use the LDAP<br />
group->profile mapping if you want to apply profiles to the users<br />
based upon their LDAP memberships (recommended). If you do<br />
not map profiles to groups, then all users will get the default<br />
fallback profile. LDAP authentication can be either configured<br />
with Auto-Login or with manual login. Profile mapping can also<br />
be used with manual authentication.<br />
4. In the HTTP/HTTPS Timeout frame, select the timeout settings to be<br />
applied to authenticated users. These settings apply to any mode for<br />
which either HTTP or HTTPS is selected.<br />
Note: These fields are grayed out if a valid mode is not selected.<br />
From the Style dropdown list, select one of the following timeout methods,<br />
then enter the corresponding number of minutes in the Timeout field:<br />
• Fixed Duration. When selected, the Timeout value is the exact<br />
number of minutes between the authentication and the end of the<br />
session. After this number of minutes, the user will be prompted<br />
by <strong>iPrism</strong> to re-authenticate.<br />
• Inactivity. When selected, the Timeout value is the exact number of<br />
minutes between the last Internet access and the end of the session. If<br />
there is no Internet activity for amount of time specified in the<br />
timeout value, the user will be asked to re-authenticate the next time<br />
the Internet is accessed. In other words, each time that an Internet<br />
access is made, the timeout restarts to its original value.<br />
• Fixed Hourly. When selected, the Timeout value corresponds to the<br />
number of minutes past the hour at which the session will expire,<br />
independent of the original authentication time. The value of the<br />
timeout should be between 0 and 59 minutes in this mode. This mode<br />
is useful is when users change activity on an hourly basis, such as<br />
students in a class.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
145
Users and Authentication<br />
5. Click OK. If you defined a new network, it is added to the Network List<br />
frame.<br />
Note: The Network List is an ordered list that is searched from the top<br />
down. To avoid confusion, broader networks must appear after narrower<br />
ones, as the broad network may overlap or include the specific subnet.<br />
Use the arrow keys to the right of the Network List to change the order<br />
of the selected network. If the order is not correct, you will get a message<br />
to change it when you try to exit.<br />
6. Select Exit, then Save & Exit to save your changes. Wait a few<br />
moments for <strong>iPrism</strong> to reset, then test the authentication settings by logging<br />
in from a workstation on the network.<br />
Recommended Authentication Settings<br />
Proxy Mode: If you are using NTLM or LDAP, the recommended<br />
authentication settings is Auto-Login with Basic enabled. If you are not<br />
using NTLM or LDAP, the recommended authentication setting is<br />
HTTPS.<br />
Bridge (Transparent) Mode: The recommended authentication setting<br />
is Auto-Login with HTTPS enabled.<br />
<strong>iPrism</strong> and External Certificate Authorities<br />
<strong>iPrism</strong> does not currently link to external Certificate Authorities. End users<br />
that are running HTTPS authentication will likely receive a warning from<br />
their browser that the certificate is not recognized. You should tell your<br />
browser to accept the certificate and proceed. Once a certificate has been<br />
accepted, the warning should not reappear.<br />
Auto-Login Details<br />
Auto-Login provides a mechanism by which authentication is automated.<br />
The mechanism is different if you are using Windows or LDAP.<br />
Windows<br />
When using Windows, rather than requiring a user to manually enter their<br />
account information, it is automatically obtained from the browser. 2 The<br />
146<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Choosing an Authentication Mechanism<br />
details vary somewhat depending on which mode (proxy or bridge<br />
(transparent)) is in effect. The mode details are explained separately below,<br />
as well as the system requirements required to successfully enable Auto-<br />
Login.<br />
When using Windows, the <strong>iPrism</strong> system is able to authenticate any<br />
workstation as long as the user is logged in to a domain trusted by <strong>iPrism</strong>’s<br />
domain controller and the browser is configured to allow automatic<br />
authentication. If the Auto-Login fails, <strong>iPrism</strong> will revert to its regular<br />
authentication interface and prompt the user for his/her account credentials.<br />
LDAP<br />
When using LDAP, rather than requiring a user to manually enter their<br />
account information, <strong>iPrism</strong> queries the Novell eDirectory networkaddress<br />
attribute that keeps track of the IP address of the user’s workstation. When<br />
the user logs on, the attribute is populated with the IP address and the<br />
appropriate profile is applied. When the user logs off, the attribute is<br />
cleared.<br />
Using Auto-Login in Bridge (Transparent) Mode<br />
For Auto-Login to work in bridge (transparent) mode, the following<br />
network/system requirements must be met:<br />
Windows<br />
• Windows authentication must be configured, enabled, and operational<br />
on <strong>iPrism</strong> (see “Communicating with a Microsoft Windows<br />
Authentication Server (NTLM)” on page 159).<br />
• The primary web browser is either Internet Explorer or Firefox.<br />
• In Internet Explorer, one of the following modes must be in place to<br />
verify that the user is logged in to a domain trusted by <strong>iPrism</strong>’s<br />
domain controller.<br />
2. Some web accesses do not involve a browser (e.g., Windows Update). In this case the<br />
application may not honor the protocol used for automatic authentication. When this happens,<br />
the <strong>iPrism</strong> is unable to select a profile based on the user name, so it falls back to IP<br />
address-based profiles.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
147
Users and Authentication<br />
• IP-based mode. Under this configuration, the IP address of<br />
<strong>iPrism</strong> (i.e., not the DNS name or WINS name) must be in the<br />
local Intranet zone of the browser. (This can be done networkwide<br />
by configuring the domain controller, or each workstation<br />
can be configured manually using the procedure below.)<br />
- OR -<br />
• DNS-based mode. This approach requires that the browser be<br />
able to resolve <strong>iPrism</strong>’s non-fully qualified host name to an IP<br />
address. This can be done network-wide by configuring your<br />
local DNS forward lookup zone[s] to contain an A record for<br />
<strong>iPrism</strong>.<br />
• Firefox must be configured to use NTLM authentication through<br />
the about:config page. The parameter<br />
network.automatic-ntlm-auth.trusted-uris must include<br />
http:, where is the IP address of the<br />
<strong>iPrism</strong>.<br />
• In the Networks tab, the Auto-Login checkbox must be checked in<br />
the Bridge (Transparent) Mode row (see Figure 58).<br />
FIGURE 58. Auto-Login in Bridge (Transparent) Mode<br />
For LDAP<br />
• LDAP authentication must be configured, enabled, and operational on<br />
the <strong>iPrism</strong> (see “Communicating with an LDAP Server” on<br />
page 150).<br />
• Internet Explorer is the primary web browser.<br />
• Auto-Login LDAP Server requirements:<br />
• Novell eDirectory 8.7.3 or 8.8, on Novell NetWare<br />
• LDAP Auto-Login is supported for Windows/Linux users running<br />
a Novell “NMAS capable” (Novell Modular Authentication<br />
148<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Choosing an Authentication Mechanism<br />
Service) login client, meaning a Novell login client version 4.90<br />
and higher.<br />
• End users must login to the Novell eDirectory using a Novell client.<br />
• In the Networks tab, the Auto-Login check box must be checked in<br />
the Bridge (Transparent) Mode row (see Figure 58).<br />
Note: Auto-Login requires precise configuration in order to work<br />
properly. Please check the <strong>iPrism</strong> tech notes page for up-to-date information.<br />
http://www.stbernard.com/products/docs/ip_technotes/Auto-Login.pdf<br />
Using Auto-Login in Proxy Mode<br />
Auto-Login capability is implemented differently in proxy mode than in<br />
bridge (transparent) mode. Here, it is not an extension of the IP-mapped<br />
authentication, but rather a session-based authentication system which<br />
authenticates on a per-connection basis. By using the same credentials that<br />
were used to log in to the workstation and authenticating against the same<br />
domain controller, Auto-Login can uniquely identify users and securely<br />
apply the correct profile to their browsing session. To make this work,<br />
Internet Explorer and Firefox open a number of socket connections to<br />
<strong>iPrism</strong>, each of which must succeed the authentication process. These<br />
connections can then transfer any number of URL requests without reauthenticating.<br />
Not using a connection for more than a minute will usually cause the<br />
browser to close the connection, but it will automatically open and<br />
authenticate more connections as necessary. Most browsers use one to four<br />
active connections, depending on the amount of URL traffic being<br />
transferred.<br />
For Auto-Login to work in proxy mode, the following network/system<br />
requirements must be met:<br />
• Internet Explorer v5.0 (or later), and <strong>iPrism</strong> v3.4 (or later).<br />
• Firefox (all versions).<br />
• The browser must be configured to use <strong>iPrism</strong> as a proxy. See<br />
“Configuring Browsers for Authentication” on page 345.<br />
• Workstations must participate in and log into a Windows domain.<br />
<strong>iPrism</strong> must have a shared trust in this same domain.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
149
Users and Authentication<br />
• NTLM authentication must be enabled, configured, and operational<br />
on <strong>iPrism</strong>. See “Configuring Browsers for Authentication” on<br />
page 345.<br />
• The authentication method must be set to Basic in the Networks tab.<br />
(This is necessary to support software that does not, or cannot,<br />
support NTLM authentication.)<br />
• In the Networks tab, the Auto-Login check box must be checked in<br />
the Proxy Mode row. (See Figure 59)<br />
FIGURE 59. Auto-Login in Proxy Mode<br />
Auto-Login can be enabled simultaneously for both proxy mode and bridge<br />
(transparent) mode operation, as long as the network/system requirements<br />
for each configuration are met.<br />
Communicating with an LDAP Server<br />
LDAP centralizes and makes user information available on a network.The<br />
<strong>iPrism</strong> can authenticate users and, optionally, obtain access information (an<br />
<strong>iPrism</strong> Access Profile name) for those users from an LDAP server.<br />
Each user object within the LDAP directory may contain many attributes to<br />
associate with the user (such as password, phone number, full name, etc.).<br />
For the <strong>iPrism</strong> to utilize users on a remote LDAP server, that server must<br />
perform simple LDAP binds (authentications) to the user’s node. When<br />
these binds fail (i.e., passwords don’t match), then the <strong>iPrism</strong> considers the<br />
authentication to have failed, and the associated service access (Web Proxy)<br />
consequently fails.<br />
Note: LDAP authentication does not implement the Simple Authentication<br />
and Security Layer (SASL) mechanism.<br />
150<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Choosing an Authentication Mechanism<br />
Refer to the “Configuration example (using NT Active Directory)” on<br />
page 157 to understand how the <strong>iPrism</strong> performs lookups.<br />
Setting Up the <strong>iPrism</strong> LDAP Client<br />
1. Start the <strong>iPrism</strong> System Configuration tool and select the Users section,<br />
then select the LDAP tab (see Figure 60).<br />
2. Check Enable LDAP Authentication.<br />
• Presets. Click Presets to display the LDAP Presets dialog box, which<br />
contains a useful selection of common configurations to pre-load the<br />
LDAP screen with place holder and default values that you can<br />
modify. Select a configuration (Active Directory (Multi-Domain),<br />
Active Directory (Single-Domain), or NDS) and click Apply. The<br />
LDAP fields will be prefilled based on your selection.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
151
Users and Authentication<br />
FIGURE 60. LDAP Tab<br />
3. In the LDAP Server frame, provide the requested information about the<br />
LDAP server to which <strong>iPrism</strong> will connect.<br />
• Server. Enter the DNS name or IP address of your LDAP Server<br />
from which user authentication and profile information will be<br />
retrieved.<br />
Note: <strong>iPrism</strong> requires plain text authentication to be enabled on<br />
the server.<br />
• Port. Enter the TCP port number used by LDAP. The default<br />
LDAP port is 389. For NT/Win2k Active Directory, the global<br />
catalog port is 3268.<br />
• Backup Server. You can configure a optional backup LDAP<br />
server that replicates the primary server’s information. If <strong>iPrism</strong><br />
fails to establish a connection to your LDAP server, it will try the<br />
backup server. Enter the DNS name or IP address of your LDAP<br />
Server, or leave it blank if there is no backup server.<br />
• Backup Server Port. If designating a backup server with a port<br />
other than 389, enter the port associated with this server.<br />
• Binding DN or UPN. Bind is the LDAP user authentication. The<br />
DN/UPN should be a domain user account with privileges to<br />
query the LDAP server. Non-Windows LDAP servers may accept<br />
only LDAP distinguished name (DN) format:<br />
CN=domain_user_account, DC=your_domain_name, DC=com.<br />
Windows 2000 and above servers accept DNs, but also accept<br />
RFC 822 User Principal Name (UPN) format:<br />
domain_user_account@stbernard.com, where stbernard.com is a<br />
domain name.<br />
Note: If left empty, an anonymous bind is performed. A common<br />
problem is that anonymous binds lack administrative rights to<br />
perform a sufficient search of the LDAP tree.<br />
• Binding DN or UPN Password (only used with Binding DN or<br />
UPN). The password associated with the Binding DN or UPN<br />
username on the LDAP server. It can be left empty if the LDAP<br />
server does not require a password.<br />
152<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Choosing an Authentication Mechanism<br />
• Base DN. This parameter indicates the common root of all<br />
information that will be considered when <strong>iPrism</strong> queries the<br />
LDAP server for user data. Base DN will typically be some<br />
representation of your organization. LDAP data is stored<br />
conceptually in a tree, containing nodes, or branches of<br />
information. This describes how the LDAP information is<br />
organized in the source server. Changing the Base DN can restrict<br />
to searching a given group on the LDAP server. The setting<br />
depends on your LDAP vendor:<br />
• Novell NDS: o=organization<br />
• Windows Active Directory: dc=domain, dc=com<br />
• InterGate: o=organization<br />
It can also be left empty for servers that accept an empty Base<br />
DN, such as NDS, and <strong>iPrism</strong> will default to the root of the LDAP<br />
server. Base DNs can use domain components (DC) to search as<br />
subdomain, as in: “DC=mySubdomain, DC=mydomain,<br />
DC=com.”<br />
• Use UID. Selecting the checkbox automatically activates the<br />
simple Mask value of uid=%1.<br />
Note: Since the pound sign (#) is used as the attribute value<br />
separator, it must be considered an illegal character in any<br />
attribute value (uid, name, organization, etc.)<br />
• Mask. The mask is a way to designate the attribute(s) that will<br />
cause the LDAP access to result in a unique user node. The syntax<br />
for the Mask field uses a combination of attribute (attrNUM) and<br />
value (%NUM) separated by the equals sign (=). Multiple<br />
attribute/value pairs must be separated by the # character.<br />
attrNUM is the actual name of the attribute, and %NUM<br />
indicates the position in which a user would enter the information<br />
in the name field of an authentication prompt. So the syntax is as<br />
follows attr1=%1[#attr2=%2[...]].<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
153
Users and Authentication<br />
The two examples in Table 5 should help clarify the matter:<br />
Table 5: Mask values in LDAP Configuration<br />
Mask<br />
uid=%1<br />
name=%1#organization=%2<br />
User login example<br />
bill<br />
sally#accounting<br />
In the first row, the LDAP server is going to search for the unique<br />
node that has the uid attribute equal to bill. In the second row,<br />
the matching node will have the name attribute equal to sally<br />
and the organization attribute equal to accounting. This<br />
flexibility allows the organization to have the same username<br />
(sally) in two different departments.<br />
• Require Attribute. Check this box if you want to force the LDAP<br />
server to supply the profile name attribute. As a consequence,<br />
fallback profiles are not used. If this box is checked and a profile<br />
name attribute is not obtained, authentication will fail.<br />
Note: This method is no longer recommended, but is supported<br />
for users with <strong>iPrism</strong> prior to version 5.0. Instead, use Profile<br />
Mapping to map LDAP user profile results with <strong>iPrism</strong> profiles;<br />
See “Mapping Groups to <strong>iPrism</strong> Resources” on page 168..<br />
• Attribute / SubQuery Attribute. Each LDAP node will usually<br />
have many attributes of information about the user. <strong>iPrism</strong> can run<br />
up to two LDAP queries to determine a user’s profile. If the value<br />
in the Attribute field is a distinguished name, <strong>iPrism</strong> will perform<br />
a second query, searching for the SubQuery attribute. This allows<br />
the ability to use groups to define profiles, so you will not have to<br />
reconfigure individual users. For example:<br />
Query for user returns<br />
the values<br />
memberOf = <br />
memberOf = <br />
154<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Choosing an Authentication Mechanism<br />
The <strong>iPrism</strong> LDAP client will then query each ‘memberOf’<br />
group until it finds a valid attribute. Since there is no mapping yet,<br />
the first valid attribute is used.<br />
<strong>iPrism</strong> can also just retrieve a single attribute to use as the name of<br />
an access profile on <strong>iPrism</strong>. This will then be associated with the<br />
user for access privileges. If you want to use this feature,<br />
configure your LDAP server to provide such information under a<br />
specific attribute name, and list that name in the Attribute field.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
155
Users and Authentication<br />
If a SubQuery Attribute is defined, <strong>iPrism</strong> will proceed as<br />
follows:<br />
• Authenticate the user using provided credentials<br />
• Look up the value of the (primary) attribute for the user<br />
• If the attribute is a DN, look up this DN<br />
• Search for the secondary (SubQuery) attribute of this DN<br />
• Use the value of the secondary attribute as the <strong>iPrism</strong> filtering<br />
profile name<br />
Note: For multi-valued attributes, the first valid (meaning the<br />
value maps to an existing <strong>iPrism</strong> profile) match will be used.<br />
• Use Legacy Profile Resolution: When un-checked, it enables<br />
LDAP group-to-profile mapping via the Profile Mapping tab.<br />
When checked, it disables access to the Profile Mapping tab,<br />
implying you wish to use an pre-existing LDAP configuration as<br />
is.<br />
Note: This method is no longer recommended, but is supported<br />
for users with <strong>iPrism</strong> prior to version 5.0.<br />
• Encryption Type. This dropdown menu supports secure<br />
connectivity and contains the values of none (default), SSL, and<br />
TLS. SSL (Secure Sockets Layer) and TLS (Transport Layer<br />
Services) enable encrypted traffic between <strong>iPrism</strong> and eDirectory<br />
for improved security. When selecting SSL, change the port to<br />
636.<br />
4. When you have finished configuring the LDAP server, click Test to test<br />
LDAP server connectivity. Once connected, an LDAP bind attempt<br />
using administrative credentials is made to configure the base. If either<br />
the primary server or backup server test is successful, a notice indicating<br />
that the test was successful is displayed. If the server test is successful,<br />
the backup server is not tested. If the server fails, then the backup server<br />
is tested. If there is an error with the connection or binding, a notice indicating<br />
at which point in the test failed is displayed.<br />
5. To test the Backup Server and Backup Server Port, enter incorrect<br />
Server and Port information and click Test. When the server test fails<br />
due to the incorrect information, the backup server is tested. The connect<br />
156<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Choosing an Authentication Mechanism<br />
and bind process described above for the server test is attempted for the<br />
backup server and the appropriate success or error notice is displayed.<br />
Configuration example (using NT Active Directory)<br />
User John:<br />
DN = samaccountname=John, dc=company, dc=com<br />
email = John@company.com<br />
location = San Diego<br />
memberOf = cn=group1, dc=company, dc=com<br />
memberOf = cn=group2, dc=company, dc=com<br />
Group1<br />
DN = cn=group1, dc=company, dc=com<br />
attr1 = value1.1<br />
attr2 = value2.1<br />
Group2<br />
DN = cn=group2, dc=company, dc=com<br />
attr1 = value1.2<br />
attr2 = value2.2<br />
iprism = BlockOffensive<br />
Group3<br />
DN = cn=group3, dc=company, dc=com<br />
attr1 = value1.3<br />
attr2 = value2.3<br />
iprism = undefined_value<br />
<strong>iPrism</strong> configuration :<br />
Attribute = memberOf<br />
SubQuery attribute = iprism<br />
Profiles = BlockOffensive, Pass All,<br />
MonitorOffensive<br />
Notes:<br />
When John tries to<br />
authenticate, <strong>iPrism</strong> will lookup<br />
the group’s ‘memberOf’<br />
attribute attached to John's<br />
user settings.<br />
John is a member of group1<br />
and group2. <strong>iPrism</strong> will first<br />
look up group1 and search for<br />
the 'iprism' attribute; there is no<br />
such attribute in group1 so<br />
<strong>iPrism</strong> will move on to group2<br />
and find the value<br />
BlockOffensive, which is used<br />
as John's profile.<br />
Group3's ‘iprism’ attribute is<br />
not valid because the value<br />
does not correspond to a<br />
profile on <strong>iPrism</strong>; it would be<br />
skipped.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
157
Users and Authentication<br />
Troubleshooting LDAP Authentication<br />
To start the LDAP diagnostic utility from the Appliance Manager, start the<br />
System Diagnostics tool and select the LDAP tab.<br />
To test authentication:<br />
FIGURE 61. LDAP Diagnostics<br />
1. Type a user name in the Username field and a password in the Password<br />
field.<br />
2. Click Test to test authentication<br />
158<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Choosing an Authentication Mechanism<br />
How Profiles are Assigned<br />
When users on your network authenticate through a LDAP authentication<br />
server, you can configure <strong>iPrism</strong> to access user information directly from<br />
the LDAP domain controllers. After authenticating, <strong>iPrism</strong> can obtain group<br />
assignments, and each of these groups can be mapped directly to an <strong>iPrism</strong><br />
profile. The group mapping for profiles is done from the Profile Mappings<br />
tab (page 170), and the mapping for assigning <strong>iPrism</strong> administrator<br />
privileges is done from the Privilege Mappings tab (page 174) in the Users<br />
section.<br />
Communicating with a<br />
Microsoft Windows Authentication<br />
Server (NTLM)<br />
The Microsoft Windows authentication feature lets <strong>iPrism</strong> access Microsoft<br />
Windows users information directly from one or more Microsoft Windows<br />
domain controllers. This allows <strong>iPrism</strong> to seamlessly authenticate Microsoft<br />
users and obtain Microsoft group assignments. With this information,<br />
<strong>iPrism</strong> can control and/or monitor user access to the Internet. <strong>iPrism</strong><br />
provides a simple mapping scheme in which Microsoft Windows groups are<br />
associated with <strong>iPrism</strong> access profiles and administrative privileges. This<br />
allows for extremely detailed control of externally authenticated users.<br />
Configuring Microsoft Windows authentication on <strong>iPrism</strong> requires only a<br />
few steps. In fact, depending on the complexity of your Microsoft Windows<br />
environment, and the granularity with which you want to control/monitor<br />
users, it can be extremely easy. The next few sections will show you how to<br />
join <strong>iPrism</strong> to your Microsoft Windows Domain and map Microsoft groups<br />
to <strong>iPrism</strong>’s profiles and administrator privileges.<br />
1. Join <strong>iPrism</strong> to a Microsoft Windows Domain<br />
Joining <strong>iPrism</strong> to a Microsoft Windows domain requires configuring a small<br />
number of Microsoft Windows parameters, such as the domain name and<br />
the WINS server addresses, if needed. After you have supplied sufficient<br />
Microsoft Windows administration credentials, clicking Join will create a<br />
Microsoft Windows account for <strong>iPrism</strong>. It is under this account that <strong>iPrism</strong><br />
will securely communicate with the domain controllers.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
159
Users and Authentication<br />
1. Start the <strong>iPrism</strong> System Configuration tool, select the Users section and<br />
click the Windows tab (see Figure 62).<br />
Note: The Windows tab is where <strong>iPrism</strong> is told how to participate in the<br />
Microsoft Windows domain. Outside of establishing a “machine<br />
account” on the domain, <strong>iPrism</strong> acts strictly as an authentication client,<br />
querying for user and group memberships.<br />
2. Select Enable Windows Authentication. When selected, all items<br />
related to Windows authentication can be modified.<br />
160<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Choosing an Authentication Mechanism<br />
FIGURE 62. Joining <strong>iPrism</strong> to an Microsoft Windows Domain<br />
3. Select either NT4 Domain authentication system or one which uses<br />
Active Directory.<br />
• If you choose to use a NT4 Domain authentication system, type the<br />
name of the NT domain in which <strong>iPrism</strong> will participate in the NT4<br />
Domain field. This entry should be a single domain name.<br />
Note: All NT “trust” domains associated with the NT domain listed<br />
here will be detected and provided as selectable domains in all <strong>iPrism</strong><br />
authentication screens. All NT groups from this domain and the<br />
trusted domains will be available for mapping to access profiles and<br />
administrator privileges.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
161
Users and Authentication<br />
• If you choose Active Directory, type the name of the Active<br />
Directory Server.<br />
4. In the Machine Account field, specify a unique machine account name<br />
for <strong>iPrism</strong>. (<strong>iPrism</strong> must establish a machine account on the NT domain.)<br />
Note: The account will be created with this name and should be defined<br />
so as to not conflict with other machine accounts on the domain. This<br />
new account must remain, as created by the Join operation, for the duration<br />
of <strong>iPrism</strong>’s participation within the domain. If the account is accidentally<br />
removed from the NT server, the Join procedure must be<br />
repeated again.<br />
5. In the NT Admin Name and NT Admin Password fields, type the user<br />
name and password of the Windows administrator account that will be<br />
used for the Join operation. The user should have the authority to perform<br />
the Join operation.<br />
6. If you intend to use Auto-Login, then you must specify a redirect<br />
method. This defines how <strong>iPrism</strong> will verify that users are logged in to a<br />
trusted domain. Select the desired method from the Auto-Login redirection<br />
settings frame (only pertains to Bridge (Transparent) Mode Auto-<br />
Login).<br />
• IP Address: (default) To use this method, the IP address of<br />
<strong>iPrism</strong> (i.e., not the DNS name or WINS name) must be in the<br />
local Intranet zone of the browser. This can be done networkwide<br />
by configuring the domain controller, or by manually configuring<br />
each workstation.<br />
• DNS: To use this method, the browser must be able to resolve<br />
<strong>iPrism</strong>’s host name to an IP address. This can be done networkwide<br />
by configuring your local DNS zone[s] to contain an a<br />
record for <strong>iPrism</strong>.<br />
Note: Depending on the redirection setting you choose, you will need to<br />
configure either your browser/workstation, domain controller, or the<br />
DNS server (as appropriate) to support that choice. If you require more<br />
information about why you would use DNS versus IP address redirections<br />
for Auto-Login, refer to the <strong>iPrism</strong> Auto-Login tech-note on the<br />
<strong>iPrism</strong> support web page:<br />
162<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Choosing an Authentication Mechanism<br />
http://www.stbernard.com/products/support/iprism/support_iprism-tnotes.asp<br />
7. Click Join.<br />
Initially, a dialog box will indicate that the Join operation is in progress.<br />
After this dialog box goes away, the status (success or failure) will be<br />
displayed at the bottom of the Join the NT Domain frame.<br />
Once <strong>iPrism</strong> has successfully joined the domain, you are ready to proceed.<br />
Advanced Windows Authentication<br />
Clicking Advanced in the Windows screen (Figure 62) brings up a dialog<br />
which allows you to configure your <strong>iPrism</strong> if you are dealing with a<br />
customized Windows Authentication environment (Figure 63).<br />
FIGURE 63. Advanced Windows Authentication Options<br />
• Specify the IP addresses of the domain controllers you wish to use in<br />
the Domain Controllers field. Multiple IP addresses must be<br />
separated by commas.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
163
Users and Authentication<br />
• If your network is configured to use NetBIOS protocol, check Enable<br />
NetBIOS.<br />
• The LMHosts file provides a mapping between IP address and<br />
NETBIOS computer names for networks without WINS Servers (or<br />
networks with broken WINS Servers). If you have a LMHosts file on<br />
your workstation you can transfer it to the <strong>iPrism</strong> by clicking Import<br />
and selecting the LMHosts file from the window that appears. You<br />
can also edit this file manually by clicking Edit, which brings up an<br />
editing window as shown in Figure 64. Check Enable LMHosts to<br />
use this file.<br />
FIGURE 64. Edit LMHosts<br />
• If you are using WINS services, type the IP addresses of your WINS<br />
servers in the WINS Servers field.<br />
• The Auto-Login Script Generator frame allows the generation of<br />
the logon/logoff scripts for deployment to users. Bridge (transparent)<br />
mode filtering configurations can benefit from client-side logon/<br />
logoff scripts. They support immediate Windows authentication to<br />
164<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Choosing an Authentication Mechanism<br />
<strong>iPrism</strong> when users log on to their workstations. This provides up-front<br />
user identification without requiring web browsing to establish the<br />
authenticated session with <strong>iPrism</strong>, providing timelier authentication<br />
for bridge (transparent) mode users.<br />
For example, a user can be profiled/reported-on by username for an<br />
IM/P2P application without the user browsing the Internet first to<br />
establish an authenticated <strong>iPrism</strong> session. Another benefit is that the<br />
first browsed website may now be an HTTPS (secure) website, which<br />
will be profiled by username, instead of IP address. Basic requirements<br />
for successfully using these scripts are as follows:<br />
• Windows Authentication and Transparent-Mode Auto-Login are<br />
working.<br />
• Transparent Auto-Login Timeout compatibility check.<br />
• Script generation using <strong>iPrism</strong>.<br />
For more information, refer to the Auto-Login tech-note on the <strong>iPrism</strong><br />
support web page:<br />
http://www.stbernard.com/products/support/iprism/support_iprismtnotes.asp<br />
• Select whether to Generate Login Script or Generate Logoff<br />
Script.<br />
• If the Auto-Login redirection setting is configured to resolve<br />
<strong>iPrism</strong>’s IP address using DNS, an <strong>iPrism</strong> DNS Name should be<br />
displayed. If the setting is configured using an IP address, an <strong>iPrism</strong><br />
IP Address should be displayed.<br />
• The <strong>iPrism</strong> Port Number defaults to 80. If you are using a different<br />
port number for HTTP, you may change this value.<br />
• The Script Loop Delay (minutes) determines the frequency of user<br />
authentication by the <strong>iPrism</strong> logon script.<br />
Note: The Script Loop Delay should be less than the value used for<br />
the Fixed Duration Timeout or Inactivity Timeout options for the<br />
Transparent Auto-Login Timeout setting in the Network tab. The<br />
Fixed Hourly style should not be used, as users could generate IM/<br />
P2P traffic without username recognition (See “Using Auto-Login in<br />
Bridge (Transparent) Mode” on page 147.).<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
165
Users and Authentication<br />
• Click Create to generate the Auto-Login Script and a notice appears for<br />
confirmation. Click OK to save the script using the Auto-Login VPSscript<br />
File Location window that follows.<br />
• Click OK in the Advanced window to save these settings or Cancel to<br />
discard them.<br />
Maintaining <strong>iPrism</strong>’s Machine Account<br />
The process of joining a domain (establishing the machine account and<br />
defining the encryption key by which all communications will be encoded)<br />
is a one-time event. Once a client has “joined” the domain, it is not<br />
necessary to rejoin, unless some event occurs on either the domain or the<br />
<strong>iPrism</strong> that causes the shared encryption key to be lost, such as the<br />
following:<br />
• The machine account is deleted from the domain.<br />
• The domain controller encounters a failure in which all machines<br />
must rejoin the domain.<br />
• A replacement <strong>iPrism</strong> is deployed and is configured from scratch.<br />
Debugging Windows Authentication Problems<br />
If you encounter difficulties which prevents users from accessing the<br />
system, launch the System Diagnostics tool from the Appliance Manager.<br />
Click the NTLM tab to bring up the authentication tool (Figure 65).<br />
You can also access additional NTLM diagnostic information from the<br />
Users section’s Profile Mappings tab. Click Policy Test. This tool allows<br />
you to determine what profile will be applied to a user given the current<br />
system configuration.<br />
166<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Choosing an Authentication Mechanism<br />
FIGURE 65. NTLM Diagnostic Tool<br />
To check to if a user can be authenticated, complete the following steps:<br />
1. Type the user name in the Username field and the password in the Password<br />
field.<br />
2. Select the correct domain name from the Domain list.<br />
3. Click Auth and the system will attempt to validate the user. The results<br />
will be displayed in the large text field below the blanks.<br />
To run a report on which groups a user belongs to, complete the following<br />
steps:<br />
1. Click User.<br />
2. Type the username in the Username field.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
167
Users and Authentication<br />
3. Select the correct Domain and click User. A list of groups to which this<br />
user belongs appears in the large text field.<br />
The Domain button lists the trusted domains.<br />
The Secret button checks if the shared secret used by <strong>iPrism</strong> to authenticate<br />
to the domain controller is valid.<br />
Step 2: How Profiles are Assigned<br />
When users on your network authenticate through a Microsoft Windows<br />
authentication server, you can configure <strong>iPrism</strong> to access user information<br />
directly from the Windows domain controllers. After authenticating, <strong>iPrism</strong><br />
can obtain group assignments, and each of these groups can be mapped<br />
directly to an <strong>iPrism</strong> profile. The group mapping for profiles is done from<br />
the Profile Mappings tab (page 170), and the mapping for assigning <strong>iPrism</strong><br />
administrator privileges is done from the Privilege Mappings tab<br />
(page 174) in the Users section.<br />
Mapping Groups to <strong>iPrism</strong> Resources<br />
Once <strong>iPrism</strong> has successfully joined the domain, you will need to map the<br />
user groups to <strong>iPrism</strong>’s access profiles and administrator privileges. Users<br />
who have been authenticated from a domain controller must be associated<br />
with an <strong>iPrism</strong> access profile. This is accomplished on the Profile<br />
Mappings and Privilege Mappings tabs in the Users section. The strategy<br />
for both configuration screens is the same, namely to map user groups. This<br />
means that all users who are members of a particular user group can be<br />
mapped to a particular <strong>iPrism</strong> access profile or administrator privilege.<br />
Before doing any mapping, you should review the following guidelines.<br />
Rules and <strong>Guide</strong>lines for Group Mapping<br />
Users on <strong>iPrism</strong> are controlled based on their group memberships. This is<br />
accomplished by mapping a group to an <strong>iPrism</strong> resource; in this case, an<br />
access profile via the Profile Mappings tab. User groups (fully qualified<br />
with the DOMAIN\groupname notation) are mapped to <strong>iPrism</strong> access<br />
profiles.<br />
Notes:<br />
168<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Choosing an Authentication Mechanism<br />
• It is very important to recognize that this particular list editor is<br />
ordered.<br />
• LDAP mapping profiles use Attributes and Subquery Attributes,<br />
rather than the DOMAIN\groupname notation.<br />
When mapping groups to profiles, the following principles should be kept<br />
in mind:<br />
• As <strong>iPrism</strong> is determining a user’s profile, a top-to-bottom search is<br />
performed on the list, with the default assignment applied last (if no<br />
match is found).<br />
• For the first group on the list in which the user is a member, the<br />
corresponding profile for that map item is associated with the user.<br />
<strong>iPrism</strong> then uses this profile to define this user’s access to <strong>iPrism</strong>.<br />
• If the user is not a member of any group mappings on the list, the user<br />
is associated with the Web Fallback and IM/P2P Fallback profiles.<br />
• Whatever defines the group (DOMAIN or groupname) can be<br />
wildcarded (replaced with a single asterisk (*)). The asterisk wildcard<br />
means that all domains or all groups are covered by the mapping<br />
entry. An example of this convenience is if you want members of the<br />
‘staff’ group (in any domain) to be mapped to the MonitorAll profile<br />
( [*\staff -> MonitorAll] ).<br />
Likewise, a wildcard can be used in the group position to cover all<br />
groups within a particular domain (e.g., [DOMAIN\* -><br />
BlockOffensive] ).<br />
• The Web Fallback and IM/P2P Fallback profiles are checked last and<br />
have the implied [*\* -> default profile] map.<br />
The default profile should be carefully assigned, since any user who<br />
is not a member of one of the group mappings will be associated with<br />
this profile. A common strategy is to plan that most users will obtain<br />
the default profile, and use explicit mappings on the list for<br />
exceptions.<br />
Note: Since *\* is implicitly mapped to the default profile, explicitly<br />
mapping *\* on the list is not allowed.<br />
In summary, an effective way to view mappings is to set the default profile<br />
as what most users will be controlled by. Exceptions to the default profile<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
169
Users and Authentication<br />
can be configured via mappings, with the most specific exceptions to be<br />
ordered at the top.<br />
Step 1: Mapping Groups to Profiles<br />
Once <strong>iPrism</strong> has successfully joined the domain, you can start mapping the<br />
user groups to <strong>iPrism</strong>’s profiles and an administrative privilege.<br />
Notes:<br />
• The Profile Mappings tab is used to map groups from either Windows or<br />
LDAP authentication. Depending on this authentication type, the panels<br />
will appear differently. This section describes Windows profile mapping<br />
and highlights the differences for LDAP profile mapping.<br />
• You cannot perform LDAP profile mapping if Use Legacy Profile Resolution<br />
is checked in the LDAP tab.<br />
1. From the <strong>iPrism</strong> System Configuration tool, select the Users section,<br />
then the Profile Mappings tab.<br />
The Windows Group to Profile map list at the top of this tab shows<br />
your existing map entries, if any (see Figure 68).<br />
Note: When LDAP profile mapping, the LDAP Attribute to Profile<br />
map list appears instead.<br />
2. To add a new group/profile map, click Add. To delete a group/profile<br />
map, select the map from the list, then click Delete.<br />
3. Click View All to view profile mappings, overrides and email alerts.<br />
4. To perform a check on all mapped groups to determine if any do not<br />
exist in your directory, click Group Check.<br />
5. To check what profile a user will get given the last saved policy configuration,<br />
click Policy Test. This will bring up the Policy Tester tool, which<br />
allows you to enter a username, password, domain and IP Address. Click<br />
Test to show the profile that will be applied to the user.<br />
Note: If you made policy changes in the same session, you need to Save<br />
and Exit to save your changes, then log back in to test your policy. 3<br />
170<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Choosing an Authentication Mechanism<br />
FIGURE 66. Policy Tester window<br />
6. To get a summary view of the policy, click View All. A browser window<br />
opens where you can print your policy from. If you are using partitions,<br />
the group mapping for all partitions also displays.<br />
7. In the Domain dropdown list, select the domain that includes the group<br />
you want to map. This dropdown list includes the main domain, all<br />
trusted domains, plus the wildcard (*) option. This combines with the<br />
Group (see next step) to fully define the user group.<br />
Note: When LDAP profile mapping, the Domain and Group fields are<br />
replaced by a single field containing the Attribute and Subquery Attribute<br />
defined in the LDAP tab. You can manually enter a value, or to<br />
view and select available attribute values on the current session’s LDAP<br />
server, click Select. The LDAP Attribute Selector window (Figure 67)<br />
is displayed. Select an attribute from the list, then click Apply to popu-<br />
3. If you have unchecked “Close Manager after launching appliance tool” in your Appliance<br />
Manager Options, you will not need to log back in to test your policy.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
171
Users and Authentication<br />
late the field. If desired, click Refresh to redisplay/refresh the list. Otherwise,<br />
click Cancel to exit the window with no action.<br />
FIGURE 67. LDAP Attribute Selector window<br />
8. In the Group field, type the group name that you want to map in this<br />
field.<br />
Note: The domain comes from the Domain field; do not enter the<br />
domain here.<br />
172<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Choosing an Authentication Mechanism<br />
FIGURE 68. Mapping Groups to Profiles<br />
9. In the Web Access Profile dropdown list, select the <strong>iPrism</strong> web profile<br />
that you want to associate with the users in the specified domain\group.<br />
Click View to view a profile’s configuration.<br />
10. In the IM/P2P Access Profile dropdown list, select the <strong>iPrism</strong> IM/P2P<br />
profile that you want to associate with the users in the specified<br />
domain\group. Click View to view a profile’s configuration.<br />
11. Click OK. The new Group-to-Profile map item is added to the list.<br />
Note: As a group-to-profile mapping is added to the list, a verification is<br />
made to the domain controller to ensure that the defined group really<br />
exists. A warning dialog will be presented when the group cannot be<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
173
Users and Authentication<br />
resolved on the domain. You can run this verification at any time by<br />
clicking Group Check.<br />
12. In the Web Fallback Profile dropdown list, select a default web profile<br />
that will apply to all members who are not part of a designated group.<br />
Note: On this list, the Use Network option will assign a profile according<br />
to the user’s IP address (network), as specified in the Access section’s<br />
Networks tab.<br />
13. In the IM/P2P Fallback Profile dropdown list, select a default IM/P2P<br />
profile that will apply to all members who are not part of a designated<br />
group.<br />
Note: On this list, the Use Network option will assign a profile according<br />
to the user’s IP address (network), as specified in the Access section’s<br />
Networks tab.<br />
14. Repeat this process to add additional mappings. Otherwise, save the settings<br />
by selecting Exit, then Save & Exit.<br />
Sorting and Editing Map List Items<br />
Items on the Group to Profile map list can be reordered by selecting an<br />
item, and clicking the arrows on the right side of the list to move it up or<br />
down. An attempt is made to identify incorrect ordering in which a<br />
wildcarded mapping overrides an item lower on the list. A mapping such as<br />
this means that the lower item will never be reached; a message will appear<br />
at the bottom of the tab area when incorrect ordering exists.<br />
To edit an item on the list, select the list item and make the desired changes<br />
to the Domain, Group, or Access Profile fields. Click OK to save the<br />
revised settings.<br />
To remove an item from the list, select the list item and click Delete.<br />
Step 2: Mapping Groups to Privileges<br />
This process is very much the same as the previous procedure for mapping<br />
profiles. The difference is that Profile Mappings can only View existing<br />
profiles, while Privilege Mappings provides the capability to Edit/Add the<br />
privileges.<br />
174<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Choosing an Authentication Mechanism<br />
When mapping groups to privileges, be aware that only the <strong>iPrism</strong> account<br />
will gain access to the Configuration tool; Full Access will not work.<br />
1. From the Configuration interface, select the Users section, then the<br />
Privilege Mappings tab.<br />
The list at the top of this tab shows your existing map entries, if any.(See<br />
Figure 69 on page 176)<br />
2. To add a new group/privilege map, click Add. To delete a group/privilege<br />
map, select the map from the list, then click Delete.<br />
3. In the Domain dropdown list, select the domain that includes the group<br />
you want to map. This dropdown list includes the main domain, all<br />
trusted domains, plus the * wildcard option. (This combines with Group<br />
(see next step) to fully define the group.)<br />
4. In the Group field, type the group name that you want to map in this<br />
field.<br />
Note: The domain comes from the Domain field; do not enter the<br />
domain here.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
175
Users and Authentication<br />
FIGURE 69. Configuring User Privileges<br />
5. In the Admin Privilege dropdown list, select the <strong>iPrism</strong> privilege level<br />
that you want to assign to the users in the specified group.<br />
6. Click Edit/Add to add or edit a new a administrative privilege. See<br />
“Editing Administrative Privileges” on page 135 for more information.<br />
7. Click OK. The new Group-to-Profile map item is added to the list.<br />
Note: As a group-to-profile mapping is added to the list, a verification is<br />
made to the domain controller to ensure that the defined group really<br />
exists. A warning dialog will be presented when the group cannot be<br />
resolved on the domain. You can run this verification at any time by<br />
clicking Group Check.<br />
176<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Authentication from the User’s Perspective<br />
8. In the Fallback Privilege dropdown list, select a default administrator<br />
privilege. This will apply to all members who are not part of a designated<br />
group.<br />
9. Repeat this process to add additional mappings. Otherwise, save the settings<br />
by selecting Exit, then Save & Exit.<br />
10. The final step in configuring <strong>iPrism</strong> to communicate with y our Microsoft<br />
Windows or LDAP authentication server is to choose the form of<br />
authentication you want to use (proxy mode/bridge (transparent) mode).<br />
This will enable <strong>iPrism</strong>’s authentication features. See “Choosing an<br />
Authentication Mechanism” on page 142 for more information.<br />
Authentication from the User’s Perspective<br />
When a user first accesses the Internet, s/he will be authenticated. If Auto-<br />
Login is enabled and functioning, this will be transparent to him/her.<br />
Otherwise s/he will see a Network Password dialog box (Figure 70) or a<br />
web-based login page (Figure 71).<br />
The user must enter their username and password to be allowed onto the<br />
network.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
177
Users and Authentication<br />
FIGURE 70. Browser-Based Login<br />
178<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Authentication from the User’s Perspective<br />
FIGURE 71. Transparent Authentication Login<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
179
Users and Authentication<br />
Logging in and out using the web interface<br />
When the user is presented with a web based login page (Figure 72), s/he<br />
should bookmark this page because it contains a link to the logout page.<br />
(Figure 72). If the user is on a shared computer, s/he should logout when s/<br />
he is finished. If s/he does not, the next person who uses the machine will be<br />
able to access the Internet using his/her profile.<br />
Note: The logout page can be accessed directly through the url: http://<br />
/logout. Where is the IP address of the<br />
<strong>iPrism</strong> system.<br />
Even if a user fails to logout, the system will automatically log him/her out<br />
based on the time entered in the Timeout field.<br />
Note: You can only change the Timeout field to a value less than the default<br />
specified by the administrator.<br />
180<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Authentication from the User’s Perspective<br />
FIGURE 72. <strong>iPrism</strong> Logout Page<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
181
Users and Authentication<br />
182<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Chapter 7<br />
Email Alerts<br />
<strong>iPrism</strong> includes a powerful feature called “Email Alerts” to keep you aware<br />
of specific Internet-related events. Email Alerts work by sending an email<br />
notification to the <strong>iPrism</strong> administrator each time a certain type of event<br />
occurs, or a certain threshold of activity is exceeded. Email Alerts are useful<br />
when the ACLs are configured to monitor activity, rather than blocking it,<br />
such as the following activities:<br />
• You want to be immediately notified every time a particular employee<br />
surfs for more than 2MB of material from the job/employment search<br />
category in any 1-hour timeframe.<br />
• You want to be immediately notified whenever any workstation whose<br />
profile monitors pornographic material attempts to surf to more than 10<br />
web pages with pornographic content within 10 minutes.<br />
• You want to receive an email when the combined bandwidth from all<br />
workstations within a low-priority Internet lab exceeds 100MB during<br />
any 30-minute period.<br />
Once created, email alerts can be turned on and off as desired, so you can<br />
control when you are notified of events.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
183
Email Alerts<br />
Creating and Configuring an Email Alert<br />
1. Start the <strong>iPrism</strong> System Configuration tool.<br />
2. Select the Reports section and select the Email Alerts tab (see Figure<br />
73).<br />
The first time you use this feature, the details of a email alert named<br />
“Example” display in the Email Alerts List frame. This alert is included<br />
with <strong>iPrism</strong> to demonstrate the feature.<br />
FIGURE 73. Email Alerts Tab<br />
3. In the Email Alerts List frame, click Add.<br />
4. In the Type frame, select whose activity you want to monitor:<br />
184<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
• Any: The access of any user (or from any workstation) will be<br />
considered when determining if alert conditions are met.<br />
• User: Only the specified user will be tracked for alert consideration.<br />
Enter the user’s <strong>iPrism</strong> username or the workstation’s IP address in<br />
the associated field.<br />
• Profile: Only users monitored by the profile selected from the<br />
dropdown list will be considered.<br />
• IP Range: Only workstations that have an IP address within the<br />
specified IP range will be monitored for alert events. To track a single<br />
workstation, type the workstation’s IP address in both the IP Start<br />
and IP End fields.<br />
5. In the Watch frame, select which parameter should be watched and<br />
specify the threshold of activity that will cause an email alert to be sent.<br />
• Threshold: This is always an integer value and can represent<br />
kilobytes, pages, hits, or time spent, depending on what you select in<br />
the Data field below.<br />
• Data: This defines what parameter goes with the Threshold value<br />
you entered above. To aid in the understanding of these parameters,<br />
the following descriptions tell you what would happen with the<br />
Threshold value set to “10”.<br />
• Bandwidth (KB): An email alert will be sent every time 10 kilobytes<br />
of data is accessed by those defined in the Type frame<br />
within the time range specified in the Time span field.<br />
• Pages: An email alert will be sent every time 10 pages are<br />
accessed by those defined in the Type frame within any time<br />
span. A page is defined as an HTML access with a MIME content<br />
type of text/*. This includes blocked attempts as well.<br />
• Hits: An email alert will be sent every time 10 web accesses of<br />
any content type are accessed by those defined in the Type frame<br />
within any time span. Generally, Pages are a more useful selection<br />
type than Hits, since Hits will track data for every access<br />
(images, etc.), even though they all fall within a single page.<br />
Session Duration (minutes). An email alert will be sent after the<br />
user(s) specified in the Type frame have spent more than 10 minutes<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
185
Email Alerts<br />
within any time span. Since it is impossible for computer software<br />
alone to track exactly how long someone spends browsing at a<br />
particular site, real-world usage heuristics have been used to<br />
approximate the time spent browsing.<br />
• Time span. This is the duration over which the email alert tracker<br />
counts access information. Anytime the number of counts exceeds the<br />
threshold value within this time span, an email alert is sent.<br />
• Grouped. Instead of tracking information for individual users or<br />
workstations (as defined in Type), checking this option will set<br />
<strong>iPrism</strong> to track the accesses of all members within the group as<br />
defined by Type (e.g., “Any”, “IP Range”, etc.). For example, when<br />
the Type is set to “Any” and Grouped is enabled, <strong>iPrism</strong> will<br />
combine all User, Profile and IP Range accesses into a single email<br />
alert. Collectively, these accesses will trigger the alert according to<br />
the Watch settings.<br />
Note: This selection will have no effect if selected Type is User, or if<br />
the IP Range specifies a single workstation.<br />
6. (Optional) In the Categories frame, you can narrow the scope of the<br />
alert event even further by requiring that the web accesses be to sites that<br />
belong to one of the categories you specify here.<br />
To select (or deselect) categories, click Set to open the Email Alerts-Category<br />
List window and select the desired categories. When finished,<br />
click OK to close this window.<br />
7. In the Adding Email Alerts frame, enter a descriptive name for this alert<br />
in the Name field.<br />
8. If you want this email alert to be disabled (i.e., inactive) for now, check<br />
Disabled.<br />
9. In the Recipient box, type the email address of the person to whom<br />
email alert notifications should be sent.<br />
Note: Generally, the email generated by an email alert is sent at the same<br />
exact time that the specified threshold is exceeded. But occasionally<br />
186<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
(under heavy load), the email delivery can be delayed for as long as 5<br />
minutes.<br />
10. Click OK. The new email alert item is added to the dropdown list in the<br />
Email Alerts List frame.<br />
Editing an Email Alert<br />
1. Start the <strong>iPrism</strong> System Configuration tool.<br />
2. Select the Reports section, then the Email Alerts tab (see Figure 73).<br />
3. In the Email Alerts List frame, select the alert item you want to edit<br />
from the dropdown list. (If the list is grayed out, click OK or Cancel at<br />
the bottom of the tab to close the current editing session.)<br />
4. Make the desired changes to the information in the Editing frame. (For<br />
descriptions of each field, see “Creating and Configuring an Email<br />
Alert” on page 184)<br />
Note: If you change the name of the email alert, a new alert will not be<br />
created. It will overwrite the current email alert.<br />
5. Click OK. The changes are now saved to this email alert.<br />
Deleting an Email Alert<br />
If you no longer require the service of an email alert, you can remove it<br />
from the system.<br />
1. Start the <strong>iPrism</strong> System Configuration tool.<br />
2. Select the Reports section , then the Email Alerts tab (see Figure 73 on<br />
page 184).<br />
3. In the Email Alerts List frame, select the alert item that you want to<br />
delete from the dropdown list. (If the list is grayed out, click OK or Cancel<br />
at the bottom of the tab to close the current editing session.)<br />
4. Click Delete.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
187
Email Alerts<br />
The Email Alert is removed from the list.<br />
188<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Accessing <strong>iPrism</strong>’s Network Settings<br />
Chapter 8<br />
Network<br />
Management<br />
This chapter describes how to change <strong>iPrism</strong>’s network settings. This may<br />
be necessary if you make changes to your network environment, or if you<br />
change <strong>iPrism</strong>’s network topology. The parameters you can change include<br />
<strong>iPrism</strong>’s host name, IP address(es), interface settings, its designated name<br />
server, its default route (gateway), and more.<br />
Accessing <strong>iPrism</strong>’s Network Settings<br />
1. Start the <strong>iPrism</strong> System Configuration tool.<br />
2. Select the System section and click the Networking tab. (See Figure 74<br />
on page 190)<br />
The Networking tab is where you can change <strong>iPrism</strong>’s identity, interface<br />
settings, name server, and routing settings.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
189
Network Management<br />
FIGURE 74. Networking tab in the System section<br />
If at any point you want to restore your network settings to what they<br />
were before you made changes, click Reset.<br />
3. When you have finished making changes in the Networking tab, you<br />
must save your <strong>iPrism</strong> configuration. Click Exit, then Save & Exit.<br />
Changing <strong>iPrism</strong>’s Identity (Host Name)<br />
To change <strong>iPrism</strong>’s identity on the network, enter the new <strong>iPrism</strong> host name<br />
in the Host Name field, located in the Identity frame. (This should be a<br />
fully qualified standard Internet host name.)<br />
190<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Accessing <strong>iPrism</strong>’s Network Settings<br />
Note: If you use a host name to connect to <strong>iPrism</strong>, be sure to define it within<br />
your name server. Otherwise, you will only be able to access <strong>iPrism</strong> through<br />
the IP address that you assigned to <strong>iPrism</strong>.<br />
Changing Network Interface Settings<br />
<strong>iPrism</strong> supports the following Ethernet Interfaces:<br />
• auto detect<br />
• 10 BaseT/half duplex<br />
• 10 BaseT/full duplex<br />
• 100 BaseTX/half duplex<br />
• 100 BaseTX/full duplex<br />
• disabled (External and Management only)<br />
The MTU blank allows you to change the Maximum Transfer Unit (MTU)<br />
for packets sent by this interface. This parameter should only be set by<br />
network experts doing high performance network tuning.<br />
The <strong>iPrism</strong> system uses the following interfaces:<br />
Internal. This interface is connected to your internal network.<br />
External. In bridge (transparent) mode, this interface is connected to the<br />
Internet. (See “How <strong>iPrism</strong> Fits Into Your Network” on page 5.). In proxy<br />
only mode, this interface is not connected. This interface has the same IP<br />
address as the internal interface. 4 In proxy mode, this interface is not used<br />
and should be disabled.<br />
Management. This interface allows the <strong>iPrism</strong> to be connected to a<br />
separate network for configuration and report traffic. Both E-mail and FTP<br />
transmit data “in the clear”. 5 This means that anyone who has access to your<br />
internal network could use a sniffer to grab this data as it’s being<br />
4. In older versions of <strong>iPrism</strong> you could set the internal and external interfaces to different<br />
IP addresses and run in something called router mode. This mode has been eliminated in<br />
<strong>iPrism</strong> 4.0.<br />
5. The FTP protocol even transmits passwords in the clear.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
191
Network Management<br />
transmitted. This problem can be avoided by connecting the management<br />
interface to a secure (and hopefully sniffer proof) network. Any reports<br />
transmitted to machines on this network will not appear on the internal<br />
network. Configuration done by workstations on this network can not be<br />
seen by anyone on the internal network.<br />
Enabling the Co-Management Network<br />
The ability to access <strong>iPrism</strong>’s configuration software is normally disabled<br />
for addresses located on the external interface of <strong>iPrism</strong>. To enable this<br />
ability, you can define a co-management network.<br />
Note: Defining a co-management network does not affect the<br />
ability to access the configuration software from <strong>iPrism</strong>’s internal<br />
interface.<br />
To define an IP range on the co-management network:<br />
1. Start the <strong>iPrism</strong> System Configuration tool. Select the System section<br />
and click the Preferences tab (see Figure 75).<br />
192<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Accessing <strong>iPrism</strong>’s Network Settings<br />
FIGURE 75. System Preferences<br />
2. In the Co-Management Network frame, use the IP Start and IP End<br />
fields to define the range of IP addresses. Only workstations in this range<br />
will be able to configure <strong>iPrism</strong> via the External interface.<br />
3. Select Exit, then Save & Exit.<br />
Changing the Name Server Configuration<br />
<strong>iPrism</strong>’s Name Server setting is located on the Networking tab.<br />
Note: Although it is possible to run <strong>iPrism</strong> without specifying a name<br />
server, it is not advised. Many of <strong>iPrism</strong> features such as the anti-spoofing<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
193
Network Management<br />
filter depending on being able to contact a name server and will not work if<br />
no DNS server is available.<br />
<strong>iPrism</strong> constantly resolves Internet host names to their IP address, as well as<br />
reverse map IP addresses to their host names. If <strong>iPrism</strong>'s installed<br />
environment allows direct Internet access, it will (by default) use its built-in<br />
name resolver to perform all DNS tasks. However, some installations<br />
require that <strong>iPrism</strong> defer all DNS lookups to another name server, called the<br />
“forwarder” name server. In these cases, you’ll need to designate the IP<br />
address of this forwarder name server.<br />
If the specified name server is not available the <strong>iPrism</strong> will attempt to<br />
resolve name through a root name server if the DNS Fallback to Root<br />
option is checked.<br />
Changing the Name Server<br />
To change the name server, enter the IP address of your forwarder name<br />
server in the Forwarder field, located in the Name Server frame. In this<br />
case, <strong>iPrism</strong> will forward all DNS queries to this server.<br />
Note: When using a forwarder, it is highly desirable to use the<br />
same DNS server as used by the workstations. In this way, the<br />
DNS information will be cached when <strong>iPrism</strong> asks for it, reducing<br />
the latency of the request.<br />
Configuring <strong>iPrism</strong> to use its Internal Name Server<br />
To use <strong>iPrism</strong> as a stand alone DNS server, it must be able to issue DNS<br />
queries to the Internet. This requires that <strong>iPrism</strong> be able to access the<br />
Internet for the DNS protocol. In this case, the Forwarder field should be<br />
left empty.<br />
Note: Although <strong>iPrism</strong> ships with an internal DNS server, it is always<br />
preferable (i.e., faster) to use a name server instead.<br />
Using <strong>iPrism</strong> with Multiple Name Servers<br />
It is possible to configure <strong>iPrism</strong> to use up to three parent servers, to ensure<br />
that <strong>iPrism</strong> will always be able to resolve host names to IP addresses (and<br />
vice versa), even if the primary parent server is not available.<br />
194<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Communication with Other IP Networks<br />
To specify multiple parent servers, enter their IP addresses, separated by a<br />
comma, in the Forwarder field. Enter the IP addresses in the order that you<br />
want them to be accessed. For example:<br />
192.168.0.1,192.168.0.2,192.168.0.3<br />
Note: In forwarding mode, <strong>iPrism</strong> is at the mercy of its parent name server.<br />
If the parent server fails (the first server in this list), <strong>iPrism</strong> will not be able<br />
to resolve names and consequently, not operate effectively. <strong>iPrism</strong> will not<br />
keep hunting for an answer when configured with multiple name servers.<br />
Changing <strong>iPrism</strong>’s Default Route<br />
The <strong>iPrism</strong> system must have a default route set. In more complex situations<br />
you may need to set static routes as well.<br />
To edit <strong>iPrism</strong>’s default route, enter the desired IP address in the Default<br />
Route field, located in the Routing frame.<br />
Communication with Other IP Networks<br />
The <strong>iPrism</strong> system may be required to communicate with other networks in<br />
order to service the clients located there. This section shows you how to<br />
establish static routes to such networks and enable the Routing Information<br />
Protocol (RIP) to keep <strong>iPrism</strong> current with changes on the network.<br />
About Static Routes<br />
<strong>iPrism</strong> is a network appliance, and as such, must know how to exchange<br />
packets with workstations and servers at your organization, as well as<br />
servers on the Internet. By default, <strong>iPrism</strong> monitors workstations and<br />
servers that are attached to the same IP network. However, if you want<br />
<strong>iPrism</strong> to communicate with workstations on other IP networks, you must<br />
define “static routes” to these networks so <strong>iPrism</strong> can access them. In other<br />
words, if you have a local network that is not reachable via the default route,<br />
then you must provide <strong>iPrism</strong> with information about how to access this<br />
network.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
195
Network Management<br />
Enabling RIP Updates in <strong>iPrism</strong><br />
Some routers constantly exchange this type of network information via<br />
Routing Information Protocol (RIP) updates. If your routers support RIP,<br />
you can have <strong>iPrism</strong> listen for these updates.<br />
Note: <strong>iPrism</strong> supports versions 1 and 2 of the RIP protocol.<br />
To enable this functionality in <strong>iPrism</strong>, check the Listen box in the Routing<br />
frame. When <strong>iPrism</strong> is listening to RIP updates, changes to local network<br />
configurations will automatically propagate to <strong>iPrism</strong>.<br />
If using RIP is not an option, you will need to create static routes in order<br />
for <strong>iPrism</strong> to “see” workstations that are on a different IP network.<br />
Adding a Static Route<br />
1. Start the System Configuration tool, select the System section, then click<br />
the Networking tab (see Figure 76).<br />
196<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Communication with Other IP Networks<br />
FIGURE 76. System Networking<br />
2. In the Routing frame, click Advanced. The Static Routes dialog box<br />
opens (see Figure 77 on page 198).<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
197
Network Management<br />
FIGURE 77. Static Routes Dialog Box<br />
3. In the Static Routes dialog box, click Add.<br />
4. To change the range of addresses behind the static route, in the IP field,<br />
type the base IP address of the subnet that lays behind the route.<br />
5. Use your mouse to drag the slider under the Mask control until the<br />
Range field shows the desired mask value. This defines the series of<br />
workstations in the remote location that you want to reach.<br />
6. In the Gateway field, type the IP address of the Internal router/gateway<br />
that connects <strong>iPrism</strong> to the workstations you specified above.<br />
7. Click OK. The new route displays in the Static Routes frame.<br />
8. Repeat this procedure as necessary to create additional static routes in<br />
<strong>iPrism</strong>. When you are finished, click Close.<br />
198<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Configuring SMTP Relay Settings<br />
Editing or Deleting a Static Route<br />
1. In the Routing frame, click Advanced. The Static Routes dialog box<br />
opens (see Figure 77 on page 198).<br />
2. In the Static Routes frame, select the route that you want to edit or<br />
remove.<br />
3. To remove this route, click Delete. Otherwise, make the desired changes<br />
to the IP, Mask, and Route values.<br />
4. Click OK to save the changes.<br />
5. Click Close to close the Static Routes dialog box.<br />
Configuring SMTP Relay Settings<br />
<strong>iPrism</strong> uses the SMTP protocol to perform the following types of<br />
communications:<br />
• reports<br />
• email alerts<br />
• system notifications (upgrades, filter list problems, registration)<br />
• access requests<br />
By default, <strong>iPrism</strong> will perform a DNS (MX record) lookup to deliver these<br />
emails. If <strong>iPrism</strong> is installed in a network where a DNS server is not<br />
available and a SMTP Smarthost is used (for efficiency), its IP address can<br />
be configured here, in the SMTP Relay field.<br />
If a SMTP relay is specified, <strong>iPrism</strong> will delegate the delivery of the email<br />
to the relay and not attempt to directly contact the recipient's mail server.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
199
Network Management<br />
Using a WCCP Router with <strong>iPrism</strong><br />
<strong>iPrism</strong> supports the WCCP v1 protocol providing all the advantages of<br />
<strong>iPrism</strong>’s transparent mode. WCCP provides fault tolerance by automatic<br />
detection and re-routing to eliminate network downtime in the event that<br />
<strong>iPrism</strong> is turned off, disconnected, or a system failure occurs.<br />
The configuration is straightforward and involves deploying <strong>iPrism</strong> V3.200<br />
or greater and a router which supports WCCP. When the client workstation<br />
generates traffic outbound to web servers on the Internet, the router detects<br />
that it is HTTP traffic (TCP port 80) and diverts that traffic to <strong>iPrism</strong> using a<br />
GRE tunnel. <strong>iPrism</strong> then makes the request to the server on behalf of the<br />
client, and responds directly to the client. However, from a client<br />
perspective the response appears to come directly from the origin server, so<br />
the client does not even know it is communicating with <strong>iPrism</strong>.<br />
Note: <strong>iPrism</strong> can be placed on either side of the router.<br />
Configuring WCCP Settings in <strong>iPrism</strong><br />
1. In the System section, click the Networking tab.<br />
2. In the WCCP Router field, enter the IP address of the WCCP router.<br />
3. Select Exit, then Save & Exit.<br />
Note: Refer to the Tech Notes section on <strong>iPrism</strong>’s support website for<br />
information on configuring various versions of the WCCP router.<br />
http://www.stbernard.com/products/support/iprism/support_iprism-tnotes.asp<br />
Setting Up a Parent Proxy<br />
Under normal circumstances, <strong>iPrism</strong> contacts remote sites (that aren't<br />
blocked) and retrieves web pages on behalf of the original requester.<br />
However, if you have a local web-caching server, you will want <strong>iPrism</strong> to<br />
make all of its unblocked requests to the caching server, so you can realize<br />
200<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Setting Up a Parent Proxy<br />
the benefits of the caching set up. This is achieved by designating a proxy<br />
parent host and the port on which it communicates.<br />
Notes:<br />
• In many cases, it will be desirable to disable <strong>iPrism</strong>’s DNS functionality<br />
when <strong>iPrism</strong> is using a parent proxy. (See “Changing the Name Server<br />
Configuration” on page 193.)<br />
• The parent proxy feature only works when the users are using the <strong>iPrism</strong><br />
in proxy mode. In other words, they must configure their browsers to use<br />
the <strong>iPrism</strong> as a proxy. The parent proxy setting does not affect transparent<br />
mode.<br />
Setting Up a Parent Proxy<br />
Make sure that <strong>iPrism</strong> is able to connect to the proxy server before<br />
performing this procedure.<br />
1. Start the System Configuration tool.<br />
2. Select the System section and click the Proxy tab (see Figure 78).<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
201
Network Management<br />
FIGURE 78. System Proxy Settings<br />
3. In the Parent Proxy frame, check Slave To.<br />
4. Enter the IP address or host name (e.g. domainname.com) of the parent<br />
proxy server in the text box above the Port field.<br />
Note: It is actually advantageous to use IP addresses instead of host<br />
names. Hostnames will not work if DNS is disabled.<br />
5. In the Port field, enter the port number for the parent proxy.<br />
202<br />
6. In the Direct Connection To field, enter any domains to which direct<br />
(i.e., non-slaved) connections should be made (e.g., anotherdo<strong>iPrism</strong><br />
<strong>Administration</strong> <strong>Guide</strong>
Using a Proxy for Filter and System Updates<br />
main.com). Enter one domain name per line. You may want to use this<br />
for your own domain’s website or for Intranet sites.<br />
7. If you want to completely disable <strong>iPrism</strong>’s DNS functionality, check the<br />
Disable DNS checkbox.<br />
Note: The only time you should disable DNS functionality is when<br />
<strong>iPrism</strong> is configured to use a slave proxy server. Email functionality in<br />
<strong>iPrism</strong> will NOT work if DNS functionality is disabled.<br />
8. To save your new configuration, click Exit, then Save & Exit.<br />
Using a Proxy for Filter and System Updates<br />
You can configure a proxy server to handle <strong>iPrism</strong>’s communications with<br />
St. Bernard Software’s update servers. There are several variations available<br />
depending on whether you are using a parent proxy.<br />
1. Start the System Configuration tool.<br />
2. Select the System section, then the Proxy tab (see Figure 78).<br />
3. In the Filter List / System Update Proxy frame, select the appropriate<br />
radio button option, and configure as necessary.<br />
• None. When you choose this option, <strong>iPrism</strong> can access external<br />
HTTP servers directly and does not use a parent proxy. This is the<br />
default setting.<br />
• Same as parent port. When you choose this option, <strong>iPrism</strong> will use<br />
the parent proxy you configured for all HTTP traffic in the Parent<br />
Proxy frame (if applicable). If you use a parent caching proxy for<br />
HTTP traffic and you want it to also be used for traffic to St. Bernard<br />
Software's upgrade server, select this option.<br />
• Custom. Choose this option if you want the traffic to St. Bernard<br />
Software's servers to use a different proxy. Configure the proxy here,<br />
using the fields in the Settings frame. You will need to indicate the<br />
location of the proxy using the Host and Port fields. You can also<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
203
Network Management<br />
specify a username and a password if the parent proxy requires user<br />
authentication.<br />
4. If you want to change your Proxy settings back to the way they were<br />
before you started editing, click Reset.<br />
5. To save your new configuration, click Exit, then Save & Exit.<br />
Changing <strong>iPrism</strong>’s Port Assignments<br />
Depending on how you deploy <strong>iPrism</strong> in your network, it may be necessary<br />
to change the port setting(s) that <strong>iPrism</strong> uses to listen to proxy requests,<br />
access the configuration program, and proxy to non-standard secure ports.<br />
These settings are made from <strong>iPrism</strong>’s Ports tab, located in the System<br />
section (see Figure 79).<br />
Changing <strong>iPrism</strong>’s Proxy Port<br />
1. Start the System Configuration tool.<br />
2. Select the System section, then the Ports tab (see Figure 79).<br />
204<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Changing <strong>iPrism</strong>’s Port Assignments<br />
FIGURE 79. System Ports Screen<br />
3. In the Ports frame, make the desired changes to the Port settings.<br />
• Proxy Port. The Proxy Port is the TCP port that <strong>iPrism</strong> uses to listen<br />
for proxy requests. In general, you would only want to change this<br />
when you are using <strong>iPrism</strong> as a direct proxy, that is, when the<br />
browsers are configured to use <strong>iPrism</strong> as their proxy. The default<br />
Proxy Port is 3128.<br />
• Configuration Port. The Configuration Port is the port used to<br />
access <strong>iPrism</strong>'s configuration tools. The port can be any value<br />
between 1 and 65,535 but cannot be the same as the Proxy Port.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
205
Network Management<br />
After changing the configuration port, you will be able to access the<br />
<strong>iPrism</strong> configuration tools via your web browser by entering the following<br />
type of URL:<br />
http://[iprism IP address]:[configuration port]<br />
For example: http://iprism.yourdomain.com:8080<br />
Note: When the default port value (80) is used, you do not need<br />
to specify the port value in the URL.<br />
4. Click Exit, then Save & Exit to save your changes.<br />
Transparent Mode Redirected Ports<br />
Redirect ports are ports that <strong>iPrism</strong> will filter in transparent proxy mode. By<br />
default, <strong>iPrism</strong> will only filter port 80 traffic, but more ports can be added<br />
here. Traffic on the ports configured here should be HTTP only.<br />
Adding Other Redirected Ports<br />
1. Start the System Configuration tool.<br />
2. Select the System section, then the Ports tab (see Figure 79).<br />
3. In the Redirected Ports frame, click Add.<br />
4. In the Adding item frame, enter the number of the secured port that you<br />
want to add in the Port field.<br />
5. Click OK.<br />
6. Repeat steps 3 – 5 for each port you want to add.<br />
7. Click Exit, then Save & Exit to save your changes.<br />
Secured Site Access (HTTPs Ports)<br />
HTTPs Ports are used to proxy to non-standard secure ports for HTTPs. By<br />
default, <strong>iPrism</strong> only allows access to secure ports 443 and 563. If you are<br />
206<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Creating Filter Exceptions<br />
running in direct mode and you require access to secured sites on other<br />
ports, you can define them here.<br />
Adding Other Secured Ports<br />
1. Start the System Configuration tool.<br />
2. Select the System section, then the Ports tab (see Figure 79).<br />
3. In the HTTPs Ports frame, click Add.<br />
4. In the Adding item frame, enter the number of the secured port that you<br />
want to add in the Port field.<br />
5. Click OK.<br />
6. Repeat steps 3 – 5 for each port you want to add.<br />
7. Click Exit, then Save & Exit to save your changes.<br />
Creating Filter Exceptions<br />
<strong>iPrism</strong>’s goal on your network is to act as a web filter for access to the<br />
Internet. In fact, this is how it is able to perform its monitoring and blocking<br />
tasks. However, there may be some addresses for which you do not want<br />
<strong>iPrism</strong> to intervene. For example, you may want the <strong>iPrism</strong> to ignore all<br />
requests going between local machines.<br />
Normally your <strong>iPrism</strong> is used to filter traffic going between your internal<br />
network and the Internet. Local traffic is not normally routed through the<br />
<strong>iPrism</strong>. However, you may encounter a situation in which you have to send<br />
some internal traffic through the <strong>iPrism</strong>. Filter exceptions may be used to<br />
accommodate this situation and give you complete access to your internal<br />
network.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
207
Network Management<br />
Note: HTTPS (SSL) traffic on port 443 is now strictly enforced by default.<br />
If you do not use SSL but do use port 443, either change the application port<br />
or create a filter exception for the client/server addresses.<br />
Specifying a Filter Exception<br />
1. From the <strong>iPrism</strong> System Configuration tool, select the Access section,<br />
then the Filter Exceptions tab.<br />
FIGURE 80. Filter Exceptions<br />
2. In the Filter Exception List frame, click Add.<br />
3. In the Name field, type a name for this filtering rule.<br />
208<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Creating Filter Exceptions<br />
4. The filter can be limited to a specific sending set of machines (the<br />
Source IP blanks) and a specific set of receiving machines (the Destination<br />
IP blanks.) Enter a range of IP addresses in the Start and End<br />
blanks for these two types of addresses. If you wish to filter based on<br />
only one IP address, type it in both the Start and End fields.<br />
5. Select the ports you filter in the Ports section. Multiple ports must be<br />
separated by commas. A range of ports can be specified as well (e.g., 80<br />
– 120).<br />
6. The Protocol blanks lets you filter based on whether the protocol is TCP<br />
or UDP. If you select both TCP and UDP all IP protocols will be<br />
blocked including ICMP and others. (At least one must be selected.)<br />
7. The bottom selection list tell the <strong>iPrism</strong> how you want it to treat this traffic:<br />
No Filter: Do not filter this traffic at all.<br />
Block: Block all access for the specified traffic.<br />
No Authentication: Allow access and do not require the user to authenticate<br />
themselves for web based accesses.<br />
NAT (Network Address Translation): This causes the traffic from the<br />
internal network to be transformed so that the IP address of the sender is<br />
replaced by the IP address of the <strong>iPrism</strong>. A reverse translation is done to<br />
any responses coming back. To the workstation on the internal network,<br />
the communications look like normal TCP/IP packets. To the outside<br />
world, they look as they are coming from the <strong>iPrism</strong>. This setting is good<br />
if you wish to hide the IP addresses of your internal workstations from<br />
the Internet.<br />
No Authentication & NAT: Similar to NAT, only no authentication is<br />
required.<br />
8. Select Exit, then Save & Exit to save your changes.<br />
If there is a conflict between the rules, and multiple actions are possible for<br />
a given transaction, the following priority list applies:<br />
1. No Filter<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
209
Network Management<br />
2. Block<br />
3. NAT (Network Address Translation)<br />
4. No Authentication<br />
5. No Authentication & NAT<br />
For example, if one rule tells the system to block port 80 traffic and another<br />
tells it to allow it (No filter), the No Filter exception applies.<br />
Filter rules are displayed in priority order, so the first rule which applies will<br />
be the one that is used.<br />
210<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Chapter 9<br />
Central<br />
Management<br />
<strong>iPrism</strong>’s central management features lets you manage a large set of <strong>iPrism</strong><br />
systems using a single configuration manager. The system works by letting<br />
you designate a single master system and one or more slave systems. Any<br />
configuration changes made to the master system will be automatically<br />
copied by the slaves.<br />
Before You Begin<br />
Prior to setting the Configuration Sharing properties, each <strong>iPrism</strong> (master<br />
and slaves) should be installed using the Installation Wizard, so as to set the<br />
networking parameters and the minimum configurations. Once that is done,<br />
decide which systems should be slaves and which system will be the master.<br />
There are not specific criteria in the choice of the master; however, you<br />
must observe the following guidelines.<br />
• There should be only one master system designated at any given time.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
211
Central Management<br />
• Other systems need to be set as slaves if they want to participate in<br />
the configuration sharing. If you do not want them to participate in<br />
the shared arrangement, you must designate them as standalone units.<br />
• All communications are implemented over the HTTP protocol. This<br />
means that master and slave <strong>iPrism</strong>s should be able to contact<br />
themselves with HTTP in both directions. This may be done using<br />
direct connections or an HTTP proxy. This may impact your IP<br />
filtering configuration if you have a firewall between the master and<br />
the slave systems.<br />
• All communications are encrypted so as not to expose your<br />
configuration to network sniffing.<br />
Note: The master <strong>iPrism</strong> will never try to modify the Networking<br />
configuration of a slave (IP addresses and mask, routes, interface settings)<br />
because these are unique and/or system dependent.<br />
Setting up a Master/Slave Arrangement<br />
There are only two steps to setting up a master/slave arrangement, but you<br />
must proceed in the following order:<br />
1. Designate slave unit(s).<br />
2. Configure the master unit.<br />
Designating Slave Devices<br />
1. Start the <strong>iPrism</strong> System Configuration tool.<br />
2. Select the System section, then the Central Mgmt. tab (see Figure 81).<br />
212<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
FIGURE 81. Central Mgmt. Tab<br />
3. In the Mode Selection frame, open the Mode dropdown list and choose<br />
Slave.<br />
4. Select Exit, then Save & Exit.<br />
5. Repeat this procedure on each <strong>iPrism</strong> unit you want to designate as a<br />
slave.<br />
Configuring the Master <strong>iPrism</strong> Server<br />
1. Start the <strong>iPrism</strong> System Configuration tool.<br />
2. Select the System section, then the Central Mgmt. tab (see Figure 81).<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
213
Central Management<br />
3. In the Mode Selection frame, open the Mode dropdown list and select<br />
Master.<br />
4. In the Connection Timeout field, enter the timeout setting for the Master<br />
<strong>iPrism</strong> unit only. When sharing the configuration data, the connection<br />
timeout is the number of seconds after which the master will fail. The<br />
default is 5 seconds, which is long enough for most networks; however,<br />
you can assign a higher value if there is high latency between the master<br />
and the slaves.<br />
5. In the Password field, type an alphanumeric password to protect the<br />
central management settings for this <strong>iPrism</strong> unit. Reenter the password in<br />
the Password Confirmation field.<br />
Note: The Current Config field is an information-only field, which displays<br />
the current configuration of either the master or of individual<br />
slaves.<br />
6. In the Slave Configuration frame, click Add.<br />
7. In the Adding Item frame, type the IP Address of the first slave device<br />
in the Address field.<br />
8. Click OK to add the IP address to the <strong>iPrism</strong> Systems list.<br />
9. Repeat steps 5-8 to add other slave units, as necessary.<br />
10. Save your settings by selecting Exit, then clicking Save & Exit.<br />
The master <strong>iPrism</strong> will start sharing its configuration with all the slaves.<br />
The configuration is sent by the master each time a configuration change<br />
is made. If a slave can not be reached at this point, the master will retry<br />
periodically (every 15 minutes).<br />
Note: It is also possible to force an immediate update of the slaves by<br />
clicking Force in the Mode Selection frame.<br />
214<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Adding a Slave to a Shared Configuration<br />
1. Install the new <strong>iPrism</strong> system and run its Configuration Wizard.<br />
2. From the master <strong>iPrism</strong> system, open the System Configuration tool,<br />
select the System section, then select the Central Mgmt. tab. and add<br />
the slave's IP address to the list of the existing slaves. (See “Configuring<br />
the Master <strong>iPrism</strong> Server” on page 213).<br />
Removing a Slave from a Shared Configuration<br />
1. Start the <strong>iPrism</strong> System Configuration tool.<br />
2. Select the System section, then the Central Mgmt. tab (see Figure 81).<br />
3. In the Slave Configuration frame, select the IP Address you want to<br />
remove in the <strong>iPrism</strong> Systems list.<br />
4. Click Delete. The IP Address is removed.<br />
Changing the Master <strong>iPrism</strong> Device<br />
Changing which system is your master is a transparent operation. The only<br />
case where this is useful is when the original master will be unavailable for<br />
a long period of time, such as when they are network problems, a hardware<br />
failure, etc.<br />
Note: There is one important criteria to take into account for this operation:<br />
it is important to use a slave with an up-to-date configuration. If you<br />
chose a slave system that was not reachable by the master, the shared<br />
configuration will not be up-to-date. If your <strong>iPrism</strong> detects that another<br />
slave has a more recent configuration, you will be prompted for<br />
confirmation.<br />
1. Choose which slave should become the new master and start its System<br />
Configuration tool.<br />
2. Select the System section, then the Central Mgmt. tab (see Figure 81).<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
215
Central Management<br />
3. In the Mode Selection frame, open the Mode dropdown list and change<br />
the mode from Slave to Master.<br />
4. Select Exit, then Save & Exit to save the configuration.<br />
Forcing Slave Updates<br />
Normally the configuration on the slaves is updated every time a change is<br />
made to the master system. (Remember, changes are only applied after you<br />
exit the configuration tool.) You can update manually by clicking Update<br />
in the Mode Selection frame.<br />
Using Standalone Mode with Configuration Sharing<br />
It is possible to configure a system (master or slave) as a Standalone system<br />
(this is actually the default configuration when Configuration Sharing is not<br />
used). Do this by selecting the System section, then the Central Mgmt. tab;<br />
select Stand Alone from the Mode dropdown list in the Mode Selection<br />
frame.<br />
If you reconfigure your master as a standalone <strong>iPrism</strong>, the slaves will not be<br />
updated until a new master is chosen and configured.<br />
216<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
System Date and Time<br />
Chapter 10<br />
System Settings<br />
This chapter shows you how to change <strong>iPrism</strong>’s internal settings and set<br />
your preferences for common <strong>iPrism</strong> activities. This includes how to change<br />
the system date and time, set your update and backup preferences, enter new<br />
registration information, manage <strong>iPrism</strong> updates (HotFixes), and change the<br />
supervisor password. This also includes instructions on how to reset the<br />
<strong>iPrism</strong> system if you ever need to perform a “clean install”.<br />
System Date and Time<br />
In <strong>iPrism</strong>, you can set the system date and time manually, or configure<br />
<strong>iPrism</strong> to use the Network Time Protocol (NTP).<br />
To Manually Set the Date and Time<br />
1. Start the <strong>iPrism</strong> System Configuration tool.<br />
2. Select the System section and click the Preferences tab (see Figure 82).<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
217
System Settings<br />
FIGURE 82. System Preferences<br />
3. In the Current Date frame, make sure the Use NTP checkbox is not<br />
checked.<br />
4. Click Set. The Date Editor dialog box opens (see Figure 83).<br />
218<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
System Date and Time<br />
FIGURE 83. Date Editor dialog box<br />
5. To change the date, type the current date in the Date field, using the mm/<br />
dd/yyyy format.<br />
6. To change the time, type the current time in the Time field, using<br />
hh:mm:ss format.<br />
<strong>iPrism</strong> uses a 12-hour clock, so you must select AM or PM from the<br />
adjacent dropdown list.<br />
7. In the Time Zone list, select a city that is in your time zone and shares<br />
the same local variations, such as Daylight Savings Time. (This is usually<br />
the city that is closest to you geographically.) This list is alphabetized<br />
by Continent/City.<br />
8. Click Apply to save your changes.<br />
Setting the Date to use the Network Time Protocol<br />
1. Start the <strong>iPrism</strong> System Configuration tool.<br />
2. Select the System section, then the Preferences tab.<br />
3. In the Current Date frame, check Use NTP.<br />
4. Click Set. The NTP server window opens (see Figure 84).<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
219
System Settings<br />
FIGURE 84. Use NTP dialog box<br />
5. In the NTP Server field, type the IP address of the server that handles<br />
NTP requests.<br />
6. Select a city whose time zone matches your own from the Timezone list.<br />
The list is sorted alphabetically by Continent/City.<br />
Note: It is still possible to configure the time zone settings using the<br />
standard zone names (PST, EST, AST, etc.), but by using the time zone<br />
definitions, the administrator can configure <strong>iPrism</strong> based on the local differences.<br />
7. Click Apply.<br />
Bypass Authentication<br />
Some tools, such as Microsoft Windows Update, access the Internet without<br />
authentication. If your <strong>iPrism</strong> is configured to require authentication, then<br />
these tools will no longer work. If you select 3rd Party Software Updates,<br />
then the <strong>iPrism</strong> will allow connections to third party software update sites<br />
(i.e. http://update.microsoft.com) without authentication.<br />
220<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
System Updates<br />
System Updates<br />
<strong>iPrism</strong> automatically checks for updates to its filtering database and system<br />
(software) files once each day. You can disable this function to allow only<br />
manual updates, or specify the time of day when you want <strong>iPrism</strong> to run its<br />
update utility. 6 By default, <strong>iPrism</strong> is set up to automatically check for<br />
system updates in the early morning hours, when network traffic is likely to<br />
be at a minimum. If this is convenient for you, there is no reason to change<br />
the default setting.<br />
Filter List Updates<br />
Filter list updates help to keep your <strong>iPrism</strong>’s URL database current with the<br />
constantly updated iGuard database.<br />
Scheduling Filter List Updates<br />
1. Start the <strong>iPrism</strong> System Configuration tool.<br />
2. Select the System section, then the Preferences tab (sse Figure 85).<br />
6. Disabling automatic updates is not advised. With automatic updates disabled, your system<br />
will not automatically install critical HotFixes.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
221
System Settings<br />
FIGURE 85. System Preferences Tab<br />
3. In the Filter List Update frame, click in the Filter List field and enter<br />
the time of day that you want <strong>iPrism</strong> to check for filter updates. <strong>iPrism</strong><br />
uses a 12-hour clock, so you must also specify AM or PM from the adjacent<br />
dropdown list.<br />
4. Make sure Automatic is checked.<br />
222<br />
Note: If the Automatic box is already checked and you still are not<br />
receiving filter updates, then there may be a network problem that pre<strong>iPrism</strong><br />
<strong>Administration</strong> <strong>Guide</strong>
System Updates<br />
vents <strong>iPrism</strong> from downloading the filter list. Contact your network<br />
administrator.<br />
5. Save your <strong>iPrism</strong> configuration by selecting Exit, then Save & Exit.<br />
Manually Updating the Filter List<br />
Normally the <strong>iPrism</strong> system will automatically update the filter list. If for<br />
some reason the <strong>iPrism</strong> has been unable to communicate with St. Bernard<br />
Software for over three days, you may want to update the filter list<br />
manually.<br />
You may also be required to update the filter list under the direction of<br />
technical support.<br />
To update the filter list manually, complete the following steps:<br />
1. Start the <strong>iPrism</strong> System Configuration tool.<br />
2. Select the System section, then the Preferences tab.<br />
3. In the Filter List Updates frame, click ASAP.<br />
A notice message will display, asking you to confirm your decision, and<br />
notifying you that the update will take place within 15 minutes. Download<br />
time will vary depending on network load.<br />
4. Click OK to confirm the update.<br />
Checking <strong>iPrism</strong>’s Filter List Status<br />
To determine the last time your system received a filter list update:<br />
1. Start the <strong>iPrism</strong> System Configuration tool.<br />
2. Select the Reports section, then the Security Log tab.<br />
3. At the top of the report window, note the filter list age and the configuration<br />
changes.<br />
If no update was available the last time <strong>iPrism</strong> checked, the status will<br />
read “empty update”.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
223
System Settings<br />
FIGURE 86. <strong>iPrism</strong> Security Log<br />
System Software Updates<br />
System updates keep your <strong>iPrism</strong> unit up-to-date with the latest software<br />
enhancements.<br />
Scheduling System Updates<br />
1. Start the <strong>iPrism</strong> System Configuration tool.<br />
2. Select the System section, then the Preferences tab.<br />
224<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
System Updates<br />
3. In the System Updates frame, select either Automatic, Check only or<br />
Manual from the dropdown list. To perform an immediate update, click<br />
ASAP.<br />
If you have selected Automatic or Check only, enter the time of day<br />
when you want to update the system. <strong>iPrism</strong> uses a 12-hour clock, so you<br />
must also select AM or PM from the adjacent dropdown list.<br />
Notes:<br />
• It is recommended that automatic updates be done during the late<br />
night or early morning hours (e.g., 2:30 AM) when the network load<br />
is the lightest.<br />
• Manual updates are not recommended, as the Internet changes on a<br />
daily basis and St. Bernard is continually updating the filtering<br />
information.<br />
• If you want <strong>iPrism</strong> to check for updates but not install them, select<br />
Check only.<br />
4. Save your <strong>iPrism</strong> configuration by selecting Exit, then Save & Exit.<br />
Performing an Immediate Update<br />
1. Start the <strong>iPrism</strong> System Configuration tool.<br />
2. Select the System section, then the Preferences tab.<br />
3. In the System Updates frame, click ASAP.<br />
You will be prompted to confirm your decision, and will be notified that<br />
the update will take place within 15 minutes. Download time will vary<br />
depending on network load.<br />
4. Click OK.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
225
System Settings<br />
Protecting Against DoS Attacks<br />
A DoS (Denial of Service) attack occurs when a malicious person tries to<br />
shutdown a system by flooding it with network traffic. Usually the traffic is<br />
designed to use the maximum amount of system resources; e.g., initiating a<br />
connection but not finishing the process. (This consumes the memory<br />
needed to hold the information on the half-open connection.)<br />
To enable DoS protection, do the following:<br />
1. Start the <strong>iPrism</strong> System Configuration tool.<br />
2. Select the System section, then the Preferences tab.<br />
3. In the Network Hardening frame, check Enable DoS Protection. The<br />
<strong>iPrism</strong> will now detect DoS attacks and limit the resources that a malicious<br />
machine can consume on the system.<br />
Anti-spoof detection<br />
Spoofing occurs when the name in the URL for a HTTP request does not<br />
match the IP address for that request; e.g., when http://<br />
www.cnn.com/index.html is sent to an IP address owned by<br />
playboy.com. (One way this can happen is if the user modifies a local hosts<br />
file.)<br />
If the Anti-Spoofing feature is enabled, the <strong>iPrism</strong> will detect spoofing and<br />
prevent the user from accessing the any blocked pages.<br />
To enable Anti-Spoofing, do the following:<br />
1. Start the <strong>iPrism</strong> System Configuration tool.<br />
2. Select the System section, then the Preferences tab.<br />
3. In the Anti-Spoofing frame, select an option from the dropdown list:<br />
• Disabled: This will disable <strong>iPrism</strong> Anti-DNS Spoofing functionality.<br />
• Check iGuard database only: Check the <strong>iPrism</strong>’s internal database<br />
only. This database is updated based on the options you specified in<br />
“Scheduling Filter List Updates” on page 221.<br />
226<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
System Updates<br />
• Check iGuard database and DNS Check the IP address being<br />
requested against the <strong>iPrism</strong>’s internal database. If it’s not there,<br />
perform a reverse DNS lookup on the IP address to verify that the<br />
requested host name and the IP address are consistent.<br />
Configuring Filter List Failure Options<br />
Filter Failover Mode determines how <strong>iPrism</strong> will respond in the event that a<br />
filter list error occurs and <strong>iPrism</strong> cannot perform its normal filtering duties.<br />
Filter failures occur when a filter list fails to download, or when <strong>iPrism</strong> is<br />
unable to download a fresh filter list for an extended period of time<br />
(typically 30 days).<br />
Note: <strong>iPrism</strong> will send an email to the administrator’s email address (as<br />
defined in the Registration tab) if it is unable to download a filter after<br />
three days.<br />
To configure filter failover mode, do the following:<br />
1. Start the <strong>iPrism</strong> System Configuration tool.<br />
2. Select the System section, then the Preferences tab.<br />
3. In the Filter Failover Mode frame, select an option:<br />
• Pass Traffic (Unfiltered): This setting allows all Internet traffic to<br />
pass, as though all categories are allowed access. Users will have full<br />
access to the web.<br />
• Block Traffic: This setting effectively blocks all HTTP activity, not<br />
allowing any web surfing to occur until the problem is resolved and<br />
the filter list can be updated. If in bridge (transparent) mode, all other<br />
services will work normally.<br />
Regardless of the option you choose, the rest of your network will continue<br />
to work normally if <strong>iPrism</strong> is not operating.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
227
System Settings<br />
Backing Up and Restoring <strong>iPrism</strong> Settings<br />
Backing Up<br />
Backing up your <strong>iPrism</strong> configuration stores all of your settings to a file on<br />
your local hard drive. If necessary, you can restore your settings from this<br />
file.<br />
Note: The data in Backup files are encrypted for security.<br />
Setting Backup Preferences<br />
By default, <strong>iPrism</strong> automatically prompts you, when you exit the System<br />
Configuration tool, to back up your <strong>iPrism</strong> system configuration. You can<br />
change the frequency of the prompts by doing the following:<br />
1. Start the <strong>iPrism</strong> System Configuration tool.<br />
2. Select the System section, then the Backups tab (see Figure 87).<br />
3. To perform an immediate backup, click Backup.<br />
228<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Backing Up and Restoring <strong>iPrism</strong> Settings<br />
FIGURE 87. Backups Tab<br />
Setting Backup Reminders<br />
1. To set your backup reminder preferences, select your desired options:<br />
• Prompt when Exiting: You will be prompted to back up your system<br />
when you exit an <strong>iPrism</strong> session.<br />
• Prompt when Starting: You will be prompted to back up your<br />
system when you start an <strong>iPrism</strong> session.<br />
• Specify the intervals at which you want to be prompted by typing a<br />
number between 1 and 30, then selecting Days or Sessions next to the<br />
Every (1-30) field. This is how often you will be prompted to back<br />
up. For example, if you want to be prompted once a month, enter 30<br />
and select Days. If you want to be prompted every 10th time you<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
229
System Settings<br />
open/close the <strong>iPrism</strong> configuration software, enter 10 and select<br />
Sessions.<br />
Note: The default setting is to prompt every 6 days when exiting.<br />
2. Save your <strong>iPrism</strong> configuration by selecting Exit, then Save & Exit.<br />
Restoring<br />
You can restore your <strong>iPrism</strong> from a local backup or to its original factory<br />
configuration.<br />
Restoring your system from a local backup<br />
1. Start the <strong>iPrism</strong> System Configuration tool.<br />
2. Select the System section, then the Backups tab (see Figure 87).<br />
3. In the Restore frame, select Restore from backup and click Restore.<br />
Notes:<br />
• <strong>iPrism</strong> v4.0 introduced a new database format. Backups created prior<br />
to version 4.0 are NOT compatible and cannot be restored.<br />
• You can backup 4.0 settings and restore them on a 4.1 system.<br />
However, in general it is not a good idea to change software versions<br />
between backup and restore.<br />
Restoring <strong>iPrism</strong> to its Default (Factory) Configuration<br />
Restoring the <strong>iPrism</strong> to its factory settings will clear all user-defined<br />
configuration information. You should do a backup of your current<br />
configuration before performing this procedure. (See “Backing Up” on<br />
page 228).<br />
1. Start the <strong>iPrism</strong> System Configuration tool.<br />
2. Select the System section, then the Backups tab (see Figure 87).<br />
3. In the Restore frame, select Restore Factory Configuration.<br />
Note: This will restore <strong>iPrism</strong> to its “out of the box” state. All settings,<br />
including network settings, are lost or set back to their default values.<br />
230<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Registration Information<br />
4. Click Restore.<br />
A dialog box appears to inform you about the ramifications of the choice<br />
you have made.<br />
5. Click OK to proceed with the restoration that you selected. If you want<br />
to cancel this process now, click Cancel.<br />
If you clicked OK, the <strong>iPrism</strong> unit will reboot within two minutes, and<br />
your <strong>iPrism</strong> session will end.<br />
When you log into <strong>iPrism</strong> again, you will be presented with the installation<br />
wizard, as if you were setting up <strong>iPrism</strong> for the first time. Refer to<br />
your <strong>iPrism</strong> Installation <strong>Guide</strong> for assistance with this wizard.<br />
Registration Information<br />
The registration information, which you entered when you initially set up<br />
<strong>iPrism</strong> and ran the installation wizard, should only be changed if you are<br />
updating your <strong>iPrism</strong> license or changing the <strong>iPrism</strong> administrator’s<br />
information. For example, if you are updating your temporary registration<br />
key to a permanent key, you may need to access these settings.You can also<br />
change the administrator’s email address here.<br />
Editing Registration Information<br />
1. Start the <strong>iPrism</strong> System Configuration tool.<br />
2. Select the System section, then the Registration tab (see Figure 88).<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
231
System Settings<br />
FIGURE 88. Registration Tab<br />
3. In the Registration Information frame, make the desired changes:<br />
• Serial Number: This is unique serial number for your <strong>iPrism</strong>, which<br />
can found on the back of the <strong>iPrism</strong> appliance. The software will<br />
retrieve the serial number directly from the hardware. This field<br />
cannot be edited.<br />
• Key: The field contains your <strong>iPrism</strong>’s Product key. To complete this<br />
field, simply upload the key file (included with your <strong>iPrism</strong> unit, or<br />
received from your <strong>iPrism</strong> sales associate) on the same computer that<br />
the <strong>iPrism</strong> software is installed. Using the key file (as opposed to<br />
232<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Registration Information<br />
manually entering this number) ensures that it is entered correctly.<br />
The Key value is case sensitive.<br />
Note: If you do not have an <strong>iPrism</strong> registration key, a message displays<br />
warning you that filter and system updates will not occur. You<br />
will receive an email notification from St. Bernard Software, Inc.<br />
when your filter list is about to expire.<br />
• Subscription Expiration: Select the month, day, and year that your<br />
subscription ends. This information was included with your <strong>iPrism</strong><br />
unit or received from your <strong>iPrism</strong> sales associate, along with the<br />
Registration key file. You will not be able to receive filter list updates<br />
from St. Bernard Software’s URL database past this date.<br />
• Administrator Email: Enter your email address here for notification<br />
purposes. The <strong>iPrism</strong> will send status information (e.g., “Your license<br />
key is about to expire”) and override requests, as well as other<br />
information, to this email address.<br />
• Administrator Name. This field identifies the owner of the <strong>iPrism</strong><br />
unit. This field is not currently used by <strong>iPrism</strong>.<br />
Note: The other fields on this tab (City, State, Country) are used for<br />
creating SSL Certificates. See “Using SSL Encryption” on page 233.<br />
4. Save your <strong>iPrism</strong> configuration by selecting Exit, then Save & Exit.<br />
Using SSL Encryption<br />
In order to provide secure network-level communications during<br />
authentication and other administrative procedures, a server certificate is<br />
required on each SSL-enabled web server. This certificate is attached to<br />
<strong>iPrism</strong>’s IP address and, once created, should not have to be changed unless<br />
you change the IP address of your <strong>iPrism</strong> appliance.<br />
To create a certificate:<br />
1. Start the <strong>iPrism</strong> System Configuration tool.<br />
2. Select the System section, then the Registration tab.<br />
3. Verify that all of the following fields are completed in the Registration<br />
tab:<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
233
System Settings<br />
City: Enter the name of the city where your organization is located.<br />
State: Enter the full name of the state where your organization is located.<br />
Country: Enter the two-character country code for the country where<br />
your organization is located.<br />
Organization: Enter the full name of your company or organization.<br />
4. Click Create.<br />
A “Working” dialog box displays while the certificate is being generated,<br />
and the status line under the Organization field will read “Creating<br />
a new certificate”. If the certificate is completed successfully, the status<br />
line will change to “Your certificate is valid”.<br />
5. Install the SSL Certificate in each browser.<br />
The first time that end users access an SSL-enabled service on <strong>iPrism</strong>,<br />
their web browser will display the certificate information. Users can<br />
choose to accept the certificate permanently, or only for the current session.<br />
To avoid being prompted each time, you should install the certificate<br />
permanently; it will then be valid until the certificate expires.<br />
Managing <strong>iPrism</strong> Updates with the HotFix<br />
Manager<br />
The HotFix Manager provides a convenient interface for tracking <strong>iPrism</strong><br />
updates and patches (called “HotFixes”). With the HotFix Manager you can<br />
instantly check for new updates, view available updates, view which ones<br />
have already been installed, and manually install/uninstall a HotFix.<br />
The <strong>iPrism</strong> administrator can access the HotFix Manager from the <strong>iPrism</strong>’s<br />
main web page by clicking Manage Selected Appliance, then choosing<br />
HotFix Manager (under System Admin Tools). After entering the<br />
username and password, the HotFix Manager interface opens (see<br />
Figure 89).<br />
Note: Only the <strong>iPrism</strong> administrator account (iprism) can access the HotFix<br />
Manager.<br />
234<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Managing <strong>iPrism</strong> Updates with the HotFix Manager<br />
FIGURE 89. The HotFix Manager Interface<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
235
System Settings<br />
Using the HotFix Manager<br />
The HotFix Manager functionality is accessible directly from the HotFix<br />
Manager interface as shown above. The following sections describe the<br />
different actions that can be performed with the HotFix Manager.<br />
Viewing Installed HotFixes<br />
HotFixes that have already been installed are listed in the Installed<br />
HotFixes list. You can view additional information about an installed<br />
HotFix by selecting it from this list and clicking Details.<br />
Viewing Available HotFixes<br />
HotFixes that have not yet been installed are listed in the Available<br />
HotFixes list. To view more information about a particular HotFix, select it<br />
from this list and click Details.<br />
You can update this list to include the very latest HotFixes by clicking<br />
Check for new HotFixes.<br />
Installing a New HotFix<br />
To install a new HotFix, select it from the Available HotFixes list and click<br />
Install. If no new HotFixes are available, a message will display; otherwise,<br />
if there are available HotFixes, the Install HotFixes web page opens. You<br />
will be prompted to confirm your decision to install that HotFix.<br />
If the HotFix you selected is dependent upon earlier HotFix(es) that you<br />
have not installed, then all required HotFixes will be installed automatically<br />
once you authorize the installation of the new HotFix.<br />
Note: The same dependency principle applies when uninstalling HotFixes.<br />
Uninstalling a HotFix on which others are dependent will result in all<br />
dependent HotFixes being uninstalled.<br />
To proceed with the installation, click Install HotFixes. Otherwise, click<br />
Cancel Installation to return to the main HotFix Manager page.<br />
236<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Managing <strong>iPrism</strong> Updates with the HotFix Manager<br />
Uninstalling a HotFix<br />
Although it is unlikely you will ever need to do this, you can uninstall a<br />
HotFix if you suspect that it is causing issues with your <strong>iPrism</strong>. To do this,<br />
select the HotFix you want to remove from the Installed HotFixes list and<br />
click Uninstall.<br />
When the Uninstall HotFixes page appears, verify that this is the HotFix<br />
you want to remove and click Uninstall HotFixes.<br />
Note: If you Uninstall a HotFix on which others are dependent, all<br />
dependent HotFixes will also be uninstalled.<br />
Checking for New Updates<br />
By default, <strong>iPrism</strong> automatically checks for new updates each night, using<br />
the <strong>iPrism</strong> System Update settings specified in the System section’s<br />
Preferences tab, in the System Updates frame (see Figure 90).<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
237
System Settings<br />
FIGURE 90. Preferences Tab<br />
When the System Updates are set to Automatic, updates will be<br />
downloaded and any new HotFixes will automatically be listed on the<br />
Available HotFixes list.<br />
Note: When Automatic System Updates are enabled, critical updates will be<br />
installed automatically.<br />
You can also manually check for new updates at any time directly from the<br />
HotFix Manager page. To do this, click the Check for new HotFixes<br />
button. Checking for new HotFixes may take several minutes, during which<br />
a new page will appear to let you know the status of the process. If no new<br />
updates are available, a message will indicate that <strong>iPrism</strong>’s HotFix Database<br />
is up-to-date. If a new HotFix is found, it is added to the Available<br />
HotFixes list so you can install it. If a critical HotFix is downloaded and<br />
238<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Managing <strong>iPrism</strong> Updates with the HotFix Manager<br />
<strong>iPrism</strong> is configured to automatically perform system updates, it will be<br />
installed for you.<br />
Viewing the Details of a HotFix<br />
The details associated with a HotFix include its HotFix ID, Priority, Extra<br />
Arguments, and a Description as shown in Figure 91 and described below.<br />
When you have finished viewing the HotFix Details, click Back to HotFix<br />
Manager to return to the main HotFix Manager page.<br />
FIGURE 91. HotFix Details Page<br />
The following information can be found in the HotFix Details page:<br />
HotFix ID: This is the official version number of the HotFix.<br />
Priority: This specifies the importance of the HotFix. HotFixes can be<br />
classified as either critical, optional, or private.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
239
System Settings<br />
• Critical HotFixes are important HotFixes provided to help resolve<br />
known issues and to protect your <strong>iPrism</strong> from known security<br />
vulnerabilities. It is highly recommended that these always be<br />
installed.<br />
Note: When the System Updates are set to Automatic (see page 237),<br />
critical HotFixes will automatically be installed for you.<br />
• Optional HotFixes are usually feature enhancements and are<br />
considered non-vital to the operation of your <strong>iPrism</strong>. These HotFixes<br />
are never automatically installed.<br />
• Private HotFixes must be manually installed. Private HotFixes are<br />
specific to only your <strong>iPrism</strong> and are intended to resolve issues<br />
specific to your <strong>iPrism</strong>. If your <strong>iPrism</strong> requires a private HotFix,<br />
details on installing the HotFix will be given to you by Technical<br />
Support.<br />
• Extra Arguments: Some HotFixes will support extra arguments or<br />
user-supplied options. If the HotFix supports extra arguments,<br />
information regarding what they do and how to use them will be<br />
documented in the HotFix’s Description field. You can edit the<br />
arguments for an installed HotFix by selecting it from the Installed<br />
HotFixes list and clicking Edit Args. When the HotFix is NOT<br />
installed, the Extra Arguments field always displays as n/a and the<br />
user is not allowed to change it.<br />
• Description: This describes the purpose of the HotFix, such as<br />
correcting an existing problem or adding additional features.<br />
Manually Installing a HotFix<br />
Manual installations are used to install “Private HotFixes”. Private<br />
HotFixes are those that are specific to your <strong>iPrism</strong> and are intended to<br />
resolve issues specific to your <strong>iPrism</strong>. HotFixes should only be installed<br />
manually when instructed to do so by Technical Support.<br />
240<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Managing <strong>iPrism</strong> Updates with the HotFix Manager<br />
FIGURE 92. Manually Installing a HotFix<br />
To manually install a HotFix you must know its ID, which will be given to<br />
you by Technical Support.<br />
1. Type the HotFix ID in the HotFix ID field.<br />
2. If any extra arguments are needed, enter them into the Extra Arguments<br />
field.<br />
3. Click Manual Install to install the HotFix.<br />
Rebooting <strong>iPrism</strong><br />
After installing (or uninstalling) a HotFix, the changes will not take effect<br />
until you reboot <strong>iPrism</strong>. You do not have to reboot <strong>iPrism</strong> right away, just be<br />
aware that the changes to your system will not take place until you do.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
241
System Settings<br />
To reboot <strong>iPrism</strong>, click Reboot <strong>iPrism</strong> in the HotFix Manager web page.<br />
You will be prompted to confirm your decision to reboot. After clicking<br />
Yes, <strong>iPrism</strong> will be rebooted and will take several minutes to restart.<br />
Managing Multiple <strong>iPrism</strong> Units<br />
This section is intended for administrators who employ several <strong>iPrism</strong><br />
appliances on their network. <strong>iPrism</strong> units can share configuration<br />
information with each other, which makes managing them much easier.<br />
This is achieved by designating one of your <strong>iPrism</strong> units as the “master”<br />
unit. You need only make the desired configuration changes on the master<br />
<strong>iPrism</strong> and the changes will be automatically applied to the other, dependent<br />
<strong>iPrism</strong> systems.<br />
The following situations demonstrate possible scenarios in which you<br />
would install multiple <strong>iPrism</strong>s:<br />
• As a load-balancing solution, to handle the load of high-bandwidth networks.<br />
• As part of a fault tolerance solution.<br />
• If your network configuration has multiple connections to the Internet,<br />
and filtering needs to be implemented for each one.<br />
• Each <strong>iPrism</strong> is running the same version of the software and each has the<br />
same set of HotFixes installed.<br />
Configuration Sharing does not feature sharing of the Report Interface and<br />
the Active Override. Reports should be handled separately for each <strong>iPrism</strong>.<br />
When used in a load-balancing environment, an override will only be<br />
effective if the load balancer can be configured to always use the same<br />
<strong>iPrism</strong> for a given workstation. Please refer to your load balancer’s<br />
documentation and to the technical notes available on the St. Bernard<br />
Software’s website at www.stbernard.com.<br />
<strong>iPrism</strong> in a Load Balancing Environment<br />
<strong>iPrism</strong> can be integrated with web traffic load balancers to achieve higher<br />
throughput and fault tolerance. Visit www.stbernard.com/support/iprism for<br />
242<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Managing Multiple <strong>iPrism</strong> Units<br />
updated white papers regarding specific load-balancer deployments with<br />
<strong>iPrism</strong>.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
243
System Settings<br />
244<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Chapter 11<br />
<strong>iPrism</strong> System<br />
Reports<br />
The <strong>iPrism</strong> system has an extensive reporting tool designed to give you<br />
access to event data, as well as the <strong>iPrism</strong> security, status, build ID, and<br />
other information through the Reporting section of the System<br />
Configuration tool.<br />
Detailed information about the reporting tool is also available in the <strong>iPrism</strong><br />
Reporting <strong>Guide</strong>.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
245
<strong>iPrism</strong> System Reports<br />
Exporting Events Using Syslog<br />
The reporting tool’s real-time monitor gives you instant access to all<br />
monitored Web, IM, and P2P events. This is the preferred tool for viewing<br />
these events.<br />
The <strong>iPrism</strong> system can output Web, IM, and P2P events using the syslog<br />
protocol. In order to use this feature, you will need a system with a syslog<br />
client running and configured to accept events from an external system. 7<br />
Syslog is a common UNIX, Linux and FreeBSD communication protocol<br />
used for communicating system event information. There are also a few<br />
Microsoft Windows-based syslog clients available.<br />
To enable event export using syslog, open the System Configuration tool;<br />
select the Reports section, then the Preferences tab (see Figure ). Type the<br />
name of the system which will receive the logging information in the<br />
“Syslog Host” field.<br />
7. Most UNIX based systems do not accept external connections by default. This is a security<br />
feature.<br />
246<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Exporting Events Using Syslog<br />
FIGURE 93. Reports Preferences Tab<br />
Note: The syslog protocol uses UDP datagrams. Events may get dropped by<br />
the network if the load is high.<br />
The format of an HTTP access syslog message is described in Table 6.<br />
Table 6: HTTP access syslog information (Web traffic only)<br />
Field Name<br />
Syslog<br />
header<br />
Type<br />
Protocol<br />
Contents<br />
Information added by the syslog program (varies<br />
from client to client)<br />
WEB (IM and P2P events will use IM or P2P for this<br />
field. See below.)<br />
http, https<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
247
<strong>iPrism</strong> System Reports<br />
Table 6: HTTP access syslog information (Web traffic only)<br />
Field Name<br />
Time<br />
Action<br />
IP<br />
Profile<br />
User<br />
Bandwidth<br />
URL<br />
Rating<br />
Duration<br />
Method<br />
Status<br />
Contents<br />
Time of access<br />
Action taken<br />
B — Blocked<br />
P — Passed<br />
O — Overriden<br />
I — Override Initiated<br />
IP address of the system making the request<br />
Active Profile<br />
User name<br />
In bytes<br />
Url of the request<br />
Rating of the site (comma separated list of categories)<br />
Duration calculation estimate<br />
GET or other HTML method<br />
Status code for this URL<br />
Mime<br />
Mime type<br />
IM and P2P events contain the information listed in Table 7.<br />
Table 7: IM and P2P access syslog information<br />
Field Name<br />
Syslog<br />
Header<br />
Type<br />
Protocol<br />
Action<br />
IP<br />
Profile<br />
Contents<br />
Header added by the syslog client. This varies from system to system.<br />
IM or P2P<br />
IM or P2P protocol<br />
Action takes<br />
IP Address<br />
Active Profile<br />
248<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Exporting Events Using Syslog<br />
Table 7: IM and P2P access syslog information<br />
Field Name<br />
User<br />
Application<br />
Contents<br />
User name<br />
Application used<br />
Determining the Number of Records in the Database<br />
Information about the number of records in the database, as well as the time<br />
of the oldest record, can also be found in the Preferences tab (see<br />
Figure 93).<br />
Deleting Access Event Records<br />
There are times when you may wish to purge event data from the machine,<br />
such as if an <strong>iPrism</strong> is transferred from one department to another. To delete<br />
data from the system, select the Reports section, then the Preferences tab<br />
(see Figure ).<br />
Click Delete All to delete all of the access event records, or type a date and<br />
click Delete to delete all the event records occurring before that date.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
249
<strong>iPrism</strong> System Reports<br />
Audit Log<br />
The Audit Log tracks changes made to policies, including who made them<br />
and when.<br />
FIGURE 94. Audit Log<br />
250<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
<strong>iPrism</strong> Status<br />
<strong>iPrism</strong> Status<br />
You can view information about the status of your <strong>iPrism</strong> unit, as well as<br />
utilization data, in the Reports section’s Status tab (see Figure 95). All<br />
fields on the Status tab are view-only.<br />
FIGURE 95. Status tab<br />
In the System Status frame, you can view the following information:<br />
• Uptime: The days, hours, and minutes that your <strong>iPrism</strong> has been continuously<br />
running.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
251
<strong>iPrism</strong> System Reports<br />
• System Memory: The amount of system memory that your <strong>iPrism</strong> is<br />
consuming while running.<br />
• Free Memory: The amount of memory (in MB) available on <strong>iPrism</strong><br />
while running.<br />
• CPU Utilization: The percentage of CPU that your <strong>iPrism</strong> system is utilizing<br />
while running.<br />
In the Raid Status frame, you can see the status of the RAID disk system if<br />
your <strong>iPrism</strong> model contains RAID (available on <strong>iPrism</strong> models 30h, 50h,<br />
and 100h).<br />
In the Filtering Status frame, you can view the following information:<br />
• Web Proxy: Number of URLs processed and blocked for systems using<br />
the <strong>iPrism</strong> as a proxy.<br />
• Bridge: Number of URLs processed and blocked for systems using the<br />
<strong>iPrism</strong> in bridge (transparent) mode.<br />
• Number of Clients: Number of client workstations serviced by <strong>iPrism</strong>.<br />
In the Network Utilization frame, you can view the following information:<br />
• Traffic received (internal interface): Amount of IP traffic (measured in<br />
bytes, for all protocols) received by the internal interface.<br />
• Traffic Received (external interface): IP traffic received for the external<br />
interface, if one is being used (bridge (transparent) mode only).<br />
• Traffic Received (management interface): IP traffic received by the<br />
management interface.<br />
252<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
<strong>iPrism</strong> Security Log<br />
<strong>iPrism</strong> Security Log<br />
<strong>iPrism</strong> automatically detects and logs security events. This information can<br />
be viewed in the Reports section’s Security Log tab (see Figure 96).<br />
FIGURE 96. Security Log tab<br />
The following security events are logged by <strong>iPrism</strong>:<br />
• Each override performed on the system, along with the name of the user<br />
who performed it and the parameters used (who and what was overridden).<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
253
<strong>iPrism</strong> System Reports<br />
• Any attempt to access the HTTP server from the external interface.<br />
Access to the Configuration and Report Interfaces are only allowed on<br />
the internal interface.<br />
• Any attempt to access Proxy services from the external interface. Access<br />
to <strong>iPrism</strong>’s proxy is only allowed on the internal interface.<br />
• Any attempt to access configuration services from the external interface.<br />
Access to the configuration services (used by the interface) is only<br />
allowed on the internal interface.<br />
• Any attempt to access console services (telnet) from the external interface.<br />
• If an attempt is made to access the <strong>iPrism</strong> internal web server from the<br />
outside, it will generate an event in the security log. Systems listed in the<br />
co-management list are allowed to access the internal web server. These<br />
accesses do not generate a security event.<br />
This log will also show:<br />
• Date and time of the last filter list update.<br />
• Date and time of the last configuration changes.<br />
• Date and time of the last backup.<br />
• The date and time of the last reporting database maintenance operation.<br />
• The date and time each emailed report was sent.<br />
254<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
About <strong>iPrism</strong> Tab<br />
About <strong>iPrism</strong> Tab<br />
The Reports section’s About tab displays version information about your<br />
<strong>iPrism</strong> software, as well as the model numbers and serial numbers of your<br />
<strong>iPrism</strong> appliance. Contact information for St. Bernard software can also be<br />
found here.<br />
FIGURE 97. About tab in the Reports menu<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
255
<strong>iPrism</strong> System Reports<br />
256<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Chapter 12<br />
The Filter Manager<br />
This chapter describes how to use <strong>iPrism</strong>’s Filter Manager utility, accessed<br />
by clicking the Block/Unblock Site link on the <strong>iPrism</strong> Main Menu<br />
(Figure 98). This will take you to the Filter Manager (Figure 99), which<br />
allows you to perform the following functions:<br />
• Automatically submit unrated, frequently accessed URLs to iGuard<br />
for rating and review, and manually rate URLs that cannot<br />
automatically be determined by iGuard.<br />
• Create and edit a custom filter, which can be used to restrict/allow<br />
access to any website – even those not listed in the URL database.<br />
• View and process requests from users who have been blocked from a<br />
website and have submitted access requests to the administrator.<br />
• Review the websites that have been recently blocked by <strong>iPrism</strong> and, if<br />
desired, grant access to them.<br />
• Check the category rating of URLs in the <strong>iPrism</strong> database.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
257
The Filter Manager<br />
FIGURE 98. <strong>iPrism</strong> Main Menu - Administrator<br />
258<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Automatically Rating Unrated URLs<br />
FIGURE 99. Filter Manager<br />
Automatically Rating Unrated URLs<br />
iGuard allows <strong>iPrism</strong> to automatically rate unrated, frequently accessed<br />
URLs. After a period of seven (7) days the top 100 currently unrated,<br />
frequently accessed URLs for a given <strong>iPrism</strong> are sent to iGuard for rating.<br />
You can opt to get an email message when the list of sites is sent and when<br />
the rating is complete (see “Sending Unrated Sites to iGuard for Rating” on<br />
page 260), which normally occurs within a few days. You can also view<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
259
The Filter Manager<br />
those sites that could not be rated automatically and rate them manually.<br />
The number of sites listed and the need to manually submit URLs for<br />
review or inclusion should decline with the frequent and consistent use of<br />
the iGuard rating function.<br />
Notes:<br />
• The capability to send unrated sites to iGuard can also be enabled during<br />
the <strong>iPrism</strong> installation process. Refer to the <strong>iPrism</strong> Installation <strong>Guide</strong> for<br />
detailed instructions.<br />
• If the total number of unrated sites is less than 100, all of them are sent to<br />
iGuard.<br />
Sending Unrated Sites to iGuard for Rating<br />
1. From <strong>iPrism</strong>’s main web page, click Block/Unblock Site.<br />
2. When prompted to log in, type your administrator username and password<br />
and click Login.<br />
Note: If <strong>iPrism</strong> is joined to an domain, choose LOCAL from<br />
the domain list.<br />
3. From the Filter Manager page (see Figure 99 on page 259), click Send<br />
unrated sites to iGuard.<br />
4. From the Send unrated sites to iGuard page (Figure ), select the options<br />
you want. You can elect whether to be notified via email here.<br />
• The Admin E-Mail Address is the default and automatically displays<br />
the <strong>iPrism</strong> administrator’s email address.<br />
• To have notifications sent to a different email, select Custom E-Mail<br />
Address and type the email address.<br />
A list of URLs automatically sent to iGuard for rating is sent, via<br />
email, to the <strong>iPrism</strong> administrator or the custom email address specified.<br />
Within a few days the sites are rated and an email is sent indicating<br />
the iGuard rating response.<br />
260<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Automatically Rating Unrated URLs<br />
FIGURE 100. Send Unrated Sites to iGuard<br />
5. To save the settings and exit, click Save Settings. To exit without saving,<br />
click Cancel.<br />
Manually Rating Unrated URLs from iGuard<br />
Some URLs may not be ratable by iGuard, such as private/internal websites<br />
or websites that require a login. Such URLs can be rated manually.<br />
1. Click the “here” hyperlink (see Figure 101) and manually rate URLs<br />
that iGuard was unable to rate. A list of current URLs that are un-ratable<br />
by iGuard appears (see Figure 102).<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
261
The Filter Manager<br />
FIGURE 101. Hyperlink to iGuard<br />
FIGURE 102. Unrated URLs<br />
2. Select one or more locations to rate, then click Re-rate Selected. A<br />
Select Categories page appears (Figure 103).<br />
262<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Automatically Rating Unrated URLs<br />
FIGURE 103. Select Categories<br />
3. Select one or more categories that apply to all of the selected locations.<br />
(See Appendix A for category definitions.) Click Next to proceed.<br />
4. A list of the categorized URLs is displayed in the Confirm Re-rating<br />
Unratable URLs page (Figure 104). To make any changes, click Back<br />
to return to the Current URLs un-ratable by iGuard page. Otherwise,<br />
click Finish to proceed.<br />
5. The Current Filters page displays (Figure 105). Click Finish if you are<br />
done, or to re-rate items, click Cancel to return to the previous page.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
263
The Filter Manager<br />
FIGURE 104. Confirmation page<br />
264<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Automatically Rating Unrated URLs<br />
FIGURE 105. Current Filters page<br />
Modifying URLs<br />
• To search for a current URL and its settings, type the search string in<br />
the Match Location field and click Search.<br />
• To change the sort order, click the triangle next to the Location or<br />
Rating column. The filters will be sorted according to the selected<br />
column. Clicking twice on a column will reverse the sort order.<br />
• To edit a location on the list, click the Edit link next to the location.<br />
The Advanced Filter Settings page displays (see Figure 109). Click<br />
Next to proceed to the Select Categories page (Figure 103) or Clear<br />
to reset the page to the default settings.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
265
The Filter Manager<br />
• To remove URLs from the Location list and return them to the list of<br />
iGuard unratable sites, select the checkbox next to the location(s) to<br />
be returned. Click Delete Selected. The site(s) will remain on the<br />
iGuard unratable list.<br />
6. To submit the sites to St. Bernard Software with their new manual rating<br />
for inclusion in the filtering database, check the checkbox next to the<br />
URLs you wish to submit and click Submit Selected to St. Bernard<br />
Software. A confirmation page is displayed. Click Send, or if you want<br />
to cancel this process, click Cancel.<br />
Custom Filters<br />
Custom Filters allow you to locally change the category rating of any<br />
website. This can be used to block access to an offensive website that may<br />
not yet be listed in <strong>iPrism</strong>’s URL database, or to provide access to a website<br />
that would otherwise be blocked. An understanding of how custom filters<br />
and <strong>iPrism</strong>’s local categories work together will bring some powerful<br />
capabilities to your <strong>iPrism</strong> experience. For more information, see:<br />
• “Changing a URL’s Rating with Custom Filters” on page 112<br />
• “Controlling URLs with Locally Defined Categories” on page 112<br />
Custom Filter Management<br />
When creating custom filters, accuracy and organization count. You can<br />
verify that you have the correct URL by copying the URL from your<br />
browser to the URL field in the Filter Manager.<br />
Note: Do not create multiple filter exceptions for the same URL, as the first<br />
matching URL in the custom filter list will be used by <strong>iPrism</strong>. For instance,<br />
if you create a custom filter that identifies http://www.playboy.com<br />
as “online shopping” and later add a filter that identifies it as “adult<br />
content”, <strong>iPrism</strong> will treat it as “online shopping”.<br />
266<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Custom Filters<br />
Creating a Custom Filter<br />
1. From the main <strong>iPrism</strong> web page, click Block/Unblock Site.<br />
2. When prompted to log in, enter your administrator username and password<br />
and click Login.<br />
Note: If <strong>iPrism</strong> is joined to an domain, choose LOCAL from<br />
the domain list.<br />
3. When the Filter Manager page appears, click the Block/Unblock Site<br />
(Create a filter) link.<br />
4. In the Enter Location page, type the URL that you want to block in the<br />
Location field.<br />
(For example: http://www.blockthissite.com.)<br />
5. Click Next to go to the Select Rating page (Figure 106).<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
267
The Filter Manager<br />
FIGURE 106. Select Rating page<br />
6. In the Select Rating page, assign this site to one of the filter categories<br />
by clicking the appropriate radio button:<br />
• Allow Access (rating: local allow): Allows all users to access this<br />
site. This changes the URLs rating to include the Local Allow<br />
category, which is not blocked in any ACL (by default), and overrides<br />
any other category ratings that may otherwise block access.<br />
• Deny Access (rating:local deny): Denies all users access to this<br />
URL. It changes the URLs rating to include the Local Deny category,<br />
which is blocked and monitored in all ACLs (by default).<br />
Note: Local Deny is blocked and monitored by default in all new<br />
ACLs.<br />
• Select Categories: Use this option to assign this URL to a specific<br />
filtering category (e.g., adult, business, finance, etc.). When you click<br />
Next, you will be presented a category list where you can select<br />
which categories you want to add to this site’s rating.<br />
7. When you have checked the categories you want to assign, click Next.<br />
The Create Filter page displays with the URL and category selections<br />
you have made (see Figure •).<br />
Note: If you feel that the website you filtered should be part of St. Bernard’s<br />
standard URL database, check the box on this page. The URL will<br />
be reviewed by St. Bernard’s web analysts and, if appropriate, assigned<br />
to an existing category in the database. This addition will usually<br />
become available within 24 hours, after <strong>iPrism</strong> is updated.<br />
268<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Custom Filters<br />
FIGURE 107. Create Filter<br />
8. Click Finish to return to the main Filter Manager page.<br />
9. At the very top of the main page, click the Save Changes link. After a<br />
few moments, you should be notified that the save was successful and<br />
that the changes will be applied shortly.<br />
Editing or Removing a Custom Filter<br />
1. From the main <strong>iPrism</strong> web page click Block/Unblock Site.<br />
2. When prompted to log in, type your administrator username and password,<br />
then click Log in.<br />
3. From the Filter Manager page, click the View and Edit Custom Filters<br />
link. The Custom Filters page displays, listing all of the custom filters<br />
you have created (see Figure 108).<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
269
The Filter Manager<br />
FIGURE 108. Current Filters page<br />
4. To search the locations, type the search string in the Match Location<br />
field and click Search.<br />
5. To change the sort order, click the triangle next to the Location or Rating<br />
column. The filters will be sorted according to the selected column.<br />
Clicking twice on a column will reverse the sort order.<br />
6. To delete one or more filters, check the box next to each URL you want<br />
to remove and click Delete Selected.<br />
270<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Custom Filters<br />
7. To submit the selected site to St. Bernard Software for review and possible<br />
inclusion in the filtering database, select the checkbox next to the<br />
URL you wish to submit and click Submit Selected to St. Bernard<br />
Software.<br />
8. To edit an entry, locate a URL that you want to edit, then click Edit. The<br />
Advanced Filter Creation page displays (see Figure 109).<br />
FIGURE 109. Advanced Filter Creation page<br />
9. In the Location field, type the location (the beginning of the URL) to be<br />
blocked. This can be a simple url such as http://www.playboy.com<br />
or it can contain a wildcard such as http://*.playboy.com.<br />
In the second case, the wildcard causes the location to match<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
271
The Filter Manager<br />
all sites which end in playboy.com. You can also include a path in the<br />
location such as http://www.playboy.com/images.<br />
The wildcard character can be used in any place in the Location. For<br />
example:<br />
*://www.playboy.com: No access is allowed to www.playboy.com no<br />
matter what protocol is used.<br />
*://*.playboy.com: No access to any playboy site is allowed no matter<br />
what protocol is used.<br />
10. In the File Mask section, you can select specific types of media that will<br />
be denied from blocked sites. For instance, if you select the Images<br />
option, the .jpg and .gif graphics on the blocked website will not display,<br />
but all other content (such as text) will be available, even though the<br />
site’s category is blocked in the ACL. To use this, the site’s category<br />
must be designated as “blocked”, otherwise all content on the site will<br />
display.<br />
The wildcard character (*) can be used to match zero or more characters;<br />
e.g., “*.jpg” matches all files which end in “.jpg”.<br />
For the purposes of seeing if this filter matches, the Location is matched<br />
against the beginning of the URL and the File Mask is matched against<br />
the end.<br />
11. In the Rating section, you can change the site’s rating or change its current<br />
category designation:<br />
• To allow all users access to this site, select Allow Access. This<br />
assigns the URL to the Local Allow category, which is not blocked<br />
on any ACL (by default).<br />
• To deny all users access to this URL, select Deny Access. This<br />
assigns the URL to the Local Deny category, which is blocked on all<br />
ACLs (by default).<br />
• To change or alter which category this site is assigned to, select Select<br />
Categories, then Submit Filter. You will be presented with the<br />
Select Categories page, where you can select the categories with<br />
which you want this site to be associated.<br />
272<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Import / Export Custom Filters<br />
12. In the Confirm Filter Creation page, review the settings for the custom<br />
filter and click Confirm.<br />
13. At the top of the main page, click Save Changes.<br />
Import / Export Custom Filters<br />
You can save a list of custom filters by exporting them. This list then can be<br />
imported into <strong>iPrism</strong> at a later time.<br />
Exporting Custom Filters<br />
1. From the <strong>iPrism</strong> main web page, click Import / Export Custom Filters.<br />
2. The Import / Export screen is displayed (Figure 110).<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
273
The Filter Manager<br />
FIGURE 110. Import/Export Filters<br />
3. Click Export File. A dialog will appear which allows you to specify the<br />
name of the export file.<br />
Import / Export File Format<br />
The custom filter list information is stored in text format. A typical custom<br />
filter list looks like:<br />
* http://*.playboy.com * la<br />
+ http://*.sex.com * pfs,j/emp,cpm,bshp<br />
* http://*.whitehouse.gov *.jpg,*.gif la<br />
Each line consists of four fields separated by white space (any number of<br />
spaces or tabs).<br />
Note: The text file uses as its end-of-line<br />
separator. This is the Microsoft Windows standard line terminator. UNIX,<br />
Linux, and Macintosh use different conventions. If you use these systems,<br />
make sure your text editor can handle the line termination properly.<br />
1. The first field indicates whether or not this is a “final filter”. Entries<br />
which begin with an * are considered final, while entries which start with<br />
+ are not.<br />
2. The next field contains the URL (with wildcards) for this filter.<br />
3. This is followed by the specification of the file types to be blocked. An<br />
entry of * blocks all files. An entry such as *.jpg,*.png blocks all files<br />
with the .jpg and .png extensions.<br />
4. The fourth and final field specifies the short category names for this<br />
entry. For example, the entry for “playboy.com” is in the single category<br />
la (Local Allow) while “sex.com” is in four different categories.<br />
A list of categories is available through the <strong>iPrism</strong> online help system (see<br />
http:///help/categories.html).<br />
274<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Import / Export Custom Filters<br />
Importing Custom Filters<br />
1. From the main <strong>iPrism</strong> web page, click the Import / Export Custom Filters<br />
link.<br />
2. The Import / Export screen is displayed (see Figure 110).<br />
3. Type the name of the file you wish to import in the File to Import field,<br />
or click Browse to locate the file.<br />
4. Click Import File to import the file.<br />
5. The system displays a screen showing the number of filters successfully<br />
imported (Figure 111).<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
275
The Filter Manager<br />
FIGURE 111. Import Completion Screen<br />
Pending Access Requests<br />
When a user requests access to a blocked web page, it goes into a pending<br />
request queue. These can be viewed from the <strong>iPrism</strong> web interface.<br />
Reviewing Access Requests<br />
1. From the main <strong>iPrism</strong> web page, click the Block/Unblock Site link.<br />
2. When prompted to log in, type your administrator username and password,<br />
then click the Login.<br />
3. When the Filter Manager page displays, click View pending requests.<br />
The Pending Requests page displays, listing all of the requests that have<br />
been sent (see Figure 112).<br />
Each request row shows the URL to which the user wants to gain access,<br />
the type of request, the user’s name (if authentication is used), and the<br />
comments the user provided.<br />
276<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Import / Export Custom Filters<br />
FIGURE 112. Pending Requests page<br />
4. Review each request, then check the checkbox next to each request (or<br />
check Select All to select all requests) and click the appropriate link in<br />
the Action column:<br />
• Grant Selected: Gives the user access to the requested site. Granted<br />
requests are handled differently depending on whether or not<br />
partitioning is enabled on your <strong>iPrism</strong>:<br />
If partitioning is not enabled, then the effect of granting a request<br />
depends on the Grant pending request preference in the filter manager<br />
options. If the option is to grant access using a custom filter,<br />
then granting access creates a custom filter that assigns the site to the<br />
'local allow' category. With this filter in place, all users will have<br />
access to the specified site (not just the user who requested it). This<br />
filter remains in effect until you manually edit it from the Filter Manager<br />
'View and Edit custom Filters' page (See “Editing or Removing a<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
277
The Filter Manager<br />
Custom Filter” on page 269). If the option is to grant access using<br />
overrides, then granting access to the site will create an override with<br />
unlimited duration. You can delete this unlimited override in both the<br />
configuration UI or in the View and Delete recently overridden<br />
pages in the Filter Manager.<br />
If partitioning is enabled, then the effect of granting a request<br />
depends on the privilege of the administrator who is granting the<br />
request. If the administrator is a Delegated Administrator (DA)<br />
of the partition where the request originated, then an override of that<br />
site will be created with an unlimited duration. This override will<br />
apply only to users belonging to the same partition as the user whose<br />
request was granted. In this case granted requests can be viewed or<br />
deleted along with other overrides in the Filter Manager View and<br />
Delete recently overridden pages page. A given override will be<br />
visible to the delegated administrator of the same partition as the user<br />
whose request was granted, as well as to the Global Policy Administrator<br />
and to the super user (<strong>iPrism</strong> account). If the administrator<br />
granting the request has global filter manager privileges (super<br />
user, global policy admin (GPA), or user with filter manager privileges),<br />
then the effect of granting the request will depend on the<br />
Grant pending request preference setting in the filter manager<br />
options, as described in the previous section.<br />
• Deny Selected. The site remains blocked to this user. No changes are<br />
made to the site’s filtering.<br />
• Edit Request. Opens the Advanced Filter Creation page where you<br />
can manually make changes to the URLs filter settings. (See<br />
Figure 109 on page 271)<br />
Use the options in the Rating section to change the site’s category<br />
rating, which affects all users. You can also use the Select Categories<br />
option to manually change the site’s category designation.<br />
Use the options in the File Mask section to “mask out” certain types<br />
of content. For example, you can prevent the user from being able to<br />
view images, movies, music, or other file types that you specify. To<br />
apply a file mask, the URL must be designated as “blocked”. When a<br />
mask is applied, the user will be able to see everything else on the site<br />
except what has been masked.<br />
278<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Import / Export Custom Filters<br />
To apply the filtering changes you made, click Submit Filter. If you<br />
chose the Select Categories option, the Select Categories page will<br />
display so you can choose the new filter categories for this site. Click<br />
Next when you are finished.<br />
5. When the Confirm Grant Request page displays (See Figure 113),<br />
review your decision and then click the appropriate button to confirm it.<br />
Depending on the option you chose, one of three buttons will be available:<br />
Grant, Deny, or Confirm.<br />
You are returned to the Pending Requests page so you can review the<br />
remaining requests.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
279
The Filter Manager<br />
FIGURE 113. Confirm Grant Request<br />
Unblocking Blocked and Overridden Pages<br />
As an administrator, you may find yourself in a situation where you are<br />
getting pummelled with access requests, all pertaining to one or more<br />
websites. In this situation, rather than dealing with each request<br />
individually, you may just choose to unblock the page(s) in question so that<br />
everyone can view it.<br />
<strong>iPrism</strong> has built in functionality that lets you review all of the blocked sites<br />
that have recently had hits (access attempts) on them, and then unblock<br />
those sites as desired. There is also a similar utility that lets you do the same<br />
thing for overridden pages. That is, if there is a blocked web page that is<br />
being frequently accessed by users with override privileges, you can<br />
280<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Unblocking Blocked and Overridden Pages<br />
unblock the page so it can be accessed by everyone — without going<br />
through the override process.<br />
For information about how to enable Overrides in <strong>iPrism</strong>, see “Using<br />
Override Privileges” on page 99.<br />
Unblocking Recently Blocked Pages<br />
1. From the main <strong>iPrism</strong> web page, click the Block/Unblock Site link.<br />
You must be an <strong>iPrism</strong> administrator in order to access the Block/<br />
Unblock Site interface.<br />
2. When prompted to login, enter your username and password, then click<br />
Login.<br />
3. From the Filter Manager page, click the Create filters for recently<br />
blocked pages link. The Recent Blocks page displays (see Figure 114).<br />
4. The table lists all the websites that have been blocked in chronological<br />
order, and the users who tried to access them. Each site’s current category<br />
rating is also shown. To unblock a site, click the Allow Access link.<br />
The site’s rating is changed to ‘local allow’ and you are returned to the<br />
main Filter Manager page.<br />
If you want to deny access to this site again, you must remove the filter<br />
you just created. See “Editing or Removing a Custom Filter” on<br />
page 269.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
281
The Filter Manager<br />
FIGURE 114. Recent Blocks page<br />
Unblocking Recently Overridden Pages<br />
1. From the main <strong>iPrism</strong> web page, click the Block/Unblock Site link.<br />
2. When prompted to log in, enter your administrator username and password<br />
and click Login.<br />
3. From the main Filter Manager page, click the Unblock recently overridden<br />
pages link. The Current Overrides page displays (see<br />
Figure 115).<br />
This table lists all the websites that have been recently blocked, but then<br />
accessed using override privileges. It also shows information about the<br />
user who granted the override and which categories were overridden.<br />
282<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Unblocking Blocked and Overridden Pages<br />
FIGURE 115. Current Overrides page<br />
4. To unblock a site in this list, just click the Allow Access link, located in<br />
the right-most column.<br />
Note: Remember that you are unblocking this site for all users, not just<br />
the user(s) that tried to access it.<br />
The site’s rating is changed to ‘local allow’ and you are returned to the<br />
main Filter Manager page.<br />
If you want to deny access to this site again, you must remove the filter<br />
you just created. (See “Editing or Removing a Custom Filter” on<br />
page 269.)<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
283
The Filter Manager<br />
Viewing and Deleting Current IP-Host Map<br />
Entries<br />
Spoofing occurs when the host name of HTTP request is different from the<br />
IP address in the request. In other words, if the HTTP request says<br />
“www.yahoo.com” and connects to the IP address of “www.sex.com”, the<br />
<strong>iPrism</strong> spoofing detector is triggered if spoof detection is enabled.<br />
If spoof detection is enabled, the user is directed to a blocked page and may,<br />
depending on his/her profile, be able to override the block.<br />
If this override is successful, the host name of the request and the IP address<br />
of where the request really went are added to the IP-Host map.<br />
The IP-Host Map page shows a list of the names (good sites) and the<br />
spoofed IP addresses they connected to (bad sites). The controls allow the<br />
administrator to delete one or more entries from this list.<br />
To view and delete current IP-Host Map Entries<br />
1. From the main <strong>iPrism</strong> web page, click View and Delete current IP-<br />
Host Map Entries.<br />
2. When prompted to log in, enter your administrator username and password<br />
and click Login.<br />
3. The Current IP-Host Map page appears with a list of the current<br />
entries.<br />
4. To delete an entry, select the entry and click Delete.<br />
284<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Checking Site Ratings<br />
Checking Site Ratings<br />
A website’s rating determines whether or not it will be blocked by the active<br />
filtering profile. All of the websites included in <strong>iPrism</strong>’s URL database have<br />
a “site rating” based on their content. For example, a political website<br />
would have a rating that included the category “Politics”, and potentially<br />
other categories as well. If the current profile in <strong>iPrism</strong> is set to block sites<br />
in the “Politics” category, then this site would be blocked when someone<br />
tries to access it. A simple way to check the category rating of any website<br />
is to do the following:<br />
1. From the Filter Manager main page, click Check Site Ratings.<br />
2. In the Enter Site Location page, type the full URL of the website whose<br />
ratings you want to check.<br />
Note: This shows you only how the site is rated in <strong>iPrism</strong>’s database, and<br />
not in any custom filters you may have created for that site.<br />
Checking a Site’s Rating<br />
1. From the main web page in <strong>iPrism</strong>, click the Block/Unblock Site button.<br />
2. When prompted to log in, enter your username and password.<br />
3. In the Filter Manager page, click the Check Site Ratings link.<br />
4. In the Location field, type the full URL of the site you want to check<br />
and click Next (see Figure 116).<br />
5. The Site Ratings page appears with any ratings assigned the given website.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
285
The Filter Manager<br />
FIGURE 116. Site Ratings page<br />
6. To perform another check, click New Check.<br />
286<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Filter Manager Options<br />
Filter Manager Options<br />
To modify Filter Manager Options, click the Options link from the main<br />
Filter Manager page. The Options page appears as shown in Figure 117.<br />
FIGURE 117. Filter Manager Options<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
287
The Filter Manager<br />
Timeout: The amount of idle time (in minutes) before a override request<br />
session times out.<br />
Font Size: The size of the font to be used in the override request reports.<br />
Report Lines: The number of lines to be displayed in each override request<br />
report page.<br />
E-Mail Address: If set, override requests will be sent to this email address.<br />
By default, this is the email address of the <strong>iPrism</strong> administrator. (This<br />
option is only available under the iprism account.)<br />
E-Mail Preference: By default, an email will be sent for each request. If<br />
this is set to Daily Consolidation, one email containing all requests will be<br />
sent each day.<br />
Daily Request Limit: The maximum number of requests that can be made<br />
by all users in a given day. (This option is only available under the iprism<br />
account.)<br />
Assigned Categories - Allow<br />
Assigned Categories - Deny<br />
For both of these fields, you can select the default categories used by the<br />
system when creating a filter to unblock a URL (Allow) or to block a URL<br />
(Deny). The default settings (‘local allow’ and ‘local deny’) are<br />
recommended unless you always use the same categories when adding a<br />
filter. Administrators can always override the default category when<br />
creating the filter. (This option is only available under the iprism account.)<br />
Grant Pending Request Preference: In previous versions of <strong>iPrism</strong>, when<br />
access is granted for a specific URL, a custom filter is created and the URL<br />
is rated as local ratings, such as ‘local allow’. If you use an override to grant<br />
access, the outcome is not the same. The URL keeps its original rating<br />
provided by St. Bernard Software, but the Blocked action is overridden and<br />
the URL request goes through. This enables you to see the original rating of<br />
the URL for reporting purposes. The difference is invisible to the end user.<br />
If you have partitions enabled, the Delegated Partition Administrator can<br />
only use an override to grant access.<br />
Local Category Descriptions: Each of the local categories may be given<br />
a unique description. These descriptions will be displayed on the<br />
category selection panels that exist in the Filter Manager,<br />
Configuration Manager, and Reports.<br />
288<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Filter Manager Options<br />
7. To apply these settings, click Save Settings. To discard the settings,<br />
click Cancel.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
289
The Filter Manager<br />
290<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Partitions<br />
Chapter 13<br />
Partitions and<br />
Delegation<br />
Through the use of partitions and delegation, multiple users can have<br />
administrative rights (with limits) in <strong>iPrism</strong>.<br />
Partitions<br />
Creating partitions enables you to divide the <strong>iPrism</strong> into smaller sections<br />
(partitions) that you can delegate to different administrators. Then, each of<br />
these administrators can independently manage the web filtering policies of<br />
their own partition.<br />
Partitioning can be done by network or by group. Creating partitions by<br />
network is based on IP address ranges. There is no overlap allowed in this<br />
type of partition. If your organization uses Windows Active Directory or<br />
LDAP directory, partitions can be created based on user groups. This<br />
enables different administrators to manage policies for different groups of<br />
users. Fine-tuned profile mapping can be created within the partition. It is<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
291
Partitions and Delegation<br />
possible for the user to belong to multiple groups. To resolve which<br />
partition the user belongs to, the partitions are ordered. The first partition<br />
the user matches decides the web access profile to which the user is<br />
assigned. Group partitions are authenticated against the active directory for<br />
both LDAP and NTLM. It can also use LDAP authentication against any<br />
LDAP server.<br />
Setting up Partitions<br />
1. Start the <strong>iPrism</strong> System Configuration tool and select the Users section,<br />
then select the Local tab (see Figure 118).<br />
2. Click Add beneath the <strong>iPrism</strong> Users frame.<br />
FIGURE 118. Partitions<br />
The Partitions tab allows you to view, add, delete or modify partitions.The<br />
Partitions window consists of the following sections:<br />
• Partition Type<br />
292<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Partitions<br />
• Partitions<br />
• Viewing<br />
Partition Type<br />
Before you start to partition <strong>iPrism</strong>, decide what type of partitions there<br />
should be. There are three options: to partition by network ranges, to<br />
partition by groups, or to not partition your <strong>iPrism</strong>. In this field, select<br />
either:<br />
• None: By default, None is selected. <strong>iPrism</strong> is not partitioned, and <strong>iPrism</strong><br />
behaves as in version 4.2 or older.<br />
Caution: If partitions have already been defined, selecting this option<br />
deletes all partitions.<br />
• by Network: Partitions are created by network ranges (IP addresses).<br />
• by Group: Partitions are created by NTLM or LDAP groups.<br />
Partitions<br />
This section contains a list of the currently defined partitions. Select an<br />
entry to display the partition’s information in the Viewing window to the<br />
right.<br />
The Add button creates a new partition and enables the partition data to be<br />
edited in the Viewing window. The Delete button deletes the selected<br />
partition.<br />
Viewing<br />
This window enables you to view or modify the settings of the selected<br />
partition and change its attributes.<br />
1. In the Name field, enter the partition’s name. Names should be between<br />
1 and 16 characters long and only contain alpha-numeric characters or<br />
underscores (_). Names cannot contain spaces.<br />
2. In the Description field, enter the description of the partition. These<br />
comments are not used by <strong>iPrism</strong>.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
293
Partitions and Delegation<br />
3. In the IP Start field, enter the starting IP address for the partition, if the<br />
partition is by Network. If it is a partition by Group, this field is not displayed.<br />
4. In the IP End field, enter the ending IP address for the partition, if the<br />
partition is by Network. If it is a partition by Group, this field is not displayed.<br />
5. If the partition is by group, and Windows authentication is enabled, the<br />
Domain setting is needed. The Domain is either the Windows domain,<br />
all trusted domains, or the wildcard (*). The Domain and the Group<br />
(next field) combine to fully define the partition. If this partition uses<br />
LDAP authentication, this setting is not displayed.<br />
6. If the partition is by Group, enter the Windows or LDAP group name. If<br />
this is a network-based partition, this setting is not displayed.<br />
Note: For Windows authentication, the domain comes from the<br />
Domain selector - do not enter the domain here.<br />
7. The Web Profile field displays global profiles. Global profiles are created<br />
by the Super User <strong>iPrism</strong> account or by the Global Policy Administrator<br />
(GPA) in the Access > Profiles tab. The profiles describe the web<br />
categories that users can access. When the partition is added, a copy of<br />
the selected global profile is assigned to the selected partition. The profile<br />
is granted to users belonging to that partition.<br />
8. The IM/P2P Profile displays global profiles. Global profiles are created<br />
by the Super User <strong>iPrism</strong> account or by the Global Policy Administrator<br />
(GPA) in the Access > Profiles tab. The profiles describe the IM/P2P<br />
categories that users can access. When the partition is added, a copy of<br />
the selected global profile is assigned to the selected partition. The profile<br />
is granted to the users belonging to that partition.<br />
9. In the Admin Email field enter the email address of the partition administrator.<br />
The email address is used by <strong>iPrism</strong> to send diagnostic information<br />
about the partition to the administrator.<br />
294<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Partitions<br />
10. The Administrator field displays all of the administrators for the current<br />
partition.<br />
Note: After a partition is created, initially there are no administrators<br />
delegated. You have to add administrators for the partition.<br />
Administrators are assigned to the partition by defining a local<br />
user or Windows/LDAP group with the role of Delegated Partition<br />
Administrator (DPA) for this partition. When a partition is<br />
added, <strong>iPrism</strong> automatically creates an administrative privilege<br />
with these rights. The name of this privilege is partition_DA. You<br />
can use this privilege and assign it to any local users, Windows<br />
groups, or LDAP groups. To do this go to the Users > Local or<br />
Users > Privilege Mappings tab.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
295
Partitions and Delegation<br />
Delegation<br />
Delegation allows multiple users to control aspects of <strong>iPrism</strong>. The available<br />
roles for delegation are:<br />
• Super User - this role is the same as in most software programs. There is<br />
only one Super User in <strong>iPrism</strong>, and that person, or login, controls all<br />
<strong>iPrism</strong> access, configuration, and reporting. Only the user iprism has this<br />
role. It cannot be delegated.<br />
• Global Policy Administrator (GPA) - The GPA has the right to log in<br />
to system configuration tools and administer global filtering policies.<br />
The GPA can also access reports, filter management, and overrides. Use<br />
this role to delegate management policies of the entire <strong>iPrism</strong> to a user.<br />
• Delegated Partition Administrator (DPA) - The DPA has the right to<br />
log in to the System Configuration tool to administer the filtering policies<br />
for the selected partition(s). It also has full access to the reports and<br />
overrides of the partition(s). This user does not have the right to manage<br />
custom filters, only the GPA and the Super User (<strong>iPrism</strong> account) can do<br />
this. Use this role to delegate the management policies of a partition to a<br />
different administrator.<br />
In addition to these administration roles, there are two other roles:<br />
• <strong>iPrism</strong>-wide Privileged User - This role assigns specific rights for the<br />
entire <strong>iPrism</strong>. For example, with this option, you can create a privilege<br />
that has full reporting access and overrides for the entire <strong>iPrism</strong>.<br />
• Partition-wide Privileged User - This role assigns specific rights for<br />
the selected partition(s). For example, with this option, you can create a<br />
privilege that has full reporting access for a specific partition.<br />
Note: In relation to rights and roles, only the <strong>iPrism</strong> Super User<br />
can create custom filters.<br />
296<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Delegation<br />
Defining Delegation<br />
To define delegations, click on the Users icon.<br />
FIGURE 119. Delegation<br />
1. To create a new user, click Add. The right side of the window becomes<br />
active.<br />
2. In the Name field, type the user’s name, for authentication. The user<br />
name should be between 1 and 32 characters long and cannot contain<br />
spaces.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
297
Partitions and Delegation<br />
3. In the Password field, type the user’s password. Passwords should be a<br />
minimum of 4 characters long, and a maximum of 32. The password<br />
field must match the password confirmation field.<br />
4. In the Confirm Password field, type the user’s password again. This<br />
must match the Password field.<br />
5. In the Notes field, type any comments about the user. This is for your<br />
own use; the comments are not used by <strong>iPrism</strong>.<br />
6. Select a profile in the Profile field. (Profiles are created in the Access ><br />
Profiles tab.) The profile is given to the user if authentication is enabled.<br />
If the user moves from one network to another, the profile remains the<br />
same.<br />
7. Click View to display details about the currently selected profile.<br />
8. If you select Use Network, the filtering profile given to the user after<br />
authentication is inherited from the IP network the user is currently<br />
accessing. If the user moves to another network, they will be filtered<br />
according to the profile for the workstation used. Profiles are assigned to<br />
Networks in the Access section’s Network tab.<br />
9. In the Admin Privileges field, you can assign local users’ administrative<br />
privileges:<br />
• Extended Override: Can override websites for others.<br />
• Filter Management: Can access the filter manager only.<br />
• Full Access: Can access reports, filter manager, and overrides.<br />
• Global Policy Admin (GPA): Can log in to the configuration UI to<br />
set filtering policies, access reports, filter manager, and overrides.<br />
• No Access: Can only use <strong>iPrism</strong> as a regular user; has no access to<br />
administrative functions.<br />
• Reports Only: Can only run reports.<br />
• Single Override: Can override single web pages for the specific<br />
workstation.<br />
10. Click Edit/Add to create or edit a set of administrative privileges.<br />
298<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Delegation<br />
When the parameters for the user have been entered, click OK. The user<br />
displays in the <strong>iPrism</strong> Users section of the window.<br />
To delete a user, select the user from the <strong>iPrism</strong> Users section, and click<br />
Delete.<br />
Setting Administrator Privileges<br />
By clicking Edit/Add, you can assign other Administrative Profiles to a<br />
user, including: Global Policy Administrator, Delegated Partition<br />
Administrator, <strong>iPrism</strong>-wide Privileged User, and Partition-wide Partition<br />
User.<br />
To assign one of these profiles to a user, select the Administrative Profile<br />
from the Administrative Profile dropdown menu. Or, to add a new profile,<br />
click Add.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
299
Partitions and Delegation<br />
FIGURE 120. Administrative Profiles<br />
300<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Delegation<br />
1. The Roles section defines the type of role that a user or group will have.<br />
Each role has some rights. The Global Policy Administrator and Partition<br />
Delegated Administrator roles are pre-defined. The <strong>iPrism</strong>-wide and<br />
Partition-wide Privileged Users roles can be customized.<br />
• Global Policy Administrator (GPA): The GPA has full management<br />
rights to manage global policies, including Web/IMP2P profile<br />
mapping, Lock ACL, and logging in to system configuration tools<br />
and administer global filtering policies. The GPA can also access<br />
reports, filter management, and overrides. Use this role to delegate<br />
management policies of the entire <strong>iPrism</strong> to a user.<br />
• Delegated Partition Administrator (DPA): The DPA has the right<br />
to log in to the system configuration tool to administer the filtering<br />
policies for the selected partition(s). It also has full access to the<br />
reports and overrides of the partition(s). This user does not have the<br />
right to manage custom filters; only the GPA and the Super User<br />
(<strong>iPrism</strong> account) can do this. Use this role to delegate the<br />
management policies of a partition to a different administrator.<br />
• <strong>iPrism</strong>-wide Privileged User: This role assigns specific rights for the<br />
entire <strong>iPrism</strong>; e.g., you can create a privilege that has full reporting<br />
access and overrides for the entire <strong>iPrism</strong>.<br />
• Partition-wide Privileged User: This role assigns specific rights for<br />
the selected partition(s); e.g., you can create a privilege that has full<br />
reporting access for a specific partition.<br />
2. The Rights - Report Access section defines the access an administrator<br />
has to reporting. The following options are available:<br />
• None: No access is allowed to the reporting system.<br />
• Full: Allows complete access to the reporting system.<br />
• Access To Profile: Users can only access a specific profile selected<br />
from the list to the right of this selection. The special profile [User]<br />
indicates the profile currently assigned to the user.<br />
• Access To Network Range: Users can only run reports on a limited<br />
range of IP addresses. The specific addresses are entered using the<br />
two IP address fields:<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
301
Partitions and Delegation<br />
Note: Report restrictions are silently applied when the user runs<br />
reports. For example, if a user is restricted to a given network range,<br />
all reports contain data for just that network range, even if a larger<br />
range was specified in the report itself.<br />
3. The Custom Filters section controls access to the Filter Manager. Select<br />
None to prevent users from accessing the Filter Manager and Full to<br />
give them complete access. This right is only available for <strong>iPrism</strong>-wide<br />
Privileged Users or Global Policy Administrators.<br />
4. The Override Privileges section fine-tunes the ability of the user to<br />
override a blocked request. The options are:<br />
• Can Not Override: The user can not override any URLs, even for<br />
themselves.<br />
• Self Only: The user can create an override for her/himself, but no one<br />
else.<br />
• Users As Follows: The user can create overrides for a group of users<br />
specified in the Users definition section. If Users As Follows is<br />
selected, the class of users for which the administrator can create<br />
overrides must be specified. The options are:<br />
• Current Workstation: The administrator can override URLs<br />
only for the workstation s/he is currently using. Since the<br />
overrides exist for a specific time period, the user can log in to<br />
a workstation, create an override, and log out, allowing<br />
another user to log in and benefit from the override setting.<br />
• Current User: The administrator can create an override for<br />
himself.<br />
• Current Partition: The administrator can create an override<br />
for the selected partition(s). This option is available for<br />
Partition-wide Privileged Users or Delegated Partition<br />
Administrators only.<br />
• Network Range: The administrator can create an override for<br />
a range of IP addresses. The specific addresses are specified in<br />
the Network section using the IP Start and IP End fields. This<br />
option is available for <strong>iPrism</strong>-wide Privileged Users or Global<br />
Policy Administrators only.<br />
302<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Delegation<br />
• Profile: The administrator can create an override for all users<br />
assigned a specific profile. The special profile [User] indicates<br />
the profile currently assigned to the administrator. For<br />
Partition-wide Privileged Users or Delegated Partition<br />
Administrators, the only available Profile is [User].<br />
• Everyone: The administrator has complete override<br />
capability.<br />
5. The Contents section defines which URLs can be overridden:<br />
• Current URL: Only the entire URL can be overridden.<br />
• Current Path: The path component is the part of the URL which<br />
appears after the host name. This allows overriding based on a<br />
specific path, regardless of the host name.<br />
• Current Domain: The domain name of the host part of the URL. For<br />
example, the domain for http://www.yahoo.com is yahoo.com. The<br />
<strong>iPrism</strong> system is aware of country codes, so the domain for http://<br />
www.amazon.co.uk/index.html is amazon.co.uk.<br />
• Current Category: This option allows the administrator to override<br />
all users that belong to the category of the URL being requested.<br />
• All URLs: The user can override any URL.<br />
6. The Maximum Duration field defines the amount of time an override<br />
can remain in effect.<br />
7. Once you have selected the appropriate options for the profile, click OK.<br />
Or, to cancel the changes, click Cancel.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
303
Partitions and Delegation<br />
Managing Policies as a Delegated Partition<br />
Administrator<br />
Delegated Partition Administrators (DPAs) see a subsection of the screens<br />
available to the Super User. The main areas available to a DPA are Users,<br />
Access, and Reports.<br />
The options available to the DPA in the Users screen vary, depending on<br />
what privileges they have been assigned. The DPA in the screen above was<br />
given Full Access privileges.<br />
304<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Managing Policies as a Delegated Partition Administrator<br />
FIGURE 121. DPA Access screen<br />
The DPA in the screen above has Full Access privileges, giving them access<br />
to all of the tabs in the Access section of the <strong>iPrism</strong><br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
305
Partitions and Delegation<br />
configuration.<br />
As with the previous screens, the DPA’s view is dependent upon the<br />
privileges they have been assigned. The DPA in the screen above was given<br />
reporting access.<br />
306<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Appendix A<br />
Filtering<br />
Categories<br />
This appendix lists the filtering categories in the iGuard database. This is<br />
the URL database that <strong>iPrism</strong> uses to determine a URL’s category<br />
designation. These are also the categories of content that you can choose to<br />
block and/or monitor when configuring an Access Control List in <strong>iPrism</strong>.<br />
Note: Local categories are not included here; the only categories that are<br />
included here are those that are determined by the iGuard database.<br />
The iGuard database is constantly being updated, and the categories are<br />
subject to change as new and different types of content are encountered. To<br />
see the very latest list of categories, as well as descriptions of each, you<br />
should refer to the online resource at:<br />
http://www.stbernard.com/products/support/iprism/support_iprism-cats.asp<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
307
iGuard Site Rating Categories<br />
Questionable<br />
Copyright Infringement<br />
This category refers to sites that offer media, software, MP3,<br />
DVD movies or any other copyrighted materials that are<br />
bootlegged or illegally available for purchase or download. This<br />
category is often blocked to protect <strong>iPrism</strong> owners from liability<br />
caused by the download and installation of bootlegged software.<br />
Note that this category does not refer to sites that are specific to<br />
computer hacking.<br />
Examples:<br />
http://www.bitoogle.com/<br />
http://www.mp3search.com/<br />
http://www.ugpirates.com/<br />
Keywords:<br />
bootleg, illegal copy, plagiarize software, descrambler, serialz,<br />
warez, ripped and free MP3, patent, exclusive rights<br />
Computer Hacking<br />
This category refers to any site promoting questionable or illegal<br />
use of equipment and/or software to crack passwords, create<br />
viruses, gain access to other computers, and so on. This includes<br />
any site that offers instruction on how to hack as well. This does<br />
not include legitimate security information sites that are focused<br />
on the prevention of hacking.<br />
Examples:<br />
308<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
iGuard Site Rating Categories<br />
http://www.2600.com<br />
http://www.hackersplayground.com/<br />
http://www.illegalworld.com/<br />
Keywords:<br />
hacking, crack, toolz, warez, cryptanalysis, virus, password,<br />
crackz<br />
Intolerance/Extremism<br />
This category refers to any site advocating militant activities or<br />
extremism. This includes groups with extreme political views and<br />
intolerance to individuals and/or groups based upon<br />
discriminating or racial distinction.<br />
Examples:<br />
http://www.kukluxklan.bz/<br />
http://www.stormfront.org<br />
http://www.godhatesamerica.com/<br />
Keywords:<br />
KKK, skin heads, nazism, fascism, anti-Semitism, homophobia,<br />
hate speech, totalitarianism, absolutism, anti-gay, discrimination,<br />
racism, militias, bigotry, prejudice, fanaticism, radicalism<br />
Miscellaneous Questionable<br />
This category refers to sites that are considered questionable in<br />
nature and may involve illegal activities, but do not fall under<br />
another, more specific “questionable” category. These are sites<br />
that could contain information about conspiracy, scams or any<br />
other suspected fraudulent behavior or activity.<br />
Examples:<br />
http://www.stopwishing.com/<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
309
http://www.geniuspapers.com<br />
http://a4a.mahost.org/<br />
Keywords:<br />
anarchy, conspiracy, fraud, illegal, chain letters, pyramid scams,<br />
essay/term papers for sale<br />
Profanity<br />
This category refers to any site that contains profanity of any kind<br />
that is NOT classified under the SEX category. These are sites<br />
that have language that would not be permitted in common social<br />
situations. This may include swearing, blasphemy, vulgarity or<br />
any dialog with malicious intent. It should be noted that this<br />
category should also contain sites with language that implies<br />
profanity like some jokes, poems, letters, greeting cards, etc.<br />
Examples:<br />
http://www.tshirthell.com/<br />
http://www.eviladam.com<br />
http://www.wtfpeople.com/<br />
Keywords:<br />
swearing, cursing, vulgarity, strong lyrics, bad language<br />
Tasteless<br />
This category refers to sites that contain information on subjects<br />
such as mutilation, torture, horror, grotesque or any behavior that<br />
may be considered inappropriate for public audience. This will<br />
not include pornography, nudity, or sites dealing with sexuality,<br />
which have their own specific classifications.<br />
Examples:<br />
http://www.rotten.com<br />
310<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
iGuard Site Rating Categories<br />
http://www.deathgallery.com<br />
http://www.freakhole.com/<br />
Keywords:<br />
mutilation, horror, grotesque, torture, scat, gross, in bad taste, in<br />
poor taste, garish, vulgar<br />
Weapons/Bombs<br />
This category refers to any site promoting the use of weapons and/<br />
or bombs and the making of bombs. This does not include sites<br />
related to gun control (social issues).<br />
Examples:<br />
http://www.gunsamerica.com/<br />
http://www.thefiringline.com<br />
http://www.imperialweapons.com<br />
Keywords:<br />
guns, bombs, swords, knives, arms, armaments, artillery, arsenal,<br />
weaponry, military hardware<br />
Violence<br />
This category refers to sites that contain visual representations of<br />
or invitations to participate in violent acts. This may include war,<br />
crime, pranks, hazing, etc. A violent act may be considered any<br />
activity that uses physical force designed to injure another living<br />
being.<br />
Examples:<br />
http://www.fightworld.com<br />
http://www.fightauthority.com/<br />
http://www.whoopasstv.com/<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
311
Keywords:<br />
war, crime, pranks, hazing, injury, killing, backyard wrestling,<br />
fighting, hostility, brutality, cruelty, sadism, carnage<br />
Foreign Language<br />
This category refers to any site that is exclusively in a language<br />
other than English. If possible, the site should still be rated by<br />
subject matter if that is able to be determined. The “foreign<br />
language” category is strictly internal. It is not sent to our<br />
customers. When this rating is assigned, the URL is placed in a<br />
table to be rated again when the Analyst team is expanded to<br />
include foreign languages.<br />
Note: In many cases these sites have an “English” link that<br />
provides a translation of the site allowing an accurate rating.<br />
Examples:<br />
http://www.dmi.dk/<br />
http://www.hankooki.com/<br />
http://www.stchi.com/<br />
Society<br />
Alt/New Age<br />
This category refers to any site relating to the advocacy and/or<br />
information pertaining to the occult (i.e. witchcraft, voodoo, black<br />
arts) astrology, ESP or similar forms of telepathy, fortune telling,<br />
out-of-body experience, magic, spirituality, and UFOs. Note that<br />
common horoscopes found in daily newspapers are not a part of<br />
this category. Any site that relates to new age meditation practices<br />
or the study of new age principles should be included in this<br />
category.<br />
312<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
iGuard Site Rating Categories<br />
Note: Occult will be defined as anything pertaining to any system<br />
claiming use or knowledge of secret or supernatural powers or<br />
agencies.<br />
Examples:<br />
http://www.crystalhealing.co.nz/<br />
http://www.pandbox.com<br />
http://wicca.net/<br />
Keywords:<br />
horoscopes, goddesses, witchcraft, voodoo, Wicca, spells, palm<br />
reading, fortune telling<br />
Art/Culture<br />
This category refers to any site relating to the arts or culture.<br />
Culture includes the beliefs, customs, practices, and social<br />
behavior of a particular nation or people. The arts include the<br />
creation of beautiful or thought-provoking works, for example, in<br />
paintings, pictures, drawings, or writings. Sites falling into this<br />
category include virtual art galleries, museums, architecture,<br />
contemporary and fine art.<br />
Examples:<br />
http://www.binggallery.com<br />
http://www.ago.net/<br />
http://www.kamat.com/<br />
Keywords:<br />
clip art, museums, galleries, traditions, customs, art gallery,<br />
contemporary art, fine art, painting, sculpture<br />
Government<br />
This category refers to any site that is associated with<br />
governments and/or their militaries. This includes federal, state,<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
313
county, city and local governments as well as any government<br />
agency. This does not include general information about a<br />
specific geographical location (state, city, etc) – these sites should<br />
be classified as Travel. A strong indication is a domain identifier<br />
of either “gov” or “mil”.<br />
Examples:<br />
http://www.whitehouse.gov<br />
http://www.dmv.ca.gov<br />
http://www.nic.mil<br />
Keywords:<br />
military, white house, senate, congress, FBI, CIA, IRS, federal,<br />
state, county, city government, government agencies, regime, fire<br />
dept., post office, foreign governments<br />
Politics<br />
This category refers to any site that is associated with political<br />
advocacy of any type or the opinions of the government. This<br />
includes any site promoting or containing information on any<br />
political party, pro or con. This includes registered and officially<br />
recognized political parties. Sites that inform or promote an<br />
election of any political office receive this rating. It does not<br />
include official government sites.<br />
Examples:<br />
http://www.northernvirginiagop.com<br />
http://www.rnc.org/<br />
http://www.declareyourself.com/<br />
Keywords:<br />
republican, democrat, grassroots, voting, political affairs, affairs<br />
of state and policy, mayoral races, local districts, elections<br />
314<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
iGuard Site Rating Categories<br />
News<br />
This category refers to any site that is associated with online<br />
newspapers, headline news sites, news wiring services,<br />
personalized news services and mainstream publications. Some<br />
online magazines will be given this rating along with another (i.e.<br />
www.wired.com will be news and Science & Tech). This does not<br />
include Usenet (classified as discussion forums).<br />
Examples:<br />
http://www.cnn.com<br />
http://www.suntimes.com<br />
http://www.usatoday.com<br />
Keywords:<br />
newspapers, magazines, wire service, publications, headlines<br />
Classifieds<br />
Sites that offer and advertise ads for barter or sale of merchandise<br />
or services.<br />
Examples:<br />
http://www.usfreeads.com/<br />
http://www.oodle.com<br />
http://classifieds.suntimes.com<br />
http://www.southsoundclassifieds.com/<br />
Keywords:<br />
place an ad, post ads, sell an item<br />
Religion<br />
This category refers to any site that pertains to mainstream<br />
religions, religious activities or participation. This includes<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
315
information relating to any common religious organization. This<br />
is a stand-alone category.<br />
Examples:<br />
http://www.homechurch.com<br />
http://www.gospel.com<br />
http://www.wop.com<br />
Keywords:<br />
church, synagogue, temple, worship, ministries, atheism, faith,<br />
belief, creed, religious conviction, bible study, youth ministry<br />
Cult<br />
This category refers to any site that advocates or discusses<br />
information relating to the use of or membership in cults. Cults<br />
are defined as a group or movement exhibiting great or excessive<br />
devotion or dedication to some person, idea or thing. Cults<br />
employ unethical, manipulative or coercive techniques of<br />
persuasion and control designed to advance the goals of the group<br />
leaders, to the detriment of the members, their families or the<br />
community. Sites that relate to the practice or advocacy of<br />
common religions do not belong here as well as any site that<br />
serves to educate on the perils of cult activity.<br />
Examples:<br />
http://lastdaysministry.com<br />
http://www.rael.org<br />
http://www.the600club.com<br />
Keywords:<br />
coercion, manipulation, sect, faction, satanic<br />
316<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
iGuard Site Rating Categories<br />
Alternative Lifestyle<br />
Sites that contain information relating to gay, lesbian or bisexual<br />
lifestyles. This excludes sites that are about social issues or<br />
contain sexual content. Sites that promote the lifestyle but are of<br />
business or professional nature are not included in this category.<br />
Examples:<br />
http://www.outproud.org/<br />
http://gbltc.asuw.org/<br />
http://www.thetaskforce.org/<br />
http://www.sgn.org/<br />
http://www.glaad.org/<br />
Keywords:<br />
GLBT communities, news, organization<br />
Business<br />
Specialized Shopping<br />
This category refers to any site that sells a specific item(s) or<br />
product(s) that can be purchased using the Internet or telephone<br />
with minimal effort using information on the site. This rating is<br />
sometimes accompanied by another rating depending on the<br />
subject matter of the items sold.<br />
Examples:<br />
http://www.art.com<br />
http://www.carparts.com<br />
http://www.furniture.com<br />
Keywords:<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
317
online ordering, shopping cart, visa/mc accepted, add to cart,<br />
purchase<br />
Dining/Restaurant<br />
Sites that list, review, promote, market or advertise food<br />
service and eating establishments. Included are catering services,<br />
dining guides and recipes.<br />
Examples:<br />
http://www.tonyromas.com<br />
http://restaurants.com<br />
http://cooker.com<br />
http://www.restaurantrow.com/<br />
http://ruthschris.com/<br />
Keywords:<br />
menus, locations, online recipes, dining guide, reviews, cooking,<br />
reservations<br />
Real Estate<br />
Information or services related to buying/selling, renting or<br />
financing property.<br />
Examples:<br />
http://www.sandiegohomes.com/<br />
http://www.remax.com/<br />
http://www.realtor.com<br />
http://www.rent.com/<br />
http://www.apartments.com/<br />
Keywords:<br />
rentals, listings, apartments, condos, realtor, residential homes,<br />
commercial property, home finance, mortgages, property search<br />
318<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
iGuard Site Rating Categories<br />
Automotive<br />
Sites that offer repair, maintenance, parts, sale or other services.<br />
Examples:<br />
http://www.convoyautorepair.com<br />
http://www.automotive.com/<br />
http://www.autonews.com/<br />
http://autopedia.com/<br />
http://www.cars.com<br />
Keywords:<br />
new cars, used cars, blue book, vehicle make/model, auto dealers,<br />
mechanics, motorcycles, off road vehicles<br />
Internet Services<br />
Site that offer services to assist in Internet communication.<br />
Examples:<br />
http://www.earthlink.net/<br />
http://mydatanet.com/<br />
http://www.juno.com/<br />
http://www.isp.com<br />
http://www.netzero.net/<br />
http://www.voiceoveripserviceproviders.com/<br />
Keywords:<br />
web design, Internet access, wireless service, high speed,<br />
broadband, isp, web hosting services<br />
Corporate Marketing<br />
This category refers to any site that offers corporate info and<br />
product information, but does not specifically sell their products<br />
online.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
319
Examples:<br />
http://www.deltaco.com<br />
http://www.honda.com<br />
http://www.mcdonalds.com/<br />
Keywords:<br />
corporate info, product info, company info, advertising,<br />
promotion<br />
Finance<br />
This category refers to any site that provides investment<br />
information, stocks, bonds, mutual funds, newsletters, tips, and<br />
firms that offers these services (including banks).<br />
Examples:<br />
http://investing.lycos.com<br />
http://www.etrade.com<br />
http://www.datek.com<br />
Keywords:<br />
loans, futures, options, currency, estate planning, asset planning,<br />
retirement planning, taxes, bankruptcy, stocks, bonds, mutual<br />
funds, banks, economics, investment, funding<br />
Job/Employment Search<br />
This category refers to sites that provide jobs or employment<br />
services. Includes temp agencies, career resources and resume<br />
services. Corporate sites containing a “Jobs” section should have<br />
the specific jobs area classified in this category.<br />
Examples:<br />
http://www.monster.com<br />
320<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
iGuard Site Rating Categories<br />
http://www.hotjobs.com<br />
http://www.kellyservices.com/<br />
Keywords:<br />
jobs, temp agencies, career, resume builder, headhunter<br />
Professional Services<br />
This category refers to business related sites that include technical<br />
and professional services. Normally these businesses sell a<br />
service such as legal or consulting rather than a product. This<br />
excludes professional sites relating to health (doctors, hospitals,<br />
etc) that should be classified as ‘Health’.<br />
Examples:<br />
http://www.ei.com<br />
http://www.c2graphics.com<br />
http://www.leveltendesigns.com/<br />
Keywords:<br />
firms, consulting, legal services, accounting services, insurance<br />
Online Auctions<br />
This category refers to sites that involve participating in online<br />
auctions, where the site visitor can bid on various items.<br />
Examples:<br />
http://www.ebay.com<br />
http://auctions.yahoo.com<br />
http://www.atozbid.com<br />
Keywords:<br />
eBay, bidding, trading, auction, public sale, Dutch auction<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
321
Sex<br />
Adult<br />
This category refers to sites that are adult in nature and are not<br />
defined in other rating categories. Sites that have adult themes are<br />
those that are associated with the following concepts: Adult<br />
oriented entertainment not defined as Porn, sale of penis<br />
enlargement products, erectile dysfunction products, online<br />
pharmacies, and mail order brides. These sites are usually<br />
intended for mature persons.<br />
Examples:<br />
http://www.mailorderbrides.com/<br />
http://www.personals.com<br />
http://www.matchmaker.com<br />
Keywords:<br />
mature subjects, mail order brides, penis enlargement, Viagra/<br />
Cialis, online pharmacy<br />
Lingerie/Bikini<br />
This category refers to sites displaying or dedicated to bikini or<br />
lingerie that could be considered for adults only. Sites about<br />
modeling would not be included in this area.<br />
Examples:<br />
http://www.bikinihangout.com/<br />
http://www.victoriassecret.com<br />
http://www.outdoorgirl.net/<br />
Keywords:<br />
bikini, swimsuits, garters, underwear (male and female)<br />
322<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
iGuard Site Rating Categories<br />
Nudity<br />
This category refers to sites that provide images or representations<br />
of nudity. They may be in any artistic or non-artistic form like<br />
magazines, pictures, paintings, sculptures, etc. This category<br />
should be assigned to those sites that display both partial and full<br />
nudity but the images are not pornographic in nature.<br />
Examples:<br />
http://www.photo.net/nudes<br />
http://www.naturistart.com/<br />
http://www.naturistworld.com/<br />
Keywords:<br />
nudes, body images, nudist colonies, before/after pictures of<br />
cosmetic surgery<br />
Pornography<br />
This category covers anything relating to pornography, including<br />
mild depiction, soft pornography and hard-core pornography.<br />
Pornography pertains to writings, photographs, movies, etc.<br />
intended to arouse sexual excitement. Also, any site offering<br />
memberships that may provide access to other pornographic sites<br />
will fit into this category.<br />
Examples:<br />
http://www.playboy.com<br />
http://www.penthouse.com<br />
http://www.persiankitty.com<br />
Keywords:<br />
smut, graphic pictures, arousal, sex, escorts, erotica<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
323
Sexuality<br />
This category contains sites that provide information, images or<br />
implications of body piercing, tattoos and any form of body art.<br />
Sites not in this category are those that contain images or<br />
information about sexual acts as discussed in the Pornography<br />
and Nudity categories.<br />
Note: This category implies adult content in nature; therefore a<br />
rating of ‘Adult’ and ‘Sexuality’is not necessary.<br />
Examples:<br />
http://piercing.org<br />
http://www.tattoonow.com/<br />
http://www.thechateau.com/<br />
Keywords:<br />
tattoos, piercing, body art, skin art, henna<br />
Health<br />
Alcohol/Tobacco<br />
This category refers to sites that support the use of alcohol and<br />
tobacco products. They may be commercial sites, such as Philip<br />
Morris and Anheuser Busch, or sites that support the use of<br />
alcohol and tobacco related products. This category does not refer<br />
to sites that contain educational info about the hazards of alcohol<br />
and tobacco products.<br />
Examples:<br />
http://www.budweiser.com<br />
http://www.richardsliquors.com<br />
http://www.cigarettesexpress.com<br />
Keywords:<br />
324<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
iGuard Site Rating Categories<br />
cigarettes, beer, wine, liquor, smoking, drunk, breweries, bars<br />
Drugs<br />
This category refers to sites associated with the use, legalization<br />
or advocacy of illegal drugs and the illegal use of prescription<br />
drugs. Exempt from this category are sites that attempt to relay<br />
educational information about the dangers of drug use and sites<br />
relating to the products of pharmaceutical companies (should be<br />
classified as ‘Health’).<br />
Examples:<br />
http://www.yahooka.com<br />
http://www.homemadedrugs.net/<br />
http://www.norml.org<br />
Keywords:<br />
bong, marijuana, cocaine, paraphernalia<br />
Health<br />
This category refers to sites that claim to improve an individual's<br />
well being either medically, organically or through support.<br />
Examples:<br />
http://www.webmd.com<br />
http://www.deltadental.com<br />
http://health.yahoo.com<br />
Keywords:<br />
doctors, hospitals, medications, fitness, nutrition, dentists, weight<br />
loss, massage, cosmetic surgery, day spas, diet, clinics,<br />
ophthalmology<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
325
Adult Sex Education<br />
This category refers to sites that provide sexual education<br />
information to anyone who has graduated from high school.<br />
Topics would include how to put on a condom, masturbation and<br />
other adult topics such as orgasm and ejaculation. Topics that are<br />
dealt with in the adult themes category or sexuality category<br />
would not be covered here.<br />
Examples:<br />
http://www.sexualcounselling.com/<br />
http://www.sexhealth.org/<br />
http://www.sexhealthinplainenglish.com/<br />
Keywords:<br />
kama sutra, sex techniques/tips, masturbation, condoms<br />
Recreation<br />
Entertainment<br />
This category refers to sites associated with passive activities –<br />
meaning visitors are looking for “sit back and entertain me” sites<br />
such as those dealing with theatre, online comics, anime,<br />
amusement parks, clubs, etc.<br />
Examples:<br />
http://www.theatre.com<br />
http://www.playbill.com<br />
http://www.comics.com<br />
Keywords:<br />
clubs, anime, comics, e cards, theatre, plays, musicals<br />
326<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
iGuard Site Rating Categories<br />
Gambling<br />
This category refers to any site that presents information about<br />
gambling for the purpose of advocating its practice. These sites<br />
can provide instruction on any gaming activity that involves<br />
gambling or provide actual on-line gambling. Sites that attempt to<br />
educate the public on the dangers and/or cures for gambling<br />
problems do not belong in this category.<br />
Examples:<br />
http://www.betexchange.net<br />
http://www.beverlyhillsbookie.com/<br />
http://www.gambling.com<br />
Keywords:<br />
casinos, betting, bookies, odds, handicap, gaming, poker<br />
Games<br />
This category refers to any site that is associated with traditional<br />
board games, role-playing games and pursuits. This includes sites<br />
that promote game makers (Mattel), electronic games, video<br />
games, computer games or online games. This category includes<br />
both game hardware & software. Also included are tips, advice<br />
and cheat codes on playing computer/Internet based games and<br />
websites hosting games and contests.<br />
Examples:<br />
http://www.solitaire.com<br />
http://games.yahoo.com<br />
http://www.gamespot.com<br />
Keywords:<br />
cheats, codes, clans, video games, contests, fantasy sports,<br />
lotteries, bingo<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
327
Hobbies/Leisure<br />
This category refers to any site associated with the noncompetitive<br />
active pursuits or interests outside one's regular<br />
occupation or an activity engaged in for pleasure and relaxation<br />
during spare time. This would include pet lover sites, sewing,<br />
model building/making, woodcarving, stamp/coin collecting,<br />
mountain biking, hiking, etc. Note that sites dealing with<br />
competitive pursuits should be considered as sports.<br />
Examples:<br />
http://www.nmra.com/<br />
http://www.stamps.org/<br />
http://www.boat-show.com<br />
Keywords:<br />
collecting, pastime, leisure pursuit, diversion, sideline, model<br />
trains, personal homepages (non-offensive)<br />
Mature Humor<br />
This category refers to any site that contains mature themes and<br />
humor that may not be suitable for children, but do not contain<br />
pornography or strong profanity. These sites may contain a<br />
limited amount of “PG-13” profanity without a profanity rating.<br />
Examples:<br />
http://www.theonion.com<br />
http://www.laughgallery.com<br />
http://www.fark.com/<br />
Keywords:<br />
jokes, humor, anecdotes<br />
328<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
iGuard Site Rating Categories<br />
Television /Movies<br />
Sites that promote or provide content relating to television<br />
programming or movies.<br />
Examples:<br />
http://abc.go.com/<br />
http://nbc.com<br />
http://pixar.com<br />
http://allmovie.com<br />
http://imdb.com<br />
Keywords:<br />
film, TV, Local Listings, episodes, movie database<br />
Note: Sites that contain streaming media or downloadable files<br />
such as previews or trailers should include the rating of digital<br />
media.<br />
Music<br />
Sites that promote music for entertainment purposes relating to<br />
bands, concerts, festivals, orchestras, symphonies and disc<br />
jockeys.<br />
Examples:<br />
http://www.trapt.com<br />
http://discjockeys.com<br />
http://metallica.com<br />
http://rcarecords.com<br />
http://www.philorch.org<br />
Keywords:<br />
DJs, tour dates, fanzone, discography, albums<br />
Note: Sites that provide mp3, streaming or other downloadable<br />
media will also be rated digital media.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
329
Digital Media<br />
Digital audio, video and other technologies that can be accessible<br />
to stream, download or share.<br />
Examples:<br />
http://www.ifilm.com<br />
http://www.youtube.com/<br />
http://www.videoegg.com/<br />
http://www.jumpcut.com/<br />
Keywords:<br />
upload/download videos, watch, create, share, mp3, mp4, mpeg<br />
Radio Stations<br />
Sites whose purpose is to provide and/or promote music, talk or<br />
sports radio. These sites have live streams and/or archived<br />
listening available.<br />
Examples:<br />
http://www.kioz.com<br />
http://www.wrko.com/<br />
http://www.wfan.com/<br />
Keywords:<br />
streaming audio, listen now, on air, live feed<br />
Social Networking / Dating<br />
Sites that offer free or paid services that promote interaction,<br />
dating or other networking through forums, chat, email or other<br />
methods.<br />
Examples:<br />
330<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
iGuard Site Rating Categories<br />
http://www.match.comhttp://www.myspace.com<br />
http://friendfinder.com<br />
http://eharmony.com<br />
http://okcupid.com<br />
http://www.friendster.com/<br />
Keywords:<br />
singles, online dating, personals, connections, find/make friends,<br />
matchmakers<br />
Special Interests<br />
Interest groups/clubs that include environmental, worker, social,<br />
and philanthropic organizations. These include alumni<br />
associations and all non-profit organizations.<br />
Examples:<br />
http://www.amexp.org/<br />
http://charity.org<br />
http://surfrider.org<br />
http://www.ncna.org/<br />
http://www.teamsters.com/<br />
Keywords:<br />
associations, foundations, charities, chapters, non-profits,<br />
donations, alumni<br />
Sports<br />
This category refers to any site that contains information about<br />
sports or sports related activities. This includes sites that provide<br />
sports scores or games. These sites may also contain information<br />
about sporting events, camps, teams or outings. Sports are defined<br />
as organized and competitive athletics.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
331
Examples:<br />
http://www.espn.com<br />
http://www.mlb.com<br />
http://www.nba.com<br />
Keywords:<br />
baseball, football, tennis, basketball, golf, teams, motor sports,<br />
NCAA, high school sports, little league<br />
Travel<br />
This category refers to sites specializing in travel and travelrelated<br />
information or activities. This includes travel destinations,<br />
reservation services, discount travel listings, leisure travel<br />
package listings, and special events in various cities. Also<br />
included are sightseeing guides, airlines and online flight booking<br />
agencies, accommodations and rental cars. Additional items such<br />
as chamber of commerce or non-government information<br />
pertaining to a given city or region can also be assigned this<br />
category.<br />
Examples:<br />
http://www.lasvegastours.com<br />
http://www.visit.hawaii.org<br />
http://www.travelocity.com<br />
Keywords:<br />
bed & breakfast, reservations, flights, trips, airlines, travel agent,<br />
cruise, vacation, site seeing, tourist, tour, voyage, timeshare,<br />
rental cars<br />
332<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
iGuard Site Rating Categories<br />
Web Log (Blog)<br />
Journals, diaries or newsletters that can be updated daily usually<br />
involving personal thoughts/opinions on Internet, social or<br />
political issues. Other categories can be added to further classify.<br />
Examples:<br />
http://krose.typepad.com/kevinrose/<br />
http://blogger.com<br />
http://globeofblogs.com<br />
http://joelion.com/<br />
http://cnewmark.com/<br />
Keywords:<br />
blogroll, posts, comments, post thoughts, archives<br />
Internet (Web)<br />
Anonymizer<br />
This category refers to sites that allow the user to surf the net<br />
anonymously. It also refers to sites that allow the user to send<br />
anonymous emails. This also includes sites providing proxy<br />
bypass information or services.<br />
Examples:<br />
http://www.silentsurf.com<br />
http://www.proxify.com/<br />
http://www.anonymizer.com<br />
Keywords:<br />
anonymous surfing, fake email, proxy bypass, web based proxy<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
333
Discussion Forums<br />
This category refers to sites dedicates to Usenet, Usenet news,<br />
forums, newsgroups, online bulletin board system.<br />
Examples:<br />
http://discussions.apple.com<br />
http://www.driverforum.com<br />
http://www.smr-archive.com<br />
Keywords:<br />
forums, newsgroups, bulletin boards, Usenet<br />
Online Chat<br />
This category refers to any site that offers access to, software for<br />
or participation in any Internet chat forum. The notion of chat<br />
should be associated with any online conversation involving at<br />
least two people that takes place in real time. If a site offers chat<br />
as one of it's services, then the exact location where chat is taking<br />
place will be rated as 'Chat'.<br />
Examples:<br />
http://chat.yahoo.com<br />
http://chat.msn.com/<br />
http://www.chat.net<br />
Keywords:<br />
chat, post, IRC, ICQ<br />
Translators<br />
This category refers to any site that offers the service of<br />
translating a page, URL, or phrase into various different<br />
languages.<br />
334<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
iGuard Site Rating Categories<br />
Examples:<br />
http://world.altavista.com<br />
http://www.freetranslation.com/<br />
http://www.translation2.paralink.com/<br />
Keywords:<br />
languages, online translation<br />
Image Host<br />
Sites that provide image hosting, linking and/or sharing. This<br />
includes videos and pictures.<br />
Example:<br />
http://imageshack.us/<br />
http://www.streamdump.com/<br />
http://tinypic.com/<br />
http://photobucket.com/<br />
http://www.freeimagehosting.net/<br />
http://www.webshots.com/<br />
http://www.easyavatar.com/<br />
http://www.flickr.com/<br />
Keywords:<br />
create/ link/ share/ host image, jpg, gif, tif, png<br />
File Host<br />
Sites that offer hosting, backup and sharing of files on the<br />
Internet.<br />
Examples:<br />
http://www.filefactory.com/<br />
http://www.fileden.com/<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
335
http://www.fileburst.com<br />
http://www.tradebit.com/<br />
http://www.turboupload.com/<br />
http://rapidshare.de/<br />
Keywords:<br />
file management, file storage, file sharing, upload files,<br />
storage<br />
Peer to Peer<br />
Sites that provide client software to enable peer to peer file<br />
sharing and transfer.<br />
Examples:<br />
http://www.gnutella.com/<br />
http://kazaa.com<br />
http://www.zeropaid.com/<br />
http://www.avvenu.com/<br />
http://www.limewire.com<br />
Keywords:<br />
file sharing, P2P, client-server, ad-hoc, tor<br />
Email Host<br />
Sites that provide email accounts, free or otherwise.<br />
Examples:<br />
http://www.hotmail.com<br />
http://mail.yahoo.com<br />
http://www.gmail.com/<br />
Keywords:<br />
336<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
iGuard Site Rating Categories<br />
email, POP3, accounts<br />
Safe Search Engine<br />
This category refers to any search site that is specifically targeted<br />
toward families and children. Safe search engines will not allow<br />
the child or family member to search for pornography.<br />
Examples:<br />
http://www.yahooligans.com<br />
http://www.dibdabdoo.com/<br />
http://www.ajkids.com<br />
Keywords:<br />
kids searches, family safe, kid safe<br />
Sharewares Download<br />
This category refers to sites that specialize in the downloading of<br />
*legal* software.<br />
Examples:<br />
http://www.shareware.com<br />
http://www.jumbo.com/<br />
http://www.tucows.com<br />
Keywords:<br />
desktop themes, wallpapers, screen savers, legal software,<br />
downloads, shareware, freeware<br />
Web Banners<br />
This category refers to sites that provide service links/ banners/<br />
ads for websites. This could also include redirect services.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
337
Examples:<br />
http://www.banner-link.com<br />
http://www.123banners.com<br />
http://www.free-banners.com<br />
Keywords:<br />
links, banners, ads, redirects, spam urls, gibberish urls<br />
Web Host<br />
This category refers to sites that offer web hosting services, free<br />
or otherwise. These sites would usually offer domain names and<br />
web spaces to host end-user web pages.<br />
Note: Sites that offer web hosting as one of their services would<br />
get rated as web host only at the location where actual web hosting<br />
is taken place.<br />
Examples:<br />
http://www.geocities.com<br />
http://www.tripod.com<br />
http://www.angelfire.com<br />
Keywords:hosting, domain names<br />
Web Search<br />
This category refers to sites that specialize or offer a Web search<br />
engine. Sites containing links to other search engines or sitespecific<br />
search functionality do not qualify for this rating.<br />
Examples:<br />
http://www.yahoo.com<br />
http://www.google.com<br />
http://www.altavista.com<br />
338<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
iGuard Site Rating Categories<br />
Keywords:<br />
search engines, directories<br />
Portals<br />
Sites that offer multiple web based services to assist a users<br />
experience on the Internet.<br />
Examples:<br />
http://www.aol.com/<br />
http://www.msn.com/<br />
http://www.buzzle.com/<br />
Keywords:<br />
email, search, marketplace, forums, news, directory<br />
Education<br />
Continuing Education/Colleges<br />
This category refers to sites that contain institutions/colleges<br />
offering formal course studies for adults. College homepages will<br />
fall into this category as well as distance education, degree<br />
programs for part time students, vocation and adult education.<br />
Examples:<br />
http://www.grossmont.edu/<br />
http://www.ucsd.edu<br />
http://www.photofieldschool.com<br />
Keywords:<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
339
colleges, universities, junior colleges, trade schools, vocational<br />
schools, ESL<br />
History<br />
This category refers to sites that offer a systematic, written and<br />
methodical record of past events. These events are arranged as to<br />
show the connection of causes and effects, to give an analysis of<br />
motive and action, etc.<br />
Examples:<br />
http://www.civilwarsite.com<br />
http://www.thehistorychannel.com<br />
http://www.history.com<br />
Keywords:<br />
past events, historical information, genealogy<br />
K-12<br />
This category refers to sites dealing with the education of<br />
children. Also included in this category are sites with the<br />
identifier of “K12” (Kindergarten through 12 th grade) in the URL.<br />
Preschools and day care centers also qualify for this rating.<br />
Examples:<br />
http://www.cathedralcatholic.org/<br />
http://www.goshenschools.org<br />
http://www.forestlake.org<br />
Keywords:<br />
high schools, elementary, junior high, child education, school<br />
districts, preschools, day care<br />
340<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
iGuard Site Rating Categories<br />
Reference Sites<br />
This category refers to site specifically dedicated to providing a<br />
research method on one or more subject matters.<br />
Examples:<br />
http://www.radnorlibrary.org<br />
http://www.mvls.info/<br />
http://www.libraryspot.com/<br />
Keywords:<br />
libraries, databases, yellow pages, people finder<br />
Sci/Tech<br />
This category refers to sites that relate specifically to education in<br />
Science and Technology. Also included in this category are sites<br />
relating to education with emphasis on computers, astronomy,<br />
programming, physics, etc.<br />
Examples:<br />
http://www.pcworld.com/<br />
http://www.astronomy.com<br />
http://www.aip.org/<br />
Keywords:<br />
astronomy, computers, programming, physics, NASA<br />
Sex Education<br />
This category refers to sites that are associated with sex education<br />
of children. This includes sites that offer information about sex,<br />
AIDS, sexually transmitted diseases, human reproduction,<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
341
contraceptives, medical research or any other sexually oriented<br />
material used to educate. Information within these sites may be<br />
minimal in nature as in technical journals, dictionaries,<br />
encyclopedias or other reference materials. Sites may also display<br />
subtle images or graphics showing sexual organs.<br />
Note: If a site is rated as 'K-12 Sex Education', it must not have<br />
any other rating.<br />
Examples:<br />
http://www.sxetc.org<br />
http://www.siecus.org<br />
http://www.teensource.org/<br />
Keywords:<br />
reproduction, contraceptives, family planning, safe sex<br />
Security Exploits<br />
Phishing<br />
Deceptive websites that trick end-users into revealing personal<br />
data such as credit card numbers, account usernames, passwords,<br />
social security numbers, etc. These websites pretend to be those<br />
of common, well-known sites such as banks and credit card<br />
companies.<br />
Examples:<br />
http://www.dotnetsql.com<br />
http://www.acctaccess-es.com<br />
http://www.paypal.com-cgi.us/<br />
Keywords:<br />
phishing, credit card fraud, identity theft<br />
342<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
iGuard Site Rating Categories<br />
Spyware/Adware<br />
Websites that are known to distribute or contain code that displays<br />
unwanted advertisements or gathers information about the user<br />
without the users knowledge. This information is oftentimes<br />
relayed to advertisers or other 3rd parties.<br />
Examples:<br />
http://www.gamebar.net<br />
http://www.esurveiller.com/<br />
http://www.seeq.com<br />
Keywords:<br />
spyware, adware, browser hijacker, keylogger<br />
Malware<br />
Websites that are known to contain harmful code that may modify<br />
a users system without the users knowledge.<br />
Examples:<br />
http://www.ivstil.ru/<br />
http://www.buddylinks.net<br />
http://www.1weight.us/<br />
Keywords:<br />
malware, virus, trojan, dialer, worm<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
343
344<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Configuring Browsers for Authentication<br />
Appendix B<br />
Configuring<br />
Browsers<br />
for<br />
Authenticati<br />
on<br />
Configuring Browsers for Authentication<br />
To enable browser-based authentication through <strong>iPrism</strong>, you must configure<br />
each browser to use <strong>iPrism</strong> as a proxy server. (Do NOT do this if you are<br />
using bridge (transparent) mode.) The following procedures describe how<br />
to make the necessary proxy settings in both Netscape Navigator and<br />
Internet Explorer web browsers.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
345
Configuring Netscape Navigator for Authentication<br />
1. In Netscape Navigator, open the Edit menu and select Preferences to<br />
display the Preferences window.<br />
2. In the Category list, double-click the word Advanced. This opens the<br />
Advanced menu so you can view the various menu options.<br />
3. Select Proxies from the Advanced menu to display the Proxies page.<br />
(See Figure 122)<br />
FIGURE 122. Proxy Settings in Netscape<br />
Select Proxies<br />
from the list of<br />
Advanced<br />
menu options.<br />
Select either Manual proxy configuration or Automatic proxy<br />
configuration, then enter the IP address that you assigned to the <strong>iPrism</strong><br />
unit in the appropriate field(s). When using the manual configuration, enter<br />
the IP address in the FTP Proxy, HTTP Proxy, and SSL Proxy fields.<br />
4. Since you will be assigning the same IP address to each protocol, you<br />
must select the Manual proxy configuration option.<br />
Enter the IP address that you assigned to your <strong>iPrism</strong> server in the FTP<br />
Proxy field, the HTTP Proxy field, and the SSL Proxy field. In the<br />
adjacent Port fields, enter the value “3128” next to each proxy field. The<br />
346<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Configuring Browsers for Authentication<br />
following example shows the proxy settings for <strong>iPrism</strong> unit that has an<br />
IP address of 192.168.0.6 and is using the default <strong>iPrism</strong> port (3128).<br />
Note: <strong>iPrism</strong> is not a SOCKS proxy. Leave the SOCKS Host<br />
field empty.<br />
5. After entering the settings, click OK. Your Netscape browser is now<br />
configured to use the new proxy settings.<br />
Configuring Internet Explorer for Authentication<br />
1. From within Internet Explorer, select the Tools menu, then select Internet<br />
Options.<br />
2. Select the Connections tab.<br />
3. Click LAN Settings to open the Local Area Network (LAN) Settings<br />
dialog box (see Figure 7).<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
347
FIGURE 123. LAN Settings<br />
4. In the Proxy Server frame, check the Use a proxy server checkbox.<br />
5. In the Address field, enter the IP address that you assigned to your<br />
<strong>iPrism</strong> server. (You do not have to put “http://” in front of it.) The example<br />
in Figure 7 shows the settings for an <strong>iPrism</strong> unit with the IP address<br />
192.168.1.1.<br />
6. In the Port field, enter “3128”.<br />
7. Note: If you want to manually specify the proxy address and port settings<br />
for each protocol (FTP, HTTP, etc.), click Advanced and type the<br />
information in the Proxy Settings dialog box. Uncheck the Use the same<br />
proxy server for all protocols checkbox, and type the <strong>iPrism</strong> IP address<br />
in the HTTP, Secure, FTP, and Gopher fields. Assign each line the Port<br />
value “3128”. (See Figure 124).<br />
8. Click OK.<br />
348<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Configuring Browsers for Authentication<br />
FIGURE 124. Manually Configuring Proxy Settings in IE<br />
9. If you do not want <strong>iPrism</strong> to filter local (e.g., Intranet) traffic, check<br />
Bypass proxy server for local addresses.<br />
10. Click OK.This browser is now configured to authenticate through<br />
<strong>iPrism</strong>.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
349
350<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Appendix C<br />
<strong>iPrism</strong><br />
Error<br />
Messages<br />
This section describes the more common error messages that you may<br />
encounter while using <strong>iPrism</strong>.<br />
The error conditions are listed by error name/type, one per page, and in no<br />
particular order. A description of the conditions that cause each error is<br />
provided as well as a screen shot showing the typical error page that is<br />
generated. Beneath each screen shot is a “What to Do” section that suggests<br />
how to correct the condition.<br />
Note: This appendix covers only the more common error messages; errors<br />
that occur only rarely are not included.<br />
<strong>iPrism</strong> List Update Error<br />
By default, <strong>iPrism</strong> downloads its filter list once per day. During the actual<br />
download, web access is not impacted. However, once the download is<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
351
complete, <strong>iPrism</strong> will need to reload its filter list. (This also occurs when<br />
custom filters are added or edited in the system.) The reload process<br />
typically lasts 2-5 seconds. During this time, <strong>iPrism</strong> will display the “<strong>iPrism</strong><br />
List Update” message as shown in Figure 125.<br />
FIGURE 125. <strong>iPrism</strong> List Updates Error<br />
What to Do:<br />
This message is not an error message and should only last for a few<br />
seconds. Contact St. Bernard Technical Support (www.stbernard.com/<br />
products/support/support.asp) if the message does not disappear.<br />
352<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
<strong>iPrism</strong> List Error<br />
<strong>iPrism</strong> needs a filter list to operate correctly. If a system is missing its filter<br />
list, it is possible to configure <strong>iPrism</strong> to ‘pass all’ or ‘block all’ HTTP traffic<br />
using the settings in the System section’s Preferences tab. Click<br />
Advanced in the Filter List Updates frame to access these settings.<br />
If <strong>iPrism</strong> is set to block all traffic when the filter list is missing, it will<br />
display the error shown below. Otherwise, all traffic will be passed<br />
unfiltered.<br />
FIGURE 126. <strong>iPrism</strong> List Error<br />
What to Do:<br />
This is an error condition. Contact St. Bernard Technical Support<br />
(www.stbernard.com/products/support/support.asp) to resolve this issue.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
353
<strong>iPrism</strong> Filter Service Expired Error<br />
If <strong>iPrism</strong>’s subscription to the filter list update expires, the error message<br />
shown in Figure 127 will be displayed:<br />
FIGURE 127. <strong>iPrism</strong> Filter Service Expired Error<br />
What to Do:<br />
<strong>iPrism</strong>’s registration key must be updated before access is possible. Contact<br />
St. Bernard Technical Support (www.stbernard.com/products/support/<br />
support.asp).<br />
354<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Access Denied Error<br />
The error shown in Figure 128 will display if any of the following<br />
conditions occur:<br />
• The IP address of the workstation trying to access <strong>iPrism</strong> is not allowed<br />
to access <strong>iPrism</strong>. If needed, the configuration can be updated by the system<br />
administrator from the Networks tab in the Access section.<br />
• The mode used by the workstation is not allowed. Workstations can<br />
access <strong>iPrism</strong> in proxy (direct mode), where the browser or application is<br />
configured to use <strong>iPrism</strong> as a proxy, or in bridge (transparent) mode (no<br />
browser configuration needed). Each mode can be independently disabled<br />
from the Networks tab in the Access section.<br />
• <strong>iPrism</strong> detected a routing loop. A routing loop occurs when the traffic<br />
that <strong>iPrism</strong> is sending to reach a website is being routed via <strong>iPrism</strong> again,<br />
causing <strong>iPrism</strong> to filter its own traffic. This is typically the result of configuring<br />
<strong>iPrism</strong>’s default gateway as a machine located on the internal<br />
interface of the appliance.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
355
•<br />
FIGURE 128. Access Denied Error<br />
What to Do:<br />
Check <strong>iPrism</strong>’s configuration (access and authentication) for the client<br />
workstation’s IP address; if looping occurs, check the routing setup.<br />
Authentication is Required Error<br />
The “Authentication is Required” error displays when a workstation<br />
operating in proxy mode does not authenticate or provide valid credentials<br />
(username and password). This may occur if the profile associated with the<br />
username is invalid (typically, an LDAP configuration error).<br />
356<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
FIGURE 129. Authentication is Required Error<br />
What to Do:<br />
Reload the page and provide your user credentials when prompted.<br />
Connection Failed Error<br />
If you get the “Connection Failed” message (see Figure 130), <strong>iPrism</strong> is not<br />
able to connect to the desired web server. This is typically the result of one<br />
of the following conditions:<br />
• The remote server is temporarily unavailable.<br />
• You entered a URL with an incorrect port number.<br />
• The connection is being denied by upstream equipment, such as a firewall.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
357
FIGURE 130. Connection Failed Error<br />
What to Do:<br />
• Check the URL to verify it is correct.<br />
• Try accessing the site again later.<br />
• Check your network environment for devices that may prohibit the connection.<br />
Unable to Determine IP Address Error<br />
The error “Unable to determine IP address from host name for ”<br />
indicates that <strong>iPrism</strong> is not able to resolve the hostname of the desired URL.<br />
If this happens only for a small number of websites, it is probably a<br />
transient network error with the web server’s DNS service, in which case<br />
you can try again later.<br />
358<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
If multiple (or all) web servers are showing the same symptoms, <strong>iPrism</strong>’s<br />
DNS service is unable to operate because its DNS master (if one is used)<br />
may be unreachable, or because it can not perform direct DNS requests.<br />
This would occur if a firewall were blocking ports UDP/53 and/or TCP/53.<br />
FIGURE 131. Unable to Determine IP Address from Host Name Error<br />
What to Do:<br />
Wait awhile and check the URL again; if the error occurs across multiple<br />
web servers, check <strong>iPrism</strong>’s DNS configuration and status.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
359
Invalid Request Error<br />
The “Invalid Request” error occurs when the syntax of the HTTP request<br />
submitted to <strong>iPrism</strong> is not valid and does not follow the HTTP protocol. A<br />
possible reason is that the request did not include the HTTP/1.x information<br />
on the HTTP request line. This error is infrequent in web browsers and<br />
more often occurs with other HTTP applications.<br />
FIGURE 132. Invalid Request Error<br />
What to Do:<br />
Check the request syntax as displayed by <strong>iPrism</strong> and fix the client software.<br />
360<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Invalid URL (Error)<br />
Much like the “Invalid Request” error on the previous page, the “Invalid<br />
URL” error occurs if <strong>iPrism</strong> detects that the request does not respect the<br />
HTTP RFC. In short, the syntax of the URL is incorrect. The usual reason<br />
this occurs has to do with invalid characters in the URL, and may happen if<br />
the web page contains such an invalid URL as a link.<br />
FIGURE 133. Invalid URL Error<br />
What do Do:<br />
Check the request’s syntax. If the URL is a link on a web page, you can also<br />
inform the remote website’s administrator.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
361
<strong>iPrism</strong> is in the Process of Reconfiguring Itself (Error)<br />
<strong>iPrism</strong> will display the message shown in Figure 134 while a<br />
reconfiguration is in progress.<br />
If the administrator made a change to the configuration, <strong>iPrism</strong> will reload<br />
its configuration. This is short-lived condition and the message should go<br />
away within 10 seconds.<br />
FIGURE 134. <strong>iPrism</strong> is in the Process of Reconfiguring Error<br />
What to Do:<br />
Retry after a few seconds. If the error message does not go away, Contact<br />
St. Bernard Technical Support (www.stbernard.com/products/support/<br />
support.asp).<br />
362<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Zero Sized Reply (Error)<br />
The “Zero Sized Reply” error occurs when no data is returned in the HTTP<br />
connection. This may happen under the following conditions:<br />
• The remote web server did not send actual data and closed the connection<br />
too early (typically a script error).<br />
• The remote web server is unable to reply.<br />
FIGURE 135. Zero Sized Reply Error<br />
What to Do:<br />
This is a problem on the web server you are trying to reach. Try again later<br />
or contact the web server’s administrator.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
363
Write Error / Broken Pipe<br />
This message is shown when <strong>iPrism</strong> is not able to establish a connection to<br />
a web server. A common reason is that an upstream firewall is closing<br />
connections (TCP resets), usually because it has reached a threshold in the<br />
maximum number of connections it will allow from <strong>iPrism</strong> (such as<br />
CISCO’s PIX).<br />
This can be addressed by managing the maximum number of connections<br />
on the firewall.<br />
FIGURE 136. Write Error<br />
What to Do:<br />
Check the network environment (firewall logs, routing).<br />
364<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Importing User Data into <strong>iPrism</strong><br />
Appendix D<br />
Importing/<br />
Exporting<br />
User Data<br />
If you decide to use local authentication through <strong>iPrism</strong>, then you have the<br />
option of either creating new user accounts or importing this data from an<br />
existing user database. Use the Import instructions provided in this chapter<br />
to help you properly prepare and transfer your data into <strong>iPrism</strong>.<br />
Once you have your user’s accounts properly configured, you have the<br />
option of exporting the user database as a backup measure. Follow the<br />
instructions provided later in this chapter.<br />
Importing User Data into <strong>iPrism</strong><br />
<strong>iPrism</strong> can import user data from a properly delimited text-based file.<br />
Follow the steps outline in this section to ensure that your data is properly<br />
formatted for import.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
365
Step 1: Prepare the User List For Import<br />
1. Prepare the user database so the fields will be exported in the order and<br />
data format specified in Table 8. (Name, Password, Admin Privilege<br />
Name, Use Network Profile? (Boolean), Profile Name, Notes.) This is<br />
the order in which <strong>iPrism</strong> will import the fields.<br />
2. Save or export the user records to a simple text-based format using either<br />
a comma, pipe(|), or Tab character between each field. (The same delimiter<br />
must be used for all records.)<br />
Table 8: Import Field Properties<br />
* If Use Network<br />
Profile is True, then<br />
a Profile Name is<br />
not required.<br />
Field Name Data Type Required<br />
Name Text Yes<br />
Password Text Yes<br />
Admin Privilege Name Text Yes<br />
Use Network Profile? Boolean Yes<br />
Profile Name* Text Yes<br />
Notes Text No<br />
Figure 137 shows an example of what a properly formatted user list<br />
should look like, using comma delimiters.<br />
FIGURE 137. Example of Comma-Delimited Import List<br />
judy,judypass,No access,false,BlockOffensive,normal user<br />
sandy,sandypass,Full Access,true,BlockOffensive,power admin<br />
bill,billpass,Single Override,true,PassAll,override me only<br />
jill,jullpass,Extended Override,true,BlockOffensive,override any<br />
sam,sampass,Reports Only,true,BlockOffensive,reporter<br />
Note: In this example, the Notes field is used to describe what<br />
the users access level would be.<br />
366<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Importing User Data into <strong>iPrism</strong><br />
Step 2: Import the User List into <strong>iPrism</strong><br />
Make sure you have properly prepared your import list before importing it<br />
into <strong>iPrism</strong>.<br />
1. Start the <strong>iPrism</strong> System Configuration tool, select the Users section, and<br />
click the Import/Export tab (see Figure 138).<br />
FIGURE 138. Import/Export Tab<br />
2. In the Import Users frame, click the Duplicate User Policy dropdown<br />
list and choose how you want <strong>iPrism</strong> to handle duplicate entries if they<br />
are encountered.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
367
• Prompt for action. <strong>iPrism</strong> will notify you each time a duplicate<br />
<strong>iPrism</strong> username is encountered, then ask you whether or not to overwrite<br />
the existing entry.<br />
• Retain existing. <strong>iPrism</strong> will keep your existing <strong>iPrism</strong> user intact<br />
when it encounters duplicate users.<br />
• Override existing. <strong>iPrism</strong> will replace a currently existing <strong>iPrism</strong><br />
user matching the username encountered in the import list.<br />
3. In the Import Users frame, click the Field Delimiter dropdown list and<br />
select the delimiting character that is used in the import file. (Comma,<br />
Pipe (“|”), or Tab).<br />
4. If you want to do a dry run of your import without actually making any<br />
changes to <strong>iPrism</strong>, click Preview and follow the onscreen instructions.<br />
This will report duplicate names as well as invalid data records, giving<br />
you a chance to make changes before performing the actual import.<br />
5. When you are ready to import the data, click Import. (If a Notice message<br />
displays, read it, then click OK.)<br />
The User Import File Location dialog box opens.<br />
6. Select the file you want to import and click Open.<br />
If duplicate records occur, you will be prompted to resolve them individually.<br />
When all the records are imported, a User Import Report dialog<br />
box displays the results (See Figure 139). This report shows each username<br />
that was imported and indicates whether that username was created<br />
(new) or replaced in the user list.<br />
368<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Exporting Local User Data from <strong>iPrism</strong><br />
FIGURE 139. <strong>iPrism</strong> User Import Report<br />
7. Click OK to close the Report dialog box.<br />
That’s it! When you click the Users tab, you will notice that the names<br />
you imported are now listed in the <strong>iPrism</strong> Users frame. If necessary, you<br />
can edit these records using the instructions in the next section.<br />
Exporting Local User Data from <strong>iPrism</strong><br />
If you are using local authentication, then you either manually created user<br />
accounts in <strong>iPrism</strong>, imported them into <strong>iPrism</strong>, or perhaps both. If ever you<br />
need to re-use this information, such as to import it into another <strong>iPrism</strong> unit<br />
or another database, you can export all of the user names that are stored in<br />
<strong>iPrism</strong>. You may also want to do this just to keep a backup of your user data<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
369
in the event it is ever lost. This is done from the Import/Export tab on the<br />
Users section. (See Figure 138)<br />
Exporting User Account Data<br />
1. From the <strong>iPrism</strong> System Configuration tool, select the Users section, and<br />
click the Import/Export tab.<br />
1. In the Export Users frame, click the Field Delimiter dropdown list and<br />
select the delimiter character that you want inserted between adjacent<br />
fields in the exported list. (Comma, Pipe (“|”), or Tab.<br />
2. Click Export. A notice message opens, informing you that a file dialog<br />
will appear in which you specify the name and location of the export file.<br />
This is the file where the exported data will be stored on your local hard<br />
drive.<br />
Note: Passwords are encrypted in the export file, but they can be reimported<br />
into <strong>iPrism</strong>.<br />
3. Click OK to clear the notice message. The User Export File Location<br />
dialog box opens.<br />
4. Select the directory where you want the file saved and enter the desired<br />
name for the export list in the File name field. The default file name is<br />
“all_users.iprism”.<br />
5. Click Save.<br />
The names are exported to the specified file in text format.<br />
370<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
<strong>iPrism</strong> Software License<br />
iPRISM SOFTWARE LICENSE AND SUPPORT AGREEMENT<br />
-IMPORTANT-<br />
Read This Carefully Before Completing Installation of your <strong>iPrism</strong> Internet Filtering System<br />
READ THE TERMS AND CONDITIONS OF THIS <strong>iPrism</strong> SOFTWARE LICENSE AND SUPPORT<br />
AGREEMENT CAREFULLY. THIS IS A LEGAL AND ENFORCEABLE CONTRACT BETWEEN<br />
YOU AND ST. BERNARD SOFTWARE, INC. BY COMPLETING THE INSTALLATION OF THE<br />
iPRISM APPLIANCE AND SOFTWARE (OR AUTHORIZING ANY OTHER PERSON TO DO<br />
SO), YOU ACCEPT THIS SOFTWARE LICENSE AND SUPPORT AGREEMENT. IF YOU DO<br />
NOT ACCEPT THE TERMS AND CONDITIONS OF THIS SOFTWARE LICENSE AND<br />
SUPPORT AGREEMENT, YOU MAY RETURN THE MEDIA PACKAGE, LICENSED<br />
SOFTWARE, APPLIANCE AND ALL ACCOMPANYING ITEMS (INCLUDING WRITTEN<br />
MATERIALS AND BINDERS OR OTHER CONTAINERS) WITHIN TEN (10) DAYS OF YOUR<br />
RECEIPT OF THIS MEDIA PACKAGE, TO THE PLACE YOU OBTAINED THEM FOR A FULL<br />
REFUND. ST. BERNARD SOFTWARE MAY REVISE TERMS OF THIS AGREEMENT<br />
WITHOUT PRIOR NOTIFICATION.<br />
1. DEFINITIONS.<br />
“System” means the <strong>iPrism</strong> filtering appliance, documentation, software and URL Database access<br />
provided by St. Bernard Software, Inc. (“St. Bernard”).<br />
“Equipment” means the hardware component of the System.<br />
“Appliance” means Equipment.<br />
“URL Database” means the list of Internet URL's and their associated content categorization ratings<br />
and provided from time to time as part of the System.<br />
“Specifications” means the <strong>iPrism</strong> standard features current as of the date of shipment.<br />
“Technical Support” means the Software Remedy, telephone-based technical support during Support<br />
Hours<br />
“Software Subscription” means free software Updates, and offers to purchase new add-ons, Upgrades<br />
and access to the latest <strong>iPrism</strong> URL Database.<br />
“Update” means a minor modification or addition that includes corrections or modifications (other<br />
than an Upgrade) to correct errors, provide patches or bug fixes or minor enhancements.<br />
“Upgrade” means a major revision or modification which changes its utility or efficiency and/or which<br />
adds features, functions, applications or modules.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
371
“License” means the number of workstations to be filtered via the System.<br />
2. GRANT OF LICENSE.<br />
(a) In exchange for your payment to St. Bernard of the then current license fee (“License Fee”), St.<br />
Bernard Software, Inc. and its affiliates, including, without limitation, any parent, subsidiary, and<br />
successor and any entity merged into or with St. Bernard Software, grants to you, the end user, a<br />
personal, nonexclusive, nonsublicensable, nontransferable, nonassignable, terminable license<br />
(“License”) to use a single copy of (i) this software program in machine readable form on the<br />
Equipment, and (ii) all related documentation, including any Updates, additional modules, or<br />
additional software provided by St. Bernard (the “Licensed Software”), solely for your own use, and<br />
solely in accordance with the terms and conditions of this software license and support agreement<br />
(“Agreement”).<br />
(b) Unless you have paid the License Fee to St. Bernard, St. Bernard, grants to you, the end user, a onetime<br />
personal, nonexclusive, nonsublicensable, nontransferable, nonassignable, terminable license<br />
(“Trial License”) to use a single copy of the Licensed Software for thirty (30) days from your first use<br />
of the Software (“Trial Period”), solely for your own use, and solely in accordance with the terms and<br />
conditions of this Agreement. Upon the lapse of the Trial Period and provided that you do not pay the<br />
License Fee then the Software will become non-functional. You must then cease using all software and<br />
return the software and equipment.<br />
3. COPYRIGHT AND COPIES.<br />
The Licensed Software (including any copy thereof), is owned by St. Bernard and/or its licensors and<br />
is protected by United States, local and international copyright and/or patent laws and international<br />
treaty provisions. The Licensed Software contains pieces contributed by third parties or licensed from<br />
third parties. Copyrights in the software are claimed by St. Bernard and other contributors, as indicated<br />
by proprietary notices and credits contained in the Licensed Software and the documentation. The<br />
Licensed Software copy is licensed, not sold to you, and you are not an owner of any copy thereof. You<br />
may either (a) make one copy of the Licensed Software solely for backup or archival purposes, or (b)<br />
transfer the Licensed Software to a single hard disk provided you keep the original solely for backup or<br />
archival purposes. You may not otherwise copy the Licensed Software, and you may not copy the<br />
written materials accompanying the Licensed Software unless such copies of the associated written<br />
materials are solely for your own internal use. St. Bernard hereby reserves all rights not explicitly<br />
granted in this Agreement.<br />
4. MODIFICATIONS AND REVERSE ENGINEERING.<br />
Except as otherwise provided herein, you shall not copy, modify, reverse engineer, map, decompile,<br />
enhance, or make derivative works, translations, or compilations or portions or otherwise derive the<br />
source code, internal structure, organization or any other aspect of the Licensed Software, the URL<br />
372<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Database, the System or any part thereof or directly or indirectly aid, abet or permit others to do so.<br />
Any unauthorized modifications, derivative works, translations, or any other intellectual property,<br />
created directly or indirectly using or referring to the Licensed Software, the URL Database, the<br />
System, or components thereof, or enhancements of the Licensed Software and the System, shall<br />
belong exclusively to St. Bernard and you hereby assign any and all rights in them (and agree to forego<br />
enforcement of any moral rights) to St. Bernard. You hereby agree to promptly enter into any further<br />
documentation required by St. Bernard in its sole discretion to legally or commercially effect such<br />
assignment, including, without limitation, ensuring that your employees and/or contractors do the<br />
same. You hereby expressly waive any rights you may obtain inconsistent with the foregoing through<br />
application of the law of any other country or otherwise. You hereby acknowledge that you have no<br />
right whatsoever and shall have no right whatsoever, whether by the express terms of this Agreement<br />
or by any course of conduct, to use, review, or access the source code for the Licensed Software or the<br />
URL Database.<br />
5. OTHER RESTRICTIONS.<br />
You may not rent or lease the Licensed System, but you may transfer the System and accompanying<br />
written materials on a permanent basis if you receive St. Bernard's written permission and provided<br />
you retain no copies and the recipient agrees to the terms of this Agreement. If the Licensed Software<br />
is an Update, any transfer must include the update and all prior versions. You may not modify or<br />
translate the Licensed Software. You further agree (i) not to remove any Licensed Software<br />
identification or notices of any proprietary or copyright restrictions from the Licensed Software or any<br />
support material; (ii) except for archival or backup copies, not to copy the Software, or any derivative<br />
or part thereof; develop any derivative or composite works thereof or include any portion of the<br />
Software in any other software program; (iii) not to provide use of the Licensed Software or System in<br />
a computer service business, rental or commercial timesharing arrangement; and (iv) not to develop<br />
methods to enable unauthorized parties to use the Licensed Software or URL Database.<br />
6. EQUIPMENT.<br />
Ownership and risk of loss (by fire, theft or the like) to the Equipment shall pass to you upon delivery,<br />
however, you give St. Bernard a security interest in the equipment, together with the right to repossess<br />
the Equipment without liability, until all payment obligations have been met.<br />
7. LIMITED WARRANTY AND REMEDY.<br />
St. Bernard warrants that (i) for a period of sixty (60) days from the original retail purchase date the<br />
physical media (e.g. diskette(s) or CD-ROM), and the physical documentation, will be free of defects<br />
in materials and workmanship (“Media Warranty”), and (ii) for the duration of the period purchased by<br />
you (twelve or thirty-six months as documented on St. Bernard's invoice shipped with the Licensed<br />
Software) and beginning with the original retail purchase date (“Warranty Period”) the Software and<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
373
Equipment will substantially conform to the functionality described in the physical documentation<br />
(“System Warranty”) (the Media Warranty and System Warranty are collectively the “Limited<br />
Warranty”). This warranty applies only to equipment that has not been modified except with the prior<br />
written permission of St. Bernard. This warranty does not apply to damage caused by neglect or<br />
misuse, accident, electric power failure or causes other than ordinary use. This warranty is voidable by<br />
St. Bernard, at the option of St. Bernard, if you use the Equipment for any other purpose other than as<br />
an Internet filtering Appliance. If St. Bernard receives notification (i) within the period of sixty (60)<br />
days from the original retail purchase date with respect to the Media Warranty, or (ii) within the<br />
Warranty Period with respect to the System Warranty of any such defects, and you demonstrate such<br />
defects by identifying a bug or error which can be reproduced consistently, and none of the Exceptions<br />
specified below exist, then St. Bernard will, at its sole option and discretion, repair or replace the<br />
media, documentation (“Media Remedy”), repair or replace the Equipment (“Equipment Remedy”) or<br />
repair the Software or provide you a full refund (“Software Remedy”). If a refund is made, you will<br />
deliver to the place of purchase the Equipment and the media containing the Software and certify to St.<br />
Bernard that you have returned the Software and that you have returned, erased and/or destroyed your<br />
one backup copy. The foregoing is your sole and exclusive remedy and states St. Bernard's entire<br />
liability arising out of this Limited Warranty. Any other warranty claim, if any, must be brought to the<br />
distributor (or reseller), if any, who you agree shall be the sole party you look to for warranty claims<br />
and damages beyond the express, Limited Warranty set out herein if you obtained the Software<br />
through a distributor (or reseller). Moreover, this Limited Warranty is void if the damage or defect has<br />
resulted from accident, abuse, misuse or misapplication of the Software and/or media (collectively<br />
“Exceptions”).<br />
8. SUPPORT AND SUBSCRIPTION SERVICES.<br />
St. Bernard will provide technical support, software subscription and maintenance services.<br />
(a) TECHNICAL SUPPORT. During the Warranty Period and any Additional Warranty Period, St.<br />
Bernard shall provide you with Support as follows. St. Bernard's obligation to provide Support is<br />
conditioned on your first attempting to resolve your technical issues by consulting the Technical Tips,<br />
Frequently Asked Questions, and the technical <strong>iPrism</strong> product documentation including but not limited<br />
to the <strong>iPrism</strong> Installation <strong>Guide</strong> and the <strong>iPrism</strong> Administrator's <strong>Guide</strong> all of which are published online<br />
by St. Bernard (“Support Information”). If after reviewing the electronic Support Information, you are<br />
unable to resolve the issue, you may enter a service request (“Support Request”) by contacting St.<br />
Bernard as set forth below in Section 8. Telephone support shall be provided solely to you during the<br />
hours of 7:00 a.m. - 4:00 p.m. Monday through Friday, Pacific Daylight Time (for US, Canada, Pacific<br />
Rim and Latin America), 0830 - 1730 GMT (Europe, Middle East and Africa), except for Holidays<br />
(“Support Hours”). St. Bernard shall respond to all requests for Support pursuant to the timeline<br />
schedule set forth in Section (c) below or, if the request for Support is received outside of the Support<br />
Hours, by noon of the next business day.<br />
374<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
(b) TECHNICAL SUPPORT CONTACT. To contact St. Bernard Software for technical support,<br />
choose the location appropriate to your region:<br />
US, Canada, Pacific Rim and Latin America: Corporate Headquarters - San Diego, CA, USA, Phone:<br />
858-676-5050, Fax: 858-676-5055, Email: iprism-support@stbernard.com, Hours: 7:00am - 4:00pm<br />
Pacific Time<br />
Europe, Middle East and Africa, EMEA Office - Surrey, UK, Phone: +44-1276-609-992, Fax: +44-<br />
1276-609-558, Email: support@stbernard.org.uk, Hours: 0830 - 1730 GMT<br />
Communications should include a complete description of the software behavior, version of the<br />
product installed, your <strong>iPrism</strong> serial number and your contact information.<br />
(c) TECHNICAL SUPPORT REQUEST LEVELS. St. Bernard shall classify Support Requests using<br />
the following definitions:<br />
Fatal: System is inoperable by you.<br />
Severe: System is operational, but you are experiencing loss of major functionality.<br />
Degraded: Sporadic System behavior - non-essential functions are disabled.<br />
Minimal Impact: All other issues<br />
All Support Requests shall be reported only during the Support Hours. St. Bernard shall provide you<br />
with an acknowledgment of the Support Request and will use commercially reasonable efforts to<br />
respond, as necessary in its sole discretion, according to the following schedule:<br />
Support Request Acknowledgment Period of time to respond<br />
Fatal Within four (4) hours Not more than two (2) business days<br />
Severe Within eight (8) hours Not more than four (4) business days<br />
Degraded Operations Within forty-eight (48) hours Not more than ten (10) business days<br />
Minimal Impact Within five (5) business days Not more than twenty (20) business days<br />
(d) SOFTWARE SUBSCRIPTION. You have the right to extend the Warranty Period with respect to<br />
the System Warranty for additional twelve (12) month periods (each an “Additional Warranty Period”)<br />
by paying to St. Bernard the annual support fee (“Support Fee”) as established by St. Bernard, and<br />
modified from time to time, before the expiration of the Warranty Period or within thirty (30) days<br />
before the expiration of any applicable Additional Warranty Period. A renewal notification and invoice<br />
will be sent seventy-five days (75) in advance of the renewal date and provided that you pay this<br />
invoice prior to the renewal date, your Support will continue uninterrupted. [CRR1] St. Bernard is not<br />
obligated to provide you any Support during an Additional Warranty Period unless the Support Fee for<br />
that particular Additional Warranty Period has been timely paid in advance by you. St. Bernard retains<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
375
the right to modify its Support services program so long as its modifications do not decrease Support<br />
provided to you under this Agreement. St. Bernard has the right to cease providing Support services<br />
described herein upon two (2) months' prior written notice to you if St. Bernard generally ceases to<br />
provide Support services to its other customers and St. Bernard will provide you with a prorated refund<br />
for the remaining term, if any, of the Warranty Period. All of the provisions set forth in Section 6 above<br />
for the System Warranty shall equally apply to Support services during any Additional Warranty<br />
Period. If you need to manage web access for additional machines, you may purchase an additional<br />
machines license. The amount charged will be calculated based on the number of additional machines<br />
licensed and a prorated amount for the remaining months of the original Support subscription.<br />
Therefore, the subscription for the original and additional machines licenses are co-terminus. When<br />
renewed, you will be charged for the Support subscription based on the new License level. If the<br />
subscription lapses, you will no longer receive URL Database updates, and the system will cease to<br />
function. St. Bernard collects some program information from the local system. This information is not<br />
sold or rented to any 3rd parties.<br />
9. NO OTHER WARRANTIES.<br />
THE LIMITED WARRANTY ABOVE IS EXCLUSIVE AND IN LIEU OF ALL OTHER<br />
CONDITIONS AND WARRANTIES FOR THE LICENSED SOFTWARE, EQUIPMENT AND<br />
DOCUMENTATION. ST. BERNARD AND ITS LICENSORS MAKE NO OTHER CONDITIONS,<br />
GUARANTEES, OR WARRANTIES, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, AND<br />
EXPRESSLY DISCLAIM ALL OTHER CONDITIONS AND WARRANTIES, INCLUDING BUT<br />
NOT LIMITED TO IMPLIED CONDITIONS OR WARRANTIES OF MERCHANTABILITY AND<br />
FITNESS FOR A PARTICULAR PURPOSE. ST. BERNARD, IN NO WAY, REPRESENTS OR<br />
WARRANTS THAT ANY OF THE THIRD-PARTY SOFTWARE PROGRAMS, UPDATES,<br />
ENHANCEMENTS, VERSIONS OR ANY OTHER MEDIA (“THIRD-PARTY SOFTWARE”)<br />
DOWNLOADED BY YOU THROUGH YOUR USE OF ST. BERNARD SOFTWARE, IS FREE<br />
FROM DEFECT AND MAKES NO OTHER REPRESENTATIONS, GUARANTEES, OR<br />
WARRANTIES OF ANY KIND RELATING TO THE THIRD-PARTY SOFTWARE. YOU<br />
UNDERSTAND THAT ST. BERNARD SHALL NOT BE LIABLE TO YOU, OR ANY OTHER<br />
PARTY, FOR ANY DAMAGE OF ANY KIND, INCLUDING, WITHOUT LIMITATION, SYSTEM<br />
FAILURE, LOSS OF DATA OR INFORMATION AND/OR ANY OTHER DAMAGE OR LOSS<br />
RESULTING FROM THE DOWNLOADING AND/OR ACCESS OF THIRD-PARTY SOFTWARE.<br />
YOU UNDERSTAND THAT ALL USE OF THIRD-PARTY SOFTWARE IS SUBJECT TO THE<br />
TERMS AND CONDITIONS OF SUCH THIRD-PARTY LICENSE AGREEMENTS WITH ITS<br />
USERS AND ST. BERNARD SHALL NOT BE RESPONSIBLE FOR ANY CLAIMS RELATING<br />
TO ANY INFRINGEMENT OF THE THIRD-PARTY SOFTWARE.<br />
376<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
10. DISCLAIMER OF OTHER REPRESENTATIONS.<br />
ALL REPRESENTATIONS OR WARRANTIES MADE OR AGREEMENTS EXECUTED BY ANY<br />
OTHER PARTY, INCLUDING, WITHOUT LIMITATION, ANY DISTRIBUTOR AND/OR<br />
RESELLER SHALL BE SUCH PARTY'S SOLE RESPONSIBILITY.<br />
11. LIMITATION OF LIABILITY.<br />
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT AND<br />
UNDER NO LEGAL THEORY SHALL ST. BERNARD OR ITS SUPPLIERS BE LIABLE TO YOU<br />
FOR ANY COSTS OF SUBSTITUTE PRODUCTS, OR FOR ANY CONSEQUENTIAL, SPECIAL,<br />
INCIDENTAL, PUNITIVE OR INDIRECT DAMAGES OF ANY KIND ARISING OUT OF THE<br />
LICENSE OF, USE OF, OR INABILITY TO USE ANY ST. BERNARD SOFTWARE OR<br />
DOCUMENTATION, OR YOUR INABILITY TO ACCESS AND USE THIRD-PARTY<br />
SOFTWARE OR ANY CLAIMS RELATING TO THE INTELLECTUAL PROPERTY RIGHTS OF<br />
ANY THIRDPARTY SOFTWARE, EVEN IF ST. BERNARD HAS BEEN ADVISED OF THE<br />
POSSIBILITY OF SUCH DAMAGES. IN NO EVENT SHALL ST. BERNARD'S OR ITS<br />
SUPPLIERS' LIABILITY EXCEED THE LICENSE FEE PAID BY YOU. THIS LIMITATION OF<br />
LIABILITY AND RISKS IS REFLECTED IN THE PRICE OF THE SOFTWARE LICENSE.<br />
12. INDEMNIFICATION.<br />
(a) You agree to defend, release, indemnify and hold St. Bernard harmless for any claims made by any<br />
third party that your use of Third-Party Software infringes the intellectual property rights of such third<br />
party. In no event shall you be entitled to bind St. Bernard to any settlement.<br />
(b) St. Bernard warrants that it either owns or has the right to sublicense the Licensed Software and has<br />
full power and authority to grant the rights described in this Agreement. In addition, St. Bernard shall<br />
indemnify and hold you harmless from any and all damages, losses or expenses which you or any of<br />
your respective officers or directors may incur, suffer or become liable for as a result of or in<br />
connection with any claim that any part of the Licensed Software infringes the rights of a third party in<br />
or to any patent, copyright or trademark, provided that you: (i) notify St. Bernard in writing promptly<br />
upon becoming aware of the claim, (ii) give St. Bernard such information and assistance as is<br />
reasonable under the circumstances, and (iii) give St. Bernard the right, at St. Bernard's sole discretion,<br />
to defend or settle the claim at St. Bernard's expense. St. Bernard will pay any resulting costs and<br />
damages finally awarded by a court with respect to any such claims. If you are prevented from using<br />
the Software due to an actual or claimed infringement, then at St. Bernard's option, St. Bernard shall<br />
promptly either obtain for you the right to continue using the intellectual property in question, replace<br />
or modify the intellectual property in question so that it becomes non-infringing, or terminate this<br />
License as it relates to the intellectual property and refund the payments paid by you for the Software,<br />
less reasonable amortization for use over the commercially reasonable life of the Licensed Software.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
377
THIS PARAGRAPH SETS OUT THE ENTIRE EXPOSURE OF ST. BERNARD FOR ANY<br />
INTELLECTUAL PROPERTY CLAIMS OR ACTUAL INFRINGEMENTS.<br />
13. CONSUMER PROTECTION LAWS.<br />
EACH OF THE PRODUCTS IS A BUSINESS PRODUCT, THE APPLICATION OF WHICH IS<br />
COMMERCIAL, RATHER THAN CONSUMER-ORIENTED, IN NATURE. IN EXECUTING THIS<br />
AGREEMENT, THE PARTIES RECOGNIZE, TO THE MAXIMUM EXTENT PERMITTED BY<br />
APPLICABLE LAW, THAT CONSUMER PROTECTION LAWS IN THE TERRITORY DO NOT<br />
APPLY.<br />
14. GOVERNMENT RESTRICTED RIGHTS.<br />
The Software and accompanying documentation are provided with Restricted Rights. You agree to<br />
meet all requirements necessary to ensure that such rights will be honored by the Federal Government<br />
and/or any international laws or regulations. Disclosure, use or reproduction of the Software and<br />
Documentation are subject to restrictions set forth in the Commercial Computer-Restricted Rights<br />
clause at Federal Acquisition Regulation 52.227-19, when applicable, or in the Department of Defense<br />
Federal Acquisition Regulations Supplement 252.227-7013, or any of their international equivalents.<br />
15. TERM.<br />
Upon payment of the License Fee to St. Bernard the License will remain effective until the expiration<br />
of term of your paid support and subscription, or any extension thereto. Unless the License Fee is paid<br />
before the lapse of the Trial Period, the Trial License will automatically terminate. You may terminate<br />
the License at any time by destroying the Software together with all copies, modifications and merged<br />
portions in any form. It will also terminate automatically upon your failure to comply with any term or<br />
condition of this Agreement. In the event of any termination of the License or lapse of the Trial<br />
License, you agree to promptly destroy the Software together with all copies, modifications and<br />
merged portions in any form. You agree that upon St. Bernard's request, you will provide St. Bernard<br />
with a signed certificate representing that such destruction has occurred. ST. BERNARD MAY TER-<br />
MINATE PROVIDING UPDATES FOR THE LICENSED SOFTWARE, IN ITS SOLE<br />
DISCRETION.<br />
16. GOVERNING LAW.<br />
You acknowledge that St. Bernard is based in the State of California, U.S.A. and requires uniformity<br />
and consistency in the laws under which it deals directly or indirectly with all of the licensees and<br />
sublicensees of its Software, documentation and trademarks. In addition, you acknowledge that St.<br />
Bernard is the proponent of this Agreement and the business transactions contemplated by this<br />
Agreement. Accordingly, this Agreement shall be governed by and interpreted only in accordance with<br />
the laws of the State of California, U.S.A., without reference to conflict of laws principles, and to the<br />
378<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
maximum extent permitted under applicable law, you expressly waive any rights to the application of<br />
any other law or regulation on the effect thereof.<br />
17. FORUM SELECTION AND DISPUTE RESOLUTION.<br />
(a) Except as otherwise provided below, any controversy or claim arising out of or relating to this<br />
Agreement shall be submitted to final and binding arbitration before, and in accordance with, the rules<br />
of the American Arbitration Association (“AAA”) as modified herein. If the claim seeks damages of<br />
U.S. $100,000 or less, it shall be decided by a single independent arbitrator. If the claim seeks damages<br />
in excess of U.S. $100,000, it shall be decided by three independent arbitrators, one nominated by each<br />
party and one selected by the AAA, in accordance with AHA's rules and procedures. All arbitrators<br />
shall have expertise in the subject matter of the dispute. The arbitration process, including selection of<br />
the arbitrator or arbitrators, exchanges of requests for information and the arbitration hearing, shall be<br />
completed within sixty (60) days following the initiation of the arbitration by either party, and the<br />
actual arbitration hearing shall be limited to one (1) day. The arbitrator(s) shall issue a written<br />
judgment within ten (10) days following the arbitration hearing. Judgment upon any arbitration award<br />
may be entered in any court having jurisdiction thereof. This provision is self executing, and in the<br />
event that either party fails to appear at any properly noticed arbitration proceeding, an award may be<br />
entered against such party notwithstanding said failure to appear. This clause shall survive the<br />
termination of this Agreement.<br />
(b) Notwithstanding the foregoing: (1) any claim between the parties relating to the validity of the St.<br />
Bernard Software, the St. Bernard trademarks, or other proprietary technology or intellectual property<br />
shall not be determined by arbitration, but only by a court located in the Southern District of<br />
California, to whose sole jurisdiction the parties hereby consent or such other court in the United States<br />
which St. Bernard, in its sole discretion as owner of the licensed intellectual property, shall select; and<br />
you expressly waive any right you may have to any other forum; and (2) you acknowledge that any<br />
breach of your obligations under this Agreement which relates to the proprietary rights, or which is<br />
otherwise not subject to remedy by monetary damages, will cause St. Bernard irreparable harm, and<br />
that St. Bernard accordingly will be entitled to injunctive and other equitable relief in addition to all<br />
other remedies provided by this Agreement or available at law, in any court of competent jurisdiction.<br />
18. DISCLAIMER AND ACKNOWLEDGEMENTS.<br />
You acknowledge that the <strong>iPrism</strong> web filtering System may not be completely successful blocking user<br />
access to inappropriate websites. St. Bernard is not responsible if your users access inappropriate<br />
websites and will not be liable for any damages that might result from such access. You acknowledge<br />
that your organization is solely responsible for user access to any website on the Internet. You<br />
understand that each computer on your network must be configured to use the Appliance as a proxy<br />
server for the System filtering to apply to that device. You acknowledge that additional software must<br />
be installed on each computer or a router/firewall filter is necessary to reduce the risk of a user<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
379
ypassing the System filter. You acknowledge the ability of your organization to enter a System Rating<br />
and that rating will take precedence over previously defined System Ratings. IN NO EVENT WILL<br />
ST. BERNARD BE LIABLE TO ANY PARTY FOR ANY DIRECT, INDIRECT SPECIAL OR<br />
CONSEQUENTIAL DAMAGES, WHETHER IN AN ACTION ARISING OUT OF CONTRACT,<br />
NEGLIGENCE OR TORT, ARISING OUT OF OR IN CONNECTION WITH THE USE OF THE ST.<br />
BERNARD SYSTEM THAT ENABLES ACCESS TO WEB SITES OR INFORMATION OVER<br />
THE INTERNET THAT IS DEEMED INAPPROPRIATE OR OBJECTIONABLE FOR A<br />
PARTICULAR USER, OR THAT BLOCK ACCESS TO AN OTHERWISE APPROPRIATE SITE.<br />
19. MISCELLANEOUS.<br />
This is the entire Agreement between you and St. Bernard, and supersedes any prior agreement, or<br />
representations of St. Bernard, or Distributor, if any, whether written or oral, relating to the subject<br />
matter of this Agreement. The parties disclaim the application of the United Nations Convention on the<br />
International Sale of Goods. You may not export or re-export the Software or documentation without<br />
the appropriate United States or foreign government licenses. If any provision of this Agreement is<br />
ruled invalid, such invalidity shall not affect the validity of the remaining portions of this Agreement.<br />
Third Party Licenses<br />
<strong>iPrism</strong> employs a number of third party software packages to implement its functionality. The<br />
copyrights and terms of use for these licenses are provided below. If you have any questions regarding<br />
these, please feel free to contact St. Bernard Software for clarification.<br />
FreeBSD<br />
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<br />
++++++++++++++++++++++++++++++++++++++<br />
# <strong>iPrism</strong> utilizes the FreeBSD operating system as its runtime environment.<br />
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<br />
++++++++++++++++++++++++++++++++++++++<br />
FreeBSD: src/COPYRIGHT,v 1.4 1999/09/05 21:33:47 obrien Exp $#@(#)COPYRIGHT8.2<br />
(Berkeley) 3/21/94<br />
All of the documentation and software included in the 4.4BSD and 4.4BSD-Lite Releases is<br />
copyrighted by The Regents of the University of California.<br />
Copyright 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994<br />
380<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
The Regents of the University of California. All rights reserved. Redistribution and use in source and<br />
binary forms, with or without modification, are permitted provided that the following conditions are<br />
met:<br />
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the<br />
following disclaimer.<br />
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and<br />
the following disclaimer in the documentation and/or other materials provided with the distribution.<br />
3. All advertising materials mentioning features or use of this software must display the following<br />
acknowledgement:<br />
This product includes software developed by the University of California, Berkeley and its<br />
contributors.<br />
4. Neither the name of the University nor the names of its contributors may be used to endorse or<br />
promote products derived from this software without specific prior written permission.<br />
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS “AS IS” AND<br />
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE<br />
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR<br />
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS<br />
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR<br />
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF<br />
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS<br />
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN<br />
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)<br />
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE<br />
POSSIBILITY OF SUCH DAMAGE.<br />
The Institute of Electrical and Electronics Engineers and the American National Standards Committee<br />
X3, on Information Processing Systems have given us permission to reprint portions of their<br />
documentation. In the following statement, the phrase “this text” refers to portions of the system<br />
documentation.<br />
Portions of this text are reprinted and reproduced in electronic form in the second BSD Networking<br />
Software Release, from IEEE Std 1003.1-1988, IEEE Standard Portable Operating System Interface<br />
for Computer Environments (POSIX), copyright C 1988 by the Institute of Electrical and Electronics<br />
Engineers, Inc. In the event of any discrepancy between these versions and the original IEEE Standard,<br />
the original IEEE Standard is the referee document.<br />
In the following statement, the phrase “This material” refers to portions of the system documentation.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
381
This material is reproduced with permission from American National Standards Committee X3, on<br />
Information Processing Systems. Computer and Business Equipment Manufacturers Association<br />
(CBEMA), 311 First St., NW, Suite 500, Washington, DC 20001-2178. The developmental work of<br />
Programming Language C was completed by the X3J11 Technical Committee.<br />
The views and conclusions contained in the software and documentation are those of the authors and<br />
should not be interpreted as representing official policies, either expressed or implied, of the Regents<br />
of the University of California.<br />
NOTE: The copyright of UC Berkeley's Berkeley Software Distribution (“BSD”) source has been<br />
updated. The copyright addendum may be found at ftp://ftp.cs.berkeley.edu/pub/4bsd/<br />
README.Impt.License.Change and is included below.<br />
July 22, 1999<br />
To All Licensees, Distributors of Any Version of BSD:<br />
As you know, certain of the Berkeley Software Distribution (“BSD”) source code files require that<br />
further distributions of products containing all or portions of the software, acknowledge within their<br />
advertising materials that such products contain software developed by UC Berkeley and its<br />
contributors.<br />
Specifically, the provision reads:<br />
3. All advertising materials mentioning features or use of this software must display the following<br />
acknowledgement:<br />
“This product includes software developed by the University of California, Berkeley and its<br />
contributors.”<br />
Effective immediately, licensees and distributors are no longer required to include the<br />
acknowledgement within advertising materials. Accordingly, the foregoing paragraph of those BSD<br />
Unix files containing it is hereby deleted in its entirety.<br />
William Hoskins<br />
Director, Office of Technology Licensing<br />
University of California, Berkeley<br />
382<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
LibPCAP & TCPDump<br />
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<br />
++++++++++++++++++++++++++++++++++++++<br />
These OpenSource products provide a means to capture, manage, and decode packets from a network<br />
interface.<br />
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<br />
++++++++++++++++++++++++++++++++++++++<br />
Redistribution and use in source and binary forms, with or without modification, are permitted<br />
provided that the following conditions are met:<br />
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the<br />
following disclaimer.<br />
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and<br />
the following disclaimer in the documentation and/or other materials provided with the distribution.<br />
3. The names of the authors may not be used to endorse or promote products derived from this<br />
software without specific prior written permission.<br />
THIS SOFTWARE IS PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED<br />
WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF<br />
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.<br />
VI<br />
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<br />
++++++++++++++++++++++++++++++++++++++<br />
This is an editor that is included with <strong>iPrism</strong> to facilitate development and debugging. It is not end-user<br />
accessible.<br />
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<br />
++++++++++++++++++++++++++++++++++++++<br />
The vi program is freely redistributable. You are welcome to copy, modify and share it with others<br />
under the conditions listed in this file. If any company (not any individual!) finds vi sufficiently useful<br />
that you would have purchased it, or if any company wishes to redistribute it, contributions to the<br />
authors would be appreciated.<br />
Copyright (c) 1991, 1992, 1993, 1994 The Regents of the University of California. All rights reserved.<br />
Copyright (c) 1991, 1992, 1993, 1994, 1995, 1996 Keith Bostic. All rights reserved.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
383
Redistribution and use in source and binary forms, with or without modification, are permitted<br />
provided that the following conditions are met:<br />
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the<br />
following disclaimer.<br />
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and<br />
the following disclaimer in the documentation and/or other materials provided with the distribution.<br />
3. All advertising materials mentioning features or use of this software must display the following<br />
acknowledgement:<br />
This product includes software developed by the University of California, Berkeley and its<br />
contributors.<br />
4. Neither the name of the University nor the names of its contributors may be used to endorse or<br />
promote products derived from this software without specific prior written permission.<br />
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS “AS IS” AND<br />
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE<br />
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR<br />
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS<br />
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR<br />
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF<br />
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS<br />
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN<br />
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)<br />
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE<br />
POSSIBILITY OF SUCH DAMAGE.<br />
384<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Perl5<br />
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<br />
++++++++++++++++++++++++++++++++++++++<br />
Perl5 is used extensively in <strong>iPrism</strong> as a high level programming language.<br />
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<br />
++++++++++++++++++++++++++++++++++++++<br />
The “Artistic License”<br />
Preamble<br />
The intent of this document is to state the conditions under which a Package may be copied, such that<br />
the Copyright Holder maintains some semblance of artistic control over the development of the<br />
package, while giving the users of the package the right to use and distribute the Package in a more-orless<br />
customary fashion, plus the right to make reasonable modifications.<br />
Definitions:<br />
“Package” refers to the collection of files distributed by the Copyright Holder, and derivatives of that<br />
collection of files created through textual modification.<br />
“Standard Version” refers to such a Package if it has not been modified, or has been modified in<br />
accordance with the wishes of the Copyright Holder as specified below.<br />
“Copyright Holder” is whoever is named in the copyright or copyrights for the package.<br />
“You” is you, if you're thinking about copying or distributing this Package.<br />
“Reasonable copying fee” is whatever you can justify on the basis of media cost, duplication charges,<br />
time of people involved, and so on. (You will not be required to justify it to the Copyright Holder, but<br />
only to the computing community at large as a market that must bear the fee.)<br />
“Freely Available” means that no fee is charged for the item itself, though there may be fees involved<br />
in handling the item. It also means that recipients of the item may redistribute it under the same<br />
conditions they received it.<br />
1. You may make and give away verbatim copies of the source form of the Standard Version of this<br />
Package without restriction, provided that you duplicate all of the original copyright notices and<br />
associated disclaimers.<br />
2. You may apply bug fixes, portability fixes and other modifications derived from the Public Domain<br />
or from the Copyright Holder. A Package modified in such a way shall still be considered the Standard<br />
Version.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
385
3. You may otherwise modify your copy of this Package in any way, provided that you insert a<br />
prominent notice in each changed file stating how and when you changed that file, and provided that<br />
you do at least ONE of the following:<br />
a) place your modifications in the Public Domain or otherwise make them Freely Available, such as by<br />
posting said modifications to Usenet or an equivalent medium, or placing the modifications on a major<br />
archive site such as uunet.uu.net, or by allowing the Copyright Holder to include your modifications in<br />
the Standard Version of the Package.<br />
b) use the modified Package only within your corporation or organization.<br />
c) rename any non-standard executables so the names do not conflict with standard executables, which<br />
must also be provided, and provide a separate manual page for each non-standard executable that<br />
clearly documents how it differs from the Standard Version.<br />
d) make other distribution arrangements with the Copyright Holder.<br />
4. You may distribute the programs of this Package in object code or executable form, provided that<br />
you do at least ONE of the following:<br />
a) distribute a Standard Version of the executables and library files, together with instructions (in the<br />
manual page or equivalent) on where to get the Standard Version.<br />
b) accompany the distribution with the machine-readable source of the Package with your<br />
modifications.<br />
c) give non-standard executables non-standard names, and clearly document the differences in manual<br />
pages (or equivalent), together with instructions on where to get the Standard Version.<br />
d) make other distribution arrangements with the Copyright Holder.<br />
5. You may charge a reasonable copying fee for any distribution of this Package. You may charge any<br />
fee you choose for support of this Package. You may not charge a fee for this Package itself. However,<br />
you may distribute this Package in aggregate with other (possibly commercial) programs as part of a<br />
larger (possibly commercial) software distribution provided that you do not advertise this Package as a<br />
product of your own. You may embed this Package's interpreter within an executable of yours (by<br />
linking); this shall be construed as a mere form of aggregation, provided that the complete Standard<br />
Version of the interpreter is so embedded.<br />
6. The scripts and library files supplied as input to or produced as output from the programs of this<br />
Package do not automatically fall under the copyright of this Package, but belong to whoever<br />
generated them, and may be sold commercially, and may be aggregated with this Package. If such<br />
scripts or library files are aggregated with this Package via the so-called “undump” or “unexec”<br />
methods of producing a binary executable image, then distribution of such an image shall neither be<br />
386<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
construed as a distribution of this Package nor shall it fall under the restrictions of Paragraphs 3 and 4,<br />
provided that you do not represent such an executable image as a Standard Version of this Package.<br />
7. C subroutines (or comparably compiled subroutines in other languages) supplied by you and linked<br />
into this Package in order to emulate subroutines and variables of the language defined by this Package<br />
shall not be considered part of this Package, but are the equivalent of input as in Paragraph 6, provided<br />
these subroutines do not change the language in any way that would cause it to fail the regression tests<br />
for the language.<br />
8. Aggregation of this Package with a commercial distribution is always permitted provided that the<br />
use of this Package is embedded; that is, when no overt attempt is made to make this Package's<br />
interfaces visible to the end user of the commercial distribution. Such use shall not be construed as a<br />
distribution of this Package.<br />
9. The name of the Copyright Holder may not be used to endorse or promote products derived from<br />
this software without specific prior written permission.<br />
10. THIS PACKAGE IS PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED<br />
WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF<br />
MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.<br />
The End<br />
Sendmail<br />
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<br />
++++++++++++++++++++++++++++++++++++++<br />
Sendmail is a mail transfer agent used by <strong>iPrism</strong> to send email to the administrator for a variety of<br />
reasons.<br />
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<br />
++++++++++++++++++++++++++++++++++++++<br />
SENDMAIL LICENSE<br />
The following license terms and conditions apply, unless a different license is obtained from Sendmail,<br />
Inc., 6425 Christie Ave, Fourth Floor, Emeryville, CA 94608, or by electronic mail at<br />
license@sendmail.com.<br />
License Terms:<br />
Use, Modification and Redistribution (including distribution of any modified or derived work) in<br />
source and binary forms is permitted only if each of the following conditions is met:<br />
1. Redistributions qualify as “freeware” or “Open Source Software” under one of the following terms:<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
387
(a) Redistributions are made at no charge beyond the reasonable cost of materials and delivery.<br />
(b) Redistributions are accompanied by a copy of the Source Code or by an irrevocable offer to<br />
provide a copy of the Source Code for up to three years at the cost of materials and delivery.<br />
Such redistributions must allow further use, modification, and redistribution of the Source Code under<br />
substantially the same terms as this license. For the purposes of redistribution “Source Code” means<br />
the complete compilable and linkable source code of sendmail including all modifications.<br />
2. Redistributions of source code must retain the copyright notices as they appear in each source code<br />
file, these license terms, and the disclaimer/limitation of liability set forth as paragraph 6 below.<br />
3. Redistributions in binary form must reproduce the Copyright Notice, these license terms, and the<br />
disclaimer/limitation of liability set forth as paragraph 6 below, in the documentation and/or other<br />
materials provided with the distribution. For the purposes of binary distribution the “Copyright<br />
Notice” refers to the following language:<br />
“Copyright (c) 1998-2001 Sendmail, Inc. All rights reserved.”<br />
4. Neither the name of Sendmail, Inc. nor the University of California nor the names of their<br />
contributors may be used to endorse or promote products derived from this software without specific<br />
prior written permission. The name “sendmail” is a trademark of Sendmail, Inc.<br />
5. All redistributions must comply with the conditions imposed by the University of California on<br />
certain embedded code, whose copyright notice and conditions for redistribution are as follows:<br />
(a) Copyright (c) 1988, 1993 The Regents of the University of California. All rights reserved.<br />
(b) Redistribution and use in source and binary forms, with or without modification, are permitted<br />
provided that the following conditions are met:<br />
(i) Redistributions of source code must retain the above copyright notice, this list of conditions and the<br />
following disclaimer.<br />
(ii) Redistributions in binary form must reproduce the above copyright notice, this list of conditions<br />
and the following disclaimer in the documentation and/or other materials provided with the<br />
distribution.<br />
(iii) Neither the name of the University nor the names of its contributors may be used to endorse or<br />
promote products derived from this software without specific prior written permission.<br />
6. Disclaimer/Limitation of Liability: THIS SOFTWARE IS PROVIDED BY SENDMAIL, INC.<br />
AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,<br />
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY<br />
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL<br />
SENDMAIL, INC., THE REGENTS OF THE UNIVERSITY OF CALIFORNIA OR<br />
388<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,<br />
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,<br />
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR<br />
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF<br />
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING<br />
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS<br />
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.<br />
$Revision: 1.1.1.1 $, Last updated $Date: 2001/06/13 21:52:18 $<br />
OpenSSL<br />
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<br />
++++++++++++++++++++++++++++++++++++++<br />
OpenSSL is used to implement TLS and Secure Sockets Layer. These are used in the HTTPs protocol<br />
implementation.<br />
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<br />
++++++++++++++++++++++++++++++++++++++<br />
LICENSE ISSUES<br />
The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and<br />
the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both<br />
licenses are BSD-style Open Source licenses.<br />
In case of any license issues related to OpenSSL please contact openssl-core@openssl.org.<br />
OpenSSL License<br />
Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.<br />
Redistribution and use in source and binary forms, with or without modification, are permitted<br />
provided that the following conditions are met:<br />
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the<br />
following disclaimer.<br />
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and<br />
the following disclaimer in the documentation and/or other materials provided with the distribution.<br />
3. All advertising materials mentioning features or use of this software must display the following<br />
acknowledgment:<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
389
“This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit.<br />
(http://www.openssl.org/)<br />
4. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote<br />
products derived from this software without prior written permission. For written permission, please<br />
contact openssl-core@openssl.org.<br />
5. Products derived from this software may not be called “OpenSSL” nor may “OpenSSL” appear in<br />
their names without prior written permission of the OpenSSL Project.<br />
6. Redistributions of any form whatsoever must retain the following acknowledgment:<br />
“This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit<br />
(http://www.openssl.org/)”<br />
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT “AS IS” AND ANY EXPRESSED<br />
OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED<br />
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE<br />
DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE<br />
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR<br />
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF<br />
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS<br />
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN<br />
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)<br />
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE<br />
POSSIBILITY OF SUCH DAMAGE.<br />
====================================================================<br />
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This<br />
product includes software written by Tim Hudson (tjh@cryptsoft.com).<br />
Original SSLeay License<br />
Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) All rights reserved.<br />
This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The<br />
implementation was written so as to conform with Netscape’s SSL.<br />
This library is free for commercial and non-commercial use as long as the following conditions are<br />
adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA,<br />
lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is<br />
covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com).<br />
Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed.<br />
390<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
If this package is used in a product, Eric Young should be given attribution as the author of the parts of<br />
the library used. This can be in the form of a textual message at program startup or in documentation<br />
(online or textual) provided with the package.<br />
Redistribution and use in source and binary forms, with or without modification, are permitted<br />
provided that the following conditions are met:<br />
1. Redistributions of source code must retain the copyright notice, this list of conditions and the<br />
following disclaimer.<br />
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and<br />
the following disclaimer in the documentation and/or other materials provided with the distribution.<br />
3. All advertising materials mentioning features or use of this software must display the following<br />
acknowledgement:<br />
“This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)”<br />
The word 'cryptographic' can be left out if the routines from the library being used are not<br />
cryptographic related :-).<br />
4. If you include any Windows specific code (or a derivative thereof) from the apps directory<br />
(application code) you must include an acknowledgement:<br />
“This product includes software written by Tim Hudson (tjh@cryptsoft.com)”<br />
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG “AS IS” AND ANY EXPRESS OR IMPLIED<br />
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF<br />
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN<br />
NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,<br />
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES<br />
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR<br />
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER<br />
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT<br />
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY<br />
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH<br />
DAMAGE.<br />
The licence and distribution terms for any publicly available version or derivative of this code cannot<br />
be changed. i.e. this code cannot simply be copied and put under another distribution licence<br />
[including the GNU Public Licence.]<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
391
GNU V1<br />
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<br />
++++++++++++++++++++++++++++++++++++++<br />
Several open source packages utilize the GNU license. Below specific packages will refer to a GNU<br />
license. Note there are 3 GNU licenses, the V1, V2 and The Library license. These are different<br />
licenses and each product with call out which specific license governs it's use.<br />
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<br />
++++++++++++++++++++++++++++++++++++++<br />
GNU GENERAL PUBLIC LICENSE<br />
Version 1, February 1989<br />
Copyright (C) 1989 Free Software Foundation, Inc.<br />
675 Mass Ave, Cambridge, MA 02139, USA<br />
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it<br />
is not allowed.<br />
The Free Software Foundation has exempted Bash from the requirement of Paragraph 2c of the<br />
General Public License. This is to say, there is no requirement for Bash to print a notice when it is<br />
started interactively in the usual way. We made this exception because users and standards expect<br />
shells not to print such messages. This exception applies to any program that serves as a shell and that<br />
is based primarily on Bash as opposed to other GNU software.<br />
Preamble<br />
The license agreements of most software companies try to keep users at the mercy of those companies.<br />
By contrast, our General Public License is intended to guarantee your freedom to share and change<br />
free software--to make sure the software is free for all its users. The General Public License applies to<br />
the Free Software Foundation's software and to any other program whose authors commit to using it.<br />
You can use it for your programs, too.<br />
When we speak of free software, we are referring to freedom, not price. Specifically, the General<br />
Public License is designed to make sure that you have the freedom to give away or sell copies of free<br />
software, that you receive source code or can get it if you want it, that you can change the software or<br />
use pieces of it in new free programs; and that you know you can do these things.<br />
To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to<br />
ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you<br />
distribute copies of the software, or if you modify it.<br />
392<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
For example, if you distribute copies of a such a program, whether gratis or for a fee, you must give the<br />
recipients all the rights that you have. You must make sure that they, too, receive or can get the source<br />
code. And you must tell them their rights.<br />
We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which<br />
gives you legal permission to copy, distribute and/or modify the software.<br />
Also, for each author's protection and ours, we want to make certain that everyone understands that<br />
there is no warranty for this free software. If the software is modified by someone else and passed on,<br />
we want its recipients to know that what they have is not the original, so that any problems introduced<br />
by others will not reflect on the original authors' reputations.<br />
The precise terms and conditions for copying, distribution and modification follow.<br />
GNU GENERAL PUBLIC LICENSE<br />
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION<br />
0. This License Agreement applies to any program or other work which contains a notice placed by the<br />
copyright holder saying it may be distributed under the terms of this General Public License. The<br />
“Program”, below, refers to any such program or work, and a “work based on the Program” means<br />
either the Program or any work containing the Program or a portion of it, either verbatim or with<br />
modifications. Each licensee is addressed as “you”.<br />
1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any<br />
medium, provided that you conspicuously and appropriately publish on each copy an appropriate<br />
copyright notice and disclaimer of warranty; keep intact all the notices that refer to this General Public<br />
License and to the absence of any warranty; and give any other recipients of the Program a copy of this<br />
General Public License along with the Program. You may charge a fee for the physical act of<br />
transferring a copy.<br />
2. You may modify your copy or copies of the Program or any portion of it, and copy and distribute<br />
such modifications under the terms of Paragraph 1 above, provided that you also do the following:<br />
a) cause the modified files to carry prominent notices stating that you changed the files and the date of<br />
any change; and<br />
b) cause the whole of any work that you distribute or publish, that in whole or in part contains the<br />
Program or any part thereof, either with or without modifications, to be licensed at no charge to all<br />
third parties under the terms of this General Public License (except that you may choose to grant<br />
warranty protection to some or all third parties, at your option).<br />
c) If the modified program normally reads commands interactively when run, you must cause it, when<br />
started running for such interactive use in the simplest and most usual way, to print or display an<br />
announcement including an appropriate copyright notice and a notice that there is no warranty (or else,<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
393
saying that you provide a warranty) and that users may redistribute the program under these<br />
conditions, and telling the user how to view a copy of this General Public License.<br />
d) You may charge a fee for the physical act of transferring a copy, and you may at your option offer<br />
warranty protection in exchange for a fee. Mere aggregation of another independent work with the<br />
Program (or its derivative) on a volume of a storage or distribution medium does not bring the other<br />
work under the scope of these terms.<br />
3. You may copy and distribute the Program (or a portion or derivative of it, under Paragraph 2) in<br />
object code or executable form under the terms of Paragraphs 1 and 2 above provided that you also do<br />
one of the following:<br />
a) accompany it with the complete corresponding machine-readable source code, which must be<br />
distributed under the terms of Paragraphs 1 and 2 above; or,<br />
b) accompany it with a written offer, valid for at least three years, to give any third party free (except<br />
for a nominal charge for the cost of distribution) a complete machine-readable copy of the<br />
corresponding source code, to be distributed under the terms of Paragraphs 1 and 2 above; or,<br />
c) accompany it with the information you received as to where the corresponding source code may be<br />
obtained. (This alternative is allowed only for noncommercial distribution and only if you received the<br />
program in object code or executable form alone.) Source code for a work means the preferred form of<br />
the work for making modifications to it. For an executable file, complete source code means all the<br />
source code for all modules it contains; but, as a special exception, it need not include source code for<br />
modules which are standard libraries that accompany the operating system on which the executable<br />
file runs, or for standard header files or definitions files that accompany that operating system.<br />
4. You may not copy, modify, sublicense, distribute or transfer the Program except as expressly<br />
provided under this General Public License. Any attempt otherwise to copy, modify, sublicense,<br />
distribute or transfer the Program is void, and will automatically terminate your rights to use the<br />
Program under this License. However, parties who have received copies, or rights to use copies, from<br />
you under this General Public License will not have their licenses terminated so long as such parties<br />
remain in full compliance.<br />
5. By copying, distributing or modifying the Program (or any work based on the Program) you indicate<br />
your acceptance of this license to do so, and all its terms and conditions.<br />
6. Each time you redistribute the Program (or any work based on the Program), the recipient<br />
automatically receives a license from the original licensor to copy, distribute or modify the Program<br />
subject to these terms and conditions. You may not impose any further restrictions on the recipients'<br />
exercise of the rights granted herein.<br />
394<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
7. The Free Software Foundation may publish revised and/or new versions of the General Public<br />
License from time to time. Such new versions will be similar in spirit to the present version, but may<br />
differ in detail to address new problems or concerns.<br />
Each version is given a distinguishing version number. If the Program specifies a version number of<br />
the license which applies to it and “any later version”, you have the option of following the terms and<br />
conditions either of that version or of any later version published by the Free Software Foundation. If<br />
the Program does not specify a version number of the license, you may choose any version ever<br />
published by the Free Software Foundation.<br />
8. If you wish to incorporate parts of the Program into other free programs whose distribution<br />
conditions are different, write to the author to ask for permission. For software which is copyrighted by<br />
the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions<br />
for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of<br />
our free software and of promoting the sharing and reuse of software generally.<br />
NO WARRANTY<br />
9. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY<br />
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN<br />
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES<br />
PROVIDE THE PROGRAM “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER<br />
EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED<br />
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE<br />
ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH<br />
YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL<br />
NECESSARY SERVICING, REPAIR OR CORRECTION.<br />
10. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING<br />
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR<br />
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR<br />
DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL<br />
DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM<br />
(INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED<br />
INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF<br />
THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER<br />
OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.<br />
END OF TERMS AND CONDITIONS<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
395
Appendix: How to Apply These Terms to Your New Programs<br />
If you develop a new program, and you want it to be of the greatest possible use to humanity, the best<br />
way to achieve this is to make it free software which everyone can redistribute and change under these<br />
terms.<br />
To do so, attach the following notices to the program. It is safest to attach them to the start of each<br />
source file to most effectively convey the exclusion of warranty; and each file should have at least the<br />
“copyright” line and a pointer to where the full notice is found.<br />
That's all there is to it!<br />
GNU v2<br />
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<br />
++++++++++++++++++++++++++++++++++++++<br />
GNU V2: This is version 2 of the GNU license. Programs which use this will call it out below.<br />
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<br />
++++++++++++++++++++++++++++++++++++++<br />
GNU GENERAL PUBLIC LICENSE<br />
Version 2, June 1991<br />
Copyright (C) 1989, 1991 Free Software Foundation, Inc.<br />
675 Mass Ave, Cambridge, MA 02139, USA<br />
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it<br />
is not allowed.<br />
Preamble<br />
The licenses for most software are designed to take away your freedom to share and change it. By<br />
contrast, the GNU General Public License is intended to guarantee your freedom to share and change<br />
free software--to make sure the software is free for all its users. This General Public License applies to<br />
most of the Free Software Foundation's software and to any other program whose authors commit to<br />
using it. (Some other Free Software Foundation software is covered by the GNU Library General<br />
Public License instead.) You can apply it to your programs, too.<br />
When we speak of free software, we are referring to freedom, not price. Our General Public Licenses<br />
are designed to make sure that you have the freedom to distribute copies of free software (and charge<br />
for this service if you wish), that you receive source code or can get it if you want it, that you can<br />
change the software or use pieces of it in new free programs; and that you know you can do these<br />
things.<br />
To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to<br />
ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you<br />
distribute copies of the software, or if you modify it.<br />
For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the<br />
recipients all the rights that you have. You must make sure that they, too, receive or can get the source<br />
code. And you must show them these terms so they know their rights.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
397
We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which<br />
gives you legal permission to copy, distribute and/or modify the software.<br />
Also, for each author's protection and ours, we want to make certain that everyone understands that<br />
there is no warranty for this free software. If the software is modified by someone else and passed on,<br />
we want its recipients to know that what they have is not the original, so that any problems introduced<br />
by others will not reflect on the original authors' reputations.<br />
Finally, any free program is threatened constantly by software patents. We wish to avoid the danger<br />
that redistributors of a free program will individually obtain patent licenses, in effect making the<br />
program proprietary. To prevent this, we have made it clear that any patent must be licensed for<br />
everyone's free use or not licensed at all.<br />
The precise terms and conditions for copying, distribution and modification follow.<br />
GNU GENERAL PUBLIC LICENSE<br />
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION<br />
0. This License applies to any program or other work which contains a notice placed by the copyright<br />
holder saying it may be distributed under the terms of this General Public License. The “Program”,<br />
below, refers to any such program or work, and a “work based on the Program” means either the<br />
Program or any derivative work under copyright law: that is to say, a work containing the Program or a<br />
portion of it, either verbatim or with modifications and/or translated into another language.<br />
(Hereinafter, translation is included without limitation in the term “modification”.) Each licensee is<br />
addressed as “you”.<br />
Activities other than copying, distribution and modification are not covered by this License; they are<br />
outside its scope. The act of running the Program is not restricted, and the output from the Program is<br />
covered only if its contents constitute a work based on the Program (independent of having been made<br />
by running the Program). Whether that is true depends on what the Program does.<br />
1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any<br />
medium, provided that you conspicuously and appropriately publish on each copy an appropriate<br />
copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to<br />
the absence of any warranty; and give any other recipients of the Program a copy of this License along<br />
with the Program.<br />
You may charge a fee for the physical act of transferring a copy, and you may at your option offer<br />
warranty protection in exchange for a fee.<br />
2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based<br />
on the Program, and copy and distribute such modifications or work under the terms of Section 1<br />
above, provided that you also meet all of these conditions:<br />
398<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
a) You must cause the modified files to carry prominent notices stating that you changed the files and<br />
the date of any change.<br />
b) You must cause any work that you distribute or publish, that in whole or in part contains or is<br />
derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties<br />
under the terms of this License.<br />
c) If the modified program normally reads commands interactively when run, you must cause it, when<br />
started running for such interactive use in the most ordinary way, to print or display an announcement<br />
including an appropriate copyright notice and a notice that there is no warranty (or else, saying that<br />
you provide a warranty) and that users may redistribute the program under these conditions, and telling<br />
the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not<br />
normally print such an announcement, your work based on the Program is not required to print an<br />
announcement.)<br />
These requirements apply to the modified work as a whole. If identifiable sections of that work are not<br />
derived from the Program, and can be reasonably considered independent and separate works in<br />
themselves, then this License, and its terms, do not apply to those sections when you distribute them as<br />
separate works. But when you distribute the same sections as part of a whole which is a work based on<br />
the Program, the distribution of the whole must be on the terms of this License, whose permissions for<br />
other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.<br />
Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by<br />
you; rather, the intent is to exercise the right to control the distribution of derivative or collective works<br />
based on the Program.<br />
In addition, mere aggregation of another work not based on the Program with the Program (or with a<br />
work based on the Program) on a volume of a storage or distribution medium does not bring the other<br />
work under the scope of this License.<br />
3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or<br />
executable form under the terms of Sections 1 and 2 above provided that you also do one of the<br />
following:<br />
a) Accompany it with the complete corresponding machine-readable source code, which must be<br />
distributed under the terms of Sections 1 and 2 above on a medium customarily used for software<br />
interchange; or,<br />
b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge<br />
no more than your cost of physically performing source distribution, a complete machine-readable<br />
copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on<br />
a medium customarily used for software interchange; or,<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
399
c) Accompany it with the information you received as to the offer to distribute corresponding source<br />
code. (This alternative is allowed only for noncommercial distribution and only if you received the<br />
program in object code or executable form with such an offer, in accord with Subsection b above.)<br />
The source code for a work means the preferred form of the work for making modifications to it. For<br />
an executable work, complete source code means all the source code for all modules it contains, plus<br />
any associated interface definition files, plus the scripts used to control compilation and installation of<br />
the executable. However, as a special exception, the source code distributed need not include anything<br />
that is normally distributed (in either source or binary form) with the major components (compiler,<br />
kernel, and so on) of the operating system on which the executable runs, unless that component itself<br />
accompanies the executable.<br />
If distribution of executable or object code is made by offering access to copy from a designated place,<br />
then offering equivalent access to copy the source code from the same place counts as distribution of<br />
the source code, even though third parties are not compelled to copy the source along with the object<br />
code.<br />
4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under<br />
this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and<br />
will automatically terminate your rights under this License. However, parties who have received<br />
copies, or rights, from you under this License will not have their licenses terminated so long as such<br />
parties remain in full compliance.<br />
5. You are not required to accept this License, since you have not signed it. However, nothing else<br />
grants you permission to modify or distribute the Program or its derivative works. These actions are<br />
prohibited by law if you do not accept this License. Therefore, by modifying or distributing the<br />
Program (or any work based on the Program), you indicate your acceptance of this License to do so,<br />
and all its terms and conditions for copying, distributing or modifying the Program or works based on<br />
it.<br />
6. Each time you redistribute the Program (or any work based on the Program), the recipient<br />
automatically receives a license from the original licensor to copy, distribute or modify the Program<br />
subject to these terms and conditions. You may not impose any further restrictions on the recipients'<br />
exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties<br />
to this License.<br />
7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason<br />
(not limited to patent issues), conditions are imposed on you (whether by court order, agreement or<br />
otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of<br />
this License. If you cannot distribute so as to satisfy simultaneously your obligations under this<br />
License and any other pertinent obligations, then as a consequence you may not distribute the Program<br />
400<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
at all. For example, if a patent license would not permit royalty-free redistribution of the Program by<br />
all those who receive copies directly or indirectly through you, then the only way you could satisfy<br />
both it and this License would be to refrain entirely from distribution of the Program.<br />
If any portion of this section is held invalid or unenforceable under any particular circumstance, the<br />
balance of the section is intended to apply and the section as a whole is intended to apply in other<br />
circumstances.<br />
It is not the purpose of this section to induce you to infringe any patents or other property right claims<br />
or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of<br />
the free software distribution system, which is implemented by public license practices. Many people<br />
have made generous contributions to the wide range of software distributed through that system in<br />
reliance on consistent application of that system; it is up to the author/donor to decide if he or she is<br />
willing to distribute software through any other system and a licensee cannot impose that choice.<br />
This section is intended to make thoroughly clear what is believed to be a consequence of the rest of<br />
this License.<br />
8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by<br />
copyrighted interfaces, the original copyright holder who places the Program under this License may<br />
add an explicit geographical distribution limitation excluding those countries, so that distribution is<br />
permitted only in or among countries not thus excluded. In such case, this License incorporates the<br />
limitation as if written in the body of this License.<br />
9. The Free Software Foundation may publish revised and/or new versions of the General Public<br />
License from time to time. Such new versions will be similar in spirit to the present version, but may<br />
differ in detail to address new problems or concerns.<br />
Each version is given a distinguishing version number. If the Program specifies a version number of<br />
this License which applies to it and “any later version”, you have the option of following the terms and<br />
conditions either of that version or of any later version published by the Free Software Foundation. If<br />
the Program does not specify a version number of this License, you may choose any version ever<br />
published by the Free Software Foundation.<br />
10. If you wish to incorporate parts of the Program into other free programs whose distribution<br />
conditions are different, write to the author to ask for permission. For software which is copyrighted by<br />
the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions<br />
for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of<br />
our free software and of promoting the sharing and reuse of software generally.<br />
NO WARRANTY<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
401
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY<br />
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN<br />
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES<br />
PROVIDE THE PROGRAM “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER<br />
EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED<br />
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE<br />
ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH<br />
YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL<br />
NECESSARY SERVICING, REPAIR OR CORRECTION.<br />
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING<br />
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR<br />
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR<br />
DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL<br />
DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM<br />
(INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED<br />
INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF<br />
THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER<br />
OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.<br />
END OF TERMS AND CONDITIONS<br />
Appendix: How to Apply These Terms to Your New Programs<br />
If you develop a new program, and you want it to be of the greatest possible use to the public, the best<br />
way to achieve this is to make it free software which everyone can redistribute and change under these<br />
terms.<br />
To do so, attach the following notices to the program. It is safest to attach them to the start of each<br />
source file to most effectively convey the exclusion of warranty; and each file should have at least the<br />
“copyright” line and a pointer to where the full notice is found.<br />
You should have received a copy of the GNU General Public License along with this program; if not,<br />
write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.<br />
Also add information on how to contact you by electronic and paper mail.<br />
If the program is interactive, make it output a short notice like this when it starts in an interactive<br />
mode:<br />
Gnomovision version 69, Copyright (C) 19yy name of author<br />
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.<br />
This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for<br />
details.<br />
The hypothetical commands `show w' and `show c' should show the appropriate parts of the General<br />
Public License. Of course, the commands you use may be called something other than `show w' and<br />
`show c'; they could even be mouse-clicks or menu items--whatever suits your program.<br />
You should also get your employer (if you work as a programmer) or your school, if any, to sign a<br />
“copyright disclaimer” for the program, if necessary. Here is a sample; alter the names:<br />
Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes<br />
passes at compilers) written by James Hacker.<br />
, 1 April 1989<br />
Ty Coon, President of Vice<br />
This General Public License does not permit incorporating your program into proprietary programs. If<br />
your program is a subroutine library, you may consider it more useful to permit linking proprietary<br />
applications with the library. If this is what you want to do, use the GNU Library General Public<br />
License instead of this License.<br />
Bind<br />
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<br />
++++++++++++++++++++++++++++++++++++++<br />
Bind implements a name server used to resolve DNS names into IP addresses.<br />
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<br />
++++++++++++++++++++++++++++++++++++++<br />
Copyright (c) 1993-2000 by Internet Software Consortium, Inc.<br />
Permission to use, copy, modify, and distribute this software for any purpose with or without fee is<br />
hereby granted, provided that the above copyright notice and this permission notice appear in all<br />
copies.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
403
THE SOFTWARE IS PROVIDED “AS IS” AND INTERNET SOFTWARE CONSORTIUM<br />
DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL<br />
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL<br />
INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT,<br />
OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM<br />
LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,<br />
NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION<br />
WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.<br />
Internet Software Consortium<br />
950 Charter Street<br />
Redwood City, CA 94063<br />
Tel: 1-888-868-1001 (toll free in U.S.)<br />
Tel: 1-650-779-7091<br />
Fax: 1-650-779-7055<br />
Email: <br />
RSA<br />
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<br />
++++++++++++++++++++++++++++++++++++++<br />
Portions of BIND include code from RSA which provide enhanced security. That code is governed by<br />
the following license:<br />
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<br />
++++++++++++++++++++++++++++++++++++++<br />
DNSSAFE LICENSE TERMS<br />
This BIND software includes the DNSsafe software from RSA Data Security, Inc., which is<br />
copyrighted software that can only be distributed under the terms of this license agreement.<br />
The DNSsafe software cannot be used or distributed separately from the BIND software. You only<br />
have the right to use it or distribute it as a bundled, integrated product.<br />
The DNSsafe software can ONLY be used to provide authentication for resource records in the<br />
Domain Name System, as specified in RFC 2065 and successors. You cannot modify the BIND<br />
software to use the DNSsafe software for other purposes, or to make its cryptographic functions<br />
available to end-users for other uses.<br />
404<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
If you modify the DNSsafe software itself, you cannot modify its documented API, and you must grant<br />
RSA Data Security the right to use, modify, and distribute your modifications, including the right to<br />
use any patents or other intellectual property that your modifications depend upon.<br />
You must not remove, alter, or destroy any of RSA’s copyright notices or license information. When<br />
distributing the software to the Federal Government, it must be licensed to them as “commercial<br />
computer software” protected under 48 CFR 12.212 of the FAR, or 48 CFR 227.7202.1 of the DFARS.<br />
You must not violate United States export control laws by distributing the DNSsafe software or<br />
information about it, when such distribution is prohibited by law.<br />
THE DNSSAFE SOFTWARE IS PROVIDED “AS IS” WITHOUT ANY WARRANTY<br />
WHATSOEVER. RSA HAS NO OBLIGATION TO SUPPORT, CORRECT, UPDATE OR<br />
MAINTAIN THE RSA SOFTWARE. RSA DISCLAIMS ALL WARRANTIES, EXPRESS, IMPLIED<br />
OR STATUTORY, AS TO ANY MATTER WHATSOEVER, INCLUDING ALL IMPLIED<br />
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND<br />
NON-INFRINGEMENT OF THIRD PARTY RIGHTS.<br />
If you desire to use DNSsafe in ways that these terms do not permit, please contact RSA Data Security,<br />
Inc., 100 Marine Parkway, Redwood City, California 94065, USA, to discuss alternate licensing<br />
arrangements.<br />
Magelang<br />
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<br />
++++++++++++++++++++++++++++++++++++++<br />
Magelang produces some Java based GUI components that are used in portions of the user interface.<br />
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<br />
++++++++++++++++++++++++++++++++++++++<br />
Use this code at your own risk! MageLang Institute is not responsible for any damage caused directly<br />
or indirectly through use of this code.<br />
SOFTWARE RIGHTS<br />
TabSplitter, version 2.0, Scott Stanchfield, MageLang Institute<br />
We reserve no legal rights to this code--it is fully in the public domain. An individual or company may<br />
do whatever they wish with source code distributed with it, including the incorporation of it into<br />
commercial software.<br />
However, this code cannot be sold as a standalone product.We encourage users to develop software<br />
with this code. However, we do ask that credit is given to us for developing it.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
405
By “credit”, we mean that if you use these components or incorporate any source code into one of your<br />
programs (commercial product, research project, or otherwise) that you acknowledge this fact<br />
somewhere in the documentation, research report, etc... If you like these components and have<br />
developed a nice tool with the output, please mention that you developed it using these components. In<br />
addition, we ask that the headers remain intact in our source code. As long as these guidelines are kept,<br />
we expect to continue enhancing this system and expect to make other tools available as they are<br />
completed.<br />
The MageLang Support Classes Gang:<br />
@version TabSplitter 2.0, MageLang Institute, Jan. 18, 1998<br />
@author Scott Stanchfield, MageLang Institute<br />
GNU Java regexp<br />
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<br />
++++++++++++++++++++++++++++++++++++++<br />
The GNU Java regexp packages is used to perform regular expression pattern matching in the user<br />
interface.<br />
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<br />
++++++++++++++++++++++++++++++++++++++<br />
See “GNU v2” on page 310<br />
LibBF<br />
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<br />
++++++++++++++++++++++++++++++++++++++<br />
This library provides blowfish encryption capabilities used by <strong>iPrism</strong>.<br />
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<br />
++++++++++++++++++++++++++++++++++++++<br />
Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)<br />
All rights reserved.<br />
This package is an Blowfish implementation written by Eric Young (eay@cryptsoft.com).<br />
This library is free for commercial and non-commercial use as long as the following conditions are<br />
adhered to. The following conditions apply to all code found in this distribution.<br />
406<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed.<br />
Redistribution and use in source and binary forms, with or without modification, are permitted<br />
provided that the following conditions are met:<br />
1. Redistributions of source code must retain the copyright notice, this list of conditions and the<br />
following disclaimer.<br />
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and<br />
the following disclaimer in the documentation and/or other materials provided with the distribution.<br />
3. All advertising materials mentioning features or use of this software must display the following<br />
acknowledgement:<br />
This product includes software developed by Eric Young (eay@cryptsoft.com)<br />
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG “AS IS” AND ANY EXPRESS OR IMPLIED<br />
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF<br />
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN<br />
NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,<br />
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES<br />
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR<br />
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER<br />
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT<br />
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY<br />
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH<br />
DAMAGE.<br />
The license and distribution terms for any publicly available version or derivative of this code cannot<br />
be changed. i.e. this code cannot simply be copied and put under another distribution license [including<br />
the GNU Public License.]<br />
The reason behind this being stated in this direct manner is past experience in code simply being<br />
copied and the attribution removed from it and then being distributed as part of other packages. This<br />
implementation was a non-trivial and unpaid effort.<br />
OpenLDAP<br />
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<br />
++++++++++++++++++++++++++++++++++++++<br />
OpenLDAP is used by <strong>iPrism</strong> to implement the LDAP protocol.<br />
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
407
++++++++++++++++++++++++++++++++++++++<br />
Copyright 1998-2000 The OpenLDAP Foundation, Redwood City, California, USA<br />
All rights reserved.<br />
Redistribution and use in source and binary forms are permitted only as authorized by the OpenLDAP<br />
Public License. A copy of this license is available at http://www.OpenLDAP.org/license.html or in file<br />
LICENSE in the top-level directory of the distribution.<br />
This work is derived from the University of Michigan LDAP v3.3 distribution. Information concerning<br />
is available at http://www.umich.edu/~dirsvcs/ldap/ldap.html or from ldap-support@umich.edu.<br />
This work also contains materials derived from public sources.<br />
Additional Information about OpenLDAP can be obtained at:<br />
http://www.openldap.org/<br />
or by sending e-mail to:<br />
info@OpenLDAP.org<br />
Portions Copyright (c) 1992-1996 Regents of the University of Michigan.<br />
All rights reserved.<br />
Redistribution and use in source and binary forms are permitted provided that this notice is preserved<br />
and that due credit is given to the University of Michigan at Ann Arbor. The name of the University<br />
may not be used to endorse or promote products derived from this software without specific prior<br />
written permission. This software is provided “as is” without express or implied warranty.<br />
The OpenLDAP Public License<br />
Version 1.4, 18 January 1999<br />
Copyright 1998-1999, The OpenLDAP Foundation.<br />
All Rights Reserved.<br />
Note:<br />
This license is derived from the “Artistic License” as distributed with the Perl Programming Language.<br />
As significant differences exist, the complete license should be read.<br />
PREAMBLE<br />
The intent of this document is to state the conditions under which a Package may be copied, such that<br />
the Copyright Holder maintains some semblance of artistic control over the development of the<br />
package, while giving the users of the package the right to use and distribute the Package in a more-orless<br />
customary fashion, plus the right to make reasonable modifications.<br />
408<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Definitions:<br />
“Package” refers to the collection of files distributed by the Copyright Holder, and derivatives of that<br />
collection of files created through textual modification.<br />
“Standard Version” refers to such a Package if it has not been modified, or has been modified in<br />
accordance with the wishes of the Copyright Holder.<br />
“Copyright Holder” is whoever is named in the copyright or copyrights for the package.<br />
“You” is you, if you're thinking about copying or distributing this Package.<br />
“Reasonable copying fee” is whatever you can justify on the basis of media cost, duplication charges,<br />
time of people involved, and so on. (You will not be required to justify it to the Copyright Holder, but<br />
only to the computing community at large as a market that must bear the fee.)<br />
“Freely Available” means that no fee is charged for the item itself, though there may be fees involved<br />
in handling the item. It also means that recipients of the item may redistribute it under the same<br />
conditions they received it.<br />
1. You may make and give away verbatim copies of the source form of the Standard Version of this<br />
Package without restriction, provided that you duplicate all of the original copyright notices and<br />
associated disclaimers.<br />
2. You may apply bug fixes, portability fixes and other modifications derived from the Public Domain<br />
or from the Copyright Holder. A Package modified in such a way shall still be considered the Standard<br />
Version.<br />
3. You may otherwise modify your copy of this Package in any way, provided that you insert a<br />
prominent notice in each changed file stating how and when you changed that file, and provided that<br />
you do at least ONE of the following:<br />
a) place your modifications in the Public Domain or otherwise make them Freely Available, such as by<br />
posting said modifications to Usenet or an equivalent medium, or placing the modifications on a major<br />
archive site such as uunet.uu.net, or by allowing the Copyright Holder to include your modifications in<br />
the Standard Version of the Package.<br />
b) use the modified Package only within your corporation or organization.<br />
c) rename any non-standard executables so the names do not conflict with standard executables, which<br />
must also be provided, and provide a separate manual page for each non-standard executable that<br />
clearly documents how it differs from the Standard Version.<br />
d) make other distribution arrangements with the Copyright Holder.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
409
4. You may distribute the programs of this Package in object code or executable form, provided that<br />
you do at least ONE of the following:<br />
a) distribute a Standard Version of the executables and library files, together with instructions (in the<br />
manual page or equivalent) on where to get the Standard Version.<br />
b) accompany the distribution with the machine-readable source of the Package with your<br />
modifications.<br />
c) accompany any non-standard executables with their corresponding Standard Version executables,<br />
giving the non-standard executables non-standard names, and clearly documenting the differences in<br />
manual pages (or equivalent), together with instructions on where to get the Standard Version.<br />
d) make other distribution arrangements with the Copyright Holder.<br />
5. You may charge a reasonable copying fee for any distribution of this Package. You may charge any<br />
fee you choose for support of this Package. You may not charge a fee for this Package itself. However,<br />
you may distribute this Package in aggregate with other (possibly commercial) programs as part of a<br />
larger (possibly commercial) software distribution provided that you do not advertise this Package as a<br />
product of your own.<br />
6. The scripts and library files supplied as input to or produced as output from the programs of this<br />
Package do not automatically fall under the copyright of this Package, but belong to whomever<br />
generated them, and may be sold commercially, and may be aggregated with this Package.<br />
7. C subroutines supplied by you and linked into this Package in order to emulate subroutines and<br />
variables defined by this Package shall not be considered part of this Package, but are the equivalent of<br />
input as in Paragraph 6, provided these subroutines do not change the behavior of the Package in any<br />
way that would cause it to fail the regression tests for the Package.<br />
8. Software supplied by you and linked with this Package in order to use subroutines and variables<br />
defined by this Package shall not be considered part of this Package and do not automatically fall<br />
under the copyright of this Package. Executables produced by linking your software with this Package<br />
may be used and redistributed without restriction and may be sold commercially so long as the primary<br />
function of your software is different than the package itself.<br />
9. The name of the Copyright Holder may not be used to endorse or promote products derived from<br />
this software without specific prior written permission.<br />
10. THIS PACKAGE IS PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED<br />
WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF<br />
MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.<br />
The End<br />
410<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Perl/Cryptix<br />
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<br />
++++++++++++++++++++++++++++++++++++++<br />
These packages provide various cryptography support to the perl environment. They are used to<br />
support encryption of protocols and protect data.<br />
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<br />
++++++++++++++++++++++++++++++++++++++<br />
This perl extension includes software developed by, and copyright of, A.M. Kuchling.<br />
Other parts of the library are covered by the following licence:<br />
Copyright (C) 1995, 1996 Systemics Ltd (http://www.systemics.com/)<br />
All rights reserved.<br />
This library and applications are FREE FOR COMMERCIAL AND NON-COMMERCIAL USE as<br />
long as the following conditions are adhered to.<br />
Copyright remains with Systemics Ltd, and as such any Copyright notices in the code are not to be<br />
removed. If this code is used in a product, Systemics should be given attribution as the author of the<br />
parts used. This can be in the form of a textual message at program startup or in documentation (online<br />
or textual) provided with the package.<br />
Redistribution and use in source and binary forms, with or without modification, are permitted<br />
provided that the following conditions are met:<br />
1. Redistributions of source code must retain the copyright notice, this list of conditions and the<br />
following disclaimer.<br />
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and<br />
the following disclaimer in the documentation and/or other materials provided with the distribution.<br />
3. All advertising materials mentioning features or use of this software must display the following<br />
acknowledgement:<br />
This product includes software developed by Systemics Ltd (http://www.systemics.com/)<br />
THIS SOFTWARE IS PROVIDED BY SYSTEMICS LTD “AS IS” AND ANY EXPRESS OR<br />
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES<br />
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.<br />
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,<br />
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES<br />
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
411
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER<br />
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT<br />
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY<br />
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH<br />
DAMAGE.<br />
The licence and distribution terms for any publicly available version or derivative of this code cannot<br />
be changed. i.e. this code cannot simply be copied and put under another distribution licence<br />
[including the GNU Public Licence.]<br />
Perl/Mime-Tools<br />
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<br />
++++++++++++++++++++++++++++++++++++++<br />
This is a library that provides mime parsing capabilities to the Perl environment.<br />
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<br />
++++++++++++++++++++++++++++++++++++++<br />
The “MIME-tools” Perl5 kit.<br />
Copyright (c) 1996 by Eryq. All rights reserved.<br />
This program is free software; you can redistribute it and/or modify it under the same terms as Perl<br />
itself.<br />
You should have received a copy of the Perl license along with Perl; see the file README in Perl<br />
distribution.<br />
You should have received a copy of the GNU General Public License along with Perl; see the file<br />
Copying. If not, write to the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.<br />
You should have received a copy of the Artistic License along with Perl; see the file Artistic.<br />
NO WARRANTY<br />
BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY<br />
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN<br />
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES<br />
PROVIDE THE PROGRAM “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER<br />
EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED<br />
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE<br />
ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH<br />
412<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL<br />
NECESSARY SERVICING, REPAIR OR CORRECTION.<br />
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING<br />
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR<br />
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR<br />
DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL<br />
DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM<br />
(INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED<br />
INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF<br />
THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER<br />
OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.<br />
END OF TERMS AND CONDITIONS<br />
PostgreSQL<br />
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<br />
++++++++++++++++++++++++++++++++++++++<br />
This is a SQL DBMS used to store configuration and state data on <strong>iPrism</strong>.<br />
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<br />
++++++++++++++++++++++++++++++++++++++<br />
PostgreSQL Data Base Management System (formerly known as Postgres, then as Postgres95).<br />
Portions Copyright (c) 1996-2001, PostgreSQL Global Development Group<br />
Portions Copyright (c) 1994 Regents of the University of California<br />
Permission to use, copy, modify, and distribute this software and its documentation for any purpose,<br />
without fee, and without a written agreement is hereby granted, provided that the above copyright<br />
notice and this paragraph and the following two paragraphs appear in all copies.<br />
IN NO EVENT SHALL THE UNIVERSITY OF CALIFORNIA BE LIABLE TO ANY PARTY FOR<br />
DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES,<br />
INCLUDING LOST PROFITS, ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS<br />
DOCUMENTATION, EVEN IF THE UNIVERSITY OF CALIFORNIA HAS BEEN ADVISED OF<br />
THE POSSIBILITY OF SUCH DAMAGE.<br />
THE UNIVERSITY OF CALIFORNIA SPECIFICALLY DISCLAIMS ANY WARRANTIES,<br />
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY<br />
AND FITNESS FOR A PARTICULAR PURPOSE. THE SOFTWARE PROVIDED HEREUNDER<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
413
IS ON AN “AS IS” BASIS, AND THE UNIVERSITY OF CALIFORNIA HAS NO OBLIGATIONS<br />
TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR<br />
MODIFICATIONS.<br />
Samba<br />
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<br />
++++++++++++++++++++++++++++++++++++++<br />
Samba is used to provide the protocol support to interact with an NTLM environment.<br />
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<br />
++++++++++++++++++++++++++++++++++++++<br />
-- Samba uses the GNU V2 license. See “GNU v2” on page 310<br />
Squid<br />
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<br />
++++++++++++++++++++++++++++++++++++++<br />
Squid implements an HTTP proxy used to implement the actual data handling of the HTTP traffic in<br />
<strong>iPrism</strong><br />
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<br />
++++++++++++++++++++++++++++++++++++++<br />
By accepting this notice, you agree to be bound by the following agreements:<br />
This software product, SQUID, is developed by Duane Wessels, and copyrighted (C) 2000 by the<br />
Regents of the University of California, with all rights reserved. UCSD administers the NLANR Cache<br />
grants, NCR 9616602 and NCR 9521745 under which most of this code was developed.<br />
This program is free software; you can redistribute it and/or modify it under the terms of the GNU<br />
General Public License (version 2) as published by the Free Software Foundation. It is distributed in<br />
the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty<br />
of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General<br />
Public License for more details.<br />
You should have received a copy of the GNU General Public License along with this program; if not,<br />
write to:<br />
The Free Software Foundation<br />
59 Temple Place<br />
414<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Suite 330<br />
Boston, MA 02111, USA<br />
Or contact info@nlanr.net<br />
Sudo<br />
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<br />
++++++++++++++++++++++++++++++++++++++<br />
Sudo implements a mechanism for controlling privileges to <strong>iPrism</strong> system resources.<br />
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<br />
++++++++++++++++++++++++++++++++++++++<br />
Sudo is distributed under the following BSD-style license:<br />
Copyright (c) 1994-1996,1998-2000 Todd C. Miller <br />
All rights reserved.<br />
Redistribution and use in source and binary forms, with or without modification, are permitted<br />
provided that the following conditions are met:<br />
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the<br />
following disclaimer.<br />
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and<br />
the following disclaimer in the documentation and/or other materials provided with the distribution.<br />
3. The name of the author may not be used to endorse or promote products derived from this software<br />
without specific prior written permission from the author.<br />
4. Products derived from this software may not be called “Sudo” nor may “Sudo” appear in their<br />
names without specific prior written permission from the author.<br />
THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,<br />
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY<br />
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL<br />
THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEM-<br />
PLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,<br />
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR<br />
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF<br />
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING<br />
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS<br />
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
415
Additionally, lsearch.c, fnmatch.c, getcwd.c, snprintf.c, strcasecmp.c and fnmatch.3 bear the following<br />
UCB license:<br />
Copyright (c) 1987, 1989, 1990, 1991, 1993, 1994<br />
The Regents of the University of California. All rights reserved.<br />
Redistribution and use in source and binary forms, with or without modification, are permitted<br />
provided that the following conditions are met:<br />
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the<br />
following disclaimer.<br />
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and<br />
the following disclaimer in the documentation and/or other materials provided with the distribution.<br />
3. Neither the name of the University nor the names of its contributors may be used to endorse or<br />
promote products derived from this software without specific prior written permission.<br />
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS “AS IS” AND<br />
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE<br />
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR<br />
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS<br />
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR<br />
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF<br />
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS<br />
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN<br />
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)<br />
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE<br />
POSSIBILITY OF SUCH DAMAGE.<br />
VTUN<br />
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<br />
++++++++++++++++++++++++++++++++++++++<br />
Vtun is used to allow the <strong>iPrism</strong> administrator establish secure diagnostic tunnels as requested by the<br />
support team.<br />
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<br />
++++++++++++++++++++++++++++++++++++++<br />
VTun - Virtual Tunnel over TCP/IP network.<br />
Copyright (C) 1998-2000 Maxim Krasnyansky <br />
416<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
VTun has been derived from VPPP package by Maxim Krasnyansky.<br />
This program is free software; you can redistribute it and/or modify it under the terms of the GNU<br />
General Public License as published by the Free Software Foundation; either version 2 of the License,<br />
or (at your option) any later version.<br />
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;<br />
without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR<br />
PURPOSE. See the GNU General Public License for more details.<br />
WUFTPd<br />
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<br />
++++++++++++++++++++++++++++++++++++++<br />
WUFTPd is used to implement an FTP server.<br />
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<br />
++++++++++++++++++++++++++++++++++++++<br />
Copyright (c) 1999,2000 WU-FTPD Development Group.<br />
All rights reserved.<br />
Portions Copyright (c) 1980, 1985, 1988, 1989, 1990, 1991, 1993, 1994 The Regents of the University<br />
of California.<br />
Portions Copyright (c) 1993, 1994 Washington University in Saint Louis.<br />
Portions Copyright (c) 1989 Massachusetts Institute of Technology.<br />
Portions Copyright (c) 1998 Sendmail, Inc.<br />
Portions Copyright (c) 1983, 1995, 1996, 1997 Eric P. Allman.<br />
Portions Copyright (c) 1996, 1998 Berkeley Software Design, Inc.<br />
Portions Copyright (C) 1991, 1992, 1993, 1994, 1995 1996, 1997<br />
Free Software Foundation, Inc.<br />
Portions Copyright (c) 1997 by Stan Barber.<br />
Portions Copyright (c) 1997 by Kent Landfield.<br />
Use and distribution of this software and its source code are governed by the terms and conditions of<br />
the WU-FTPD Software License (“LICENSE”).<br />
If you did not receive a copy of the license, it may be obtained online at http://www.wu-ftpd.org/<br />
license.html.<br />
$Id: COPYRIGHT,v 1.1.1.1 2000/07/21 16:08:05 danno Exp $<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
417
--------------------------------------------------------------------------------------------------------------<br />
Below are the copyrights of the individual contributors to wu-ftpd.<br />
--------------------------------------------------------------------------------------------------------------<br />
/Copyright (c) 1993, 1994 Washington University in Saint Louis<br />
All rights reserved.<br />
Redistribution and use in source and binary forms, with or without modification, are permitted<br />
provided that the following conditions are met:<br />
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the<br />
following disclaimer.<br />
2.Redistributions in binary form must reproduce the above copyright notice, this list of conditions and<br />
the following disclaimer in the documentation and/or other materials provided with the distribution.<br />
3. All advertising materials mentioning features or use of this software must display the following<br />
acknowledgement: This product includes software developed by the Washington University in Saint<br />
Louis and its contributors.<br />
4. Neither the name of the University nor the names of its contributors may be used to endorse or<br />
promote products derived from this software without specific prior written permission.<br />
THIS SO FTWARE IS PROVIDED BY WASHINGTON UNIVERSITY AND CONTRIBUTORS<br />
“AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED<br />
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A<br />
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL WASHINGTON<br />
UNIVERSITY OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,<br />
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT<br />
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,<br />
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY<br />
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT<br />
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF<br />
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.<br />
Copyright (c) 1996,1998 Berkeley Software Design, Inc. All rights reserved.<br />
All rights reserved.<br />
Redistribution and use in source and binary forms, with or without modification, are permitted<br />
provided that this notice is retained, the conditions in the following notices are met, and terms applying<br />
to contributors in the following notices also apply to Berkeley Software Design, Inc.<br />
418<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the<br />
following disclaimer.<br />
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and<br />
the following disclaimer in the documentation and/or other materials provided with the distribution.<br />
3. All advertising materials mentioning features or use of this software must display the following<br />
acknowledgement:<br />
This product includes software developed by Berkeley Software Design, Inc.<br />
4. Neither the name of the Berkeley Software Design, Inc. nor the names of its contributors may be<br />
used to endorse or promote products derived from this software without specific prior written<br />
permission.<br />
THIS SOFTWARE IS PROVIDED BY BERKELEY SOFTWARE DESIGN, INC. “AS IS” AND<br />
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE<br />
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR<br />
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL BERKELEY SOFTWARE DESIGN, INC.<br />
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR<br />
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF<br />
SUBSTI- TUTE GOODS DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT<br />
OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS<br />
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN<br />
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)<br />
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE<br />
POSSIBILITY OF SUCH DAMAGE.<br />
Copyright (c) 1985, 1988 Regents of the University of California.<br />
All rights reserved.<br />
Redistribution and use in source and binary forms, with or without modification, are permitted<br />
provided that the following conditions are met:<br />
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the<br />
following disclaimer.<br />
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and<br />
the following disclaimer in the documentation and/or other materials provided with the distribution.<br />
3. Neither the name of the University nor the names of its contributors may be used to endorse or<br />
promote products derived from this software without specific prior written permission.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
419
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS “AS IS” AND<br />
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE<br />
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR<br />
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS<br />
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR<br />
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF<br />
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS<br />
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN<br />
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)<br />
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE<br />
POSSIBILITY OF SUCH DAMAGE.<br />
/Copyright (c) 1988 The Regents of the University of California. All rights reserved.<br />
Redistribution and use in source and binary forms, with or without modification, are permitted<br />
provided that the following conditions are met:<br />
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the<br />
following disclaimer.<br />
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and<br />
the following disclaimer in the documentation and/or other materials provided with the distribution.<br />
3. Neither the name of the University nor the names of its contributors may be used to endorse or<br />
promote products derived from this software without specific prior written permission.<br />
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTO RS “AS IS” AND<br />
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE<br />
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR<br />
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS<br />
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR<br />
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF<br />
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS<br />
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN<br />
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)<br />
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE<br />
POSSIBILITY OF SUCH DAMAGE. /<br />
Copyright (c) 1994<br />
The Regents of the University of California. All rights reserved.<br />
This code is derived from software contributed to Berkeley by Jan-Simon Pendry.<br />
420<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Redistribution and u se in source and binary forms, with or without modification, are permitted<br />
provided that the following conditions are met:<br />
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the<br />
following disclaimer.<br />
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and<br />
the following disclaimer in the documentation and/or other materials provided with the distribution.<br />
3. Neither the name of the University nor the names of its contributors may be used to endorse or<br />
promote products derived from this software without specific prior written permission.<br />
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS “AS IS” AND<br />
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE<br />
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR<br />
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS<br />
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR<br />
CONSE- QUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF<br />
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS<br />
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN<br />
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)<br />
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE<br />
POSSIBILITY OF SUCH DAMAGE.<br />
Copyright (c) 1989, 1993, 1994<br />
The Regents of the University of California. All rights reserved.<br />
This code is derived from software contributed to Berkeley by Guido van Rossum.<br />
Redistribution and use in source and binary forms, with or without modification, are permitted<br />
provided that the following conditions are met:<br />
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the<br />
following disclaimer.<br />
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and<br />
the following disclaimer in the documentation and/or other materials provided with the distribution.<br />
3. Neither the name of the University nor the names of its contributors may be used to endorse or<br />
promote products derived from this software without specific prior written permission.<br />
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS “AS IS” AND<br />
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE<br />
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
421
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS<br />
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR<br />
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF<br />
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS<br />
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN<br />
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)<br />
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE<br />
POSSIBILITY OF SUCH DAMAGE.<br />
Copyright (c) 1985, 1988 The Regents of the University of California.<br />
All right used in source and binary forms are permitted provided that:<br />
(1) source distributions retain this entire copyright notice and comment, and<br />
(2) distributions including binaries display the following acknowledgement:<br />
“This product includes software developed by the University of California, Berkeley and its<br />
contributors” in the documentation or other materials provided with the distribution. Neither the name<br />
of the University nor the names of its contributors may be used to endorse or promote products derived<br />
from this software without specific prior written permission.<br />
THIS SOFTWARE IS PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED<br />
WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF<br />
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.<br />
Copyright (c) 1988 Regents of the University of California.<br />
All rights reserved.<br />
Redistribution and use in source and binary forms are permitted provided that the above copyright<br />
notice and this paragraph are duplicated in all such forms and that any documentation, and other<br />
materials related to such distribution and use acknowledge that the software was developed by the<br />
University of California, Berkeley. The name of the University may not be used to endorse or promote<br />
products derived from this software without specific prior written permission.<br />
THIS SOFTWARE IS PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED<br />
WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF<br />
MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.<br />
Copyright (c) 1980, 1991 The Regents of the University of California.<br />
All rights reserved.<br />
Redistribution and use in source and binary forms, with or without modification, are permitted<br />
provided that the following conditions are met:<br />
422<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the<br />
following disclaimer.<br />
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and<br />
the following disclaimer in the documentation and/or other materials provided with the distribution.<br />
3. Neither the name of the University nor the names of its contributors may be used to endorse or<br />
promote products derived from this software without specific prior written permission.<br />
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS “AS IS” AND<br />
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE<br />
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR<br />
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS<br />
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR<br />
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF<br />
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS<br />
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN<br />
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)<br />
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE<br />
POSSIBILITY OF SUCH DAMAGE.<br />
Copyright (c) 1985 Regents of the University of California.<br />
All rights reserved.<br />
Redistribution and use in source and binary forms are permitted provided that:<br />
(1) source distributions retain this entire copyright notice and comment, and<br />
(2) distributions including binaries display the following acknowledgement: “This product includes<br />
software developed by the University of California, Berkeley and its contributors” in the<br />
documentation or other materials provided with the distribution. Neither the name of the University<br />
nor the names of its contributors may be used to endorse or promote products derived from this<br />
software without specific prior written permission. THIS SOFTWARE IS PROVIDED “AS IS” AND<br />
WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT<br />
LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A<br />
PARTICULAR PURPOSE.<br />
Copyright (c) 1989, 1991 The Regents of the University of California.<br />
All rights reserved.<br />
Redistribution and use in source and binary forms, with or without modification, are permitted<br />
provided that the following conditions are met:<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
423
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the<br />
following disclaimer.<br />
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and<br />
the following disclaimer in the documentation and/or other materials provided with the distribution.<br />
3. Neither the name of the University nor the names of its contributors may be used to endorse or<br />
promote products derived from this software without specific prior written permission.<br />
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS “AS IS” AND<br />
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE<br />
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR<br />
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS<br />
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR<br />
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF<br />
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS<br />
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN<br />
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)<br />
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE<br />
POSSIBILITY OF SUCH DAMAGE.<br />
Copyright (c) 1983 Regents of the University of California.<br />
All rights reserved.<br />
Redistribution and use in source and binary forms, with or without modification, are permitted<br />
provided that the following conditions are met:<br />
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the<br />
following disclaimer.<br />
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and<br />
the following disclaimer in the documentation and/or other materials provided with the distribution.<br />
3. Neither the name of the University nor the names of its contributors may be used to endorse or<br />
promote products derived from this software without specific prior written permission.<br />
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS “AS IS” AND<br />
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE<br />
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR<br />
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS<br />
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR<br />
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF<br />
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS<br />
424<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN<br />
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)<br />
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE<br />
POSSIBILITY OF SUCH DAMAGE.<br />
Copyright (c) 1988 The Regents of the University of California.<br />
All rights reserved.<br />
Redistribution and use in source and binary forms, with or without modification, are permitted<br />
provided that the following conditions are met:<br />
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the<br />
following disclaimer.<br />
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and<br />
the following disclaimer in the documentation and/or other materials provided with the distribution.<br />
3. Neither the name of the University nor the names of its contributors may be used to endorse or<br />
promote products derived from this software without specific prior written permission.<br />
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS “AS IS” AND<br />
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE<br />
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR<br />
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS<br />
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR<br />
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF<br />
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS<br />
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN<br />
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)<br />
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE<br />
POSSIBILITY OF SUCH DAMAGE.<br />
Copyright (c) 1990 The Regents of the University of California.<br />
All rights reserved.<br />
Redistribution and use in source and binary forms are permitted provided that:<br />
(1) source distributions retain this entire copyright notice and comment, and<br />
(2) distributions including binaries display the following acknowledgement: ``This product includes<br />
software developed by the University of California, Berkeley and its contributors'' in the<br />
documentation or other materials provided with the distribution. Neither the name of the University<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
425
nor the names of its contributors may be used to endorse or promote products derived from this<br />
software without specific prior written permission.<br />
THIS SOFTWARE IS PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED<br />
WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF<br />
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.<br />
Copyright (c) 1990 The Regents of the University of California.<br />
All rights reserved.<br />
This code is derived from software contributed to Berkeley by Chris Torek.<br />
Redistribution and use in source and binary forms are permitted provided that: (1) source distributions<br />
retain this entire copyright notice and comment, and (2) distributions including binaries display the<br />
following acknowledgement: ``This product includes software developed by the University of<br />
California, Berkeley and its contributors'' in the documentation or other materials provided with the<br />
distribution.<br />
Neither the name of the University nor the names of its contributors may be used to endorse or<br />
promote products derived from this software without specific prior written permission.<br />
THIS SOFTWARE IS PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED<br />
WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF<br />
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.<br />
Copyright (c) 1983, 1989 Regents of the University of California.<br />
All rights reserved.<br />
Redistribution and use in source and binary forms are permitted provided that:<br />
(1) source distributions retain this entire copyright notice and comment, and<br />
(2) distributions including binaries display the following acknowledgement: ``This product includes<br />
software developed by the University of California, Berkeley and its contributors'' in the<br />
documentation or other materials provided with the distribution. Neither the name of the University<br />
nor the names of its contributors may be used to endorse or promote products derived from this<br />
software without specific prior written permission. THIS SOFTWARE IS PROVIDED “AS IS” AND<br />
WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT<br />
LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A<br />
PARTICULAR PURPOSE.<br />
Copyright (c) 1988 Regents of the University of California.<br />
All rights reserved.<br />
426<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Redistribution and use in source and binary forms are permitted provided that the above copyright<br />
notice and this paragraph are duplicated in all such forms and that any documentation, and other<br />
materials related to such distribution and use acknowledge that the software was developed by the<br />
University of California, Berkeley. The name of the University may not be used to endorse or promote<br />
products derived from this software without specific prior written permission. THIS SOFTWARE IS<br />
PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES,<br />
INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY<br />
AND FITNESS FOR A PARTICULAR PURPOSE.<br />
Copyright (c) 1988 Regents of the University of California.<br />
All rights reserved.<br />
Redistribution and use in source and binary forms are permitted provided that:<br />
(1) source distributions retain this entire copyright notice and comment, and (2) distributions including<br />
binaries display the following acknowledgement: ``This product includes software developed by the<br />
University of California, Berkeley and its contributors'' in the documentation or other materials<br />
provided with the distribution. Neither the name of the University nor the names of its contributors<br />
may be used to endorse or promote products derived from this software without specific prior written<br />
permission.<br />
THIS SOFTWARE IS PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED<br />
WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF<br />
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.<br />
Copyright (c) 1983, 1995, 1996 Eric P. Allman<br />
Copyright (c) 1988, 1993<br />
The Regents of the University of California. All rights reserved.<br />
Redistribution and use in source and binary forms, with or without modification, are permitted<br />
provided that the following conditions are met:<br />
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the<br />
following disclaimer.<br />
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and<br />
the following disclaimer in the documentation and/or other materials provided with the distribution.<br />
3. Neither the name of the University nor the names of its contributors may be used to endorse or<br />
promote products derived from this software without specific prior written permission.<br />
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS “AS IS” AND<br />
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
427
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR<br />
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS<br />
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR<br />
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF<br />
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS<br />
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN<br />
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)<br />
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE<br />
POSSIBILITY OF SUCH DAMAGE.<br />
Copyright (c) 1998 Sendmail, Inc. All rights reserved.<br />
Copyright (c) 1983, 1995-1997 Eric P. Allman. All rights reserved.<br />
Copyright (c) 1988, 199<br />
The Regents of the University of California. All rights reserved.<br />
By using this file, you agree to the terms and conditions set forth in the LICENSE file which can be<br />
found at the top level of the sendmail distribution.<br />
SENDMAIL LICENSE<br />
The following license terms and conditions apply, unless a different license is obtained from Sendmail,<br />
Inc., 1401 Park Avenue, Emeryville, CA 94608, or by electronic mail at license@sendmail.com.<br />
License Terms:<br />
Use, Modification and Redistribution (including distribution of any modified or derived work) in<br />
source and binary forms is permitted only if each of the following conditions is met:<br />
1. Redistributions qualify as “freeware” or “Open Source Software” under one of the following terms:<br />
(a) Redistributions are made at no charge beyond the reasonable cost of materials and delivery.<br />
(b) Redistributions are accompanied by a copy of the Source Code or by an irrevocable offer to<br />
provide a copy of the Source Code for up to three years at the cost of materials and delivery.<br />
Such redistributions must allow further use, modification, and redistribution of the Source Code under<br />
substantially the same terms as this license. For the purposes of redistribution “Source Code” means<br />
the complete source code of sendmail including all modifications.<br />
Other forms of redistribution are allowed only under a separate royalty- free agreement permitting<br />
such redistribution subject to standard commercial terms and conditions. A copy of such agreement<br />
may be obtained from Sendmail, Inc. at the above address.<br />
428<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
2. Redistributions of source code must retain the copyright notices as they appear in each source code<br />
file, these license terms, and the disclaimer/limitation of liability set forth as paragraph 6 below.<br />
3. Redistributions in binary form must reproduce the Copyright Notice, these license terms, and the<br />
disclaimer/limitation of liability set forth as paragraph 6 below, in the documentation and/or other<br />
materials provided with the distribution. For the purposes of binary distribution the “Copyright<br />
Notice” refers to the following language:<br />
“Copyright (c) 1998 Sendmail, Inc. All rights reserved.”<br />
4. Neither the name of Sendmail, Inc. nor the University of California nor the names of their<br />
contributors may be used to endorse or promote products derived from this software without specific<br />
prior written permission. The name “sendmail” is a trademark of Sendmail, Inc.<br />
5. All redistributions must comply with the conditions imposed by the University of California on<br />
certain embedded code, whose copyright notice and conditions for redistribution are as follows:<br />
(a) Copyright (c) 1988, 1993 The Regents of the University of California. All rights reserved.<br />
(b) Redistribution and use in source and binary forms, with or without modification, are permitted<br />
provided that the following conditions are met:<br />
(i)Redistributions of source code must retain the above copyright notice, this list of conditions and the<br />
following disclaimer.<br />
(ii) Redistributions in binary form must reproduce the above copyright notice, this list of conditions<br />
and the following disclaimer in the documentation and/or other materials provided with the<br />
distribution.<br />
(iii) Neither the name of the University nor the names of its contributors may be used to endorse or<br />
promote products derived from this software without specific prior written permission.<br />
6. Disclaimer/Limitation of Liability: THIS SOFTWARE IS PROVIDED BY SENDMAIL, INC.<br />
AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,<br />
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY<br />
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL<br />
SENDMAIL, INC., THE REGENTS OF THE UNIVERSITY OF CALIFORNIA OR<br />
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,<br />
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,<br />
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR<br />
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF<br />
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING<br />
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS<br />
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
429
(Version 8.6, last updated 6/24/98)<br />
Copyright 1989 Massachusetts Institute of Technology<br />
Permission to use, copy, modify, distribute, and sell this software and its documentation for any<br />
purpose is hereby granted without fee, provided that the above copyright notice appear in all copies<br />
and that both that copyright notice and this permission notice appear in supporting documentation, and<br />
that the name of M.I.T. not be used in advertising or publicity pertaining to distribution of the software<br />
without specific, written prior permission. M.I.T. makes no representations about the suitability of this<br />
software for any purpose. It is provided “as is” without express or implied warranty.<br />
M.I.T. DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING<br />
ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL<br />
M.I.T. BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR<br />
ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,<br />
WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION,<br />
ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS<br />
SOFTWARE.<br />
This software is Copyright 1997 by Stan Barber.<br />
Permission is hereby granted to copy, reproduce, redistribute or otherwise use this software as long as:<br />
there is no monetary profit gained specifically from the use or reproduction of this software, it is not<br />
sold, rented, traded or otherwise marketed, and this copyright notice is included prominently in any<br />
copy made.<br />
The author(s) make no claims as to the fitness or correctness of this software for any use whatsoever,<br />
and it is provided as is. Any use of this software is at the user's own risk.<br />
Copyright (C) 1991, 92, 93, 94, 95, 96, 97 Free Software Foundation, Inc.<br />
This library is free software; you can redistribute it and/or modify it under the terms of the GNU<br />
Library General Public License as published by the Free Software Foundation; either version 2 of the<br />
License, or (at your option) any later version.<br />
This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;<br />
without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR<br />
PURPOSE.<br />
See the GNU Library General Public License for more details.<br />
You should have received a copy of the GNU Library General Public License along with this library;<br />
see the file COPYING.LIB. If not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite<br />
330, Boston, MA 02111-1307, USA.<br />
430<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
WU-FTPD SOFTWARE LICENSE<br />
Use, modification, or redistribution (including distribution of any modified or derived work) in any<br />
form, or on any medium, is permitted only if all the following conditions are met:<br />
1. Redistributions qualify as “freeware” or “Open Source Software” under the following terms:<br />
a. Redistributions are made at no charge beyond the reasonable cost of materials and delivery. Where<br />
redistribution of this software is as part of a larger package or combined work, this restriction applies<br />
only to the costs of materials and delivery of this software, not to any other costs associated with the<br />
larger package or combined work.<br />
b. Redistributions are accompanied by a copy of the Source Code or by an irrevocable offer to provide<br />
a copy of the Source Code for up to three years at the cost of materials and delivery. Such<br />
redistributions must allow further use, modification, and redistribution of the Source Code under<br />
substantially the same terms as this license. For the purposes of redistribution “Source Code” means all<br />
files included in the original distribution, including all modifications or additions, on a medium and in<br />
a form allowing fully working executable programs to be produced.<br />
2. Redistributions of Source Code must retain the copyright notices as they appear in each Source<br />
Code file and the COPYRIGHT file, these license terms, and the disclaimer/limitation of liability set<br />
forth as paragraph 6 below.<br />
3. Redistributions in binary form must reproduce the Copyright Notice, these license terms, and the<br />
disclaimer/limitation of liability set forth as paragraph 6 below, in the documentation and/or other<br />
materials provided with the distribution. For the purposes of binary distribution the “Copyright<br />
Notice” refers to the following language:<br />
Copyright (c) 1999,2000 WU-FTPD Development Group.<br />
All rights reserved.<br />
Portions Copyright (c) 1980, 1985, 1988, 1989, 1990, 1991, 1993, 1994<br />
The Regents of the University of California.<br />
Portions Copyright (c) 1993, 1994 Washington University in Saint Louis.<br />
Portions Copyright (c) 1996, 1998 Berkeley Software Design, Inc.<br />
Portions Copyright (c) 1983, 1995, 1996, 1997 Eric P. Allman.<br />
Portions Copyright (c) 1998 Sendmail, Inc.<br />
Portions Copyright (c) 1989 Massachusetts Institute of Technology.<br />
Portions Copyright (c) 1997 Stan Barber.<br />
Portions Copyright (c) 1997 Kent Landfield.<br />
Portions Copyright (c) 1991, 1992, 1993, 1994, 1995, 1996, 1997<br />
Free Software Foundation, Inc.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
431
Use and distribution of this software and its source code are governed by the terms and conditions of<br />
the WU-FTPD Software License (“LICENSE”).<br />
If you did not receive a copy of the license, it may be obtained online at http://www.wu-ftpd.org/<br />
license.html<br />
4. All advertising materials mentioning features or use of this software must display the following<br />
acknowledgement: “This product includes software developed by the WU-FTPD Development Group,<br />
the Washington University at Saint Louis, Berkeley Software Design, Inc., and their contributors.”<br />
5. Neither the name of the WU-FTPD Development Group, nor the names of any copyright holders,<br />
nor the names of any contributors may be used to endorse or promote products derived from this<br />
software without specific prior written permission. The names “wuftpd” and “wu-ftpd” are trademarks<br />
of the WU-FTPD Development Group and the Washington University at Saint Louis.<br />
6. Disclaimer/Limitation of Liability:<br />
THIS SOFTWARE IS PROVIDED BY THE WU-FTPD DEVELOPMENT GROUP, THE<br />
COPYRIGHT HOLDERS, AND CONTRIBUTORS, “AS IS” AND ANY EXPRESS OR IMPLIED<br />
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF<br />
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN<br />
NO EVENT SHALL THE WU-FTPD DEVELOPMENT GROUP, THE COPYRIGHT HOLDERS,<br />
OR CONTRIBUTORS, BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,<br />
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,<br />
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR<br />
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF<br />
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING<br />
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS<br />
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.<br />
7. USE, MODIFICATION, OR REDISTRIBUTION, OF THIS SOFTWARE IMPLIES<br />
ACCEPTANCE OF ALL TERMS AND CONDITIONS OF THIS LICENSE.<br />
$Id: LICENSE,v 1.1.1.1 2000/07/21 16:08:05 danno Exp $<br />
Apache<br />
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<br />
++++++++++++++++++++++++++++++++++++++<br />
Apache implements an HTTP server for <strong>iPrism</strong><br />
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<br />
++++++++++++++++++++++++++++++++++++++<br />
432<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
The Apache Software License, Version 1.1<br />
Copyright (c) 2000-2002 The Apache Software Foundation. All rights reserved.<br />
Redistribution and use in source and binary forms, with or without modification, are permitted<br />
provided that the following conditions are met:<br />
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the<br />
following disclaimer.<br />
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and<br />
the following disclaimer in the documentation and/or other materials provided with the distribution.<br />
3. The end-user documentation included with the redistribution, if any, must include the following<br />
acknowledgment:<br />
“This product includes software developed by the Apache Software Foundation (http://<br />
www.apache.org/).” Alternately, this acknowledgment may appear in the software itself, if and<br />
wherever such third-party acknowledgments normally appear.<br />
4. The names “Apache” and “Apache Software Foundation” must not be used to endorse or promote<br />
products derived from this software without prior written permission. For written permission, please<br />
contact apache@apache.org.<br />
5. Products derived from this software may not be called “Apache”, nor may “Apache” appear in their<br />
name, without prior written permission of the Apache Software Foundation.<br />
THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESSED OR IMPLIED<br />
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF<br />
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN<br />
NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR ITS CONTRIBUTORS BE<br />
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR<br />
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF<br />
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS<br />
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN<br />
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)<br />
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE<br />
POSSIBILITY OF SUCH DAMAGE.<br />
This software consists of voluntary contributions made by many individuals on behalf of the Apache<br />
Software Foundation. For more information on the Apache Software Foundation, please see .<br />
Portions of this software are based upon public domain software originally written at the National<br />
Center for Supercomputing Applications, University of Illinois, Urbana-Champaign.<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
433
mod_ntlm_winbind<br />
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<br />
++++++++++++++++++++++++++++++++++++++<br />
mod_ntlm_winbind implements an ntlm authentication modules for apache.<br />
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<br />
++++++++++++++++++++++++++++++++++++++<br />
mod_ntlm_winbind.c -- Apache ntlm_winbind module<br />
[Originally autogenerated via ``apxs -n ntlm_winbind -g'']<br />
Based on:<br />
mod_ntlm.c for Win32 by Tim Costello <br />
pam_smb by Dave Airlie <br />
Copyright Andreas Gal , 2000<br />
Copyright Sverre H. Huseby , 2000<br />
Copyright Tim Potter , 2001<br />
THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESSED OR IMPLIED WARRANTIES<br />
ARE DISCLAIMED.<br />
This code may be freely distributed, as long the above notices are reproduced.<br />
mod_ssl<br />
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<br />
++++++++++++++++++++++++++++++++++++++<br />
Mod SSL is used to provide SSL support to apache.<br />
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<br />
++++++++++++++++++++++++++++++++++++++<br />
_ _<br />
_ __ ___ ___ __| | ___ ___| | mod_ssl<br />
| '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL<br />
| | | | | | (_) | (_| | \__ \__ \ | www.modssl.org<br />
|_| |_| |_|\___/ \__,_|___|___/___/_| ftp.modssl.org<br />
|_____|<br />
434<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
_____________________________________________________________________________<br />
''Ian Fleming was a UNIX fan!<br />
How do I know? Well, James Bond<br />
had the (license to kill) number 007,<br />
i.e. he could execute anyone.''<br />
-- Unknown<br />
LICENSE<br />
The mod_ssl package falls under the Open-Source Software label because it's distributed under a<br />
BSDstyle license. The detailed license information follows.<br />
Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.<br />
Redistribution and use in source and binary forms, with or without modification, are permitted<br />
provided that the following conditions are met:<br />
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the<br />
following disclaimer.<br />
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and<br />
the following disclaimer in the documentation and/or other materials provided with the distribution.<br />
3. All advertising materials mentioning features or use of this software must display the following<br />
acknowledgment:<br />
“This product includes software developed by Ralf S. Engelschall for use in<br />
the mod_ssl project (http://www.modssl.org/).”<br />
4. The names “mod_ssl” must not be used to endorse or promote products derived from this software<br />
without prior written permission. For written permission, please contact rse@engelschall.com.<br />
5. Products derived from this software may not be called “mod_ssl” nor may “mod_ssl” appear in their<br />
names without prior written permission of Ralf S. Engelschall.<br />
6. Redistributions of any form whatsoever must retain the following acknowledgment:<br />
“This product includes software developed by Ralf S. Engelschall for use in<br />
the mod_ssl project (http://www.modssl.org/).”<br />
THIS SOFTWARE IS PROVIDED BY RALF S. ENGELSCHALL “AS IS” AND ANY<br />
EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE<br />
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR<br />
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RALF S. ENGELSCHALL OR HIS<br />
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
435
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,<br />
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR<br />
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF<br />
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING<br />
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS<br />
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.<br />
====================================================================<br />
Xinetd<br />
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<br />
++++++++++++++++++++++++++++++++++++++<br />
Xinetd is a program that is used to control the execution of various network services.<br />
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<br />
++++++++++++++++++++++++++++++++++++++<br />
(c) Copyright 1992, 1993 by Panagiotis Tsirigotis<br />
436<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Index<br />
A<br />
Abort (Exit option) 46<br />
About tab 36, 255<br />
absolutism 309<br />
Access Control List<br />
Adding to a Profile 65<br />
Categories 80, 81, 112<br />
Creating 71<br />
Deleting an ACL 83<br />
Editing Settings 82<br />
Locally Defined Categories 80<br />
Profiles and ACLs 57<br />
Viewing Filtering Properties 81<br />
Access Control Lists (ACLs) dialog box 77<br />
Access Denied (Error) 355<br />
Access Denied Page<br />
Default 98<br />
making quick changes to 123<br />
Options 97<br />
Access Menu 32<br />
Access Requests 19, 98, 104<br />
How to Request Access to a Site 104<br />
accounting services 321<br />
accounts 337<br />
ACL<br />
definition of 57<br />
Add Web Sites button 50<br />
Administrative Privileges 133<br />
ads 338<br />
Adult Sex Education 326<br />
Advanced Filter Creation screen 271<br />
advertising 320<br />
Adware 343<br />
adware 343<br />
affairs of state 314<br />
airlines 332<br />
Alcohol/Tobacco 324<br />
Alt/New Age 312<br />
anarchy 310<br />
anime 327<br />
anonymizer<br />
iGuard site rating category 333<br />
anonymizers<br />
detecting 12<br />
unsure 12<br />
reporting 12<br />
anonymous surfing 333<br />
anti-gay 309<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
437
anti-Semitism 309<br />
anti-spoof<br />
detecting 226<br />
anti-spoofing<br />
enabling 226<br />
Appliance Manager 27<br />
armaments 311<br />
arms 311<br />
arousal 323<br />
arsenal 311<br />
art gallery 313<br />
Art/Culture 313<br />
artillery 311<br />
asset planning 320<br />
astronomy 341<br />
atheism 316<br />
auction 321<br />
Authentication 177<br />
Auto-Login 146<br />
changing the authentication page 116<br />
Choosing an Authentication Mechanism 142<br />
Configuring Browsers for Authentication 345<br />
Creating User Accounts in <strong>iPrism</strong> 131<br />
Joining <strong>iPrism</strong> to an NT Domain 159<br />
Testing 177<br />
using an LDAP Server 150<br />
using an NTLM Server 159<br />
Authentication is Required (Error) 356<br />
Auto-Login 146<br />
Configuration Requirements 147<br />
Redirection Settings 162<br />
AV Scanning<br />
description 11<br />
enable/disable 42<br />
B<br />
Backup<br />
Backing Up <strong>iPrism</strong>’s Settings 228<br />
Backup/Restore tab 38, 229<br />
backyard wrestling 312<br />
bad language 310<br />
bankruptcy 320<br />
banks 320<br />
banners 338<br />
bars 325<br />
baseball 332<br />
basketball 332<br />
bed & breakfast 332<br />
beer 325<br />
438<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
elief 316<br />
betting 327<br />
bidding 321<br />
bigotry 309<br />
bikini 322<br />
Block Offensive (profile) 65<br />
Block/Unblock Site button 51, 257<br />
Blocked Sites<br />
Requesting Access to 104<br />
Blocking Access<br />
Blocking versus Monitoring 80<br />
Submitting Sites That You Want to Block 114<br />
Unblocking Sites 280<br />
body images 323<br />
bombs 311<br />
bonds 320<br />
bongs 325<br />
bookies 327<br />
bootleg 308<br />
breweries 325<br />
browser hijacker 343<br />
brutality 312<br />
bulletin boards 334<br />
Business 317<br />
Corporate Marketing 319<br />
Finance 320<br />
Job/Employment Search 320<br />
Professional Services 321<br />
Specialized Shopping 317<br />
C<br />
career 321<br />
casinos 327<br />
Categories 307<br />
Locally Defined 112, 114<br />
Central Mgmt. tab 38, 213<br />
chain letters 310<br />
chat 334<br />
cheats 327<br />
child education 340<br />
church 316<br />
CIA 314<br />
cigarettes 325<br />
city government 314<br />
classified ads 315<br />
clip art 313<br />
clubs 326<br />
cocaine 325<br />
codes 327<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
439
coercion 316<br />
collecting 328<br />
Colleges 339<br />
colleges 340<br />
Communication with Other IP Networks 195<br />
company info 320<br />
Computer Hacking 308<br />
computers 341<br />
condoms 326<br />
Configure <strong>iPrism</strong> button 50<br />
congress 314<br />
Connection Failed (Error) 357<br />
conservation 328<br />
conspiracy 310<br />
consulting 321<br />
contemporary art 313<br />
contests 327<br />
Continuing Education/Colleges 339<br />
contraceptives 342<br />
Copyright Infringement 308<br />
corporate info 320<br />
Corporate Marketing 319<br />
county government 314<br />
CPU Utilization 252<br />
crack 309<br />
crackz 309<br />
Create filters for recently blocked pages 281<br />
credit card fraud 342<br />
creed 316<br />
crime 312<br />
cruelty 312<br />
cruise 332<br />
cryptanalysis 309<br />
Cult 316<br />
currency 320<br />
Current Filters screen 270<br />
Current Overrides screen 283<br />
cursing 310<br />
Custom Filters 112, 259<br />
Deleting 269<br />
Editing 269<br />
How to Create 266<br />
customs 313<br />
D<br />
databases 341<br />
Date Editor dialog box 218<br />
Date setting 217<br />
Default Profiles 65<br />
440<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
democrat 314<br />
descrambler 308<br />
desktop themes 337<br />
dialer 343<br />
directories 339<br />
discrimination 309<br />
Discussion Forums 334<br />
diversion 328<br />
DNS<br />
Disable DNS option 203<br />
Using <strong>iPrism</strong> with Multiple DNS Servers 194<br />
doctors 325<br />
Documentation<br />
<strong>iPrism</strong> Installation <strong>Guide</strong> 4<br />
domain names 338<br />
DoS attacks<br />
detecting 226<br />
preventing 226<br />
downloads 337<br />
Drugs 325<br />
drunk 325<br />
Dutch auction 321<br />
E<br />
eBay 321<br />
economics 320<br />
Education<br />
Continuing Education/Colleges 339<br />
History 340<br />
K-12 340<br />
Reference Sites 341<br />
Science/Tech 341<br />
elementary 340<br />
email 337<br />
Email Alerts<br />
Creating and Configuring 184<br />
Deleting 187<br />
Editing 187<br />
Email Alerts tab 36, 184<br />
Email Host 336<br />
Enable LDAP Authentication (checkbox) 151<br />
Enable NT Authentication (checkbox) 160<br />
Entertainment 326<br />
Error Messages 351<br />
estate planning 320<br />
exclusive rights 308<br />
Exporting Local User Data 369<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
441
F<br />
faction 313<br />
faith 316<br />
family planning 326<br />
family safe 337<br />
fanaticism 309<br />
fascism 309<br />
FBI 314<br />
federal government 314<br />
fighting 312<br />
File Masks (in filters) 272<br />
Filter List Updates 221<br />
Filter Manager 51, 257<br />
Filtering<br />
Blocking versus Monitoring 80<br />
Categories 307<br />
Custom Filters 112<br />
Deciding What Gets Blocked 12<br />
Filtering Database 12<br />
How <strong>iPrism</strong> Filters Internet Activity 55<br />
Introduction to Filtering Profiles 56<br />
Finance 320<br />
fine art 313<br />
firms 321<br />
fitness 325<br />
flights 332<br />
football 332<br />
Foreign Language 312<br />
forums 334<br />
Forwarding Name Server<br />
Changing 194<br />
fraud 310<br />
Free Memory 252<br />
free MP3 308<br />
funding 320<br />
futures 320<br />
G<br />
galleries 313<br />
Gambling 327<br />
Games 327<br />
garish 311<br />
garters 322<br />
Gateway<br />
Changing <strong>iPrism</strong>’s Default Route on the Network 195<br />
goddesses 313<br />
golf 332<br />
Google web accelerator 12<br />
Government 313<br />
442<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
government agencies 314<br />
graphic pictures 323<br />
grassroots 314<br />
gross 311<br />
grotesque 311<br />
Group Mapping 168<br />
guns 311<br />
H<br />
hacking 309<br />
handicap 327<br />
hate speech 309<br />
hazing 312<br />
headhunter 321<br />
Health 324<br />
Adult Sex Education 326<br />
Alcohol/Tobacco 324<br />
Drugs 325<br />
Health (sub-category) 325<br />
K-12 Sex Education 341<br />
Health (sub-category) 325<br />
Help<br />
<strong>iPrism</strong>’s built-in help system 30<br />
Technical Support 3<br />
historical information 340<br />
History 340<br />
Hobbies/Interest 328<br />
homophobia 309<br />
horoscopes 313<br />
horror 311<br />
hospitals 325<br />
Host Name<br />
Changing <strong>iPrism</strong>’s Identity (Host Name) 190<br />
hostility 312<br />
hosting 338<br />
HTML Tags for Access Denied Page 119<br />
HTML Tags for Authentication Page 119<br />
HTML Template Manager 117<br />
humor 328<br />
I<br />
iGuard 12<br />
Site Rating Categories 308<br />
illegal 310<br />
illegal copy 308<br />
IM<br />
hybrid filtering<br />
description of 11<br />
provisioning 43<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
443
spam filtering 44<br />
Import Report 369<br />
Import/Export tab 31, 367<br />
Importing<br />
How to Import a User List 367<br />
preparing a User List For Import 366<br />
User Account Data into <strong>iPrism</strong> 141<br />
User names 141<br />
Importing User Data 365<br />
in bad taste 311<br />
in poor taste 311<br />
information technology service 321<br />
injury 312<br />
Installing <strong>iPrism</strong><br />
Pre-installation Notes 4<br />
Interface<br />
Changing <strong>iPrism</strong>’s Internal/External/Management Interface Mode 191<br />
Internal Name Server 194<br />
Internet 333<br />
Anonymizer 333<br />
Discussion Forums 334<br />
Email Host 336<br />
Online Auctions 321<br />
Online Chat 334<br />
Safe Search Engine 337<br />
Shareware Download 337<br />
Translators 334<br />
Web Banners 337<br />
Web Host 338<br />
Web Search 338<br />
Internet Explorer<br />
Configuring for Authentication 347<br />
Intolerance/Extremism 309<br />
Invalid Request (Error) 360<br />
Invalid URL (Error) 361<br />
investment 320<br />
<strong>iPrism</strong><br />
About <strong>iPrism</strong> tab 255<br />
Accessing <strong>iPrism</strong>’s User Interface 48<br />
How <strong>iPrism</strong> Works 10<br />
in-line installation 8<br />
Managing Multiple <strong>iPrism</strong> Units 242<br />
preferred operating mode 8<br />
testing 5<br />
web and IM/P2P filtering 8<br />
354, 362, 353, 351, 51<br />
IRC 334<br />
IRS 314<br />
444<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
J<br />
Job/Employment Search 320<br />
jobs 321<br />
jokes 328<br />
K<br />
K-12 340<br />
K-12 Sex Education 341<br />
kama sutra 326<br />
keylogger 343<br />
kids searches 337<br />
killing 312<br />
KKK 309<br />
knives 311<br />
L<br />
languages 335<br />
LDAP Server<br />
Communicating with 150<br />
Example using NT Active Directory 157<br />
Mask values in LDAP Configuration 154<br />
Query Attributes 154<br />
Setting Up the <strong>iPrism</strong> LDAP Client 151<br />
LDAP tab 151<br />
legal services 321<br />
legal software 337<br />
leisure pursuit 328<br />
libraries 341<br />
Lingerie/Bikini 322<br />
links 338<br />
liquor 325<br />
Load Balancing<br />
<strong>iPrism</strong> in a Load Balancing Environment 242<br />
loan 320<br />
Local Allow (ACL category) 113<br />
Local allow (ACL category) 80<br />
Local Categories 114<br />
Local Deny (ACL category) 113<br />
Local deny (ACL category) 81<br />
Locally Defined (ACL categories)<br />
How to Use 112<br />
Locally Defined Categories 80<br />
Lock ACL 84<br />
lotteries 327<br />
lyrics 310<br />
M<br />
Machine Account 162<br />
Maintaining 166<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
445
magazines 315<br />
mail order brides 322<br />
Malware 343<br />
malware 343<br />
manipulation 316<br />
Map List Items<br />
Sorting and Editing 174<br />
Mapping 174<br />
Mapping NT Groups to Privileges 174<br />
Mapping NT Groups to Profiles 170<br />
marijuana 325<br />
masturbation 326<br />
Mature Humor 328<br />
mature subjects 322<br />
medications 325<br />
military 314<br />
military hardware 312<br />
militias 309<br />
Miscellaneous Questionable 309<br />
Mobile filtering 89<br />
Mode<br />
Changing <strong>iPrism</strong>’s Interface Mode 191<br />
Monitor Offensive (profile) 65<br />
Monitoring Access 80<br />
Multiple <strong>iPrism</strong> Units 242<br />
museums 313<br />
mutilation 311<br />
mutual funds 320<br />
N<br />
Name Server 193<br />
Forwarding Name Server 194<br />
Internal Name Server 194<br />
nazism 309<br />
Netscape Navigator<br />
Configuring for Authentication 346<br />
Network Interface Settings<br />
Internal/External/Management 191<br />
Network Settings<br />
Accessing Network Settings 189<br />
Default Route (Gateway) 195<br />
Forwarding Name Server 194<br />
Host Name 190<br />
Internal Name Server 194<br />
Name Server 193<br />
Parent Proxy 200<br />
Port Assignments 204<br />
Using <strong>iPrism</strong> with Multiple DNS Servers 194<br />
Network Time Protocol (NTP) 219<br />
446<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Networking tab 37, 189, 190<br />
Network-level filtering 89<br />
Networks<br />
Defining Networks and Subnets in <strong>iPrism</strong> 89<br />
Networks tab 33<br />
News 315<br />
newsgroups 334<br />
newspapers 315<br />
No access (access level) 133<br />
Maintaining <strong>iPrism</strong>’s Machine Account 166<br />
Maintaining 166<br />
177, 175, 168, 170<br />
Communicating with 159<br />
Joining <strong>iPrism</strong> to an NT Domain 159<br />
Mapping NT Groups to Privileges 174<br />
Mapping NT Groups to Profiles 170<br />
160, 220<br />
nudes 323<br />
nudist colonies 323<br />
Nudity 323<br />
nutrition 326<br />
O<br />
odds 327<br />
On the Fly While You Surf button 50<br />
Online Auctions 321<br />
Online Chat 334<br />
online ordering 318<br />
online translation 335<br />
options 320<br />
Other (ACL categories) 81<br />
Override existing 368<br />
Override Location/Duration screen 103<br />
Override Management tab 34, 107, 108<br />
Override Privileges 99<br />
Override Who screen 102<br />
Override/Request Access button 97, 99<br />
Overrides 97<br />
How to Override a Blocked Site 99<br />
How to Revoke a Single Override 108<br />
How to Revoke All Overrides 108<br />
Managing Override Access 107<br />
P<br />
painting 313<br />
paraphernalia 325<br />
Parent Proxy 200<br />
Pass All (profile) 65<br />
password 309<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
447
Passwords<br />
creating user passwords 132<br />
past events 340<br />
pastime 328<br />
patent 308<br />
Pending Requests screen 277<br />
Phishing 342<br />
phishing 342<br />
physics 341<br />
piercings 324<br />
plagiarize software 308<br />
police 314<br />
political affairs 314<br />
Politics 314<br />
POP3 337<br />
Pornography 323<br />
Port Assignments 204<br />
Ports<br />
Adding Other Secured Ports 206, 207<br />
Secured Site Access (HTTPS Ports) 206<br />
Ports tab 37<br />
post 334<br />
pranks 312<br />
Preferences tab 35, 37<br />
Preferences tab (Reports) 245<br />
prejudice 309<br />
product info 320<br />
Product Support 3<br />
Profanity 310<br />
Professional Services 321<br />
Profile 168<br />
Profiles<br />
Assigning Profiles to Networks (Workstations) 89<br />
Assigning Profiles to Users 89<br />
Creating 60<br />
Default Profiles 65<br />
Deleting 70<br />
Editing 69<br />
How <strong>iPrism</strong> Uses Profiles 88<br />
Introduction to Filtering Profiles 56<br />
Profiles and ACLs 57<br />
Scheduling ACLs 65<br />
Profiles tab 33, 74<br />
programming 341<br />
promotion 320<br />
Prompt for action 368<br />
Proxies<br />
Changing <strong>iPrism</strong>’s Proxy Port 205<br />
Configuring Proxy Settings in Netscape 346<br />
448<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Proxy Settings in IE 349<br />
Setting Up a Parent Proxy 200<br />
Using for Filter and System Updates 203<br />
Proxy Exceptions 207<br />
Proxy Exceptions tab 34<br />
Proxy tab 38, 124<br />
public sale 321<br />
publications 315<br />
Q<br />
Questionable 308<br />
Computer Hacking 308<br />
Copyright Infringement 308<br />
Intolerance/Extremism 309<br />
Miscellaneous Questionable 309<br />
Profanity 310<br />
Tasteless 310<br />
Violence 311<br />
Weapons/Bombs 311<br />
Quick Submit 115<br />
R<br />
racism 309<br />
radicalism 309<br />
radio 326<br />
Rating<br />
Changing a site’s rating 272<br />
Reboot (Exit Option) 47<br />
Recent Blocks screen 282<br />
Recreation 326<br />
Entertainment 326<br />
Gambling 327<br />
Games 327<br />
Hobbies/Interest 328<br />
Mature Humor 328<br />
Sports 331<br />
Travel 332<br />
redirection settings (IP/DNS) 162<br />
redirects 338<br />
Reference Sites 341<br />
Registration Information 231<br />
Registration tab 38<br />
Religion 315<br />
religious conviction 316<br />
Report Preferences 245<br />
Reports<br />
Security Log 253<br />
Reports Manager button 49<br />
Reports Menu 34<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
449
eproduction 342<br />
republican 314<br />
Request Access 98<br />
How to Request Access to a Site 104<br />
Requesting Access to a Blocked Page 104<br />
Request Access screen 105<br />
reservations 332<br />
resources<br />
limiting consumption of 226<br />
restoring <strong>iPrism</strong><br />
from local backup 230<br />
to its original factory settings 230<br />
resume 321<br />
Retain existing 368<br />
retirement planning 320<br />
ripped 308<br />
Routes<br />
Changing <strong>iPrism</strong>’s Default Route on the Network 195<br />
Static Routes 196<br />
Routing Information Protocol (RIP)<br />
Enabling RIP Updates 196<br />
S<br />
sadism 312<br />
Safe Search Engine 337, 150<br />
Save & Exit option 46<br />
scat 311<br />
Scheduling ACLs within a Profile 65<br />
Science/Tech 341<br />
sculpture 313<br />
search engines 339<br />
secondary schools 340<br />
sect 316<br />
Secured Site Access Ports (HTTPS Ports) 206<br />
Adding Other Secured Ports 206, 207<br />
Security<br />
Adware 343<br />
<strong>iPrism</strong> Security Log 253<br />
Malware 343<br />
Phishing 342<br />
Spyware 343<br />
Security Log tab 36, 253<br />
Select Rating screen 268<br />
senate 314<br />
serialz 308<br />
Sex 322<br />
Lingerie/Bikini 322<br />
Nudity 323<br />
Pornography 323<br />
450<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
Sexuality 324<br />
sex techniques 326<br />
Sexuality 324<br />
Shared Configurations<br />
Adding a Slave to a Shared Configuration 215<br />
Changing the Master <strong>iPrism</strong> Device 215<br />
Configuring the Master <strong>iPrism</strong> Server 213<br />
<strong>iPrism</strong> in a Load Balancing Environment 242<br />
Managing Multiple <strong>iPrism</strong> Units 242<br />
Removing a Slave from a Shared Configuration 215<br />
Stand Alone Mode with Configuration Sharing 216<br />
Viewing Master/Slave Configuration Information 216<br />
shareware 337<br />
Shareware Download 337<br />
Shutdown (Exit option) 46<br />
Site Ratings<br />
Changing a URL’s Rating 112<br />
Checking a Site’s Rating 285<br />
site seeing 332<br />
skin heads 309<br />
smoking 325<br />
SMTP Relay Settings 199<br />
smut 323<br />
Society<br />
Alt/New Age 312<br />
Art/Culture 313<br />
Cult 316<br />
Government 313<br />
News 315<br />
Politics 314<br />
Religion 315<br />
Specialized Shopping 317<br />
Sports 331<br />
Spyware 343<br />
spyware 343<br />
Spyware/Adware 343<br />
St. Bernard Software Technical Support 3<br />
Stand Alone Mode 216<br />
state government 314<br />
Static Routes<br />
Adding 196<br />
Editing/Deleting 199<br />
Status tab 35, 251<br />
stocks 320<br />
Submitting Sites You Want to Block 114<br />
swearing 310<br />
swimsuits 322<br />
swords 311<br />
synagogue 316<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
451
System Memory 252<br />
System Menu 36<br />
System Settings<br />
Backing Up and Restoring <strong>iPrism</strong>’s Settings 228<br />
Date and Time 217<br />
Registration Information 231<br />
Restoring the Default/Factory Configuration 230<br />
System Software Updates 224<br />
System Updates 221<br />
T<br />
tab 42<br />
Tasteless 310<br />
tattoos 324<br />
taxes 320<br />
Technical Support 3<br />
temp agencies 321<br />
temple 316<br />
tennis 332<br />
time setting 217<br />
toolz 309<br />
torture 311<br />
totalitarianism 309<br />
tour 332<br />
tourist 332<br />
trade schools 340<br />
trading 321<br />
traditions 313<br />
Translators 334<br />
Travel 332<br />
travel agent 332<br />
trips 332<br />
trojan 343<br />
U<br />
UltraSurf proxy 12<br />
Unable to Determine IP Address (Error) 358<br />
Unblocking Sites 280<br />
underwear 323<br />
universities 340<br />
unrated URLs, automatically rating 259<br />
Updates<br />
Filter List Updates 221<br />
System Software Updates 224<br />
Using a Proxy for Filter and System Updates 203<br />
Uptime 251, 12<br />
URLs<br />
automatically rating 259<br />
unrated 259<br />
452<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
usenet 334<br />
User Accounts<br />
About 142<br />
Creating in <strong>iPrism</strong> 131<br />
editing 141<br />
Importing local account data 141<br />
User Admin Privileges 133<br />
User Import Report 369<br />
User Names<br />
Importing 365<br />
User names<br />
exporting 369<br />
How to Import a User List 367<br />
Importing into <strong>iPrism</strong> 141<br />
User-level filtering 88<br />
Users Menu 31<br />
Users tab 31, 141<br />
V<br />
vacation 332<br />
video games 327<br />
Violence 311<br />
virus 309, 343<br />
voodoo 313<br />
voting 314<br />
vulgar 311<br />
vulgarity 310<br />
W<br />
war 312<br />
warez 308, 309<br />
WCCP<br />
Using a WCCP Router with <strong>iPrism</strong> 200<br />
weaponry 311<br />
Weapons/Bombs 311<br />
Web 333<br />
Web Access<br />
Controlling Access to Individual Web Sites 111<br />
Web Banners 337<br />
Web Browsers<br />
Configuring for Authentication 345<br />
Web Host 338<br />
Web Search 338<br />
Web Sites<br />
Checking the Rating of 285<br />
white house 314<br />
wicca 313<br />
Windows NT LAN Manager (see ’NTLM Server’) 159<br />
wine 325<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong><br />
453
wire service 315<br />
witchcraft 313<br />
worm 343<br />
worship 316<br />
Write Error / Broken Pipe 364<br />
Z<br />
Zero Sized Reply (Error) 363<br />
454<br />
<strong>iPrism</strong> <strong>Administration</strong> <strong>Guide</strong>
<strong>Administration</strong> <strong>Guide</strong><br />
Version 6.0<br />
©2001-2008 St. Bernard Software, Inc. All rights reserved.<br />
The St. Bernard Software logo, <strong>iPrism</strong> and iGuard are trademarks of St. Bernard Software Inc.<br />
All other trademarks and registred trademarks are hereby acknowledged.<br />
Corporate Office - USA<br />
15015 Avenue of Science<br />
San Diego, CA 92128<br />
Main Phone:<br />
Toll Free:<br />
Fax:<br />
Email:<br />
Web:<br />
858-676-2277<br />
800-782-3762<br />
858-676-2299<br />
info@stbernard.com<br />
www.stbernard.com