iPrism Administration Guide - EdgeWave

800•782•3762 

www.stbernard.com 

Administration Guide 

Version 6.0

©2001 – 2008 St. Bernard Software Inc. All rights reserved. The St. Bernard 

Software logo, iPrism and iGuard are trademarks of St. Bernard Software Inc. All 

other trademarks and registered trademarks are hereby acknowledged. 

Microsoft Corporation. All rights reserved. Microsoft, MS-DOS, MS, Windows, 

Windows NT/2000, Windows Terminal Server are either registered trademarks 

or trademarks of Microsoft Corporation in the U.S.A. and/or other countries. 

Netscape Navigator ® is a registered trademark of Netscape Communications 

Corporation. 

Other product and company names mentioned herein may be the trademarks of 

their respective owners. 

The iPrism software and its documentation are copyrighted materials. Law 

prohibits making unauthorized copies. No part of this software or documentation 

may be reproduced, transmitted, transcribed, stored in a retrieval system, or 

translated into another language without prior permission of St. Bernard 

Software, Inc. 

iPrism Administration Guide

Contents 

Introduction ....................................................................................................................... 1 

Welcome .................................................................................... 1 

About this Manual ...................................................................... 2 

Who Should Use this Manual?................................................... 2 

Overview................................................................................ 2 

Technical Support ...................................................................... 3 

Installation Notes ....................................................................... 4 

Chapter 1 The Big Picture......................................................................... 5 

How iPrism Fits Into Your Network............................................. 5 

Proxy Mode ........................................................................... 5 

Bridge (Transparent) Mode.................................................... 8 

Using the Management Interface .......................................... 10 

How iPrism Works...................................................................... 10 

What’s New in iPrism 6.0?..................................................... 11 

The Filtering Database .......................................................... 12 

Getting Past Blocked Sites .................................................... 18 

Summary.................................................................................... 21 

Chapter 2 Overview of iPrism Software .................................................. 23 

Logging In .................................................................................. 24 

Using the Appliance Manager.................................................... 27 

Configuring your iPrism ......................................................... 30 

Web Interface............................................................................. 48 

Reports Manager................................................................... 49 

Add Web Sites Buttons.......................................................... 50 

System Admin Tools Buttons................................................. 50 

Chapter 3 Managing Internet Access ...................................................... 55 

How iPrism Filters Internet Activity ............................................ 55 

Introduction to Profiles........................................................... 56 

Profiles and ACLs.................................................................. 57 

Putting Your Profile to Work................................................... 58 

Creating Profiles ........................................................................ 60 

iPrism Administration Guide 

i

Creating a Profile ................................................................... 60 

Scheduling ACLs Within a Profile .......................................... 65 

Copying a Profile.................................................................... 69 

Deleting a Profile.................................................................... 70 

Creating Access Control Lists (ACLs) ........................................ 70 

Creating a New ACL .............................................................. 71 

Special Filtering Categories (Locally Defined / Other) ........... 80 

Viewing ACL Filtering Properties ........................................... 81 

Editing ACL Settings .............................................................. 82 

Deleting an ACL..................................................................... 83 

Lock ACL.................................................................................... 84 

Assigning Profiles....................................................................... 88 

How iPrism Uses Profiles....................................................... 88 

Authentication Systems and Assigning Profiles to Users....... 89 

Assigning Profiles to a Set of IP Addresses (Workstations)... 89 

Assigning Profiles to Remote or Mobile Users....................... 92 

Chapter 4 Blocked Pages and Overrides................................................. 97 

Access Denied Page Options..................................................... 97 

Using Override Privileges........................................................... 99 

Overriding a Blocked Web Site .............................................. 99 

Using Access Requests.............................................................. 104 

Managing Override Access ........................................................ 107 

The Override Management Page........................................... 108 

Revoking a Single Override ................................................... 108 

Revoking All Overrides........................................................... 108 

Chapter 5 Fine Tuning Your Web Filtering............................................... 111 

Controlling Access to Individual Web Sites ................................ 111 

Changing a URL’s Rating with Custom Filters ....................... 112 

Controlling URLs with Locally Defined Categories................. 112 

Submitting Sites to St. Bernard for Review ............................ 114 

Changing the Access Denied and Authentication Pages ........... 116 

Using the HTML Template Manager ...................................... 117 

ii 


Making “Quick Changes” to the Access Denied Page........... 123 

Changing the “Other” pages .................................................. 125 

Chapter 6 Users and Authentication ....................................................... 129 

Setting up Local Authentication ................................................. 131 

Creating User Accounts on the iPrism................................... 131 

Editing Administrative Privileges ........................................... 135 

Creating a new Administrative Profile.................................... 137 

Adding a New Administrative Profile ..................................... 141 

Deleting an Administrative Profile.......................................... 141 

Importing User Accounts into iPrism...................................... 141 

Editing User Accounts ........................................................... 141 

Choosing an Authentication Mechanism.................................... 142 

Assigning an Authentication Mechanism to an IP address range 142 

Auto-Login Details ................................................................. 146 

Communicating with an LDAP Server ................................... 150 

Communicating with a 

Microsoft Windows Authentication 

Server (NTLM)....................................................................... 159 

Mapping Groups to iPrism Resources................................... 168 

Authentication from the User’s Perspective............................... 177 

Logging in and out using the web interface ........................... 180 

Chapter 7 Email Alerts .............................................................................. 183 

Creating and Configuring an Email Alert ............................... 184 

Editing an Email Alert ............................................................ 187 

Deleting an Email Alert .......................................................... 187 

Chapter 8 Network Management.............................................................. 189 

Accessing iPrism’s Network Settings......................................... 189 

Changing iPrism’s Identity (Host Name)................................ 190 

Changing Network Interface Settings .................................... 191 

Enabling the Co-Management Network................................. 192 

Changing the Name Server Configuration............................. 193 

Changing iPrism’s Default Route........................................... 195 


iii

Communication with Other IP Networks..................................... 195 

About Static Routes................................................................ 195 

Enabling RIP Updates in iPrism............................................. 196 

Adding a Static Route............................................................. 196 

Editing or Deleting a Static Route .......................................... 199 

Configuring SMTP Relay Settings.............................................. 199 

Using a WCCP Router with iPrism ............................................. 200 

Setting Up a Parent Proxy......................................................... 200 

Setting Up a Parent Proxy...................................................... 201 

Using a Proxy for Filter and System Updates ............................ 203 

Changing iPrism’s Port Assignments ......................................... 204 

Changing iPrism’s Proxy Port ................................................ 204 

Transparent Mode Redirected Ports ...................................... 206 

Secured Site Access (HTTPs Ports) ...................................... 206 

Creating Filter Exceptions .......................................................... 207 

Specifying a Filter Exception.................................................. 208 

Chapter 9 Central Management ................................................................ 211 

Before You Begin ................................................................... 211 

Setting up a Master/Slave Arrangement ................................ 212 

Designating Slave Devices .................................................... 212 

Configuring the Master iPrism Server .................................... 213 

Adding a Slave to a Shared Configuration............................. 215 

Removing a Slave from a Shared Configuration.................... 215 

Changing the Master iPrism Device....................................... 215 

Forcing Slave Updates........................................................... 216 

Using Standalone Mode with Configuration Sharing.............. 216 

Chapter 10 System Settings ....................................................................... 217 

System Date and Time ............................................................... 217 

To Manually Set the Date and Time ....................................... 217 

Setting the Date to use the Network Time Protocol ............... 219 

Bypass Authentication................................................................ 220 

System Updates ......................................................................... 221 

iv 


Filter List Updates.................................................................. 221 

Checking iPrism’s Filter List Status........................................ 223 

System Software Updates ..................................................... 224 

Protecting Against DoS Attacks............................................. 226 

Anti-spoof detection............................................................... 226 

Configuring Filter List Failure Options ................................... 227 

Backing Up and Restoring iPrism Settings ................................ 228 

Backing Up ............................................................................ 228 

Restoring ............................................................................... 230 

Registration Information............................................................. 231 

Editing Registration Information ............................................ 231 

Using SSL Encryption............................................................ 233 

Managing iPrism Updates with the HotFix Manager.................. 234 

Using the HotFix Manager..................................................... 236 

Managing Multiple iPrism Units.................................................. 242 

iPrism in a Load Balancing Environment............................... 242 

Chapter 11 iPrism System Reports............................................................ 245 

Exporting Events Using Syslog.................................................. 246 

Determining the Number of Records in the Database........... 249 

Deleting Access Event Records ............................................ 249 

Audit Log.................................................................................... 250 

iPrism Status .............................................................................. 251 

iPrism Security Log .................................................................... 253 

About iPrism Tab........................................................................ 255 

Chapter 12 The Filter Manager ................................................................... 257 

Automatically Rating Unrated URLs .......................................... 259 

Sending Unrated Sites to iGuard for Rating .......................... 260 

Manually Rating Unrated URLs from iGuard ......................... 261 

Modifying URLs ..................................................................... 265 

Custom Filters............................................................................ 266 

Custom Filter Management ................................................... 266 

Editing or Removing a Custom Filter..................................... 269 


v

Import / Export Custom Filters.................................................... 273 

Exporting Custom Filters........................................................ 273 

Importing Custom Filters........................................................ 275 

Pending Access Requests ..................................................... 276 

Unblocking Blocked and Overridden Pages............................... 280 

Unblocking Recently Blocked Pages ..................................... 281 

Unblocking Recently Overridden Pages ................................ 282 

Viewing and Deleting Current IP-Host Map Entries.................... 284 

To view and delete current IP-Host Map Entries .................... 284 

Checking Site Ratings ................................................................ 285 

Checking a Site’s Rating ........................................................ 285 

Filter Manager Options............................................................... 287 

Chapter 13 Partitions and Delegation ........................................................ 291 

Partitions .................................................................................... 291 

Setting up Partitions............................................................... 292 

Partition Type ......................................................................... 293 

Partitions ................................................................................ 293 

Viewing................................................................................... 293 

Delegation .................................................................................. 296 

Defining Delegation................................................................ 297 

Setting Administrator Privileges ............................................. 299 

Managing Policies as a Delegated Partition Administrator......... 304 

Appendix A: Filtering Categories.......................................................................................... 307 

iGuard Site Rating Categories.................................................... 308 

Questionable.......................................................................... 308 

Foreign Language.................................................................. 312 

Society ................................................................................... 312 

Business................................................................................. 317 

Sex......................................................................................... 322 

Health..................................................................................... 324 

Recreation.............................................................................. 326 

Internet (Web) ........................................................................ 333 

vi 


Education............................................................................... 339 

Security Exploits .................................................................... 342 

Appendix B: Configuring Browsers for Authentication ......................................................345 

Configuring Browsers for Authentication.................................... 345 

Configuring Netscape Navigator for Authentication............... 346 

Configuring Internet Explorer for Authentication.................... 347 

Appendix C: iPrism Error Messages.....................................................................................351 

iPrism List Update Error ........................................................ 351 

iPrism List Error ..................................................................... 353 

iPrism Filter Service Expired Error ........................................ 354 

Access Denied Error.............................................................. 355 

Authentication is Required Error............................................ 356 

Connection Failed Error......................................................... 357 

Unable to Determine IP Address Error .................................. 358 

Invalid Request Error............................................................. 360 

Invalid URL (Error)................................................................. 361 

iPrism is in the Process of Reconfiguring Itself (Error) .......... 362 

Zero Sized Reply (Error)........................................................ 363 

Write Error / Broken Pipe....................................................... 364 

Appendix D: Importing/Exporting User Data........................................................................365 

Importing User Data into iPrism ................................................. 365 

Step 1: Prepare the User List For Import............................... 366 

Step 2: Import the User List into iPrism ................................. 367 

Exporting Local User Data from iPrism...................................... 369 

Exporting User Account Data ................................................ 370 

Index ................................................................................................................................... 437 


vii

viii 


Welcome 

Introduction 

This chapter introduces you to the iPrism Administrator’s Guide and how 

information is arranged and presented in this manual. This chapter also 

provides contact information for St. Bernard Software Technical Support, as 

well as installation tips for setting up iPrism. 

This manual does not include installation instructions. Please refer to the 

iPrism Installation Guide if you have not yet connected the iPrism to your 

network. 

Welcome 

Welcome to the iPrism Internet filtering appliance, the comprehensive 

Internet access management solution. The iPrism server appliance allows 

you to monitor, block and report on your organization’s Internet usage and 

is a critical tool for enforcing an Acceptable Use Policy (AUP). 

In addition to monitoring and blocking HTTP traffic, iPrism also allows you 

to filter Peer to Peer (P2P) and Instant Messaging (IM) traffic. 


1

About this Manual 

This manual explains how iPrism works and how it operates within the 

framework of a network. It’s important to have a thorough understanding of 

the iPrism appliance itself, as well as the bigger picture of how it functions 

within your network environment, in order to get the best performance 

possible from your appliance. This manual includes a detailed Table of 

Contents and an index to help you navigate to the information you need. 

Who Should Use this Manual? 

This manual was written for network administrators or those who are 

fulfilling that duty for their organizations. The requirements for 

understanding this manual include: 

• An understanding of TCP/IP networking 

• Knowledge of your network’s topology 

• The ability to configure networking settings on Windows workstations 

Overview 

Introduction gives you an introduction to the iPrism and the 

documentation to follow. 

Chapter 1: The Big Picture shows you how iPrism fits into your network, 

as well as giving you an overview of the capabilities of this system. 

Chapter 2: Overview of iPrism Software describes the major software 

components that iPrism uses, including Anti-Virus (AV) Scanning and IM 

Hybrid Filtering, and how they fit together. 

Chapter 3: Managing Internet Access shows you how to manage access 

to the Internet through the use of profiles and access lists. 

Chapter 4: Blocked Pages and Overrides explains what iPrism does when 

it blocks a page and how this block can be temporarily or permanently 

overridden. 

2 


Technical Support 

Chapter 5: Fine Tuning Your Web Filtering shows you how you can 

augment and fine tune iPrism web filtering. 

Chapter 6: Users and Authentication shows you how to create local 

iPrism users, as well as how to configure iPrism to use an external NTLM 

(Windows) or LDAP authentication database. 

Chapter 7: Email Alerts tells you how you can set up email alerts, so that 

you can receive an email notification of high network usage or other 

unusual conditions that require your attention. 

Chapter 8: Network Management describes in detail how to configure the 

iPrism’s network interface and other network-related settings. 

Chapter 9: Central Management describes the system configuration 

settings available to the administrator. 

Chapter 10: System Settings explains how to change iPrism’s internal 

settings and set your preferences for common iPrism activities. 

Chapter 11: iPrism System Reports contains information about the 

various configuration-based reports that can be generated. (For network 

traffic reports (Web, IM, P2P) see the iPrism Reporter’s Guide.) 

Chapter 12: The Filter Manager describes how to create custom filters to 

augment iPrism’s extensive filter database. 

Chapter 13: Partitions and Delegation describes how to set up and use 

partitions and delegation within iPrism. 

Technical Support 

If you are unable to resolve your issue using the manual, please contact the 

St. Bernard Software iPrism support team. When contacting tech support, 

please be sure to include all relevant information about how the iPrism is 

configured on your network (e.g., topology, other hardware, networking 

software, etc.). Have your iPrism serial number and registration key 

information handy. Also, in order to help our support staff solve your 

problem, it is helpful if you can send us a network diagram showing the 

basic hardware that is in use on your network. 


3

Support Web site: http://www.stbernard.com/products/support/iprism/ 

Installation Notes 

Important: This manual assumes that you have already connected 

the iPrism appliance to your network using the instructions in the 

iPrism Installation Guide. 

There are a few situations that can complicate an iPrism installation that are 

not addressed in the iPrism Installation Guide, such as: 

• If other proxy servers are configured on your network. 

• If you have a WAN serviced by a router that is also the Internet router. 

• If you have a unique network setup, and you are unsure of its ability 

to interact with iPrism. 

If one or more of these conditions exist on your network and you are not 

able to get iPrism to function properly, check the following locations for 

assistance: 

• Your iPrism installation CD: The support documents included on the 

CD describe how to set up iPrism under atypical circumstances. 

• The St. Bernard Software website: This site contains the very latest 

support information for iPrism. 

http://www.stbernard.com/products/support/iprism/support_iprism.asp 

If you are still unable to find a solution, you may request assistance with 

your installation from St. Bernard Software’s technical support team. (See 

“Technical Support” on page 3.) 

If your network uses a firewall or other device that masks IP addresses, it is 

important to install iPrism inside the firewall/device. Otherwise, it may 

prevent iPrism from tracking individual users on the network, in which case 

it will not be possible to perform user tracking. If you are unable to 

configure iPrism inside the firewall, some iPrism features will not be 

available to you. 

4 


How iPrism Fits Into Your Network 

Chapter 1 

The Big Picture 

This chapter describes how iPrism works and provides an overview of its 

features and capabilities. 


The iPrism system can be configured in either proxy mode or bridge 

(transparent) mode. 

Proxy Mode 

Proxy mode (Figure 1) is the simplest, and is the preferred mode in which to 

operate an iPrism when testing. In proxy mode, the iPrism uses a single 

internal interface to connect to the Internet. Only one (1) network (NIC) 

connection is used, as only the internal interface is connected to the local 

network. The iPrism acts as a filtering web proxy; web and IM network 

traffic that is explicitly directed to the iPrism is filtered. 

In this configuration, http and https requests are sent to the iPrism as proxy 

requests. The iPrism determines if the request should be allowed or blocked 


5


and, if it is allowed, forwards the request to the Internet. The reply goes 

back through the iPrism proxy to the user. 

In this mode, the iPrism is not able to detect or regulate P2P traffic. Also, 

the users can easily bypass the iPrism’s filtering by removing their proxy 

setting. 

Proxy mode is best for testing, as since the iPrism is not placed in a 

network-critical location, any problems that occur will not jeopardize your 

company’s entire access to the Internet. You can fine-tune the profile and 

network settings and test the results before moving the system into a 

network-critical environment. 

It also provides a way to demonstrate the capabilities of the iPrism before it 

is deployed for all users. 

If you choose to deploy the system in proxy mode, all you have to do is to 

make the iPrism a proxy server for all your users. (This can be done through 

group policy settings, or through a system administrator edict.) You must 

also change your firewall rules to allow only the iPrism to access the 

Internet, preventing anyone who didn’t change their proxy settings from 

directly accessing the Internet. 

6 



FIGURE 1. Deploying iPrism in Proxy Mode 

Refer the iPrism Installation Guide for detailed information. 


7


Bridge (Transparent) Mode 

In bridge (transparent) mode, the iPrism is an “in-line installation” which 

has 2 network (NIC) connections. This mode is recommended for 

deployment. 

All network traffic destined for the Internet (e.g., email and web) flows 

through the iPrism, and a single IP address is used by both interfaces. 

iPrism filters web and IM/P2P traffic only. It is best to position iPrism 

between the outbound Internet connection and an internal switch to limit 

traffic handling to outbound Internet traffic. This is the preferred mode in 

which to deploy and operate an iPrism (see Figure ). 

8 



FIGURE 2. Deploying iPrism in Bridge (Transparent) Mode 

Note: The iPrism can also act as a filtering web proxy when in bridge 

(transparent) mode. Users can configure their browsers to point at the 

iPrism, just as they do in proxy mode, although the iPrism is configured in 

bridge (transparent) mode. Web and IM/P2P traffic will be filtered for these 

users. 

For instructions on how to configure a browser to point at the iPrism, see 

Appendix C of the iPrism Installation Guide. 


9


Note: Older versions of iPrism (Versions 3.6 and earlier) had an additional 

mode called Router mode. This mode had been discontinued. Bridge 

(transparent) mode is now used in all situations where the iPrism is used in 

an in-line network environment. 

Using the Management Interface 

The iPrism has a third network interface called the Management Interface. 

Normally you can administer your iPrism from any system connected to the 

internal network. You can configure the system to only accept configuration 

from the management interface. This allows you to create a secure sub-net 

from which to control your iPrism. 

It also provides you with a secure way of transferring logging data from the 

iPrism to a management workstation. When you configure the iPrism to 

send you periodic reports or logging information, the information is 

transmitted in “plain text”. This means that anyone with a sniffer attached to 

your network could see that data. If you want to make your network 

extremely secure you can use the management interface to transfer this data 

on a secure network. 

The management interface is only needed if you require a high level of 

security. For more information on its configuration and use, see “Changing 

Network Interface Settings” on page 191. 

How iPrism Works 

In the simplest terms, iPrism is a filtering device that examines your 

Internet traffic stream for HTTP, HTTPS IM, and P2P traffic. In the case of 

HTTP requests, each URL request is checked against a database in which 

URLs are classified into fixed categories, based on their content. The 

client’s web request may be blocked or monitored by iPrism, depending on 

which categories the iPrism administrator has elected to place limits 

according to the rules in the user’s Web Access Profile. 

There are two independent type of blocking rules. The Web Access Profiles 

(Profiles) control web traffic, and the IM/P2P Profiles controls IM and P2P 

10 



traffic. For detailed information on profiles, refer to Chapter 3: Managing 

Internet Access. 

What’s New in iPrism 6.0? 

New features in iPrism 6.0 include enhanced system configuration utilities, 

IM Filtering, and Anti-Virus (AV) Scanning. 

IM Filtering 

iPrism’s IM filtering capabilities have been enhanced to allow you to both 

block and report on email and IM traffic. This is done by redirecting 

allowed IM traffic within your network to the filtering/archiving service at 

St. Bernard data centers. By subscribing to this service, you can provide an 

IM audit trail (reporting), block spam, viruses and phishing exploits, protect 

your network from email-borne threats, and protect both inbound and 

outbound email. 

For more information on setting up IM filtering, see page 42. 

Note: Bridge (transparent) mode (use of both the Internal and External 

NICs) is required for intercepting IM traffic. This is a standard IM filtering 

requirement, and not related to the hybrid filtering service. For information 

about bridge mode, see “Bridge (Transparent) Mode” on page 8. For 

information about the hybrid filtering service, see “To provision hybrid 

filtering” on page 43. 

Anti-Virus (AV) Scanning 

iPrism has been enhanced to provide virus detection and prevention via 

Anti-Virus (AV) scanning and reporting for HTTP traffic. AV is enabled by 

default for new installations (newly shipped appliances). 

When users try to access a virus file via HTTP, they will be notified that the 

page is blocked. 

This prevents the introduction of viruses, and identifies virus sources using 

the following reporting categories: 

• Virus 

• Worm 

• Other Malware 


11


For further details about AV Scanning, see page 38. 

Anonymizers 

Anonymizer functionality can now be blocked and reported. Generally, the 

actual URL is returned, as well as the following: 

• probable.ultrasurf.stub is reported for unsure anonymizers. 

• probable.googlewebaccelerator.stub is reported for Google 

Accelerator traffic. 

• The ultrasurf domain is reported when the behavior of the UltraSurf 

proxy is detected. 

• The google-web-accelerator domain is reported when Google web 

accelerator traffic is detected. 

• The http-proxy domain is reported when http-proxy traffic is detected 

on port 80. 

• Proxy URLs are collected and message groups are monitored daily for 

new anonymizers. 

• Manual searches for anonymizers are conducted using top search 

engines and a keyword list. 

The Filtering Database 

The process by which URLs are evaluated and categorized is called iGuard. 

As part of the iGuard process, each website in question is submitted to an 

Internet analyst who reviews the site and makes the appropriate category 

designations (e.g., adult, nudity, profanity, government, religion, drugs, 

games, etc.). In order to ensure that each iPrism unit is always operating 

with the very latest filtering database, the iPrism appliance automatically 

connects to St. Bernard’s server daily and downloads the most recent 

filtering database files. 

Deciding What Gets Blocked 

The first step in setting up your filter is to create a Access Control List 

(ACL). This is a list which tells iPrism what to do for each category of 

website. For example, you wish to block access to website of an “adult” 

nature (and monitor any attempt to access them), monitor any accesses to 

12 



site categorized as “adult” (and allow the user to access them), and let all 

other request through unmonitored and unblocked. 

To do this you need to create an ACL with the following settings: 

Category Monitor Blocked 

adult Yes Yes 

nudity Yes No 

everything else No No 

To create a ACL, start the iPrism configuration program, select the Access 

section, then the Profiles tab. In the Access Control section, click “New” to 

create a new ACL. 


13


FIGURE 3. Blocking setup in an ACL 

The ACL controls what is blocked and monitored. The iPrism system needs 

to know when to apply the ACL and who to apply it to. 

The schedule controls when an ACL is applied. Suppose the company 

policy is “No Shopping during working hours, but during lunch and after 

work, anything goes.” To implement this policy, we first create an ACL 

called “No Shopping” which blocks all shopping and online auction sites. 

We also create an ACL called “Wide Open” which does not block any sites. 

Next, we define a schedule that tells iPrism when to apply each of our two 

access lists, as shown in Figure 4. 

14 



FIGURE 4. Profiles and Scheduling 

In our example, we’ve created a schedule that applies to the entire company 

(Profile name = TheCompany). But sometimes you need to give different 

users different access rights. For example, the Purchasing department may 

legitimately need access to online shopping, and Finance may need access 

to online gambling. In addition, upper management and iPrism 

administrators may have access to everything. 

The iPrism system uses two different types of profiles: 

• Web Profiles (called “Profiles”) are used to filter web surfing or HTTP 

traffic. 


15


• IM/P2P Profiles filter IM and P2P usage. 

Each profile is associated with a group of users. One way of identifying 

users is by the IP address of the machine they are using. For example, you 

can define a profile called “Sales” which contains all the addresses in the 

range 192.168.77.0 to 192.168.77.255. 

Users can also be identified by a user name and password through an 

authentication process. There are a number of authentication systems 

available including NTLM (for Microsoft Windows users) and LDAP (for 

UNIX, Linux, and Novell users). 

Finally, you can manually add users to your iPrism. In practice, manual 

creation is usually only done for iPrism administrators and subadministrators. 

Assigning Profiles 

Now that have set up profiles, you need to learn how to associate a profile 

with the people to which it applies. The simplest way of doing this is to 

assign a profile to a set of IP addresses. Anyone using a machine which has 

one of these addresses will be assigned the same profile. This is useful when 

you have a lot of public or lab machines and wish to apply the same profile 

to everyone in the room. For example, if you’re running a school, you can 

assign a profile called “KidSafe” to all the machines in the student lab, and 

assign a profile called “NoBlocking” to the teacher’s offices. 

You can also assign profiles to a set of authentication users. (Authentication 

means that you have a username to work with which has been validated by a 

password.) Although each web access message contains the IP address of 

the computer making the request, there is no user identification included in 

the message. 1 

The iPrism system interfaces with Windows NTLM authentication as well 

as LDAP which is used UNIX, Linux, Novel. If you want to use “user 

level” authentication, Chapter 6: Users and Authentication contains simple, 

step-by-step instructions which will help you get your iPrism working with 

1. This is not always true. If you configure your iPrism and user computers just right, you 

can create a system where each web access message will contain user identification. This 

complex form of configuration is discussed in Chapter 6: Users and Authentication. 

16 



your existing authentication system. However, this situation is beyond the 

scope of this section. 

Assigning a Profile to a set of IP addresses 

The network to profile mapping dialog can be found in the Access section’s 

Network tab, as shown in Figure 5. 

FIGURE 5. Network to Profile mapping GUI 

In this example, we are defining a subnet for 192.168.x.x (IP range 

192.168.0.0 to 192.168.255.255). For web access, the profile 

“TheCompany” is used and for IM/P2P traffic the profile “BlockIMP2P” 

applies. 


17


No user level authentication is required in proxy or bridge (transparent) 

mode. 

At the top is a list of IP ranges. When iPrism sees network traffic, it will go 

down the list looking for a range which matches the IP address associated 

with the network request. If this address is on the 192.168.x.x network, the 

first entry in the list is matched, and profiles associated with that entry are 

used. 

If another address is making the request, the system falls through to the 

second entry which matches everything and uses it. For more information 

on configuring profiles for your network, see “Introduction to Profiles” on 

page 56. 

Getting Past Blocked Sites 

Users that have been granted the proper administrative privileges in iPrism 

have options when they encounter a blocked site. There is an Override/ 

Request Access button on the Access Denied URL that provides two 

different options for getting to a page that is being blocked by iPrism. 

The first option, Override, prompts you to login with your administrative 

password. Users can then specify whether they want to override just the 

blocked page, the entire domain, or the whole blocked category (see 

Figure 6). They can then select how long they want the override access to 

last before iPrism resumes normal blocking. 

If the user’s request to unblock a site is granted, that site will be unblocked 

for all users if you are using a custom filter to grant access (see “Custom 

Filters” on page 266 for information on how to do this). 

18 



FIGURE 6. Override Options 

The second option for gaining access to a blocked page is called an Access 

Request. When a user requests access, they can use iPrism’s interface to 

send a message to the administrator and explain why they need access to the 

blocked site. The administrator reviews these requests and makes a decision 

as to whether the individual user request will be approved (see Figure 7). 


19


FIGURE 7. Request Access Page 

20 


Summary 

Summary 

The iPrism is the award-winning Internet filtering solution that secures your 

organization from Internet-based threats such as malware, spyware, IM, 

P2P, and inappropriate content, and helps you enforce your acceptable use 

policies through user groups, profiles, and access control lists (ACLs). It is 

designed to be simple to use and administer, yet flexible enough handle 

even the most demanding situations. 


21


22 


Chapter 2 

Overview of iPrism 

Software 

The primary method of administering the iPrism is through the Appliance 

Manager. This program is available from the installation CD, and is also 

available online through your iPrism after you have gone through the initial 

configuration and assigned an IP address. 

The iPrism also provides you with a web interface which allows you to 

temporally unblock sites, add sites to the database, manage HotFixes, and 

customize the look and feel through the use of HTML templates. 

For the users, the iPrism will remain mostly invisible. The system may 

require them to authenticate themselves, and if they encounter a blocked 

site it allows them to request that it be unblocked. But for the most part, it 

just sits in the background and only shows up when they try to access a 

blocked site. 


23

Overview of iPrism Software 

Logging In 

To log in to iPrism: 

1. Open the Appliance Manager. 

2. Double-click the iPrism icon and select the tool that you want to use 

from the context menu (see “To manage an application, right click the 

appliance you wish to manage and select the desired tool, or select the 

appliance you wish to manage, then click Manage Selected Appliance.” 

on page 27 for more information). 

You can also click Manage Selected Appliance and choose a menu 

option. 

24 


Logging In 


25


3. Type your iPrism username and password and click Log In. In a few 

moments, the tool you selected in Step 2 will open. 

Note: If you have chosen the System Configuration tool, only one user can 

be logged in at a time. If a user is already logged in, the SuperUser can 

terminate the other session and proceed to log in. If this happens, the other 

user receives a warning, then their session is closed. 

26 


Using the Appliance Manager 


The Appliance Manager allows you to manage and administer the iPrism. 

When you start the Appliance Manager, it will automatically search for the 

iPrism appliances on your network, and will locate any iPrism appliances 

that are connected by their either the Internal or Management interface to 

your network. 2 

To manage an application, right click the appliance you wish to manage and 

select the desired tool, or select the appliance you wish to manage, then 

click Manage Selected Appliance. 

The management tools are as follows: 

• System Configuration: Launches the System Configuration tool. This 

tools allows you to change network and other system settings, assign 

profiles, create users, and create access lists. 

• Reports Manager: Produces reports. (See the iPrism Reporting Guide 

for more information.) 

• Filter Manager: Starts your Internet browser and points it to the webbased 

filter management tool. This tool allows you to selectively block 

and unblock sites, and create temporary overrides for blocked sites (see 

“The Filter Manager” on page 257). 

• HTML Template Manager: Starts your Internet browser and points it 

to the web-based HTML Template Manager. This tool allows you to 

define customized pages that are seen by normal iPrism users when a site 

is blocked, when a user wishes to request access to a blocked site, and 

other user interactions (see “Using the HTML Template Manager” on 

page 117). 

• System Diagnostics: Allows you to test network connectivity, system 

health, the rating of a given URL, and user authentication (i.e., can you 

connect to the NTLM domain). It also contains tools which are useful to 

technical support and can aid in diagnosing problems with your system. 

2. The iPrism must be on the same subnet as your workstation to be automatically discovered. 


27


• HotFix Manager: Starts your Internet browser and points it to the webbased 

HotFix Manager. Note: This tool should only be used under the 

direction of Technical Support. 

Managing the List of Applications 

When first started, the Appliance Manager will scan the local subnet for 

iPrisms and automatically display these systems in the main window. 

Sometimes it is necessary to manage appliances which are on a different 

subnet. In this case, the Appliance Manager must be configured to access 

these systems. From the main window, select an appliance and click 

Manage Selected Appliance. 

FIGURE 8. Manage Appliance List 

Clicking Add creates a new blank entry. You can then enter the IP address 

and HTTP port number of a remote appliance. The default port number for 

28 



an iPrism system is 80. It can be changed using the Configuration Tool. 

After an iPrism has been added to this list it can be managed normally. 

The Description field allows you to supply a description of the system. 

This description will appear in place of the IP address on the main screen. 

To remove an entry from the list, select the entry to be removed and click 

Remove. 

Appliance Manager Options 

Selecting Options allows you to configure the options for the Appliance 

Manager (see Figure 9). 

FIGURE 9. Appliance Manager Options 

The options under the General tab are: 

• Show Help Balloons — When checked, help tips will be displayed by 

the software for some features. 

• Close Manager after launching appliance tool — If checked, the 

Manager itself will exit after you access a configuration interface from 

the appliance. If unchecked, the Manager will remain active until you 

exit. (Note: Closing the Manager also closes the Java Console.) 


29


• Enable Java Console — If selected, a Java Console (a troubleshooting 

tool) will be shown when accessing a configuration interface of the 

appliance. This is generally used under the direction of Technical 

Support. 

Since communication with your appliance is done using the HTTP Protocol, 

the Appliance Manager must be able to access the HTTP Port of the 

appliance. If your appliance is located across an HTTP proxy from your 

workstation, enter the IP address and Port using the dialog in the Proxy tab 

(see Figure 10). 

FIGURE 10. Proxy Settings 

Configuring your iPrism 

The configuration tool is the main utility used to set up your iPrism. It is 

divided into two distinct areas: sections (along the left sidebar) and the 

configuration window (on the right). Most sections consist of a familiar 

multi-tabbed window; click a tab to view its associated window. 

The sections buttons are always in view, so you can easily switch between 

different sections. The bottom of the Configuration window is reserved for 

iPrism’s built-in help system. After clicking on the Help icon, move your 

30 



mouse pointer over a field to view its description at the bottom of the 

window. 

User Settings 

The six tabs in the Users section (see Figure 11) are used to create or edit 

local user accounts, change a user’s access rights, and set up 

communication with external authentication servers. 

• Local — Add or delete users, change a local user’s profile, and set 

administrative privileges.(See “Setting up Local Authentication” on 

page 131.) 

• LDAP — Configures iPrism to communicate with an external LDAP 

server for authentication. (See “Communicating with an LDAP Server” 

on page 150.) 

• Windows —Configures iPrism to communicate with an external 

Microsoft Windows NTLM server for authentication. (See 

“Communicating with a Microsoft Windows Authentication Server 

(NTLM)” on page 159.) 

• Profile Mapping — Assigns filtering profiles to groups. (See “Step 1: 

Mapping Groups to Profiles” on page 170.) 

• Privilege Mapping — Assign administrative privileges to groups. (See 

“Step 2: Mapping Groups to Privileges” on page 174.) 

• Import/Export — Import an existing list of users from a text file, or 

export iPrism’s user list to a text file. (See “Importing/Exporting User 

Data” on page 365.) 

Note: For more information about LDAP and Windows/NTLM 

authentication, see Chapter 6: Users and Authentication. 


31


FIGURE 11. User Settings 

Access Settings 

The Access section includes six different tabs (see Figure 12). Each of these 

controls a different facet of iPrism access, such as building access control 

lists, constructing profiles, managing network assignments, and more. 

32 



FIGURE 12. Access Settings 

• Profiles: Constructs new profiles for web access. Profiles are the 

instruction sets that tell iPrism what type of content to block and when. 

Actually, to be precise, a Profile is a list of access control lists (Acts) and 

a schedule indicating when each one is to be applied. The ACL contains 

a list of specific categories to block or monitor. (See “Creating Profiles” 

on page 60.) 

• IM/P2P Profiles: Constructs new profiles for IM and P2P access. (See 

“Creating Profiles” on page 60.) 

• Networks: Assigns network-based profiles and authentication settings 

(as opposed to individual user profiles). It supports individual 

workstations or a range of IP Addresses. (See “Assigning Profiles to a 

Set of IP Addresses (Workstations)” on page 89.) 


33


• Filter Exceptions: Designates workstations or servers that you do not 

want to use iPrism as a filter. Workstations that do not use iPrism as a 

filter will not be filtered or monitored. (See “Creating Filter Exceptions” 

on page 207.) 

• Override Management: Allows the iPrism administrator to revoke 

specific overrides to users. Override sessions are only available to users 

that have been assigned administrative privileges. (See “The Override 

Management Page” on page 108.) 

Report Settings 

The Reports section is used to configure and view iPrism and ERS reports, 

such as information about the health of the system, the filtering rate, and 

other internal information. 

You can also subscribe to reports on the web, IM, and P2P traffic; see 

“Hybrid Settings” on page 42. 

The Reports section contains six tabs as shown in Figure 13. 

34 



FIGURE 13. Report Settings 

• Preferences — Enables the logging (syslog) features in iPrism and 

allows you to purge log data from the system. The screen also contains 

statistics concerning the number of events stored in the reporting 

database. At the bottom of the screen, the “Reporting System” sub-panel 

allows you to select where you want your reporting data to be collected 

and processed. 

• Status — Provides information about iPrism’s system status and 

utilization statistics. (See “Audit Log” on page 250.) 


35


• Security Log — Displays iPrism’s security log, which lists information 

about the current filter list, the date and time iPrism was last updated and 

backed up, and a log of unauthorized IP accesses. (See “iPrism Security 

Log” on page 253.) Entries are also generated when the reporting 

system sends a report to a user via FTP or Email. 

• Audit Log — The Audit Log tracks changes made to policies, including 

who made them and when. (See “Audit Log” on page 250.) 

• Email Alerts — Sets up notification messages, called “Email Alerts” or 

“Triggers.” Email Alerts can be set up for many different events in 

iPrism, ranging from the activity of a single user to the total amount of 

activity associated with a particular category, or when bandwidth 

thresholds have been reached. (See “Creating and Configuring an Email 

Alert” on page 184.) 

• About — Displays the version of your current iPrism software and 

displays the contact information for St. Bernard Software. (See “About 

iPrism Tab” on page 255.) 

System Settings 

The System section contains seven tab windows, each allowing you to 

configure some aspect of iPrism’s inner workings. These are primarily 

hardware settings that affect iPrism’s identity on the network and how it 

interoperates with other equipment on the network (see Figure 14). 

36 



FIGURE 14. System Settings 

• Networking — Configures iPrism’s interfaces (Internal/External/ 

Management) and define its identity on the network. This includes 

options to define the name server, routing, SMTP relay, and WCCP 

router. You can also configure static routes from here. (See “Accessing 

iPrism’s Network Settings” on page 189.) 

• Preferences — Configures iPrism behaviors, including when to check 

for filter updates and system updates, when to backup. The supervisor’s 

password can also be changed here. 

• Ports — Specifies iPrism’s Proxy port and Configuration port. You can 

also add or delete Redirect ports and HTTPS ports. (See “Changing 

iPrism’s Port Assignments” on page 204.) 


37


• Proxy — Allows for the specification a different URL for iPrism’s 

“Access Denied” page. You may also designate a Proxy Parent host, or 

configure a proxy for filter list updates or system updates. (See “Setting 

Up a Parent Proxy” on page 200.) 

• Backups — Backup the current iPrism configuration settings, restore a 

previously saved configuration, or adjust “backup warning” preferences. 

(See “Backing Up and Restoring iPrism Settings” on page 228.) 

• Registration — Manages the vital information about your iPrism 

subscription. This includes the iPrism registration key, serial number, 

and expiration date. It is also where you can create an SSL certificate. 

You will need to revisit this page whenever you receive a new license 

key. (See “Registration Information” on page 231.) 

• Central Mgmt. — Manage multiple iPrism units running in tandem. 

(See “Managing Multiple iPrism Units” on page 242.) 

Note: If you are or plan to be using partitions, see Chapter 13: Partitions 

and Delegation. 

Global Settings 

iPrism has been enhanced to provide virus detection and prevention via 

Anti-Virus (AV) scanning and reporting for all HTTP traffic. All traffic will 

be analyzed against a frequently updated definition list (see Appendix A: 

Filtering Categories). AV is enabled by default for new installations (newly 

shipped appliances). This prevents the introduction of viruses, and identifies 

virus sources using the following reporting categories: 

• Virus 

• Worm 

• Other Malware 

To modify AV settings, select Global. The Lock ACL tab opens by default; 

here you can modify category settings. 

Note: Lock ACL allows you to lock category settings which no one can 

modify. Locks will be applied to all existing and new ACLs, and overrides 

any profile configurations (ie., Lock ACL takes priority regardless of how a 

profile is configured). 

38 



FIGURE 15. Global Settings tabs 

To modify the Web Lock Access Control List (ACL): 

1. Click Edit next to Web Lock ACL. 

2. Check Monitor or Block next to the categories you want to monitor or 

block, or you can monitor or block all categories by clicking Toggle All. 

3. Click OK to save your changes. 


39


FIGURE 16. Web Lock ACL 

To modify the IM/P2P Access Control List (ACL): 

1. Click Edit next to IM/P2P Lock ACL. 

2. Check Monitor or Block next to the categories you want to monitor or 

block, or you can monitor or block all categories by clicking Toggle All. 

3. Click OK to save your changes. 

40 



FIGURE 17. IM/P2P ACL 


41


To verify whether AV is enabled, select the AV Scanning tab and verify that 

Enable AV Scanning is checked. 

Note: Regardless of whether AV Scanning is enabled, you will still need to 

block viruses, worms and other malware via profiles. See “Profiles and 

ACLs” on page 57 for more information. 

To turn AV Scanning off, uncheck Enable AV Scanning. 

FIGURE 18. Enable/Disable AV Scanning 

Hybrid Settings 

To provide an IM audit trail (monitoring, filtering, and reporting), allowed 

IM traffic (i.e., not blocked by iPrism) within the customer network can be 

redirected to the IM filtering/archiving service at St. Bernard data centers. 

42 



To provision hybrid filtering 

To provision hybrid filtering, complete the following steps: 

1. Select Hybrid. 

2. Select the IM Settings tab and click Provision. 

Note: For your convenience, you can also provision IM hybrid filtering 

from the Access section. Select Access, select the IM/P2P Profiles tab, 

then select Provision. 


43


FIGURE 19. IM Hybrid Settings 

3. Once you have selected Provision, you will be taken to a website for 

instructions on how to contact iPrism Sales. Customer information is 

needed for data center provisioning and key creation. An email with 

instructions will be sent to you. Once this is done, you may proceed to 

step 4. 

4. Enter the validation key given to you in step 3, and click Submit. 

5. Check the boxes next to the protocols you want to provision: 

• AIM 

• MSN 

• Yahoo 

To set up a email filter 

You can filter out spam, viruses, malware and other unwanted messages by 

redirecting allowed IM traffic within your network to the filtering/archiving 

service at St. Bernard data centers. 

1. Select the Email Filter tab. 

2. Click Learn More to be taken to website with instructions on how to set 

up email filtering. 

44 



FIGURE 20. Email Filtering Setup 

Exit 

After editing iPrism’s setting in the configuration interface, you must 

properly save and exit from the interface in order for your changes to be 

applied. To do this, click Exit and choose the desired exit option. 


45


FIGURE 21. Exit Dialog 

• Save & Exit — Saves any changes you made in the iPrism configuration 

interface and close the software. 

• Abort — Closes the iPrism configuration interface without saving any 

changes you made. 

• Shutdown — Power down iPrism. For example, this option should be 

selected if you are preparing to move the iPrism appliance to a different 

physical location. If you choose this option accidentally, you will need to 

manually reboot iPrism to make it operational again. To do this, use the 

power switch on the iPrism appliance to power the unit off. Wait at least 

15 seconds, then power it back on again. Allow two minutes for iPrism 

to reboot. 

46 



• Reboot — Shut down and restart the iPrism server. The iPrism 

configuration interface will not be accessible while the unit is rebooting. 

Allow two minutes for iPrism to reboot. 


47


Web Interface 

In addition the interface supplied by the Appliance manager, the iPrism has 

a web-based interface which allows access to some other features. To access 

this interface, simply type in the address of your iPrism into your browser 

URL field. 

The web interface allows the administrator to temporally unblock sites, add 

sites to the database, manage HotFixes, and customize the look and feel 

through the use of HTML templates. When you surf to the iPrism system, 

the main web page is displayed as shown in Figure 22. 

FIGURE 22. Main Web Page 

The web interface main menu is divided into three sections: 

• Reports Manager: Opens a page which allows you to download a copy 

of the iPrism Appliance Manager program. This program allows you to 

access reports on the iPrism. (On older versions of the iPrism, this button 

48 


Web Interface 

would start a web-based reporting system. This has been replaced with 

the Reports Manager tool, which is started from the Appliance 

Manager.) 

Note: Use of this feature is discouraged. It is recommended that you 

start the Reporting tool from the Appliance Manager. 

• The two Add Web Sites buttons allow you to manually submit websites 

to be blocked in future filter updates. 

• The five System Admin Tools buttons provide access to iPrism’s main 

configuration software and several other utilities. In addition to setting 

up iPrism, these tools allow you to perform diagnostic testing on your 

network, create custom filters to block/unblock specific websites, 

manage iPrism updates (HotFixes), and customize aspects of the iPrism 

interface. 

Note: The Reports Manager, Configure iPrism, and iPrism Diagnostics 

all take you to a page which allows you to download a copy of the 

Appliance Manager. The web-based programs which formerly were started 

by these buttons are now located in the Appliance Manger. Use of these 

buttons is discouraged; they remain to help legacy users manage the system. 

Reports Manager 

The reporting system is now accessed through the Appliance Manager. If 

you do not have the Appliance Manager installed, this button takes to a page 

which allows you to download this program. (For information on the 

reporting system, see iPrism System Reports.) 

You can also use the “Web Start” feature of this page to start the Reporting 

application directly. (Although you have to go through a number of security 

checks before the application can actually start.) Whether you start the 

application through the Appliance Manager or through Web Start, the same 

application is run. 

For iPrisms using the mERS option for reporting, you will see a mERS 

Reports Manager button. This button performs the same function as the 

Reports Manager button described above, except that it allows you to access 

the mERS reporting system. 


49


Add Web Sites Buttons 

Although iPrism’s URL database is vast, there are new websites continually 

being created, so it reasonable that some sites may not be initially included 

in iPrism’s filter list. The buttons in this area provide two different ways 

that you can suggest sites to St. Bernard Software should you encounter a 

website that you feel should be included in iPrism’s URL database. 

Email to iPrism Support 

This button displays the URL Submission page in your web browser. This 

page provides instructions (and email links) for submitting URLs for 

consideration into the URL database. (See “Submitting Sites via Email” on 

page 115.) 

On-the-Fly While You Surf 

This button open an HTML page which instructs you to enable “quick 

submit” capability into your web browser. This will put a bookmark in your 

browser that allows you to instantly submit a website to St. Bernard 

Software while you surf the web. (See “Submitting Sites with Quick Submit 

– While You Surf!” on page 115.) 

System Admin Tools Buttons 

These buttons are all associated with configuring iPrism and providing 

various ways to test communications across your networking environment. 

The primary tool here is the Configuring iPrism button, which launches 

the iPrism System Configuration tool. Because this tool is the primary 

iPrism System Configuration tool, the remainder of this section includes an 

overview of this program. 

In order to access any of iPrism’s system administrator tools, you must have 

sufficient administrative privileges. You will be prompted to log in 

immediately after clicking any one of these buttons. 

Configure iPrism 

Like reporting, configuration is handled by a Java program. You can use 

this page to download the Appliance Manager, which can be used to access 

the program, or to start the program directly with “Web Start”. 

50 


Web Interface 

iPrism Diagnostics 

Diagnostics are also handled by a Java program. You can use this page to 

download the Appliance Manager, which can be used to access the 

program, or to start the program directly with “Web Start”. 

Block / Unblock Site 

This button provides access to iPrism’s Filter Manager interface, which 

performs several distinct functions via an HTML interface as shown in 

Figure 23. 

FIGURE 23. The Filter Manager Interface (Block / Unblock Site) 

The Filter Manager, as its name implies, gives you unique control over 

iPrism’s filtering capability. From here, you can send unrated, frequently 

accessed URL sites to iGuard for rating, as well as review and manually rate 


51


URL sites that cannot automatically be determined. You can create “custom 

filters” that can be used to block access to any web page, regardless of 

whether it is included in iPrism’s URL database. This is also where you 

process requests from network users (called “Override requests”), which 

lets you grant access to blocked web pages on a case-by-case basis. You can 

also issue a general override, which allows all users to access a web page 

(or site) which would otherwise be blocked by the active filtering profile. 

And there is even a tool where you can enter a website’s URL to see how 

that site is rated by iPrism’s URL database. 

For more information about all of these tools, see “The Filter Manager” on 

page 257. 

HotFix Manager 

The HotFix Manager button gives you access to the HotFix Manager 

interface, which makes it easy to keep track of updates and patches (called 

“HotFixes”) for your iPrism software. With the HotFix Manager you can 

instantly check for new HotFixes, view available HotFixes, and see which 

ones have already been installed on your iPrism. You can also use it to 

uninstall an active HotFix. 

The HotFix interface also makes it easier to manually install a private 

HotFix, which is sometimes required by iPrism’s Technical Support staff. 

For more information about the HotFix Manager, see “Managing iPrism 

Updates with the HotFix Manager” on page 234. 

HTML Template Manager 

This button opens the HTML Template Manager which allows you to 

completely customize the look of iPrism’s Authentication Page, Access 

Denied Page, Logout, Override, Request Access, Anti-spoof, and selected 

Error pages. 

• The Authentication Page is the “log in” page that appears when a user 

starts a new browsing session or needs to re-activate a session that has 

expired. The Authentication Page prompts users to enter their iPrism/ 

network user name and password. 

Note: Authentication only occurs when a manual authentication method 

52 


Web Interface 

has been enabled in iPrism. Depending on how you have iPrism 

configured, authentication may occur invisibly or not at all. 

• The Access Denied Page appears whenever a user tries to access a 

website that is being blocked by iPrism’s current filtering profile. The 

default Access Denied page simply notifies the user that “their 

organization has chosen to limit viewing of the site due to the rating of 

its content”. 

• The Logout page is used by the user to log out of the system. 

• The Override and Request Access pages are displayed when a site is 

blocked and the user is given the ability (depending on profile settings) 

to override the page or request access to it. 

• The Anti-Spoof page appears when the iPrism detects a spoofing attempt 

and wishes to warn the user about it. 

• Error Pages are displayed when an error is detected. (Not all error pages 

use the template manager.) 

These HTML pages cover most interactions that users will have with 

iPrism, so it is understandable that an organization may choose to customize 

these pages to reflect their own corporate image and promote their own 

Internet usage policies. For more information about the HTML Template 

Manager, see “Using the HTML Template Manager” on page 117. 


53


54 


How iPrism Filters Internet Activity 

Chapter 3 

Managing Internet 

Access 

This chapter describes how iPrism’s filtering mechanism works, and 

provides detailed procedures for creating and implementing your own 

filtering profiles. Instructions for controlling access to specific websites and 

other Internet services is also provided. 


As described earlier in this book (see “How iPrism Works” on page 10), 

iPrism filters both web access as well as IM and P2P services. Web access is 

filtered by checking each client’s web request against an extensive URL 

database. This database classifies each listed website as being in one or 

more categories (e.g. adult, pornography, violence, drugs, sports, 

entertainment, etc.). If the requested website belongs to a category to which 

the iPrism administrator has chosen to block access, then the client will see 


55

Managing Internet Access 

an “access denied” page instead. This page notifies the client that the web 

page they tried to access belongs to a category which is currently being 

blocked. 

The rules for IM and P2P filtering are application-based. In other words, the 

iPrism will check the application being run against the rules to see if the 

traffic is permitted. 

Besides blocking web, IM, and P2P activity, the administrator also has the 

ability to just monitor the traffic. For websites, you can select which 

categories are monitored and when this monitoring is to be done. For IM 

and P2P traffic, you can monitor based on the protocol used. 

Monitoring allows you to see how your network in being used; for example, 

who visits which sites and how often. All the power to block or monitor 

access lies in the hands of the administrator. iPrism just gives them the 

means by which to do it. 

Since a “one size fits all” approach to filtering is not suitable for most 

organizations, iPrism resolves the issue by using filtering profiles. The 

iPrism uses two different types of profiles – one for web access and another 

for IM/P2P traffic. A profile tells iPrism which categories of web traffic or 

what IM/P2P traffic to block or monitor at a particular moment. You can 

create as many different profiles as you need and assign them to different 

users, or different networks and subnets. 

This chapter explains profiles in iPrism – how to create them and how to 

assign them to subnets or an entire network. Details on how to assign these 

profiles to users will be covered in Chapter 5. 

Introduction to Profiles 

Profiles are the elements within iPrism that determine what information is 

blocked, monitored, or passed through. There are two types of profiles: 

URL Access Profiles, which determine which websites are filtered, and IM/ 

P2P Profiles, which determine which instant message (IM) and peer to peer 

(P2P) traffic is allowed. 

Profiles are at the very core of iPrism’s functionality. In addition to 

determining what gets blocked where, profiles also determine when traffic 

is blocked. Thus, you don’t have to manually change profiles to 

accommodate a situation where one group has access to the network for 

56 



some part of the day and another group has access to it for another. The 

active profile can automatically switch the filtering criteria at a designated 

time of day, so you can be assured of having the protection you need, when 

you need it. 

Profiles are flexible and accommodating, as each profile is actually made up 

of one or more individual filtering criteria, called an Access Control List 

(ACL). It is actually the ACL that specifies which traffic gets blocked or 

monitored. A profile can consist of a single ACL, which would provide the 

same degree of filtering all the time, or it can utilize several ACLs, allowing 

different degrees of filtering at specific times. This is how a single profile is 

able to provide a different level of filtering at various times of the day. 

Profiles and ACLs 

To demonstrate how profiles and ACLs work together, see Figure 24 on 

page 58, which demonstrates a web access profile being edited in iPrism’s 

System Configuration tool. (The IM/P2P profiles use the same system, 

except that the ACLs block different traffic.) 

This particular profile has been named “Office”, implying that it will be 

applied to the office staff or perhaps all of the workstations located in the 

office. Along the right side, you can see four different colored blocks; each 

of these represents an ACL (a set of filtering instructions) that has been 

created specifically for this profile. After creating an ACL, you need to drag 

it to the profile grid to schedule the times for which you want it to be active. 

For example: 

• The top ACL in the list is named “Allow All”, so named because it 

allows full Internet access. By looking at the profile grid, you can see 

that this ACL is active before and after working hours on Monday 

through Friday. That means users can have unrestricted access to the 

Internet during these times. 

• The two ACLs directly beneath it are named “Work” and “Lunch”, representing 

two different filtering levels that are applied during the work 

day. Again, by looking at the grid you can see that at 12:00 PM every 

weekday, iPrism automatically switches from the Work ACL to the 

Lunch ACL, and then switches back again at 1:00 PM. 


57


• On the weekends, the “Deny” profile is active. This profile (so named 

because it prevents any Internet access at all), ensures that no one will be 

coming in on the weekends just to surf the Net! 

FIGURE 24. Profile using multiple ACLs 

Putting Your Profile to Work 

Profiles, like the “Office” profile shown in Figure 24, can be utilized in a 

variety of ways. You can assign a profile to an IP address or an IP address 

range. If you have user authentication enabled, you can assign a profile to a 

user or group of users. 

58 



Note: User assignments take precedence over network assignments. 

Profiles assigned to a user are always applied to that user regardless of 

which workstation they log into. 

Figure 25 illustrates a profile where any IP address in the range 192.168.0.0 

to 192.168.0.250 will have web access filtered by the “BlockOffensive” 

profile, and IM/P2P access filtered by the “BlockIMP2P” profile. 

FIGURE 25. How Profiles are Assigned to a Network 

This ability to assign profiles in many different ways is what allows iPrism 

to successfully accommodate the filtering needs of even the most diverse 

networking environments. 


59


Creating Profiles 

In this section, you will learn how to create your own profiles, how to 

schedule ACLs within a profile, and how to delete unneeded profiles. 

Note: Creating a profile does NOT make it active. You must configure the 

iPrism to whom the profile applies (IP address range, users, or both) before 

it is active. 

Creating a Profile 

1. Open the iPrism System Configuration tool by clicking Manage 

Selected Appliance, then selecting System Configuration. 

2. Select Access, then the Profiles tab to create a web access profile, or 

select the IM/P2P Profiles tab to create an IM/P2P profile. 

3. In the Profile List frame, click Add. The ACL creation window opens 

(see Figure 26). 

4. In the Profile Name field, enter a name for this profile. 

• It is recommended that you use a descriptive name; one that 

distinguishes it from other profiles you create. 

• Profile names cannot contain space characters. 

5. Click OK. 

60 



As soon as you click OK, the Access Control Lists (ACLs) dialog box 

opens automatically. Figure 26 illustrates the ACL for a web profile and 

Figure 27 illustrates an ACL for a IM/P2P profile. 

FIGURE 26. ACL Creation Window (Web Profile) 


61


FIGURE 27. ACL Creation Window (IM/P2P Profile ) 

The iPrism system requires that there be at least one ACL in every profile 

(i.e., there can not be an empty cell in the profile grid). To ensure 

this, iPrism automatically creates this default ACL for you and applies it 

everywhere. 

This default ACL is initially named ‘ACL 1’, but you can change that at 

any time simply by editing the ACL Name field at the top of the ACLs 

dialog box. 

6. The default filtering ACL does not have any checkboxes marked initially 

– i.e., no categories are filtered until you check them, with the exception 

of the special category local denied, which is always checked. The Filter 

62 



Manager lets you assign web pages to this category. These web pages 

will always be blocked. 

7. Set the filtering properties for the profile by selecting the checkboxes 

next to the content you want to block or monitor. 

Note: Each profile owns all of the ACLs created within it, and these ACLs 

cannot be shared with another profile.This means the filtering settings you 

choose for the default ACL (or any other ACL) in this profile will not affect 

any other profile. Also each profile uses its own name space, so an ACL 

name “Fred” in one profile has nothing to do with anything named “Fred” in 

another. 

If you need assistance configuring the ACLs dialog box, refer to the 

following topics: 

• “Creating Access Control Lists (ACLs)” on page 70 

• Table 2, “Access Denied Page Options,” on page 79 

8. Check Deny access to the web under All Categories to deny all access 

to the web for everyone using this profile. This setting overrides the 

category settings and denies all Internet access. 

9. If you wish to force the user to use the “Safe Search” feature of Yahoo, 

Google, and other selected web search engines, check Enable Safe 

Search. 

10. Click OK to confirm your changes to the default ACL and close the 

ACL creation window. 

Notice how the default ACL is initially applied everywhere (see 

Figure 28). 


63


FIGURE 28. Default ACL (“ACL 1”) applied everywhere 

Note: If desired, you can create additional ACLs in this profile by clicking 

Add. (See “Creating Access Control Lists (ACLs)” on page 70.) 

11. Click OK. The new profile is added to the dropdown list in the Profile 

List frame. 

Now that we’ve defined a profile, we must tell iPrism to whom it applies. 

We can apply it to a set of IP addresses using the Networks tab, we can 

assign it to individual users with the Users tab, or both. User assignments 

take precedence over IP address assignments, so if a user logs into the 

network, the profile assigned to him/her will be used regardless of which 

machine s/he is on. 

64 



iPrism’s Default Profiles 

iPrism ships with six (6) preconfigured (default) profiles, three (3) for web 

filtering and three (3) for IM/P2P. This allows you to realize some level of 

filtering while you are learning how to create your own profiles. You may 

find these to be useful and decide to keep them or, once you start creating 

your own profiles, you may choose to edit or delete them. The six (6) 

preconfigured profiles are as follows: 

• Block Offensive: This web filtering profile blocks and monitors 

access to sites containing pornography, profanity, violence, bombmaking, 

etc. 

• Monitor Offensive: This profile allows access to the sites blocked by 

the Blocked Offensive profile, but monitors their use. 

• Pass All: This profile allows access to any site without monitoring. 

• BlockIMP2P: Blocks all IM and P2P traffic. 

• BlockP2P: Blocks all P2P traffic only. 

• PassIMP2P: Blocks no IM or P2P traffic. 

You will see these profiles listed along with the others you create, in the 

Profile dropdown list on the Profiles or IM/P2P Profiles tab (where 

profiles are created), on the Networks tab (where profiles are assigned to 

networks), and on the Users tab where profiles are assigned to users. 

Scheduling ACLs Within a Profile 

In order to have different filtering settings automatically “kick in” at 

different times, you must first create the ACLs that contain these settings. 

Once created, you must organize the ACLs within the profile’s scheduling 

grid, as described in this procedure. 

1. In the iPrism System Configuration tool, select the Access section, then 

the Profiles or IM/P2P Profiles tab. 

2. In the Profile List frame, select the profile you want to edit from the 

dropdown list. The current properties of that profile display in the 

Viewing frame. 


65


Note: By default, the profile window’s Time column is divided into 

hourly intervals. If you need finer intervals than this, click the magnifying 

glass icon under the Time column. This changes the time division to 

15-minute intervals. Click this icon again to toggle back to hourly intervals. 

3. If the ACL that you want to schedule has not been saved in this profile 

yet, create a new ACL now (see “Creating Access Control Lists (ACLs)” 

on page 70). 

66 



Note: You must have at least two ACLs defined before you can assign 

ACLs to different times. 

4. In the Access Control List frame, click the ACL that you want to 

schedule into this profile. The ACL will be highlighted. 

5. Schedule the ACL using the most convenient method described below: 

• The most common method is to “paint” the new ACL in the profile 

grid (see Figure 29). To do this, click in the starting cell and hold 

down the left mouse button. Now drag the mouse pointer to some 

other cell. You will notice a bold rectangular outline which indicates 

the area that will be painted with the selected ACL. When the proper 

area is outlined, release the mouse button. 


67


Drag 

from here 

to here 

FIGURE 29. Painting an ACL in the profile grid 

Besides “painting” an ACL in a profile, you can use the following methods 

to schedule an ACL in the profile grid. 

• To schedule the selected ACL in an individual cell, click once in that 

cell. 

• To schedule the selected ACL for an entire day, click that day’s 

heading bar. 

• To schedule the selected ACL to the same time (hour) across the 

entire week, click the starting time in the Time column. 

68 



• As an alternative to painting, you can schedule the selected ACL 

across any row or column by clicking on the first cell, pressing Shift, 

and then clicking on the last cell where you want it applied. All cells 

in-between will automatically receive the new ACL. 

FIGURE 30. Editing a Profile 

6. After you have scheduled all of the ACLs in the desired time slots, click 

OK. The profile is immediately updated with the new ACL settings. 

Copying a Profile 

To copy an existing profile: 


69


1. Select the profile from the Profile dropdown list. 

2. Click Copy Profile. 

3. Enter a name for the new profile. 

Deleting a Profile 

Profiles that are no longer used or needed can be deleted from iPrism. 

1. In the iPrism System Configuration tool, select Access, then the Profiles 

or IM/P2P Profiles tab. 

2. In the Profile List frame, select the profile you want to delete from the 

dropdown list. 

3. Click Delete. The Delete Profile dialog box appears. 

4. From the dropdown list, select a different profile that you want to replace 

the one you are deleting. (iPrism will substitute this profile in all places 

where the deleted profile may be in use.) 

5. Click OK. The profile you deleted is no longer on the Profile list. 

Creating Access Control Lists (ACLs) 

Access Control Lists (ACLs) are the building blocks that make up every 

filtering profile. They alone determine which types of traffic get blocked, 

what get monitored, and what are allowable for viewing. Unlike profiles, 

ACLs are not assignable to users or networks; they only exist in the context 

of a profile. 

When creating a new profile, a default ACL (called ‘ACL 1’) is always 

provided. 1 When a profile is created, this is the default value used for all 

squares on the time grid. You may create new ACLs and schedule them by 

applying them to the time grid. 

70 



Creating a New ACL 

1. Start the iPrism System Configuration tool. 

2. Select the Access section, then the Profiles tab (see Figure 31). 

1. Remember that each profile uses it’s own name space for ACLs. As a result there can be 

multiple lists named “ACL 1”, one for each profile. These lists have nothing to do with 

each other. 


71


Note: Although this example is for a web profile, the IM/P2P profiles 

use a similar interface. 

The lower (Viewing) frame shows the name of the profile currently 

selected in the Profile List frame. 

72 



Note: If you wanted to create a new profile (as opposed to editing the 

one shown), click Add in the Profile List frame. When the dialog box 

displays, type the profile name and click OK. 


73


FIGURE 31. The Profiles tab 

3. To create a new ACL, click Add in the Access Control List frame. The 

Access Control Lists (ACLs) dialog box displays (see Figure 32). 

The ACLs dialog box is divided into sections, each containing a collection 

of filtering categories. For web filtering these categories represent 

the different types of content that can be blocked or monitored by iPrism. 

The IM/P2P ACLs contain a list of clients and protocols which can be 

blocked or monitored by iPrism. 

74 



Note: A complete list of filtering categories can be found in “Filtering 

Categories” on page 307. 


75


76 



Access Denied 

Page Options 

Deny all 

checkbox 

Enable 

Safe Search 

checkbox 

All groups 

toggle bar 

Group bar 

Individual 

categories 

FIGURE 32. Access Control Lists (ACLs) dialog box 

The items on this dialog are as follows: 

Categories: You can block and monitor individual categories. If Monitor is 

checked, any access to a website belonging to that category will be 

recorded. Selecting Block causes the access to be blocked. Table 1 explains 

the combinations of access controls and what they mean. 

Table 1: Access Controls 

Access 

No monitoring 

No blocking 

Monitoring 

No blocking 

Meaning 

Web pages are supplied to the user; no record is kept. 

Web pages are supplied to the user; each access is recorded and 

can be viewed using the reporting system or the real-time monitor. 


77


Table 1: Access Controls 

Access 

No monitoring 

Blocking 

Meaning 

The user does not see the website, but no record is kept of it being 

blocked. 

Monitoring The website is blocked, and a record is kept of the attempted 

Blocking 

access. This information can be viewed in the real-time monitor 

or reporting system. 

When you choose to monitor a category, an orange square displays to the 

left of the category’s name. When you choose to block a category, a red 

square displays. This allows you to quickly scan the entire window and see 

which categories are monitored, blocked, or both. 

Group Bars: The group bars at the top of each section allow you to quickly 

change the selection of all the categories in the section. Clicking once will 

cause all the categories in that section to be monitored. Multiple clicks 

allow you to cycle through the list: 

• Monitored 

• Monitored and Blocked 

• Blocked 

• No selection 

Toggle All Bar: (near the top of the ACL dialog box) Toggles all options in 

all categories. 

78 



Access Denied Page Options: This frame allows you to see what happens 

when access to a page is denied. Table 2 lists the various options available 

to you. 

Table 2: Access Denied Page Options 

Access Configuration 

Override Link 

Description 

When selected, the Denied Access page will 

include an Override button, so users with override 

privileges can gain access to the page. (See “Creating 

User Accounts on the iPrism” on page 131.). 

Request Access Link 

When selected, the Denied Access page will 

include a Request Access button, which allows 

users to petition the administrator for access whenever 

they are blocked from a site. (See “Requesting 

Access to a Site” on page 104.) 

Deny access to the web: If this selected, all web access is not allowed for 

this ACL. This is a quick way of setting all categories (even local allowed) 

to Blocked. (This is the equivalent of setting everything to Blocked/ 

Monitored.) 

Enable Safe Search: If this is enabled, the iPrism will enable the safe 

search for Yahoo, Google, and other selected search engines. “Safe Search” 

will be turned on even if the user attempts to do a search with this feature 

turned off. 

4. When you are finished configuring the ACL, click OK to return to the 

Profiles tab. 

The new ACL is now listed to the right of the scheduling grid, and is 

ready to be applied to the currently active profile. 

5. Repeat this procedure as necessary to create additional ACLs. 


79


Special Filtering Categories (Locally Defined / Other) 

When looking at the selection bars in the Access Control Lists (ACLs) 

dialog box, there are two specialty items to consider: locally defined and 

other. 

Locally Defined Categories 

• local1, local2, etc. The iPrism system lets you use your own 

categories for websites, overriding the ones in the iGuard database. In 

order to allow for maximum flexibility, sixteen (16) additional 

categories have been added exclusively for your use: local1, local2, 

... local16. These sixteen (16) categories give you additional 

flexibility in customizing your filtering. 

Note: It is important to understand that local filters only have precedence 

over the ratings in iPrism’s URL database. For example, if you 

create a custom filter and edit a site’s rating so that it belongs to the 

adult and local1 categories, the site will still be blocked by any profile 

that blocks adult content even though local1 is allowed. This is 

because the local filter settings do not override other ratings that you 

assign locally (e.g., via custom filters). 

• local allow. This category is not blocked (by default) on any ACL, so 

any site whose rating includes this category will be viewable, 

assuming the site doesn’t also belong to some category that is being 

blocked by the active profile. 

80 



• local deny. This category is always blocked (by default) on all ACLs, 

so any website whose rating includes this category will be blocked. 

Additional information on local categories can be found later in this 

chapter. (See “Understanding the Local Allow and Local Deny Categories” 

on page 113) 

• Other. This category provides a way to let you block and/or monitor 

traffic to websites that are not currently rated by iPrism. 

Viewing ACL Filtering Properties 

To review the filtering properties of any ACL, do the following: 

1. In the iPrism System Configuration tool, select the Access section, then 

the Profiles or IM/P2P Profiles tab. 

2. In the Profile List frame, select the profile containing the ACL you want 

to view. 

The existing ACLs are listed on the right side of the profile (see 

Figure 24). 

3. Select the ACL you want to edit and click View. This opens a read-only 

version of the Access Control Lists (ACLs) dialog box (notice there are 

no checkboxes) where you can review the selections (see Figure 33). 


81


FIGURE 33. Viewing ACL Settings 

4. After reviewing the properties for this ACL, click OK. 

Editing ACL Settings 

1. In the iPrism System Configuration tool, select Access, then the Profiles 


2. In the Profile List frame, select the profile that owns the ACL you want 

to edit. 

That profile’s ACLs are listed on the right side of the profile grid (see 

Figure 24 on page 58). 

3. Select the ACL you want to edit and click Edit. The Access Control 

Lists (ACLs) dialog box opens. 

82 



4. Make the desired changes to the ACL’s settings. You can change the 

filtering settings, the access configuration, and the ACL name. 

For additional information, refer to the following sections: 

• “Creating Access Control Lists (ACLs)” on page 70 

• Table 2, “Access Denied Page Options,” on page 79 

5. Click OK to save the changes to this ACL. 

Deleting an ACL 

To completely remove an ACL from iPrism, use the following procedure. 

1. In the iPrism System Configuration tool, select Global, then the Profiles 


2. In the Profile List frame, select the profile that owns the ACL you want 

to delete. 

The existing ACLs are listed on the right side of the profile grid (see 

Figure 24). 

3. Select the ACL that you want to remove and click Delete. 

Note: You cannot delete the Default ACL (initially named “ACL 1”) 

from any profile. 


83


Lock ACL 

Lock ACL provides a way for the SuperUser and the Global Policy 

Administrator to globally enforce access restrictions on the same categories. 

By using Lock ACL, categories can be marked to be blocked or monitored; 

e.g., “pornography” and “nudity”. Once a category is blocked or monitored 

in Lock ACL, all the existing and newly created profiles (including those 

created by the SuperUser, Global Policy Administrator, or Delegated 

Partition Administrator) are updated and the category is blocked/monitored. 

However, if you unblock a category from Lock ACL, it does not 

automatically update all profiles, so the category will remain blocked in 

those profiles. You must manually unblock them in each profile. 

The Lock ACL tab is only available to the SuperUser or the Global Policy 

Administrator. 

84 


Lock ACL 

FIGURE 34. Lock ACL Tab 

1. From the Appliance Manager, select Global, then Lock ACL. 

2. Click Edit for either Web Lock ACL or IM/P2P Lock ACL. 

3. Select the categories you would like to lock, as shown in the sample in 

Figure 35. 


85


The Advanced settings are as follows: 

FIGURE 35. Web Lock ACL Sample 

• Allow administrators to override locked categories: This option is 

disabled by default. When a category is locked in the Lock ACL, it cannot 

be overridden by anyone, even if that person has override privileges. 

There may be some cases where you would like to allow some people to 

override these categories; select this option to allow this. 

86 


Lock ACL 

Only administrators or users with override privileges are allowed to 

access sites that have been rated with the locked category. 


87


Note: In order for ACLs to work, the ACLs in the profile(s) must have 

the Override Link option enabled. 

• Allow users to request access for pages with locked categories: You 

can allow users to request access to a site that has been blocked. When 

this option is selected, if a user tries to go to a website that is locked, a 

page displays with a link to the Request Access page. From there, the 

user can choose to send the administrator an email requesting access. If 

you do not want users to request access to blocked sites, leave this option 

unchecked. 


Once you have created your profile(s), the final step is to assign them so 

that iPrism will start filtering web traffic based on the profile’s settings. 

This section discusses the different ways that a profile can be used by 

iPrism and provides instructions for configuring each. 

How iPrism Uses Profiles 

There are three different ways that iPrism can make use of a filtering 

profile, depending on how iPrism is configured on your network and 

whether or not you are using authentication: 

1. User-level filtering. This type of filtering associates a profile with a 

given user. It does not matter which machine they use, the user will 

always get the same profile, as it is based on their username. 

User-level filtering works well in environments where you want some 

people to have significantly more (or less) access to the web than others. 

It also offers an additional layer of protection because the user’s profile 

follows them, regardless of which workstation they log into. 

Before a user can access the Internet s/he must be authenticated. The 

iPrism system provides a variety of authentication methods and can 

access authentication servers like NTLM (Microsoft Windows) and 

88 



LDAP (Unix, Linux). See Chapter 6: Users and Authentication for more 

information on authentication. 

2. Network-level filtering. For network level filtering, you specify a set of 

IP addresses and associate a profile with them. For example, if you are a 

library, you can have one profile for the computers in the children’s 

reading area, and another for the adult library users. 

3. Mobile filtering. For mobile filtering, you specify the profile for users 

connecting to iPrism through the external port; i.e., from outside the 

network. For example, if you are a company that provides laptops to 

employees, you can enforce a web profile on all employees trying to 

access the Internet from outside the company. 

Network-level and user-level filtering are not mutually exclusive. If you are 

using user-level filtering and a user cannot be authenticated, the system will 

fall back to network-level filtering. Thus you can create a system which 

forms a complete blanket of protection, covering both authenticated and 

non-authenticated users. 

Authentication Systems and Assigning Profiles to Users 

Users can authenticate themselves to the iPrism system using a wide variety 

of systems. See Chapter 6: Users and Authentication for detailed 

information and instructions. 

Assigning Profiles to a Set of IP Addresses (Workstations) 

The iPrism system makes it easy to assign a profile to an individual IP 

address or a range of IP addresses. 

Defining IP Address Ranges 

1. Start the iPrism System Configuration tool and select Access, then click 

the Networks tab (see Figure 36). 


89


FIGURE 36. Assigning a Profile to a set of IP Addresses 

2. In the Network List frame, click Add. 

3. In the Adding Network frame, define the IP address range to which you 

want to assign a web profile and an IM/P2P profile. 

Normally all your workstations will be connected to the internal network 

interface. If the IP addresses you specified are connected to the external 

interface, check External. 

Note: External machines can only use proxy mode filtering. Also P2P 

filtering is not possible for workstations located on the External interface. 

The iPrism system is most efficient if the network traffic reaches iPrism 

through the internal interface. Connecting local machines to the external 

interface is discouraged, as iPrism’s proxy features on its external inter- 

90 



face are normally disabled because this side is not protected by a firewall. 

If enabled, your iPrism may be used by anyone on the Internet. 

4. Select the web profile for this IP address range using the Web Profile 


5. Select the IM/P2P profile for this IP address range using the IM/P2P 

Profile dropdown list. 

6. Click OK. The address range is added to the Network List frame at the 

top of this window. 

7. Repeat steps 2 – 6 for each set of addresses you want to define. 

8. Order the items in the network list by selecting each item, then using the 

arrows to the right of the list to move it up or down accordingly. 

When the iPrism receives a network request, it will go through the list in 

order trying to find an IP address range that matches the system it is trying 

to filter. The first range that matches will be used. 

For example, if your address ranges are: 

10.0.0.0 - 10.255.255.255 

10.0.1.0 - 10.0.1.255 

0.0.0.0 - 255.255.255.255 

The second item in the list will never be used. Even though the IP 

address 10.0.1.33 is in range, it is also in the range of 10.0.0.0 - 

10.255.255.255. This range is matched first. 

The most specific entries should be first, followed by the more general 

ones. The default entry (0.0.0.0 to 255.255.255.255) should always be 

last on the list. Since this matches all IP addresses, any entries after it 

will not be processed. 

. 


91


Assigning Profiles to Remote or Mobile Users 

The iPrism system makes it easy to assign a profile to individuals who are 

trying to access the Internet using the company’s devices outside of the 

internal network. Simply enable the mobile filtering feature and select a 

web profile for all users connecting from outside the network, as follows: 

How to Configure Mobile Filtering 

1. Start the iPrism System Configuration tool and select Access, then select 

the Networks tab (see Figure 36). 

2. In the Network List frame, click Mobile. 

92 



Note: In order to enable Mobile Filtering you must be sure that you do 

not have an IP range 0.0.0.0 to 255.255.255.255 already defined in your 

Networks tab. If you do, please delete this range, define explicitly the IP 

ranges of your network and click Mobile. It is vital that you define these 

ranges so that all internal network device IP addresses fall into one of the 

ranges listed in the Network List, as any IP addresses not included in this 

list will no longer have the 0.0.0.0 to 255.255.255.255 range to fall 

through to, and will be denied access to the Internet unless configured to 

use the iPrism as a proxy. 

FIGURE 37. Assigning a Profile to Mobile or Remote Users 

3. Select the checkbox to Enable Mobile Filtering and choose the web 

profile you would like to apply to remote users. This profile will be 

applied to remote users who are not mapped to another profile by iPrism 

including: 

• All local users with “Use Network” checked as their profile. 

• All other users not mapped to another profile on the Profile Mappings 

tab. 


93


Note: Mobile users must be proxied to the iPrism to be filtered. Also 

IM/P2P filtering is not possible for workstations filtered from the External 

interface. 

4. If you want remote users to be able to access your internal network, 

select the Allow internal network access checkbox. 

5. Select the type of web authentication. There are three types of 

authentication for remote users: 

• HTTPS authentication. When the user first attempts to access the 

Internet, s/he is sent to a secure login page. This is the preferred 

authentication method when LDAP is enabled.. 

• Digest authentication. This is the most secure type of authentication, 

but iPrism must know the password of each user. Therefore, it cannot 

be used to authenticate NTLM or LDAP users, only local users. 

• NTLM authentication. This is the standard protocol used by 

browsers to authenticate with proxy servers. This is the preferred 

authentication method when NTLM is enabled. 

6. In the HTTPS Timeout frame, select the timeout settings to be applied 

to authenticated users. These settings apply only when HTTPS is 

selected. 

From the Style dropdown list, select one of the following timeout methods, 

and then enter the corresponding number of minutes in the Timeout 

field: 

• Fixed Duration. When selected, the Timeout value is the exact 

number of minutes between the authentication and the end of the 

session. After this number of minutes, iPrism will prompt the user to 

re-authenticate. 

• Inactivity. When selected, the Timeout value is the exact number of 

minutes between the last Web access and the end of the session. If 

there is no Web activity for the duration of the timeout value, the user 

will be asked to re-authenticate during the next Web access. In other 

words, each time that a Web access is made, the timeout restarts to its 

original value. 

94 



• Fixed Hourly. When selected, the Timeout value corresponds to the 

number of minutes past the hour at which the session will expire, 

independent of the original authentication time. The value of the 

timeout should be between 0 and 59 in this mode. This mode is useful 

is when users change activity on an hourly basis, such as students in 

class. 

7. Click OK. Mobile filtering is now enabled for users outside of the 

network ranges listed in the Access->Network List. 

Note: Mobile users must also be configured to use iPrism as their Internet 

proxy for mobile filtering to function. Also, when setting a new 

authentication type in the Mobile Filtering Configuration dialog, there 

may be a delay of up to 30 seconds after saving and exiting the configuration 

tool before the new authentication type is applied. 


95


96 


Access Denied Page Options 

Chapter 4 

Blocked Pages and 

Overrides 

When a browser tries to access a web page that is being blocked by iPrism, 

an ‘Access Denied’ page displays (see Figure 38). The iPrism system gives 

the user and the administrators a variety of options for handling blocked 

pages. This gives tremendous flexibility for dealing with blocked web 

pages, yet also allowing a great deal of control over Internet usage. 

Access Denied Page Options 

When a user encounters an Access Denied web page, depending on access 

configuration, there may be an Override/Request Access button at the 

bottom of it. This button provides access to iPrism’s override interface. 

Depending on the user’s filtering profile, this button can allow him/her to 

perform the following actions: 

• Override. When the user selects Override s/he is allowed to bypass 

the Access Denied page and view the blocked page, assuming s/he 


97

Blocked Pages and Overrides 

has the proper administrative privileges. The override request is 

recorded in the reporting system. 

• Request Access. The user can use the Request Access button to send 

a message to the master iPrism administrator to explain why they 

need access to the site. The administrator may review the request and 

decide whether or not to grant access. No administration privileges 

are required to submit an access request. (If a request is granted, the 

requesting users and all users will be allowed to access the site.) 

FIGURE 38. Default Access Denied Page with Override Button 

The Access Denied Page Options are controlled by the profile, and can be 

enabled in the ACLs window. See Table 2, “Access Denied Page Options,” 

on page 79 for more information. 

98 


Using Override Privileges 

By default, these options are disabled when you create a new ACL, so you 

must manually enable these if you want to provide Override/Request 

Access to users on your network. If both options are disabled, then the user 

has no recourse when they encounter the “Access Denied” page; they 

cannot view or even request access to the blocked site. 


Users that have been granted override privileges as part of their local user 

account will be able to bypass the Access Denied page and view the blocked 

site. You do not have to be using “full-fledged” authentication in order to 

assign these privileges; you can set up user accounts strictly for the purpose 

of granting override access. For example, you can use a network-level 

profile to control web access on the network, and if a user encounters a 

blocked site, s/he can click the Override link, enter their username/ 

password, and (assuming they have override privileges), view the blocked 

website. If users have single override privileges, they can override a block 

for themselves. If they have extended override privileges they can let 

themselves and other users access a blocked website. 

For information on giving local users override privileges, see “Fine Tuning 

Your Web Filtering” on page 111. 

Overriding a Blocked Web Site 

To override a blocked site, you must have a user account with override 

privileges, or the iPrism supervisor account. 

1. When the Denied Access page is encountered, click Override/Request 

Access. 

Note: If this button is not available, override access is being denied by 

the active ACL in the current profile. You cannot gain access to the site. 

You may wish to communicate with your iPrism administrator directly to 

gain access to the page. 

2. If the Select Mode page appears (Figure 39), select the Override radio 

button and click Next. 


99


FIGURE 39. Select Mode 

3. The iPrism Login dialog box will display as shown in Figure . 

100 



FIGURE 40. Login 

4. Enter your username and password in the appropriate fields and click 

Login. The Override Who page will appear as shown in Figure . 


101


FIGURE 41. Override Who 

5. On the Override Who page, select the user to whom you want to grant 

access so they can view the blocked site. The options that display here 

will vary depending on your override privileges. 

• Current Workstation [IP address]: Any user on the current 

workstation will be able to access the blocked URL. 

• Current User [user name]: Override the block for this user only. 

(Available only if user authentication is enabled.) 

• Following Network [network range]: Any user whose workstation is 

within the specified network range will be able to access the blocked 

URL. (This is available if you are using network only profiles.) 

• Current Profile [profilename]: Any user associated with the 

specified profile, from any workstation; or any user on a workstation 

102 



associated with the specified profile will be able to access the blocked 

URL. 

• Everyone: Any user from any workstation will be able to access the 

blocked URL, if the user has extended override privileges. 

6. If you just want to gain access to the blocked domain for a period less 

than one hour, you can click Finish now. The blocked web page will display, 

and access will be granted for one hour. If you want to override 

other URLs or change the override duration, go to the next step. 

7. Click Next. The Override Location/Duration page appears as seen in 

Figure 42. 

FIGURE 42. Override 

The options that appear here will vary depending on your override privileges. 


103


• This URL. Allows access to only the URL that is currently being 

blocked. 

• Domain. Allows access to all web pages in the domain of the URL 

that is being blocked. 

• Current Categories. Allows access to all web pages that would 

otherwise be blocked by the specified filter categories. 

• All URLs. Allows access to all web pages. 

8. In the Duration dropdown list, select how long you want the override 

privileges to last. 

9. Click Finish. 

The blocked site displays in the current browser and should be available 

to all users to whom you granted access. 

Using Access Requests 

Users that want to get past a blocked page but do not have override 

privileges have the option to plead their case to the iPrism administrator (or 

other authorized user with override privileges), who can subsequently grant 

or deny access to the page. In this scenario, the blocked user would use the 

Request Access button on the Denied Access page to send his request to the 

iPrism administrator. The request is emailed to the person whose email 

address is specified in the Block / Unblock Options page. If there is no 

email address specified on this page, the system will use the email address 

of the iPrism administrator found in the Registration tab in the System 

section of the System Configuration tool. 

Note: It is possible that the administrator may not get the email due to 

configuration/DNS problems. You may want to follow up your initial 

request until you are sure that this feature is working. 

Requesting Access to a Site 

1. When the Denied Access page is encountered, click the Override/ 

Request Access button. 

104 


Using Access Requests 

If this button is not available, then access is being denied by the active 

ACL in the current profile. You cannot request access to the site. 

2. When the Select Mode page displays (Figure 39), select the Request 

Access radio button and click Next. The Request Access page displays 

(Figure 43). 

The Location field is prefilled with the URL you are trying to access. 

Complete the remaining fields by entering your email address in the 

Email field and describing why you need access in the Comments field. 

FIGURE 43. Request Access page 

3. If you want to be notified by email of the administrators actions, check 

the checkbox below the Comments field. You may want to use this 

option in a situation where you are not sure your request will be granted. 


105


4. Click Next. The Request Access Confirmation page displays. This 

page reiterates your request so you can review it for accuracy (see 

Figure 44). 

FIGURE 44. Request Access Confirmation 

5. To send your request to iPrism administrator, click Finish. 

The Request Added page confirms that your request has been added, 

and the request is emailed to the appropriate person. 

Your request will be seen the next time the administrator reviews access 

requests. If you requested notification, you will receive an email after 

this review is complete. You cannot reply to this email. 

For instructions on how to process access requests, see “Pending Access 

Requests” on page 276. 

106 


Managing Override Access 


Override access allows users with the required privileges to be able to 

“overrule” the active filtering policy and gain access to web pages that 

would otherwise be blocked. In iPrism, override privileges are determined 

by a user’s administrator level assignment. 

From the Appliance Manager, open the System Configuration tool, select 

Access, then click the Override Management tab (see Figure 45). The 

iPrism administrator can review all of the currently active overrides and 

revoke them, if desired. 

FIGURE 45. Override Management Page 


107


The Override Management Page 

The columns in the Override Management page are: 

• Administrator. The privileged user who created the override. This is 

only relevant when using user authentication. The override will only 

be valid for the indicated user. When user authentication is not used, 

or when the override is valid for all users, this column will indicate 

“Any”. 

• Profile. The filtering profile affected by the override. This may be the 

name of the profile overridden by the user or it may read “Any” if the 

override is relevant to a network, not a profile. 

• User/Workstation. The user, workstation, or range of workstations 

affected by the override, using the IP addresses. If only one 

workstation is affected, this column will show its IP address. If 

several workstations are affected, this column will show the IP 

Network Range. 

• Expiration. The date and time at which the override will expire by 

itself. 

• URL or Category. The URL (single page or domain name) affected 

by the override. If the override was performed for a list of categories 

instead of a URL, the categories affected will be displayed. 

Revoking a Single Override 

1. From the Active Overrides frame, select the item you want to override. 

2. Click Revoke at the bottom of the page. 

Note: To restore the original settings on the Override Management tab, 

click Reset. 

3. To save the change, select Exit in the top right corner of the window, and 

select Save & Exit. 

Revoking All Overrides 

1. From the Active Overrides frame, click Revoke All at the bottom of the 

page. 

108 



Note: To restore the original settings on the Override Management tab, 

click Reset. 

2. To save the changes, select Exit in the top right corner of the window, 

and select Save & Exit. 


109


110 


Controlling Access to Individual Web Sites 

Chapter 5 

Fine Tuning Your 

Web Filtering 

The iPrism lets you have a finely detailed level of control over your Internet 

traffic. In this chapter you’ll learn how to customize the iPrism so that you 

can control exactly which individual sites are blocked or allowed. Through 

customization, you can have complete control over your web traffic. 


The iPrism web filter operates by comparing each URL request to a 

database of URLs which have been categorized according to their content 

(see Appendix A: Filtering Categories for specific category information). If 

the requested site belongs to a category that is being blocked by the active 

ACL, then the site is inaccessible. 

Although the iPrism database is extremely large and detailed, you may find 

that there are some websites that need special processing. The iPrism 

system gives you several ways customize the blocking or non-blocking of 


111

Fine Tuning Your Web Filtering 

individual sites. Even if an individual site is marked as “blocked” by the 

database, you can tell iPrism to pass it anyway. 

Note: You can instantly check a site’s category rating in the URL database 

using the Check Site Ratings tool in the Filter Manager. See “Checking Site 

Ratings” on page 285. 

Changing a URL’s Rating with Custom Filters 

A custom filter lets you change a URL’s rating (or create a rating for it if it 

does not already have one). It allows you to assign any URL to either an 

existing filter category (e.g. adult, nudity, business, politics, etc.) The 

iPrism system has additional special categories called local categories 

which can be used exclusively by your system for URL classification. 

These are local1, local2, local3, local4, local5, local6, local7, local8, 

local9, local10, local11, local12, local13, local14, local15, local16, local 

allow, and local deny. Once you make a custom assignment, iPrism will 

treat the URL as a member of that category and either allow or deny access 

to the site based on the active filtering profile. 

Custom filters are important because they provide the ability to restrict or 

allow access to any website, not just those included in iPrism’s URL 

database. 

Custom Filters are part of iPrism’s Filter Manager utility, accessed by 

clicking on the Block/Unblock Site button from the iPrism Main web page. 

For detailed instructions on how to build a custom filter, see “Automatically 

Rating Unrated URLs” on page 259. 

Controlling URLs with Locally Defined Categories 

If you have created ACLs or custom filters, you probably have noticed that 

there is a group of filtering categories named Locally Defined (see 

Figure 46). Locally defined categories are unique in that they have 

precedence over the (non-local) ratings assigned in the iPrism URL 

database. 

For example, consider a site that is ordinarily blocked, such as 

www.playboy.com, whose category rating in the URL database is nudity and 

pornography. If you create a custom filter for playboy.com and assign it to a 

local rating, such as local1, the site will become available under any profile 

112 



that does not explicitly block the local1 category. In other words, even 

though playboy.com is still classified as nudity and pornography and those 

categories are blocked by the active profile, the site will not be blocked as 

long as the local1 rating is not blocked. 

FIGURE 46. Locally Defined Categories 

Note: Local categories only have precedence over the ratings that are 

specified in iPrism’s URL database. Suppose we have a web page with the 

custom rating of nudity and local1. If all nudity is blocked, then the site 

would be blocked, regardless of the local1 category. The local1 setting does 

not supersede the other local settings, only the settings in the factory URL 

database. 

Using locally defined categories in your custom filters can give you a lot of 

individual control over which websites are accessible. For example, you can 

configure a profile to block access to all finance-related sites, but still allow 

access to a few select finance sites by creating custom filters for them and 

assigning them to a local category. To allow access to those sites, verify that 

the same local category is not being blocked by the profile. 

Understanding the Local Allow and Local Deny Categories 

Most of the local categories are named local1, local2, etc. However, there 

are two special names: local allow and local deny. These are intended to be 

used in a specific way. 

• Local Allow is reserved for web pages that you want everyone to access. 

It is automatically cleared (i.e., not blocked or monitored) in any new 

ACL that is created. iPrism uses this category as part of its Custom FiliPrism 


113


ters feature to grant clearance to blocked URLs. It is recommended that 

you keep this category cleared in any new or existing ACLs. 

• Local Deny is designed for web pages that no one should see. It is automatically 

checked (both blocked and monitored) in all new ACLs that 

are created, and should also be checked in all existing profiles (except 

the default “PassAll” profile). iPrism uses this category as part of its 

Custom Filters feature to let users instantly deny access to any URL. 

Important: The local allow and local deny categories are, by default, used 

internally by iPrism’s custom filters and override features. It is strongly recommended 

that you keep local allow cleared (unchecked) and local deny checked 

in all of your profiles. These settings will automatically be made by default in 

all new ACLs. If desired, you can change which categories iPrism uses to allow/ 

deny access. This is done from the Custom Filters tab in the Access section. 

Using Local Categories 

The numbered local categories (local1, local2, etc.) can be used for any 

filtering purpose. For example, if you want to block access to the websites 

of your competitors, you could do this: 

1. Create a custom filter for each website you want to block access to and 

assign all of them to the same local category (e.g. local5). 

2. In the Profiles tab, edit the active profile so that the local category (e.g. 

local5) is blocked (and monitored, if desired.) 

That’s it! Now, any website that belongs to the local5 rating will be 

blocked by this profile. 

Note: When using local filters, it is up to you to keep track of which sites 

you assigned to each category. 

Submitting Sites to St. Bernard for Review 

iPrism relies on the iGuard database and the web reviewers at St. Bernard 

Software to make judgements about sites that should be categorized, and 

which categories they should be assigned to. That means that any new site 

that goes up on the web could exist for some time before it is finally 

registered, reviewed, categorized, and downloaded into your iPrism. If you 

114 



encounter a website that you feel should be included in iPrism’s URL 

database, you can submit the site to St. Bernard Software for immediate 

review. 

Submitting Sites via Email 

1. From the Appliance Manager’s Main Menu - Administrator, click Via 

email to iPrism support under Add Web Sites. 

2. Submit your URL by clicking the hyperlink to one of the three options: 

• Email 

• Using the Filter manager interface (requires an Administrator login) 

• Using the Quick Submit feature 

Include the full URL to the website, as well as any additional information 

that you feel is important for the reviewers to know. 

Submitting Sites with Quick Submit – While You Surf! 

Quick Submit allows you to submit URLs to our iGuard URL Review team 

with a single mouse-click. 

1. From the Appliance Manager’s Main Menu - Administrator, click On 

the fly while you surf under Add Web Sites. 

2. Follow the instructions provided to bookmark the iPrism Quick Submit 

link. Once that is bookmarked, when you are surfing the web and find a 

site that you would like to see reviewed, simply select the bookmark 

while your browser is at the site in question. The URL of the site will be 

sent to the iGuard URL Review team and will be reviewed within 24 

hours. 


115


Changing the Access Denied and 

Authentication Pages 

The Access Denied page is an HTML page which appears whenever a user 

tries to access a website that is being blocked by the active iPrism profile. 

Unless the user has override privileges or is otherwise granted access by the 

administrator, the user will not be able to view the site. iPrism provides a 

default Access Denied page (see Figure ) but also includes an HTML 

Template Manager so you can fully customize this page or replace it with 

another HTML document. 

116 


Changing the Access Denied and Authentication Pages 

FIGURE 47. Access Denied Page 

Using the HTML Template Manager 

The HTML Template Manager allows you to fully customize the default 

Access Denied Page and the Authentication Page used by iPrism. To access 

the HTML Template Manager, go to the main iPrism web page, then click 

HTML Template Manager (under System Admin Tools). When prompted, 

enter your administrator username (iprism) and password. 

Note: Only the iPrism administrator account (iprism) can access the HTML 

Template Manager. 


117


FIGURE 48. HTML Template Manager 

Note: The interface and process for editing either the Access Denied page 

or the Authentication page is identical. 

118 



Editing the default HTML Pages 

If you wish to only change the current HTML page instead of replacing it 

entirely, do the following: 

1. From the HTML Template Manager page, select the page you want to 

edit (Authentication Page or Access Denied Page) and click the corresponding 

Customize button. 

2. The Customize page opens for the page you selected (see Figure 49). 

In the bottom pane of this page you can see the code for the current 

HTML page. Edit the HTML code here, then click Preview to preview 

your changes and/or Save Changes to save your changes. 

Use the following tags to insert relevant iPrism system information and 

tools into the document: 

Table 3: Custom HTML Tags for Access Denied Page 

Tag 

|OVERRIDE| 

|CONTACTINFO| 

|URL| 

|INFO| 

|RATING| 

Description 

An Override button, which allows for override access. 

The Administrator’s contact information. 

The URL of the site that is trying to be accessed. 

An Information button, which provides more information 

about the Access Denied page. 

the rating of the site trying to be accessed. 

Note: You can view these HTML tags on-screen at any time by clicking 

on the Tag Help button. 

Table 4: Custom HTML Tags for Authentication Page 

Tag 

FORM_START 

CACHE_USER 

Description 

The starting HTML FORM element. This tag must be 

placed before any form input elements. 

The value entered in as the username. Use this when an 

authentication attempt fails. On the next display of the 

page, the Username field is populated with the cached 

value. 


119


Table 4: Custom HTML Tags for Authentication Page 

Tag 

SUBMIT 

PROTO 

NTLM_DOMAINS 

PORT 

TIMEOUT 

LOGOUTLINK 

HOST 

ERROR_MESSAGE 

Description 

A Submit button to process the user authentication form. 

This tag must be placed last of all the HTML input elements. 

iPrism's protocol, either “HTTP” or “HTTPS”. 

The text label “NTLM Domains” and a dropdown select 

box of NTLM Domains. This tag will get replaced with an 

HTML table row containing a text label and a dropdown 

selection box containing your NTLM Domains. (This tag 

can only be used when NTLM is enabled and configured.) 

The port on which iPrism's web server is running. 

The configured default timeout value. 

A hyperlink to the logout page. 

The configured hostname or IP address of iPrism. 

An error message (if any.) 

3. To see what your page currently looks like, click Preview. After viewing 

the page, click Back to Customizing (at the top of the preview page) to 

continue customizing the page. 

Note: If necessary, you can revert back to the default template page at 

any time by clicking Use Default. 

4. When you have finished editing the page and are ready for it to “go 

live”, click Save Changes and close the HTML Template Manager window. 

120 



FIGURE 49. Customize Page 

Replacing the Current Page 

You can load a custom HTML document template into the iPrism for both 

the Authentication Page and the Access Denied Page. 

Note: Uploading an HTML file into the template will completely replace 

the current page. 


121


1. From the HTML Template Manager page, select the page you want to 

edit (Authentication Page or Access Denied Page) and click the corresponding 

Customize button. 

2. The Customize page opens for the page you selected (see Figure 49). 

The bottom pane of this page displays the code for the current HTML 

page. 

3. Click Upload Template. 

This opens the Upload HTML Template page (see Figure 50). 

122 



FIGURE 50. Upload HTML Template Page 

4. Click Browse to locate the HTML file that you want to upload. Choose 

your file and click Open. The path to the HTML file should now appear 

in the File to Upload field. 

5. Click Upload File. 

The contents of the file is moved into the HTML Template Manager. 

6. Click Save Changes to save the new page. 

7. If desired, you can edit the new HTML page as if it were the default page 

(change text, add custom HTML tags, etc.). See “Editing the default 

HTML Pages” on page 119. 

Making “Quick Changes” to the Access Denied Page 

If you want to make changes to the default Access Denied Page without 

having to directly edit HTML code, you can do this from iPrism’s 

configuration interface. Here, you can change the administrator’s contact 

information or specify a different web page (URL) to be used as the Access 

Denied Page. This method requires no HTML editing. 

Note: When you specify a different URL for the Access Denied Page, the 

new page you specify will only replace the top portion of iPrism’s default 

page; The Override/Request Access button remains at the bottom of the 

page as usual. If you do not change the URL, you can still add additional 

information about your system administrators, so users who encounter a 

blocked page will know who to talk to and how to contact them. 

Use the following procedure to change the URL or the contact info 

associated with the Access Denied page. 


2. Select the System section and select the Proxy tab (see Figure ). 

3. In the Denied Page Information frame, make the desired changes to the 

Access Denied page. 


123


• To add information to the current default page, select Contact Info. 

In the associated field, type the information you want to display on 

the Access Denied page. Usually, this is contact information for the 

iPrism administrator. 

• To change the web page that displays, select Custom Denied Page 

URL. Enter the full URL to the page you want to use in place of the 

default page. 

FIGURE 51. Denied Page 

4. Click Exit in the top right corner of the page, and select Save & Exit. 

124 



Test the new page by accessing a web page that you know to be blocked in 

the current profile. 

Changing the “Other” pages 

If you wish to change the appearance of a page other than the Access 

Denied or Authentication page, you can do so by using the Other Pages 

template manager. The pages customizable using this template manager 

include the Logout, Override, Request Access, Anti-spoof, and selected 

Error pages. 

Start by clicking Customize under Other Pages in the HTML Template 

Manager (Figure 52). The Other Pages Template Manager screen appears. 


125


FIGURE 52. Other Pages Template Manager 

The template manager allows you to define the background image and CSS 

style sheet for the pages. It also lets you define the HTML code to be used at 

126 



the top, bottom, left, and right of the page. The iPrism itself will supply the 

middle. 

To customize a page, under Theme, select Custom and complete the fields. 

Available fields include: 

Field 

Background Image URL 

Style Sheet URL 

Contact Info 

Organization 

Description 

The URL of a background image to be used. Note: 

Images must be hosted on a system other than the 

iPrism. If this field is left blank, no background image 

will be used. 

The URL for a style sheet. This file must be hosted on a 

system other than the iPrism. Default = no style set. 

Text to be used when the |CONTACTINFO| tag is 

encounter in the HTML code for the top, left, right, or 

bottom HTML code defined below. 

Text to be used when the |ORGANIZATION| tag is 

encounter in the HTML code for the top, left, right, or 

bottom HTML code defined below. 

Top HTML 

HTML code to be used for the top of the page. 

Bottom HTML 

HTML code to be used for the bottom of the page. 

Left HTML 

HTML code to be used for the left of the page. 

Right HTML 

HTML code to be used for the right side of the page. 

The buttons at the top of the page perform the following actions: 

Button 

Back to Manager 

Save Changes 

Preview 

Action 

Exit to the template manager, discarding changes. 

Save the current changes. 

Display a sample page with the current settings applied. 


127


128 


Chapter 6 

Users and 

Authentication 

The iPrism system can be configured to filter Internet traffic in a variety of 

ways: 

• By IP address. Each IP address range is assigned a Web Profile and 

an IM/P2P Profile. If, however, the user moves from one system to 

another (e.g., a desktop workstation with a very open profile to a lab 

machine with a very restricted profile), the more restrictive profile 

applies. 

• By username. Three different sources are accessed for user 

information: 

1. Redirect their first web access to an iPrism login page (see 

Figure 70 and Figure 71): Once s/he logs in, iPrism knows who 

they are and can provide filtering based on the profiles assigned to 

their username. 

2. Local authentication: For a limited set of users, a local user list 

resides on the iPrism itself, which does not require contacting an 

external authentication server (for more information, See “Setting 

up Local Authentication” on page 131.). 


129

Users and Authentication 

We recommend that you use local authentication only when you 

initially set up your iPrism. It is the simplest form of 

authentication and is extremely easy to set up. This will give you 

a chance to see how the iPrism authentication system works on a 

limited basis, without having to worry about what may be going 

on between a central authentication server and iPrism. 

3. Central authentication server: For a larger user base, the iPrism 

can be configured to use a Windows (NTLM) or LDAP (Unix, 

Linux, Novell, Microsoft Windows) authentication server. (See 

“Communicating with a Microsoft Windows Authentication 

Server (NTLM)” on page 159 for details on Windows 

authentication and “Communicating with an LDAP Server” on 

page 150 for information on LDAP). 

After you gain experience with the system, you’ll probably want 

to connect to a central authentication server by configuring your 

iPrism to use Windows (NTLM) or LDAP based authentication. 

This will expand your user base to a much wider audience. 

Note: iPrism can use a Windows (NTLM) or LDAP 

authentication server, but not both at the same time. 

The iPrism system can also determine who a user is in a variety of ways, 

such as several types of login screens, proxy-based authentication, and the 

auto-login feature. For details, see “Auto-Login Details” on page 146. 

Notes: 

• iPrism can only authenticate web-based connections. Because of the 

way that IM and P2P protocols work, user-based authentication is 

impossible, so the iPrism uses IP-based profile mapping for these 

protocols. 

• If a users cannot be authenticated, s/he will not be able to use the 

Internet. 

130 


Setting up Local Authentication 


The iPrism’s local authentication system lets you define a set of users on the 

iPrism itself. No central authentication server is involved. Even if you have 

an external authentication server, the local user list allows you to provide a 

small number of people administrative access rights to the iPrism system. 

Creating User Accounts on the iPrism 

1. Start the iPrism System Configuration tool and select the Users section, 

then select the Local tab (see Figure 53). 

2. Click Add beneath the iPrism Users frame. 

The Adding User frame becomes active, and “new_user” now displays 

in the Name field. 

3. In the Name field, type a new username. 

• Usernames cannot contain spaces. Only alphanumeric characters, 

underscores, hyphens, and periods are allowed (32 characters max.). 

• Names are not case-sensitive. All names are saved in lowercase by 

iPrism. 


131


FIGURE 53. Create New User (Local Authentication) 

4. In the Password field, enter a password for this account. 

• Passwords are case sensitive. 

• Valid passwords must be at least four (4) characters long and not 

more than thirty-two (32) characters in length. 

• For security, the password you type will display as asterisks (*). The 

number of asterisks that display in the Password and Confirm 

Password fields does not indicate the number of characters in your 

password. 

132 



5. Re-enter your password in the Confirm Password field. Make sure to 

type it exactly as before. 

6. Enter comments about this user in Notes, such as their job title, department, 

position, etc.. 

7. In the Profile dropdown list, select the web filtering profile to apply to 

this user. 

8. If you prefer that this user be assigned to the network-level profile that 

includes his/her workstation, click the Use Network checkbox. The Profile 

field will be grayed out, and this user will be governed by the profile 

designated on the Networks tab. 

9. To assign administrative privileges to this user, select the desired access 

level from the User Admin Privileges dropdown list. Otherwise, leave 

this field set to No access. 

iPrism’s administrator levels are: 

• Extended Override: Allows the user to log in to override 

management (see “The Override Management Page” on page 108) 

and grant access to others. 

• Filter Management: Allows the user to change the categories 

associated with a website (e.g., its site rating). Allows access to the 

Block/Unblock Site interface. 

• Full Access: Allows the user to reply to administrative requests 

(overrides, access, etc.). This user can access reports and the Block/ 

Unblock Site interface, but cannot access the Configuration interface 

or the Real-time Monitor. 

• Global Policy Admin: This role is a user or login that is in charge of 

global filtering policies, regardless of existing partitions. 

• No Access: This basic user account has no administrative privileges. 

• Reports Only: This user will be allowed access to iPrism’s report 

interface only. 

• Single Override: Allows a user to grant access to themselves only. 

They cannot grant access to others. 


133


If the iPrism is using mERS as its reporting system, and if the iPrism is 

the originator of an active mERS account, the administrator can also 

assign to the user the right to access mERS reporting services. This is 

done by checking the Allow access to mERS checkbox. 

10. After completing all the selections, click OK to add the new user to the 

iPrism user list. 

Note: You cannot exit the Users tab while you are creating or editing a 

user. Click Cancel to end your current editing session before exiting. 

134 



Editing Administrative Privileges 

The Administrative Profiles pull-down (Figure 55) assigns a local user an 

administrative profile based on a pre-defined list of values. The list of 

administrative profiles can be edited by clicking Edit/Add in the Adding 

User section as shown in Figure 53. 

FIGURE 54. Edit/Add button 


135


FIGURE 55. Administrative Profiles 

136 



Creating a new Administrative Profile 

1. Click Add. 

2. Type the name of the new profile in the Name field. 

3. Type a password in the Password field. 

4. Confirm the password and type any notes. 

5. Select a profile, or check Use Network to use a network profile. 

6. Select an administrative profile from the dropdown list in Admin Privileges 

(you can also click Edit/Add for a more detailed profile breakdown. 

Available profiles are as follows: 

• Extended Override: Allows the administrator to log in to override 

management (see “The Override Management Page” on page 108) 

and grant access to others. 

• Filter Management: Allows the user to change the categories 

associated with a website (e.g., its site rating). Allows access to the 

Block/Unblock Site interface. 

• Full Access: Allows the user to reply to administrative requests 

(overrides, access, etc.). This user can access reports and the Block/ 

Unblock Site interface, but cannot access the Configuration interface 

or the Real-time Monitor. 

• Global Policy Admin: This role is a user or login that is in charge of 

global filtering policies, regardless of existing partitions. 

• No Access: This basic user account has no administrative privileges. 

• Reports Only: This user will be allowed access to iPrism’s report 

interface only. 

• Single Override: Allows a user to grant access to themselves only. 

They cannot grant access to others. 

7. In the Rights - Report Access section, select which level of access this 

administrative profile will have to the reporting system: 

• None. No access to the reporting system. 

• Full. Complete access to the reporting system. 


137


• Access To Profile. Users can only access a specific profile selected 

from the list to the right of this selection. The special profile [User] 

indicates the profile currently in force for the user. 

• Access To Network Range. The user can only run reports on a 

limited range of IP addresses. The specific addresses are entered in 

the two adjacent fields. 

Note: Report restrictions are silently applied when the user runs 

reports. For example, if a user is restricted to a given IP address 

range, all reports will contain data for just that IP address range, even 

if a larger range was specified in the report itself. 

8. In the Custom Filters section, select a filter. These control access to the 

Filter Manager (see “The Filter Manager” on page 257 for information). 

• Select None to prevent users from accessing the Filter Manager 

• Select Full to give them complete access 

9. The Override Privileges section can be seen in Figure 56 below. This 

section allows you to fine-tune the user’s ability to override a blocked 

request. 

138 



FIGURE 56. Administrative Profiles (Continued) 

10. The Overrides subsection selects the users for whom this class of 

administrators can create an override: 

• Can Not Override: disables the user’s ability to override, even for 

himself/herself. 

• Self Only: The user can create an override for himself/herself, but no 

one else. 

• Users As Follows: The user can create overrides for a group of users 

specified in the Users definition section. 


139


• Current Workstation: The administrator can override URLs 

only for the workstation s/he is currently using. Since the 

overrides exist for a specific time period, it is possible for the user 

to log in to a workstation, create an override, and log out, then 

another user to log in and benefit from the override setting. 

• Current User: The administrator can create an override for 

himself/herself only. 

• Current Partition: If partitions are enabled, the administrator can 

create an override for the users in her/his partition. 

• Network Range: The administrator can create an override for a 

range of IP addresses as specified. 

• Profile: The administrator can create an override for all users who 

use a specific profile. The special profile [User] indicates the 

profile current in force for the administrator. 

• Everyone. The administrator has complete override ability. 

11. The Contents section specifies what the administrator can override. 

• Current URL: Only the entire URL can be overridden. 

• Current Path: A specific path can be overridden, regardless of the 

host name. The path component is the part of the URL which appears 

after the host name. 

• Current Domain: A specific domain name can be overridden. The 

domain name of the host part of the URL; e.g., yahoo.com is the 

domain name of http://www.yahoo.com. The iPrism system is aware 

of country codes, so the domain for http://www.amazon.com.uk/ 

index.html is amazon.co.uk. 

• Current Category: The administrator to override all users which 

belong to the category of the URL being requested. 

• All URLs: The administrator can override any URL. 

12. From the Duration dropdown list, select the amount of time an override 

can remain in effect. 

13. Click Ok to create the new profile, or Cancel to cancel it. 

14. Click Ok at the bottom of the pane. 

140 



Adding a New Administrative Profile 

1. In the Administrative Profile section, click New. 

2. Enter the name of the new profile in the Name field (see Figure 55). 

3. The values of the various administrative privileges are set using the same 

steps as in the section “Editing Administrative Privileges” on page 135. 

Deleting an Administrative Profile 

1. Select the profile to be deleted in the Administrative Profiles dropdown 

list. 

2. Click Delete. 

Importing User Accounts into iPrism 

The import facility lets you create local user accounts by specifying the user 

data in an external file. The format of this file and the import process are 

described in “Importing User Data into iPrism” on page 365. 

Editing User Accounts 

You can edit a user’s account to change a user’s name, password, filtering 

profile, or administrative privileges. To edit an account: 

1. Select the Users section. 

2. In the iPrism Users frame, select the user to edit and make your 

changes. 

3. Click OK when you are finished. 


141


Choosing an Authentication Mechanism 

Network-based profiles do not require authentication to be enabled. If, 

however, authentication is enabled, users must authenticate to reach the 

Internet. 

Assigning an Authentication Mechanism to an IP address 

range 

1. Start the iPrism System Configuration tool, select the Access section, 

then select the Networks tab (see Figure 57). 

142 



FIGURE 57. Authentication control in Networks tab 

2. In the Network List frame, select the network on which you want to 

enable authentication. The default IP address range (0.0.0.0. to 

255.255.255.255) covers all the IP addresses. Select this if you want to 

apply the authentication settings across the entire network. 

• Select the network in the Network List to which you want to apply 

the authentication settings. You can only edit one network at a time. 

• If you want to define a new network, click Add and define the IP 

address range below. See “Defining IP Address Ranges” on page 89. 


143


• If you want to remove a network, select the network from the 

Network list and click Delete. 

• Click View All to view the profile mappings and network settings. 

• Use the up/down arrows to move a selected network up or down the 

list. 

3. In the Web Authentication type(s) on this network section, select 

which types of authentication you wish to allow in Proxy Mode and 

Bridge (Transparent) Mode. (For a review of each mode, see “Proxy 

Mode” on page 5 and “Bridge (Transparent) Mode” on page 8.) 

• No Authentication: No user authentication is done, and the 

system uses IP address-based profile mapping. 

• HTTPS: (Secure http protocol; the preferred authentication 

method.) When the user first attempts to access the Internet, s/he 

is sent to a secure login page. 

Note: HTTPS (SSL) traffic on port 443 is now strictly enforced. If 

you do not use SSL but use port 443 for your traffic, either change 

the application port to a port other than port 443, or set up a filter 

exception for the client/server IP addresses. To learn how to set up 

filter exceptions, see “Creating Filter Exceptions” on page 207. 

• HTTP: Like https, only the protocol used is the insecure http 

protocol. This authentication type is not recommended because 

usernames and passwords are sent as clear text. Anyone with a 

sniffer on your network can obtain them. 

• Basic: (Proxy mode only) This is the standard protocol used by 

browsers to authenticate with proxy servers. Basic authentication 

is browser session-based. When the user exits the browser, the 

session is ended and the authentication goes away. When the user 

starts the browser again, they will have authenticate again. 

Note: This authentication type does not work if you have a proxy 

server between the user’s workstation and the iPrism. 

• [Disabled] - No authentication is done. The user is not allowed 

web access. The [Disabled] authentication can be used in proxy 

mode to force everyone to use bridge (transparent) mode; i.e., you 

can use [Disabled] to turn off proxy mode while leaving bridge 

(transparent) mode functioning. 

144 



• Auto-Login - This allows for the system to automatically log in a 

user based on the Windows NTLM or LDAP authentication 

protocol. See “Auto-Login Details” on page 146 for details. 

Note: If the system can not automatically log in a user, it will fall 

back to the selected authentication method. 

When LDAP Auto-Login is enabled, you can use the LDAP 

group->profile mapping if you want to apply profiles to the users 

based upon their LDAP memberships (recommended). If you do 

not map profiles to groups, then all users will get the default 

fallback profile. LDAP authentication can be either configured 

with Auto-Login or with manual login. Profile mapping can also 

be used with manual authentication. 

4. In the HTTP/HTTPS Timeout frame, select the timeout settings to be 

applied to authenticated users. These settings apply to any mode for 

which either HTTP or HTTPS is selected. 

Note: These fields are grayed out if a valid mode is not selected. 

From the Style dropdown list, select one of the following timeout methods, 

then enter the corresponding number of minutes in the Timeout field: 

• Fixed Duration. When selected, the Timeout value is the exact 

number of minutes between the authentication and the end of the 

session. After this number of minutes, the user will be prompted 

by iPrism to re-authenticate. 

• Inactivity. When selected, the Timeout value is the exact number of 

minutes between the last Internet access and the end of the session. If 

there is no Internet activity for amount of time specified in the 

timeout value, the user will be asked to re-authenticate the next time 

the Internet is accessed. In other words, each time that an Internet 

access is made, the timeout restarts to its original value. 

• Fixed Hourly. When selected, the Timeout value corresponds to the 

number of minutes past the hour at which the session will expire, 

independent of the original authentication time. The value of the 

timeout should be between 0 and 59 minutes in this mode. This mode 

is useful is when users change activity on an hourly basis, such as 

students in a class. 


145


5. Click OK. If you defined a new network, it is added to the Network List 

frame. 

Note: The Network List is an ordered list that is searched from the top 

down. To avoid confusion, broader networks must appear after narrower 

ones, as the broad network may overlap or include the specific subnet. 

Use the arrow keys to the right of the Network List to change the order 

of the selected network. If the order is not correct, you will get a message 

to change it when you try to exit. 

6. Select Exit, then Save & Exit to save your changes. Wait a few 

moments for iPrism to reset, then test the authentication settings by logging 

in from a workstation on the network. 

Recommended Authentication Settings 

Proxy Mode: If you are using NTLM or LDAP, the recommended 

authentication settings is Auto-Login with Basic enabled. If you are not 

using NTLM or LDAP, the recommended authentication setting is 

HTTPS. 

Bridge (Transparent) Mode: The recommended authentication setting 

is Auto-Login with HTTPS enabled. 

iPrism and External Certificate Authorities 

iPrism does not currently link to external Certificate Authorities. End users 

that are running HTTPS authentication will likely receive a warning from 

their browser that the certificate is not recognized. You should tell your 

browser to accept the certificate and proceed. Once a certificate has been 

accepted, the warning should not reappear. 

Auto-Login Details 

Auto-Login provides a mechanism by which authentication is automated. 

The mechanism is different if you are using Windows or LDAP. 

Windows 

When using Windows, rather than requiring a user to manually enter their 

account information, it is automatically obtained from the browser. 2 The 

146 



details vary somewhat depending on which mode (proxy or bridge 

(transparent)) is in effect. The mode details are explained separately below, 

as well as the system requirements required to successfully enable Auto- 

Login. 

When using Windows, the iPrism system is able to authenticate any 

workstation as long as the user is logged in to a domain trusted by iPrism’s 

domain controller and the browser is configured to allow automatic 

authentication. If the Auto-Login fails, iPrism will revert to its regular 

authentication interface and prompt the user for his/her account credentials. 

LDAP 

When using LDAP, rather than requiring a user to manually enter their 

account information, iPrism queries the Novell eDirectory networkaddress 

attribute that keeps track of the IP address of the user’s workstation. When 

the user logs on, the attribute is populated with the IP address and the 

appropriate profile is applied. When the user logs off, the attribute is 

cleared. 

Using Auto-Login in Bridge (Transparent) Mode 

For Auto-Login to work in bridge (transparent) mode, the following 

network/system requirements must be met: 

Windows 

• Windows authentication must be configured, enabled, and operational 

on iPrism (see “Communicating with a Microsoft Windows 

Authentication Server (NTLM)” on page 159). 

• The primary web browser is either Internet Explorer or Firefox. 

• In Internet Explorer, one of the following modes must be in place to 

verify that the user is logged in to a domain trusted by iPrism’s 

domain controller. 

2. Some web accesses do not involve a browser (e.g., Windows Update). In this case the 

application may not honor the protocol used for automatic authentication. When this happens, 

the iPrism is unable to select a profile based on the user name, so it falls back to IP 

address-based profiles. 


147


• IP-based mode. Under this configuration, the IP address of 

iPrism (i.e., not the DNS name or WINS name) must be in the 

local Intranet zone of the browser. (This can be done networkwide 

by configuring the domain controller, or each workstation 

can be configured manually using the procedure below.) 

- OR - 

• DNS-based mode. This approach requires that the browser be 

able to resolve iPrism’s non-fully qualified host name to an IP 

address. This can be done network-wide by configuring your 

local DNS forward lookup zone[s] to contain an A record for 


• Firefox must be configured to use NTLM authentication through 

the about:config page. The parameter 

network.automatic-ntlm-auth.trusted-uris must include 

http:, where is the IP address of the 


• In the Networks tab, the Auto-Login checkbox must be checked in 

the Bridge (Transparent) Mode row (see Figure 58). 

FIGURE 58. Auto-Login in Bridge (Transparent) Mode 

For LDAP 

• LDAP authentication must be configured, enabled, and operational on 

the iPrism (see “Communicating with an LDAP Server” on 

page 150). 

• Internet Explorer is the primary web browser. 

• Auto-Login LDAP Server requirements: 

• Novell eDirectory 8.7.3 or 8.8, on Novell NetWare 

• LDAP Auto-Login is supported for Windows/Linux users running 

a Novell “NMAS capable” (Novell Modular Authentication 

148 



Service) login client, meaning a Novell login client version 4.90 

and higher. 

• End users must login to the Novell eDirectory using a Novell client. 

• In the Networks tab, the Auto-Login check box must be checked in 

the Bridge (Transparent) Mode row (see Figure 58). 

Note: Auto-Login requires precise configuration in order to work 

properly. Please check the iPrism tech notes page for up-to-date information. 

http://www.stbernard.com/products/docs/ip_technotes/Auto-Login.pdf 

Using Auto-Login in Proxy Mode 

Auto-Login capability is implemented differently in proxy mode than in 

bridge (transparent) mode. Here, it is not an extension of the IP-mapped 

authentication, but rather a session-based authentication system which 

authenticates on a per-connection basis. By using the same credentials that 

were used to log in to the workstation and authenticating against the same 

domain controller, Auto-Login can uniquely identify users and securely 

apply the correct profile to their browsing session. To make this work, 

Internet Explorer and Firefox open a number of socket connections to 

iPrism, each of which must succeed the authentication process. These 

connections can then transfer any number of URL requests without reauthenticating. 

Not using a connection for more than a minute will usually cause the 

browser to close the connection, but it will automatically open and 

authenticate more connections as necessary. Most browsers use one to four 

active connections, depending on the amount of URL traffic being 

transferred. 

For Auto-Login to work in proxy mode, the following network/system 

requirements must be met: 

• Internet Explorer v5.0 (or later), and iPrism v3.4 (or later). 

• Firefox (all versions). 

• The browser must be configured to use iPrism as a proxy. See 

“Configuring Browsers for Authentication” on page 345. 

• Workstations must participate in and log into a Windows domain. 

iPrism must have a shared trust in this same domain. 


149


• NTLM authentication must be enabled, configured, and operational 

on iPrism. See “Configuring Browsers for Authentication” on 

page 345. 

• The authentication method must be set to Basic in the Networks tab. 

(This is necessary to support software that does not, or cannot, 

support NTLM authentication.) 

• In the Networks tab, the Auto-Login check box must be checked in 

the Proxy Mode row. (See Figure 59) 

FIGURE 59. Auto-Login in Proxy Mode 

Auto-Login can be enabled simultaneously for both proxy mode and bridge 

(transparent) mode operation, as long as the network/system requirements 

for each configuration are met. 

Communicating with an LDAP Server 

LDAP centralizes and makes user information available on a network.The 

iPrism can authenticate users and, optionally, obtain access information (an 

iPrism Access Profile name) for those users from an LDAP server. 

Each user object within the LDAP directory may contain many attributes to 

associate with the user (such as password, phone number, full name, etc.). 

For the iPrism to utilize users on a remote LDAP server, that server must 

perform simple LDAP binds (authentications) to the user’s node. When 

these binds fail (i.e., passwords don’t match), then the iPrism considers the 

authentication to have failed, and the associated service access (Web Proxy) 

consequently fails. 

Note: LDAP authentication does not implement the Simple Authentication 

and Security Layer (SASL) mechanism. 

150 



Refer to the “Configuration example (using NT Active Directory)” on 

page 157 to understand how the iPrism performs lookups. 

Setting Up the iPrism LDAP Client 


then select the LDAP tab (see Figure 60). 

2. Check Enable LDAP Authentication. 

• Presets. Click Presets to display the LDAP Presets dialog box, which 

contains a useful selection of common configurations to pre-load the 

LDAP screen with place holder and default values that you can 

modify. Select a configuration (Active Directory (Multi-Domain), 

Active Directory (Single-Domain), or NDS) and click Apply. The 

LDAP fields will be prefilled based on your selection. 


151


FIGURE 60. LDAP Tab 

3. In the LDAP Server frame, provide the requested information about the 

LDAP server to which iPrism will connect. 

• Server. Enter the DNS name or IP address of your LDAP Server 

from which user authentication and profile information will be 

retrieved. 

Note: iPrism requires plain text authentication to be enabled on 

the server. 

• Port. Enter the TCP port number used by LDAP. The default 

LDAP port is 389. For NT/Win2k Active Directory, the global 

catalog port is 3268. 

• Backup Server. You can configure a optional backup LDAP 

server that replicates the primary server’s information. If iPrism 

fails to establish a connection to your LDAP server, it will try the 

backup server. Enter the DNS name or IP address of your LDAP 

Server, or leave it blank if there is no backup server. 

• Backup Server Port. If designating a backup server with a port 

other than 389, enter the port associated with this server. 

• Binding DN or UPN. Bind is the LDAP user authentication. The 

DN/UPN should be a domain user account with privileges to 

query the LDAP server. Non-Windows LDAP servers may accept 

only LDAP distinguished name (DN) format: 

CN=domain_user_account, DC=your_domain_name, DC=com. 

Windows 2000 and above servers accept DNs, but also accept 

RFC 822 User Principal Name (UPN) format: 

domain_user_account@stbernard.com, where stbernard.com is a 

domain name. 

Note: If left empty, an anonymous bind is performed. A common 

problem is that anonymous binds lack administrative rights to 

perform a sufficient search of the LDAP tree. 

• Binding DN or UPN Password (only used with Binding DN or 

UPN). The password associated with the Binding DN or UPN 

username on the LDAP server. It can be left empty if the LDAP 

server does not require a password. 

152 



• Base DN. This parameter indicates the common root of all 

information that will be considered when iPrism queries the 

LDAP server for user data. Base DN will typically be some 

representation of your organization. LDAP data is stored 

conceptually in a tree, containing nodes, or branches of 

information. This describes how the LDAP information is 

organized in the source server. Changing the Base DN can restrict 

to searching a given group on the LDAP server. The setting 

depends on your LDAP vendor: 

• Novell NDS: o=organization 

• Windows Active Directory: dc=domain, dc=com 

• InterGate: o=organization 

It can also be left empty for servers that accept an empty Base 

DN, such as NDS, and iPrism will default to the root of the LDAP 

server. Base DNs can use domain components (DC) to search as 

subdomain, as in: “DC=mySubdomain, DC=mydomain, 

DC=com.” 

• Use UID. Selecting the checkbox automatically activates the 

simple Mask value of uid=%1. 

Note: Since the pound sign (#) is used as the attribute value 

separator, it must be considered an illegal character in any 

attribute value (uid, name, organization, etc.) 

• Mask. The mask is a way to designate the attribute(s) that will 

cause the LDAP access to result in a unique user node. The syntax 

for the Mask field uses a combination of attribute (attrNUM) and 

value (%NUM) separated by the equals sign (=). Multiple 

attribute/value pairs must be separated by the # character. 

attrNUM is the actual name of the attribute, and %NUM 

indicates the position in which a user would enter the information 

in the name field of an authentication prompt. So the syntax is as 

follows attr1=%1[#attr2=%2[...]]. 


153


The two examples in Table 5 should help clarify the matter: 

Table 5: Mask values in LDAP Configuration 

Mask 

uid=%1 

name=%1#organization=%2 

User login example 

bill 

sally#accounting 

In the first row, the LDAP server is going to search for the unique 

node that has the uid attribute equal to bill. In the second row, 

the matching node will have the name attribute equal to sally 

and the organization attribute equal to accounting. This 

flexibility allows the organization to have the same username 

(sally) in two different departments. 

• Require Attribute. Check this box if you want to force the LDAP 

server to supply the profile name attribute. As a consequence, 

fallback profiles are not used. If this box is checked and a profile 

name attribute is not obtained, authentication will fail. 

Note: This method is no longer recommended, but is supported 

for users with iPrism prior to version 5.0. Instead, use Profile 

Mapping to map LDAP user profile results with iPrism profiles; 

See “Mapping Groups to iPrism Resources” on page 168.. 

• Attribute / SubQuery Attribute. Each LDAP node will usually 

have many attributes of information about the user. iPrism can run 

up to two LDAP queries to determine a user’s profile. If the value 

in the Attribute field is a distinguished name, iPrism will perform 

a second query, searching for the SubQuery attribute. This allows 

the ability to use groups to define profiles, so you will not have to 

reconfigure individual users. For example: 

Query for user returns 

the values 

memberOf = 

memberOf = 

154 



The iPrism LDAP client will then query each ‘memberOf’ 

group until it finds a valid attribute. Since there is no mapping yet, 

the first valid attribute is used. 

iPrism can also just retrieve a single attribute to use as the name of 

an access profile on iPrism. This will then be associated with the 

user for access privileges. If you want to use this feature, 

configure your LDAP server to provide such information under a 

specific attribute name, and list that name in the Attribute field. 


155


If a SubQuery Attribute is defined, iPrism will proceed as 

follows: 

• Authenticate the user using provided credentials 

• Look up the value of the (primary) attribute for the user 

• If the attribute is a DN, look up this DN 

• Search for the secondary (SubQuery) attribute of this DN 

• Use the value of the secondary attribute as the iPrism filtering 

profile name 

Note: For multi-valued attributes, the first valid (meaning the 

value maps to an existing iPrism profile) match will be used. 

• Use Legacy Profile Resolution: When un-checked, it enables 

LDAP group-to-profile mapping via the Profile Mapping tab. 

When checked, it disables access to the Profile Mapping tab, 

implying you wish to use an pre-existing LDAP configuration as 

is. 

Note: This method is no longer recommended, but is supported 

for users with iPrism prior to version 5.0. 

• Encryption Type. This dropdown menu supports secure 

connectivity and contains the values of none (default), SSL, and 

TLS. SSL (Secure Sockets Layer) and TLS (Transport Layer 

Services) enable encrypted traffic between iPrism and eDirectory 

for improved security. When selecting SSL, change the port to 

636. 

4. When you have finished configuring the LDAP server, click Test to test 

LDAP server connectivity. Once connected, an LDAP bind attempt 

using administrative credentials is made to configure the base. If either 

the primary server or backup server test is successful, a notice indicating 

that the test was successful is displayed. If the server test is successful, 

the backup server is not tested. If the server fails, then the backup server 

is tested. If there is an error with the connection or binding, a notice indicating 

at which point in the test failed is displayed. 

5. To test the Backup Server and Backup Server Port, enter incorrect 

Server and Port information and click Test. When the server test fails 

due to the incorrect information, the backup server is tested. The connect 

156 



and bind process described above for the server test is attempted for the 

backup server and the appropriate success or error notice is displayed. 

Configuration example (using NT Active Directory) 

User John: 

DN = samaccountname=John, dc=company, dc=com 

email = John@company.com 

location = San Diego 

memberOf = cn=group1, dc=company, dc=com 

memberOf = cn=group2, dc=company, dc=com 

Group1 

DN = cn=group1, dc=company, dc=com 

attr1 = value1.1 


Group2 




iprism = BlockOffensive 

Group3 




iprism = undefined_value 

iPrism configuration : 

Attribute = memberOf 

SubQuery attribute = iprism 

Profiles = BlockOffensive, Pass All, 

MonitorOffensive 

Notes: 

When John tries to 

authenticate, iPrism will lookup 

the group’s ‘memberOf’ 

attribute attached to John's 

user settings. 

John is a member of group1 

and group2. iPrism will first 

look up group1 and search for 

the 'iprism' attribute; there is no 

such attribute in group1 so 

iPrism will move on to group2 

and find the value 

BlockOffensive, which is used 

as John's profile. 

Group3's ‘iprism’ attribute is 

not valid because the value 

does not correspond to a 

profile on iPrism; it would be 

skipped. 


157


Troubleshooting LDAP Authentication 

To start the LDAP diagnostic utility from the Appliance Manager, start the 

System Diagnostics tool and select the LDAP tab. 

To test authentication: 

FIGURE 61. LDAP Diagnostics 

1. Type a user name in the Username field and a password in the Password 

field. 

2. Click Test to test authentication 

158 



How Profiles are Assigned 

When users on your network authenticate through a LDAP authentication 

server, you can configure iPrism to access user information directly from 

the LDAP domain controllers. After authenticating, iPrism can obtain group 

assignments, and each of these groups can be mapped directly to an iPrism 

profile. The group mapping for profiles is done from the Profile Mappings 

tab (page 170), and the mapping for assigning iPrism administrator 

privileges is done from the Privilege Mappings tab (page 174) in the Users 

section. 

Communicating with a 

Microsoft Windows Authentication 

Server (NTLM) 

The Microsoft Windows authentication feature lets iPrism access Microsoft 

Windows users information directly from one or more Microsoft Windows 

domain controllers. This allows iPrism to seamlessly authenticate Microsoft 

users and obtain Microsoft group assignments. With this information, 

iPrism can control and/or monitor user access to the Internet. iPrism 

provides a simple mapping scheme in which Microsoft Windows groups are 

associated with iPrism access profiles and administrative privileges. This 

allows for extremely detailed control of externally authenticated users. 

Configuring Microsoft Windows authentication on iPrism requires only a 

few steps. In fact, depending on the complexity of your Microsoft Windows 

environment, and the granularity with which you want to control/monitor 

users, it can be extremely easy. The next few sections will show you how to 

join iPrism to your Microsoft Windows Domain and map Microsoft groups 

to iPrism’s profiles and administrator privileges. 

1. Join iPrism to a Microsoft Windows Domain 

Joining iPrism to a Microsoft Windows domain requires configuring a small 

number of Microsoft Windows parameters, such as the domain name and 

the WINS server addresses, if needed. After you have supplied sufficient 

Microsoft Windows administration credentials, clicking Join will create a 

Microsoft Windows account for iPrism. It is under this account that iPrism 

will securely communicate with the domain controllers. 


159


1. Start the iPrism System Configuration tool, select the Users section and 

click the Windows tab (see Figure 62). 

Note: The Windows tab is where iPrism is told how to participate in the 

Microsoft Windows domain. Outside of establishing a “machine 

account” on the domain, iPrism acts strictly as an authentication client, 

querying for user and group memberships. 

2. Select Enable Windows Authentication. When selected, all items 

related to Windows authentication can be modified. 

160 



FIGURE 62. Joining iPrism to an Microsoft Windows Domain 

3. Select either NT4 Domain authentication system or one which uses 

Active Directory. 

• If you choose to use a NT4 Domain authentication system, type the 

name of the NT domain in which iPrism will participate in the NT4 

Domain field. This entry should be a single domain name. 

Note: All NT “trust” domains associated with the NT domain listed 

here will be detected and provided as selectable domains in all iPrism 

authentication screens. All NT groups from this domain and the 

trusted domains will be available for mapping to access profiles and 

administrator privileges. 


161


• If you choose Active Directory, type the name of the Active 

Directory Server. 

4. In the Machine Account field, specify a unique machine account name 

for iPrism. (iPrism must establish a machine account on the NT domain.) 

Note: The account will be created with this name and should be defined 

so as to not conflict with other machine accounts on the domain. This 

new account must remain, as created by the Join operation, for the duration 

of iPrism’s participation within the domain. If the account is accidentally 

removed from the NT server, the Join procedure must be 

repeated again. 

5. In the NT Admin Name and NT Admin Password fields, type the user 

name and password of the Windows administrator account that will be 

used for the Join operation. The user should have the authority to perform 

the Join operation. 

6. If you intend to use Auto-Login, then you must specify a redirect 

method. This defines how iPrism will verify that users are logged in to a 

trusted domain. Select the desired method from the Auto-Login redirection 

settings frame (only pertains to Bridge (Transparent) Mode Auto- 

Login). 

• IP Address: (default) To use this method, the IP address of 

iPrism (i.e., not the DNS name or WINS name) must be in the 

local Intranet zone of the browser. This can be done networkwide 

by configuring the domain controller, or by manually configuring 

each workstation. 

• DNS: To use this method, the browser must be able to resolve 

iPrism’s host name to an IP address. This can be done networkwide 

by configuring your local DNS zone[s] to contain an a 

record for iPrism. 

Note: Depending on the redirection setting you choose, you will need to 

configure either your browser/workstation, domain controller, or the 

DNS server (as appropriate) to support that choice. If you require more 

information about why you would use DNS versus IP address redirections 

for Auto-Login, refer to the iPrism Auto-Login tech-note on the 

iPrism support web page: 

162 



http://www.stbernard.com/products/support/iprism/support_iprism-tnotes.asp 

7. Click Join. 

Initially, a dialog box will indicate that the Join operation is in progress. 

After this dialog box goes away, the status (success or failure) will be 

displayed at the bottom of the Join the NT Domain frame. 

Once iPrism has successfully joined the domain, you are ready to proceed. 

Advanced Windows Authentication 

Clicking Advanced in the Windows screen (Figure 62) brings up a dialog 

which allows you to configure your iPrism if you are dealing with a 

customized Windows Authentication environment (Figure 63). 

FIGURE 63. Advanced Windows Authentication Options 

• Specify the IP addresses of the domain controllers you wish to use in 

the Domain Controllers field. Multiple IP addresses must be 

separated by commas. 


163


• If your network is configured to use NetBIOS protocol, check Enable 

NetBIOS. 

• The LMHosts file provides a mapping between IP address and 

NETBIOS computer names for networks without WINS Servers (or 

networks with broken WINS Servers). If you have a LMHosts file on 

your workstation you can transfer it to the iPrism by clicking Import 

and selecting the LMHosts file from the window that appears. You 

can also edit this file manually by clicking Edit, which brings up an 

editing window as shown in Figure 64. Check Enable LMHosts to 

use this file. 

FIGURE 64. Edit LMHosts 

• If you are using WINS services, type the IP addresses of your WINS 

servers in the WINS Servers field. 

• The Auto-Login Script Generator frame allows the generation of 

the logon/logoff scripts for deployment to users. Bridge (transparent) 

mode filtering configurations can benefit from client-side logon/ 

logoff scripts. They support immediate Windows authentication to 

164 



iPrism when users log on to their workstations. This provides up-front 

user identification without requiring web browsing to establish the 

authenticated session with iPrism, providing timelier authentication 

for bridge (transparent) mode users. 

For example, a user can be profiled/reported-on by username for an 

IM/P2P application without the user browsing the Internet first to 

establish an authenticated iPrism session. Another benefit is that the 

first browsed website may now be an HTTPS (secure) website, which 

will be profiled by username, instead of IP address. Basic requirements 

for successfully using these scripts are as follows: 

• Windows Authentication and Transparent-Mode Auto-Login are 

working. 

• Transparent Auto-Login Timeout compatibility check. 

• Script generation using iPrism. 

For more information, refer to the Auto-Login tech-note on the iPrism 

support web page: 

http://www.stbernard.com/products/support/iprism/support_iprismtnotes.asp 

• Select whether to Generate Login Script or Generate Logoff 

Script. 

• If the Auto-Login redirection setting is configured to resolve 

iPrism’s IP address using DNS, an iPrism DNS Name should be 

displayed. If the setting is configured using an IP address, an iPrism 

IP Address should be displayed. 

• The iPrism Port Number defaults to 80. If you are using a different 

port number for HTTP, you may change this value. 

• The Script Loop Delay (minutes) determines the frequency of user 

authentication by the iPrism logon script. 

Note: The Script Loop Delay should be less than the value used for 

the Fixed Duration Timeout or Inactivity Timeout options for the 

Transparent Auto-Login Timeout setting in the Network tab. The 

Fixed Hourly style should not be used, as users could generate IM/ 

P2P traffic without username recognition (See “Using Auto-Login in 

Bridge (Transparent) Mode” on page 147.). 


165


• Click Create to generate the Auto-Login Script and a notice appears for 

confirmation. Click OK to save the script using the Auto-Login VPSscript 

File Location window that follows. 

• Click OK in the Advanced window to save these settings or Cancel to 

discard them. 

Maintaining iPrism’s Machine Account 

The process of joining a domain (establishing the machine account and 

defining the encryption key by which all communications will be encoded) 

is a one-time event. Once a client has “joined” the domain, it is not 

necessary to rejoin, unless some event occurs on either the domain or the 

iPrism that causes the shared encryption key to be lost, such as the 

following: 

• The machine account is deleted from the domain. 

• The domain controller encounters a failure in which all machines 

must rejoin the domain. 

• A replacement iPrism is deployed and is configured from scratch. 

Debugging Windows Authentication Problems 

If you encounter difficulties which prevents users from accessing the 

system, launch the System Diagnostics tool from the Appliance Manager. 

Click the NTLM tab to bring up the authentication tool (Figure 65). 

You can also access additional NTLM diagnostic information from the 

Users section’s Profile Mappings tab. Click Policy Test. This tool allows 

you to determine what profile will be applied to a user given the current 

system configuration. 

166 



FIGURE 65. NTLM Diagnostic Tool 

To check to if a user can be authenticated, complete the following steps: 

1. Type the user name in the Username field and the password in the Password 

field. 

2. Select the correct domain name from the Domain list. 

3. Click Auth and the system will attempt to validate the user. The results 

will be displayed in the large text field below the blanks. 

To run a report on which groups a user belongs to, complete the following 

steps: 

1. Click User. 

2. Type the username in the Username field. 


167


3. Select the correct Domain and click User. A list of groups to which this 

user belongs appears in the large text field. 

The Domain button lists the trusted domains. 

The Secret button checks if the shared secret used by iPrism to authenticate 

to the domain controller is valid. 

Step 2: How Profiles are Assigned 

When users on your network authenticate through a Microsoft Windows 

authentication server, you can configure iPrism to access user information 

directly from the Windows domain controllers. After authenticating, iPrism 

can obtain group assignments, and each of these groups can be mapped 

directly to an iPrism profile. The group mapping for profiles is done from 

the Profile Mappings tab (page 170), and the mapping for assigning iPrism 

administrator privileges is done from the Privilege Mappings tab 

(page 174) in the Users section. 

Mapping Groups to iPrism Resources 

Once iPrism has successfully joined the domain, you will need to map the 

user groups to iPrism’s access profiles and administrator privileges. Users 

who have been authenticated from a domain controller must be associated 

with an iPrism access profile. This is accomplished on the Profile 

Mappings and Privilege Mappings tabs in the Users section. The strategy 

for both configuration screens is the same, namely to map user groups. This 

means that all users who are members of a particular user group can be 

mapped to a particular iPrism access profile or administrator privilege. 

Before doing any mapping, you should review the following guidelines. 

Rules and Guidelines for Group Mapping 

Users on iPrism are controlled based on their group memberships. This is 

accomplished by mapping a group to an iPrism resource; in this case, an 

access profile via the Profile Mappings tab. User groups (fully qualified 

with the DOMAIN\groupname notation) are mapped to iPrism access 

profiles. 

Notes: 

168 



• It is very important to recognize that this particular list editor is 

ordered. 

• LDAP mapping profiles use Attributes and Subquery Attributes, 

rather than the DOMAIN\groupname notation. 

When mapping groups to profiles, the following principles should be kept 

in mind: 

• As iPrism is determining a user’s profile, a top-to-bottom search is 

performed on the list, with the default assignment applied last (if no 

match is found). 

• For the first group on the list in which the user is a member, the 

corresponding profile for that map item is associated with the user. 

iPrism then uses this profile to define this user’s access to iPrism. 

• If the user is not a member of any group mappings on the list, the user 

is associated with the Web Fallback and IM/P2P Fallback profiles. 

• Whatever defines the group (DOMAIN or groupname) can be 

wildcarded (replaced with a single asterisk (*)). The asterisk wildcard 

means that all domains or all groups are covered by the mapping 

entry. An example of this convenience is if you want members of the 

‘staff’ group (in any domain) to be mapped to the MonitorAll profile 

( [*\staff -> MonitorAll] ). 

Likewise, a wildcard can be used in the group position to cover all 

groups within a particular domain (e.g., [DOMAIN\* -> 

BlockOffensive] ). 

• The Web Fallback and IM/P2P Fallback profiles are checked last and 

have the implied [*\* -> default profile] map. 

The default profile should be carefully assigned, since any user who 

is not a member of one of the group mappings will be associated with 

this profile. A common strategy is to plan that most users will obtain 

the default profile, and use explicit mappings on the list for 

exceptions. 

Note: Since *\* is implicitly mapped to the default profile, explicitly 

mapping *\* on the list is not allowed. 

In summary, an effective way to view mappings is to set the default profile 

as what most users will be controlled by. Exceptions to the default profile 


169


can be configured via mappings, with the most specific exceptions to be 

ordered at the top. 

Step 1: Mapping Groups to Profiles 

Once iPrism has successfully joined the domain, you can start mapping the 

user groups to iPrism’s profiles and an administrative privilege. 

Notes: 

• The Profile Mappings tab is used to map groups from either Windows or 

LDAP authentication. Depending on this authentication type, the panels 

will appear differently. This section describes Windows profile mapping 

and highlights the differences for LDAP profile mapping. 

• You cannot perform LDAP profile mapping if Use Legacy Profile Resolution 

is checked in the LDAP tab. 

1. From the iPrism System Configuration tool, select the Users section, 

then the Profile Mappings tab. 

The Windows Group to Profile map list at the top of this tab shows 

your existing map entries, if any (see Figure 68). 

Note: When LDAP profile mapping, the LDAP Attribute to Profile 

map list appears instead. 

2. To add a new group/profile map, click Add. To delete a group/profile 

map, select the map from the list, then click Delete. 

3. Click View All to view profile mappings, overrides and email alerts. 

4. To perform a check on all mapped groups to determine if any do not 

exist in your directory, click Group Check. 

5. To check what profile a user will get given the last saved policy configuration, 

click Policy Test. This will bring up the Policy Tester tool, which 

allows you to enter a username, password, domain and IP Address. Click 

Test to show the profile that will be applied to the user. 

Note: If you made policy changes in the same session, you need to Save 

and Exit to save your changes, then log back in to test your policy. 3 

170 



FIGURE 66. Policy Tester window 

6. To get a summary view of the policy, click View All. A browser window 

opens where you can print your policy from. If you are using partitions, 

the group mapping for all partitions also displays. 

7. In the Domain dropdown list, select the domain that includes the group 

you want to map. This dropdown list includes the main domain, all 

trusted domains, plus the wildcard (*) option. This combines with the 

Group (see next step) to fully define the user group. 

Note: When LDAP profile mapping, the Domain and Group fields are 

replaced by a single field containing the Attribute and Subquery Attribute 

defined in the LDAP tab. You can manually enter a value, or to 

view and select available attribute values on the current session’s LDAP 

server, click Select. The LDAP Attribute Selector window (Figure 67) 

is displayed. Select an attribute from the list, then click Apply to popu- 

3. If you have unchecked “Close Manager after launching appliance tool” in your Appliance 

Manager Options, you will not need to log back in to test your policy. 


171


late the field. If desired, click Refresh to redisplay/refresh the list. Otherwise, 

click Cancel to exit the window with no action. 

FIGURE 67. LDAP Attribute Selector window 

8. In the Group field, type the group name that you want to map in this 

field. 

Note: The domain comes from the Domain field; do not enter the 

domain here. 

172 



FIGURE 68. Mapping Groups to Profiles 

9. In the Web Access Profile dropdown list, select the iPrism web profile 

that you want to associate with the users in the specified domain\group. 

Click View to view a profile’s configuration. 

10. In the IM/P2P Access Profile dropdown list, select the iPrism IM/P2P 

profile that you want to associate with the users in the specified 

domain\group. Click View to view a profile’s configuration. 

11. Click OK. The new Group-to-Profile map item is added to the list. 

Note: As a group-to-profile mapping is added to the list, a verification is 

made to the domain controller to ensure that the defined group really 

exists. A warning dialog will be presented when the group cannot be 


173


resolved on the domain. You can run this verification at any time by 

clicking Group Check. 

12. In the Web Fallback Profile dropdown list, select a default web profile 

that will apply to all members who are not part of a designated group. 

Note: On this list, the Use Network option will assign a profile according 

to the user’s IP address (network), as specified in the Access section’s 

Networks tab. 

13. In the IM/P2P Fallback Profile dropdown list, select a default IM/P2P 

profile that will apply to all members who are not part of a designated 

group. 

Note: On this list, the Use Network option will assign a profile according 

to the user’s IP address (network), as specified in the Access section’s 

Networks tab. 

14. Repeat this process to add additional mappings. Otherwise, save the settings 

by selecting Exit, then Save & Exit. 

Sorting and Editing Map List Items 

Items on the Group to Profile map list can be reordered by selecting an 

item, and clicking the arrows on the right side of the list to move it up or 

down. An attempt is made to identify incorrect ordering in which a 

wildcarded mapping overrides an item lower on the list. A mapping such as 

this means that the lower item will never be reached; a message will appear 

at the bottom of the tab area when incorrect ordering exists. 

To edit an item on the list, select the list item and make the desired changes 

to the Domain, Group, or Access Profile fields. Click OK to save the 

revised settings. 

To remove an item from the list, select the list item and click Delete. 

Step 2: Mapping Groups to Privileges 

This process is very much the same as the previous procedure for mapping 

profiles. The difference is that Profile Mappings can only View existing 

profiles, while Privilege Mappings provides the capability to Edit/Add the 

privileges. 

174 



When mapping groups to privileges, be aware that only the iPrism account 

will gain access to the Configuration tool; Full Access will not work. 

1. From the Configuration interface, select the Users section, then the 

Privilege Mappings tab. 

The list at the top of this tab shows your existing map entries, if any.(See 

Figure 69 on page 176) 

2. To add a new group/privilege map, click Add. To delete a group/privilege 

map, select the map from the list, then click Delete. 

3. In the Domain dropdown list, select the domain that includes the group 

you want to map. This dropdown list includes the main domain, all 

trusted domains, plus the * wildcard option. (This combines with Group 

(see next step) to fully define the group.) 

4. In the Group field, type the group name that you want to map in this 

field. 

Note: The domain comes from the Domain field; do not enter the 

domain here. 


175


FIGURE 69. Configuring User Privileges 

5. In the Admin Privilege dropdown list, select the iPrism privilege level 

that you want to assign to the users in the specified group. 

6. Click Edit/Add to add or edit a new a administrative privilege. See 

“Editing Administrative Privileges” on page 135 for more information. 

7. Click OK. The new Group-to-Profile map item is added to the list. 

Note: As a group-to-profile mapping is added to the list, a verification is 

made to the domain controller to ensure that the defined group really 

exists. A warning dialog will be presented when the group cannot be 

resolved on the domain. You can run this verification at any time by 

clicking Group Check. 

176 


Authentication from the User’s Perspective 

8. In the Fallback Privilege dropdown list, select a default administrator 

privilege. This will apply to all members who are not part of a designated 

group. 

9. Repeat this process to add additional mappings. Otherwise, save the settings 

by selecting Exit, then Save & Exit. 

10. The final step in configuring iPrism to communicate with y our Microsoft 

Windows or LDAP authentication server is to choose the form of 

authentication you want to use (proxy mode/bridge (transparent) mode). 

This will enable iPrism’s authentication features. See “Choosing an 

Authentication Mechanism” on page 142 for more information. 


When a user first accesses the Internet, s/he will be authenticated. If Auto- 

Login is enabled and functioning, this will be transparent to him/her. 

Otherwise s/he will see a Network Password dialog box (Figure 70) or a 

web-based login page (Figure 71). 

The user must enter their username and password to be allowed onto the 

network. 


177


FIGURE 70. Browser-Based Login 

178 



FIGURE 71. Transparent Authentication Login 


179


Logging in and out using the web interface 

When the user is presented with a web based login page (Figure 72), s/he 

should bookmark this page because it contains a link to the logout page. 

(Figure 72). If the user is on a shared computer, s/he should logout when s/ 

he is finished. If s/he does not, the next person who uses the machine will be 

able to access the Internet using his/her profile. 

Note: The logout page can be accessed directly through the url: http:// 

/logout. Where is the IP address of the 

iPrism system. 

Even if a user fails to logout, the system will automatically log him/her out 

based on the time entered in the Timeout field. 

Note: You can only change the Timeout field to a value less than the default 

specified by the administrator. 

180 



FIGURE 72. iPrism Logout Page 


181


182 


Chapter 7 

Email Alerts 

iPrism includes a powerful feature called “Email Alerts” to keep you aware 

of specific Internet-related events. Email Alerts work by sending an email 

notification to the iPrism administrator each time a certain type of event 

occurs, or a certain threshold of activity is exceeded. Email Alerts are useful 

when the ACLs are configured to monitor activity, rather than blocking it, 

such as the following activities: 

• You want to be immediately notified every time a particular employee 

surfs for more than 2MB of material from the job/employment search 

category in any 1-hour timeframe. 

• You want to be immediately notified whenever any workstation whose 

profile monitors pornographic material attempts to surf to more than 10 

web pages with pornographic content within 10 minutes. 

• You want to receive an email when the combined bandwidth from all 

workstations within a low-priority Internet lab exceeds 100MB during 

any 30-minute period. 

Once created, email alerts can be turned on and off as desired, so you can 

control when you are notified of events. 


183

Email Alerts 

Creating and Configuring an Email Alert 


2. Select the Reports section and select the Email Alerts tab (see Figure 

73). 

The first time you use this feature, the details of a email alert named 

“Example” display in the Email Alerts List frame. This alert is included 

with iPrism to demonstrate the feature. 

FIGURE 73. Email Alerts Tab 

3. In the Email Alerts List frame, click Add. 

4. In the Type frame, select whose activity you want to monitor: 

184 


• Any: The access of any user (or from any workstation) will be 

considered when determining if alert conditions are met. 

• User: Only the specified user will be tracked for alert consideration. 

Enter the user’s iPrism username or the workstation’s IP address in 

the associated field. 

• Profile: Only users monitored by the profile selected from the 

dropdown list will be considered. 

• IP Range: Only workstations that have an IP address within the 

specified IP range will be monitored for alert events. To track a single 

workstation, type the workstation’s IP address in both the IP Start 

and IP End fields. 

5. In the Watch frame, select which parameter should be watched and 

specify the threshold of activity that will cause an email alert to be sent. 

• Threshold: This is always an integer value and can represent 

kilobytes, pages, hits, or time spent, depending on what you select in 

the Data field below. 

• Data: This defines what parameter goes with the Threshold value 

you entered above. To aid in the understanding of these parameters, 

the following descriptions tell you what would happen with the 

Threshold value set to “10”. 

• Bandwidth (KB): An email alert will be sent every time 10 kilobytes 

of data is accessed by those defined in the Type frame 

within the time range specified in the Time span field. 

• Pages: An email alert will be sent every time 10 pages are 

accessed by those defined in the Type frame within any time 

span. A page is defined as an HTML access with a MIME content 

type of text/*. This includes blocked attempts as well. 

• Hits: An email alert will be sent every time 10 web accesses of 

any content type are accessed by those defined in the Type frame 

within any time span. Generally, Pages are a more useful selection 

type than Hits, since Hits will track data for every access 

(images, etc.), even though they all fall within a single page. 

Session Duration (minutes). An email alert will be sent after the 

user(s) specified in the Type frame have spent more than 10 minutes 


185

Email Alerts 

within any time span. Since it is impossible for computer software 

alone to track exactly how long someone spends browsing at a 

particular site, real-world usage heuristics have been used to 

approximate the time spent browsing. 

• Time span. This is the duration over which the email alert tracker 

counts access information. Anytime the number of counts exceeds the 

threshold value within this time span, an email alert is sent. 

• Grouped. Instead of tracking information for individual users or 

workstations (as defined in Type), checking this option will set 

iPrism to track the accesses of all members within the group as 

defined by Type (e.g., “Any”, “IP Range”, etc.). For example, when 

the Type is set to “Any” and Grouped is enabled, iPrism will 

combine all User, Profile and IP Range accesses into a single email 

alert. Collectively, these accesses will trigger the alert according to 

the Watch settings. 

Note: This selection will have no effect if selected Type is User, or if 

the IP Range specifies a single workstation. 

6. (Optional) In the Categories frame, you can narrow the scope of the 

alert event even further by requiring that the web accesses be to sites that 

belong to one of the categories you specify here. 

To select (or deselect) categories, click Set to open the Email Alerts-Category 

List window and select the desired categories. When finished, 

click OK to close this window. 

7. In the Adding Email Alerts frame, enter a descriptive name for this alert 

in the Name field. 

8. If you want this email alert to be disabled (i.e., inactive) for now, check 

Disabled. 

9. In the Recipient box, type the email address of the person to whom 

email alert notifications should be sent. 

Note: Generally, the email generated by an email alert is sent at the same 

exact time that the specified threshold is exceeded. But occasionally 

186 


(under heavy load), the email delivery can be delayed for as long as 5 

minutes. 

10. Click OK. The new email alert item is added to the dropdown list in the 

Email Alerts List frame. 

Editing an Email Alert 


2. Select the Reports section, then the Email Alerts tab (see Figure 73). 

3. In the Email Alerts List frame, select the alert item you want to edit 

from the dropdown list. (If the list is grayed out, click OK or Cancel at 

the bottom of the tab to close the current editing session.) 

4. Make the desired changes to the information in the Editing frame. (For 

descriptions of each field, see “Creating and Configuring an Email 

Alert” on page 184) 

Note: If you change the name of the email alert, a new alert will not be 

created. It will overwrite the current email alert. 

5. Click OK. The changes are now saved to this email alert. 

Deleting an Email Alert 

If you no longer require the service of an email alert, you can remove it 

from the system. 


2. Select the Reports section , then the Email Alerts tab (see Figure 73 on 

page 184). 

3. In the Email Alerts List frame, select the alert item that you want to 

delete from the dropdown list. (If the list is grayed out, click OK or Cancel 

at the bottom of the tab to close the current editing session.) 

4. Click Delete. 


187

Email Alerts 

The Email Alert is removed from the list. 

188 


Accessing iPrism’s Network Settings 

Chapter 8 

Network 

Management 

This chapter describes how to change iPrism’s network settings. This may 

be necessary if you make changes to your network environment, or if you 

change iPrism’s network topology. The parameters you can change include 

iPrism’s host name, IP address(es), interface settings, its designated name 

server, its default route (gateway), and more. 



2. Select the System section and click the Networking tab. (See Figure 74 

on page 190) 

The Networking tab is where you can change iPrism’s identity, interface 

settings, name server, and routing settings. 


189

Network Management 

FIGURE 74. Networking tab in the System section 

If at any point you want to restore your network settings to what they 

were before you made changes, click Reset. 

3. When you have finished making changes in the Networking tab, you 

must save your iPrism configuration. Click Exit, then Save & Exit. 

Changing iPrism’s Identity (Host Name) 

To change iPrism’s identity on the network, enter the new iPrism host name 

in the Host Name field, located in the Identity frame. (This should be a 

fully qualified standard Internet host name.) 

190 



Note: If you use a host name to connect to iPrism, be sure to define it within 

your name server. Otherwise, you will only be able to access iPrism through 

the IP address that you assigned to iPrism. 

Changing Network Interface Settings 

iPrism supports the following Ethernet Interfaces: 

• auto detect 

• 10 BaseT/half duplex 

• 10 BaseT/full duplex 

• 100 BaseTX/half duplex 

• 100 BaseTX/full duplex 

• disabled (External and Management only) 

The MTU blank allows you to change the Maximum Transfer Unit (MTU) 

for packets sent by this interface. This parameter should only be set by 

network experts doing high performance network tuning. 

The iPrism system uses the following interfaces: 

Internal. This interface is connected to your internal network. 

External. In bridge (transparent) mode, this interface is connected to the 

Internet. (See “How iPrism Fits Into Your Network” on page 5.). In proxy 

only mode, this interface is not connected. This interface has the same IP 

address as the internal interface. 4 In proxy mode, this interface is not used 

and should be disabled. 

Management. This interface allows the iPrism to be connected to a 

separate network for configuration and report traffic. Both E-mail and FTP 

transmit data “in the clear”. 5 This means that anyone who has access to your 

internal network could use a sniffer to grab this data as it’s being 

4. In older versions of iPrism you could set the internal and external interfaces to different 

IP addresses and run in something called router mode. This mode has been eliminated in 

iPrism 4.0. 

5. The FTP protocol even transmits passwords in the clear. 


191


transmitted. This problem can be avoided by connecting the management 

interface to a secure (and hopefully sniffer proof) network. Any reports 

transmitted to machines on this network will not appear on the internal 

network. Configuration done by workstations on this network can not be 

seen by anyone on the internal network. 

Enabling the Co-Management Network 

The ability to access iPrism’s configuration software is normally disabled 

for addresses located on the external interface of iPrism. To enable this 

ability, you can define a co-management network. 

Note: Defining a co-management network does not affect the 

ability to access the configuration software from iPrism’s internal 

interface. 

To define an IP range on the co-management network: 

1. Start the iPrism System Configuration tool. Select the System section 

and click the Preferences tab (see Figure 75). 

192 



FIGURE 75. System Preferences 

2. In the Co-Management Network frame, use the IP Start and IP End 

fields to define the range of IP addresses. Only workstations in this range 

will be able to configure iPrism via the External interface. 

3. Select Exit, then Save & Exit. 

Changing the Name Server Configuration 

iPrism’s Name Server setting is located on the Networking tab. 

Note: Although it is possible to run iPrism without specifying a name 

server, it is not advised. Many of iPrism features such as the anti-spoofing 


193


filter depending on being able to contact a name server and will not work if 

no DNS server is available. 

iPrism constantly resolves Internet host names to their IP address, as well as 

reverse map IP addresses to their host names. If iPrism's installed 

environment allows direct Internet access, it will (by default) use its built-in 

name resolver to perform all DNS tasks. However, some installations 

require that iPrism defer all DNS lookups to another name server, called the 

“forwarder” name server. In these cases, you’ll need to designate the IP 

address of this forwarder name server. 

If the specified name server is not available the iPrism will attempt to 

resolve name through a root name server if the DNS Fallback to Root 

option is checked. 

Changing the Name Server 

To change the name server, enter the IP address of your forwarder name 

server in the Forwarder field, located in the Name Server frame. In this 

case, iPrism will forward all DNS queries to this server. 

Note: When using a forwarder, it is highly desirable to use the 

same DNS server as used by the workstations. In this way, the 

DNS information will be cached when iPrism asks for it, reducing 

the latency of the request. 

Configuring iPrism to use its Internal Name Server 

To use iPrism as a stand alone DNS server, it must be able to issue DNS 

queries to the Internet. This requires that iPrism be able to access the 

Internet for the DNS protocol. In this case, the Forwarder field should be 

left empty. 

Note: Although iPrism ships with an internal DNS server, it is always 

preferable (i.e., faster) to use a name server instead. 

Using iPrism with Multiple Name Servers 

It is possible to configure iPrism to use up to three parent servers, to ensure 

that iPrism will always be able to resolve host names to IP addresses (and 

vice versa), even if the primary parent server is not available. 

194 


Communication with Other IP Networks 

To specify multiple parent servers, enter their IP addresses, separated by a 

comma, in the Forwarder field. Enter the IP addresses in the order that you 

want them to be accessed. For example: 

192.168.0.1,192.168.0.2,192.168.0.3 

Note: In forwarding mode, iPrism is at the mercy of its parent name server. 

If the parent server fails (the first server in this list), iPrism will not be able 

to resolve names and consequently, not operate effectively. iPrism will not 

keep hunting for an answer when configured with multiple name servers. 

Changing iPrism’s Default Route 

The iPrism system must have a default route set. In more complex situations 

you may need to set static routes as well. 

To edit iPrism’s default route, enter the desired IP address in the Default 

Route field, located in the Routing frame. 


The iPrism system may be required to communicate with other networks in 

order to service the clients located there. This section shows you how to 

establish static routes to such networks and enable the Routing Information 

Protocol (RIP) to keep iPrism current with changes on the network. 

About Static Routes 

iPrism is a network appliance, and as such, must know how to exchange 

packets with workstations and servers at your organization, as well as 

servers on the Internet. By default, iPrism monitors workstations and 

servers that are attached to the same IP network. However, if you want 

iPrism to communicate with workstations on other IP networks, you must 

define “static routes” to these networks so iPrism can access them. In other 

words, if you have a local network that is not reachable via the default route, 

then you must provide iPrism with information about how to access this 

network. 


195


Enabling RIP Updates in iPrism 

Some routers constantly exchange this type of network information via 

Routing Information Protocol (RIP) updates. If your routers support RIP, 

you can have iPrism listen for these updates. 

Note: iPrism supports versions 1 and 2 of the RIP protocol. 

To enable this functionality in iPrism, check the Listen box in the Routing 

frame. When iPrism is listening to RIP updates, changes to local network 

configurations will automatically propagate to iPrism. 

If using RIP is not an option, you will need to create static routes in order 

for iPrism to “see” workstations that are on a different IP network. 

Adding a Static Route 

1. Start the System Configuration tool, select the System section, then click 

the Networking tab (see Figure 76). 

196 



FIGURE 76. System Networking 

2. In the Routing frame, click Advanced. The Static Routes dialog box 

opens (see Figure 77 on page 198). 


197


FIGURE 77. Static Routes Dialog Box 

3. In the Static Routes dialog box, click Add. 

4. To change the range of addresses behind the static route, in the IP field, 

type the base IP address of the subnet that lays behind the route. 

5. Use your mouse to drag the slider under the Mask control until the 

Range field shows the desired mask value. This defines the series of 

workstations in the remote location that you want to reach. 

6. In the Gateway field, type the IP address of the Internal router/gateway 

that connects iPrism to the workstations you specified above. 

7. Click OK. The new route displays in the Static Routes frame. 

8. Repeat this procedure as necessary to create additional static routes in 

iPrism. When you are finished, click Close. 

198 


Configuring SMTP Relay Settings 

Editing or Deleting a Static Route 

1. In the Routing frame, click Advanced. The Static Routes dialog box 

opens (see Figure 77 on page 198). 

2. In the Static Routes frame, select the route that you want to edit or 

remove. 

3. To remove this route, click Delete. Otherwise, make the desired changes 

to the IP, Mask, and Route values. 

4. Click OK to save the changes. 

5. Click Close to close the Static Routes dialog box. 

Configuring SMTP Relay Settings 

iPrism uses the SMTP protocol to perform the following types of 

communications: 

• reports 

• email alerts 

• system notifications (upgrades, filter list problems, registration) 

• access requests 

By default, iPrism will perform a DNS (MX record) lookup to deliver these 

emails. If iPrism is installed in a network where a DNS server is not 

available and a SMTP Smarthost is used (for efficiency), its IP address can 

be configured here, in the SMTP Relay field. 

If a SMTP relay is specified, iPrism will delegate the delivery of the email 

to the relay and not attempt to directly contact the recipient's mail server. 


199


Using a WCCP Router with iPrism 

iPrism supports the WCCP v1 protocol providing all the advantages of 

iPrism’s transparent mode. WCCP provides fault tolerance by automatic 

detection and re-routing to eliminate network downtime in the event that 

iPrism is turned off, disconnected, or a system failure occurs. 

The configuration is straightforward and involves deploying iPrism V3.200 

or greater and a router which supports WCCP. When the client workstation 

generates traffic outbound to web servers on the Internet, the router detects 

that it is HTTP traffic (TCP port 80) and diverts that traffic to iPrism using a 

GRE tunnel. iPrism then makes the request to the server on behalf of the 

client, and responds directly to the client. However, from a client 

perspective the response appears to come directly from the origin server, so 

the client does not even know it is communicating with iPrism. 

Note: iPrism can be placed on either side of the router. 

Configuring WCCP Settings in iPrism 

1. In the System section, click the Networking tab. 

2. In the WCCP Router field, enter the IP address of the WCCP router. 


Note: Refer to the Tech Notes section on iPrism’s support website for 

information on configuring various versions of the WCCP router. 

http://www.stbernard.com/products/support/iprism/support_iprism-tnotes.asp 

Setting Up a Parent Proxy 

Under normal circumstances, iPrism contacts remote sites (that aren't 

blocked) and retrieves web pages on behalf of the original requester. 

However, if you have a local web-caching server, you will want iPrism to 

make all of its unblocked requests to the caching server, so you can realize 

200 



the benefits of the caching set up. This is achieved by designating a proxy 

parent host and the port on which it communicates. 

Notes: 

• In many cases, it will be desirable to disable iPrism’s DNS functionality 

when iPrism is using a parent proxy. (See “Changing the Name Server 

Configuration” on page 193.) 

• The parent proxy feature only works when the users are using the iPrism 

in proxy mode. In other words, they must configure their browsers to use 

the iPrism as a proxy. The parent proxy setting does not affect transparent 

mode. 


Make sure that iPrism is able to connect to the proxy server before 

performing this procedure. 

1. Start the System Configuration tool. 

2. Select the System section and click the Proxy tab (see Figure 78). 


201


FIGURE 78. System Proxy Settings 

3. In the Parent Proxy frame, check Slave To. 

4. Enter the IP address or host name (e.g. domainname.com) of the parent 

proxy server in the text box above the Port field. 

Note: It is actually advantageous to use IP addresses instead of host 

names. Hostnames will not work if DNS is disabled. 

5. In the Port field, enter the port number for the parent proxy. 

202 

6. In the Direct Connection To field, enter any domains to which direct 

(i.e., non-slaved) connections should be made (e.g., anotherdoiPrism 

Administration Guide

Using a Proxy for Filter and System Updates 

main.com). Enter one domain name per line. You may want to use this 

for your own domain’s website or for Intranet sites. 

7. If you want to completely disable iPrism’s DNS functionality, check the 

Disable DNS checkbox. 

Note: The only time you should disable DNS functionality is when 

iPrism is configured to use a slave proxy server. Email functionality in 

iPrism will NOT work if DNS functionality is disabled. 

8. To save your new configuration, click Exit, then Save & Exit. 

Using a Proxy for Filter and System Updates 

You can configure a proxy server to handle iPrism’s communications with 

St. Bernard Software’s update servers. There are several variations available 

depending on whether you are using a parent proxy. 


2. Select the System section, then the Proxy tab (see Figure 78). 

3. In the Filter List / System Update Proxy frame, select the appropriate 

radio button option, and configure as necessary. 

• None. When you choose this option, iPrism can access external 

HTTP servers directly and does not use a parent proxy. This is the 

default setting. 

• Same as parent port. When you choose this option, iPrism will use 

the parent proxy you configured for all HTTP traffic in the Parent 

Proxy frame (if applicable). If you use a parent caching proxy for 

HTTP traffic and you want it to also be used for traffic to St. Bernard 

Software's upgrade server, select this option. 

• Custom. Choose this option if you want the traffic to St. Bernard 

Software's servers to use a different proxy. Configure the proxy here, 

using the fields in the Settings frame. You will need to indicate the 

location of the proxy using the Host and Port fields. You can also 


203


specify a username and a password if the parent proxy requires user 

authentication. 

4. If you want to change your Proxy settings back to the way they were 

before you started editing, click Reset. 

5. To save your new configuration, click Exit, then Save & Exit. 

Changing iPrism’s Port Assignments 

Depending on how you deploy iPrism in your network, it may be necessary 

to change the port setting(s) that iPrism uses to listen to proxy requests, 

access the configuration program, and proxy to non-standard secure ports. 

These settings are made from iPrism’s Ports tab, located in the System 

section (see Figure 79). 

Changing iPrism’s Proxy Port 


2. Select the System section, then the Ports tab (see Figure 79). 

204 


Changing iPrism’s Port Assignments 

FIGURE 79. System Ports Screen 

3. In the Ports frame, make the desired changes to the Port settings. 

• Proxy Port. The Proxy Port is the TCP port that iPrism uses to listen 

for proxy requests. In general, you would only want to change this 

when you are using iPrism as a direct proxy, that is, when the 

browsers are configured to use iPrism as their proxy. The default 

Proxy Port is 3128. 

• Configuration Port. The Configuration Port is the port used to 

access iPrism's configuration tools. The port can be any value 

between 1 and 65,535 but cannot be the same as the Proxy Port. 


205


After changing the configuration port, you will be able to access the 

iPrism configuration tools via your web browser by entering the following 

type of URL: 

http://[iprism IP address]:[configuration port] 

For example: http://iprism.yourdomain.com:8080 

Note: When the default port value (80) is used, you do not need 

to specify the port value in the URL. 

4. Click Exit, then Save & Exit to save your changes. 

Transparent Mode Redirected Ports 

Redirect ports are ports that iPrism will filter in transparent proxy mode. By 

default, iPrism will only filter port 80 traffic, but more ports can be added 

here. Traffic on the ports configured here should be HTTP only. 

Adding Other Redirected Ports 



3. In the Redirected Ports frame, click Add. 

4. In the Adding item frame, enter the number of the secured port that you 

want to add in the Port field. 

5. Click OK. 

6. Repeat steps 3 – 5 for each port you want to add. 


Secured Site Access (HTTPs Ports) 

HTTPs Ports are used to proxy to non-standard secure ports for HTTPs. By 

default, iPrism only allows access to secure ports 443 and 563. If you are 

206 


Creating Filter Exceptions 

running in direct mode and you require access to secured sites on other 

ports, you can define them here. 

Adding Other Secured Ports 



3. In the HTTPs Ports frame, click Add. 

4. In the Adding item frame, enter the number of the secured port that you 

want to add in the Port field. 

5. Click OK. 

6. Repeat steps 3 – 5 for each port you want to add. 



iPrism’s goal on your network is to act as a web filter for access to the 

Internet. In fact, this is how it is able to perform its monitoring and blocking 

tasks. However, there may be some addresses for which you do not want 

iPrism to intervene. For example, you may want the iPrism to ignore all 

requests going between local machines. 

Normally your iPrism is used to filter traffic going between your internal 

network and the Internet. Local traffic is not normally routed through the 

iPrism. However, you may encounter a situation in which you have to send 

some internal traffic through the iPrism. Filter exceptions may be used to 

accommodate this situation and give you complete access to your internal 

network. 


207


Note: HTTPS (SSL) traffic on port 443 is now strictly enforced by default. 

If you do not use SSL but do use port 443, either change the application port 

or create a filter exception for the client/server addresses. 

Specifying a Filter Exception 

1. From the iPrism System Configuration tool, select the Access section, 

then the Filter Exceptions tab. 

FIGURE 80. Filter Exceptions 

2. In the Filter Exception List frame, click Add. 

3. In the Name field, type a name for this filtering rule. 

208 



4. The filter can be limited to a specific sending set of machines (the 

Source IP blanks) and a specific set of receiving machines (the Destination 

IP blanks.) Enter a range of IP addresses in the Start and End 

blanks for these two types of addresses. If you wish to filter based on 

only one IP address, type it in both the Start and End fields. 

5. Select the ports you filter in the Ports section. Multiple ports must be 

separated by commas. A range of ports can be specified as well (e.g., 80 

– 120). 

6. The Protocol blanks lets you filter based on whether the protocol is TCP 

or UDP. If you select both TCP and UDP all IP protocols will be 

blocked including ICMP and others. (At least one must be selected.) 

7. The bottom selection list tell the iPrism how you want it to treat this traffic: 

No Filter: Do not filter this traffic at all. 

Block: Block all access for the specified traffic. 

No Authentication: Allow access and do not require the user to authenticate 

themselves for web based accesses. 

NAT (Network Address Translation): This causes the traffic from the 

internal network to be transformed so that the IP address of the sender is 

replaced by the IP address of the iPrism. A reverse translation is done to 

any responses coming back. To the workstation on the internal network, 

the communications look like normal TCP/IP packets. To the outside 

world, they look as they are coming from the iPrism. This setting is good 

if you wish to hide the IP addresses of your internal workstations from 

the Internet. 

No Authentication & NAT: Similar to NAT, only no authentication is 

required. 

8. Select Exit, then Save & Exit to save your changes. 

If there is a conflict between the rules, and multiple actions are possible for 

a given transaction, the following priority list applies: 

1. No Filter 


209


2. Block 

3. NAT (Network Address Translation) 

4. No Authentication 

5. No Authentication & NAT 

For example, if one rule tells the system to block port 80 traffic and another 

tells it to allow it (No filter), the No Filter exception applies. 

Filter rules are displayed in priority order, so the first rule which applies will 

be the one that is used. 

210 


Chapter 9 

Central 

Management 

iPrism’s central management features lets you manage a large set of iPrism 

systems using a single configuration manager. The system works by letting 

you designate a single master system and one or more slave systems. Any 

configuration changes made to the master system will be automatically 

copied by the slaves. 

Before You Begin 

Prior to setting the Configuration Sharing properties, each iPrism (master 

and slaves) should be installed using the Installation Wizard, so as to set the 

networking parameters and the minimum configurations. Once that is done, 

decide which systems should be slaves and which system will be the master. 

There are not specific criteria in the choice of the master; however, you 

must observe the following guidelines. 

• There should be only one master system designated at any given time. 


211

Central Management 

• Other systems need to be set as slaves if they want to participate in 

the configuration sharing. If you do not want them to participate in 

the shared arrangement, you must designate them as standalone units. 

• All communications are implemented over the HTTP protocol. This 

means that master and slave iPrisms should be able to contact 

themselves with HTTP in both directions. This may be done using 

direct connections or an HTTP proxy. This may impact your IP 

filtering configuration if you have a firewall between the master and 

the slave systems. 

• All communications are encrypted so as not to expose your 

configuration to network sniffing. 

Note: The master iPrism will never try to modify the Networking 

configuration of a slave (IP addresses and mask, routes, interface settings) 

because these are unique and/or system dependent. 

Setting up a Master/Slave Arrangement 

There are only two steps to setting up a master/slave arrangement, but you 

must proceed in the following order: 

1. Designate slave unit(s). 

2. Configure the master unit. 

Designating Slave Devices 


2. Select the System section, then the Central Mgmt. tab (see Figure 81). 

212 


FIGURE 81. Central Mgmt. Tab 

3. In the Mode Selection frame, open the Mode dropdown list and choose 

Slave. 


5. Repeat this procedure on each iPrism unit you want to designate as a 

slave. 

Configuring the Master iPrism Server 




213


3. In the Mode Selection frame, open the Mode dropdown list and select 

Master. 

4. In the Connection Timeout field, enter the timeout setting for the Master 

iPrism unit only. When sharing the configuration data, the connection 

timeout is the number of seconds after which the master will fail. The 

default is 5 seconds, which is long enough for most networks; however, 

you can assign a higher value if there is high latency between the master 

and the slaves. 

5. In the Password field, type an alphanumeric password to protect the 

central management settings for this iPrism unit. Reenter the password in 

the Password Confirmation field. 

Note: The Current Config field is an information-only field, which displays 

the current configuration of either the master or of individual 

slaves. 

6. In the Slave Configuration frame, click Add. 

7. In the Adding Item frame, type the IP Address of the first slave device 

in the Address field. 

8. Click OK to add the IP address to the iPrism Systems list. 

9. Repeat steps 5-8 to add other slave units, as necessary. 

10. Save your settings by selecting Exit, then clicking Save & Exit. 

The master iPrism will start sharing its configuration with all the slaves. 

The configuration is sent by the master each time a configuration change 

is made. If a slave can not be reached at this point, the master will retry 

periodically (every 15 minutes). 

Note: It is also possible to force an immediate update of the slaves by 

clicking Force in the Mode Selection frame. 

214 


Adding a Slave to a Shared Configuration 

1. Install the new iPrism system and run its Configuration Wizard. 

2. From the master iPrism system, open the System Configuration tool, 

select the System section, then select the Central Mgmt. tab. and add 

the slave's IP address to the list of the existing slaves. (See “Configuring 

the Master iPrism Server” on page 213). 

Removing a Slave from a Shared Configuration 



3. In the Slave Configuration frame, select the IP Address you want to 

remove in the iPrism Systems list. 

4. Click Delete. The IP Address is removed. 

Changing the Master iPrism Device 

Changing which system is your master is a transparent operation. The only 

case where this is useful is when the original master will be unavailable for 

a long period of time, such as when they are network problems, a hardware 

failure, etc. 

Note: There is one important criteria to take into account for this operation: 

it is important to use a slave with an up-to-date configuration. If you 

chose a slave system that was not reachable by the master, the shared 

configuration will not be up-to-date. If your iPrism detects that another 

slave has a more recent configuration, you will be prompted for 

confirmation. 

1. Choose which slave should become the new master and start its System 

Configuration tool. 



215


3. In the Mode Selection frame, open the Mode dropdown list and change 

the mode from Slave to Master. 

4. Select Exit, then Save & Exit to save the configuration. 

Forcing Slave Updates 

Normally the configuration on the slaves is updated every time a change is 

made to the master system. (Remember, changes are only applied after you 

exit the configuration tool.) You can update manually by clicking Update 

in the Mode Selection frame. 

Using Standalone Mode with Configuration Sharing 

It is possible to configure a system (master or slave) as a Standalone system 

(this is actually the default configuration when Configuration Sharing is not 

used). Do this by selecting the System section, then the Central Mgmt. tab; 

select Stand Alone from the Mode dropdown list in the Mode Selection 

frame. 

If you reconfigure your master as a standalone iPrism, the slaves will not be 

updated until a new master is chosen and configured. 

216 


System Date and Time 

Chapter 10 


This chapter shows you how to change iPrism’s internal settings and set 

your preferences for common iPrism activities. This includes how to change 

the system date and time, set your update and backup preferences, enter new 

registration information, manage iPrism updates (HotFixes), and change the 

supervisor password. This also includes instructions on how to reset the 

iPrism system if you ever need to perform a “clean install”. 


In iPrism, you can set the system date and time manually, or configure 

iPrism to use the Network Time Protocol (NTP). 

To Manually Set the Date and Time 


2. Select the System section and click the Preferences tab (see Figure 82). 


217


FIGURE 82. System Preferences 

3. In the Current Date frame, make sure the Use NTP checkbox is not 

checked. 

4. Click Set. The Date Editor dialog box opens (see Figure 83). 

218 



FIGURE 83. Date Editor dialog box 

5. To change the date, type the current date in the Date field, using the mm/ 

dd/yyyy format. 

6. To change the time, type the current time in the Time field, using 

hh:mm:ss format. 

iPrism uses a 12-hour clock, so you must select AM or PM from the 

adjacent dropdown list. 

7. In the Time Zone list, select a city that is in your time zone and shares 

the same local variations, such as Daylight Savings Time. (This is usually 

the city that is closest to you geographically.) This list is alphabetized 

by Continent/City. 

8. Click Apply to save your changes. 

Setting the Date to use the Network Time Protocol 


2. Select the System section, then the Preferences tab. 

3. In the Current Date frame, check Use NTP. 

4. Click Set. The NTP server window opens (see Figure 84). 


219


FIGURE 84. Use NTP dialog box 

5. In the NTP Server field, type the IP address of the server that handles 

NTP requests. 

6. Select a city whose time zone matches your own from the Timezone list. 

The list is sorted alphabetically by Continent/City. 

Note: It is still possible to configure the time zone settings using the 

standard zone names (PST, EST, AST, etc.), but by using the time zone 

definitions, the administrator can configure iPrism based on the local differences. 

7. Click Apply. 

Bypass Authentication 

Some tools, such as Microsoft Windows Update, access the Internet without 

authentication. If your iPrism is configured to require authentication, then 

these tools will no longer work. If you select 3rd Party Software Updates, 

then the iPrism will allow connections to third party software update sites 

(i.e. http://update.microsoft.com) without authentication. 

220 


System Updates 


iPrism automatically checks for updates to its filtering database and system 

(software) files once each day. You can disable this function to allow only 

manual updates, or specify the time of day when you want iPrism to run its 

update utility. 6 By default, iPrism is set up to automatically check for 

system updates in the early morning hours, when network traffic is likely to 

be at a minimum. If this is convenient for you, there is no reason to change 

the default setting. 

Filter List Updates 

Filter list updates help to keep your iPrism’s URL database current with the 

constantly updated iGuard database. 

Scheduling Filter List Updates 


2. Select the System section, then the Preferences tab (sse Figure 85). 

6. Disabling automatic updates is not advised. With automatic updates disabled, your system 

will not automatically install critical HotFixes. 


221


FIGURE 85. System Preferences Tab 

3. In the Filter List Update frame, click in the Filter List field and enter 

the time of day that you want iPrism to check for filter updates. iPrism 

uses a 12-hour clock, so you must also specify AM or PM from the adjacent 


4. Make sure Automatic is checked. 

222 

Note: If the Automatic box is already checked and you still are not 

receiving filter updates, then there may be a network problem that preiPrism 

Administration Guide


vents iPrism from downloading the filter list. Contact your network 

administrator. 

5. Save your iPrism configuration by selecting Exit, then Save & Exit. 

Manually Updating the Filter List 

Normally the iPrism system will automatically update the filter list. If for 

some reason the iPrism has been unable to communicate with St. Bernard 

Software for over three days, you may want to update the filter list 

manually. 

You may also be required to update the filter list under the direction of 

technical support. 

To update the filter list manually, complete the following steps: 



3. In the Filter List Updates frame, click ASAP. 

A notice message will display, asking you to confirm your decision, and 

notifying you that the update will take place within 15 minutes. Download 

time will vary depending on network load. 

4. Click OK to confirm the update. 

Checking iPrism’s Filter List Status 

To determine the last time your system received a filter list update: 


2. Select the Reports section, then the Security Log tab. 

3. At the top of the report window, note the filter list age and the configuration 

changes. 

If no update was available the last time iPrism checked, the status will 

read “empty update”. 


223


FIGURE 86. iPrism Security Log 

System Software Updates 

System updates keep your iPrism unit up-to-date with the latest software 

enhancements. 

Scheduling System Updates 



224 



3. In the System Updates frame, select either Automatic, Check only or 

Manual from the dropdown list. To perform an immediate update, click 

ASAP. 

If you have selected Automatic or Check only, enter the time of day 

when you want to update the system. iPrism uses a 12-hour clock, so you 

must also select AM or PM from the adjacent dropdown list. 

Notes: 

• It is recommended that automatic updates be done during the late 

night or early morning hours (e.g., 2:30 AM) when the network load 

is the lightest. 

• Manual updates are not recommended, as the Internet changes on a 

daily basis and St. Bernard is continually updating the filtering 

information. 

• If you want iPrism to check for updates but not install them, select 

Check only. 


Performing an Immediate Update 



3. In the System Updates frame, click ASAP. 

You will be prompted to confirm your decision, and will be notified that 

the update will take place within 15 minutes. Download time will vary 

depending on network load. 

4. Click OK. 


225


Protecting Against DoS Attacks 

A DoS (Denial of Service) attack occurs when a malicious person tries to 

shutdown a system by flooding it with network traffic. Usually the traffic is 

designed to use the maximum amount of system resources; e.g., initiating a 

connection but not finishing the process. (This consumes the memory 

needed to hold the information on the half-open connection.) 

To enable DoS protection, do the following: 



3. In the Network Hardening frame, check Enable DoS Protection. The 

iPrism will now detect DoS attacks and limit the resources that a malicious 

machine can consume on the system. 

Anti-spoof detection 

Spoofing occurs when the name in the URL for a HTTP request does not 

match the IP address for that request; e.g., when http:// 

www.cnn.com/index.html is sent to an IP address owned by 

playboy.com. (One way this can happen is if the user modifies a local hosts 

file.) 

If the Anti-Spoofing feature is enabled, the iPrism will detect spoofing and 

prevent the user from accessing the any blocked pages. 

To enable Anti-Spoofing, do the following: 



3. In the Anti-Spoofing frame, select an option from the dropdown list: 

• Disabled: This will disable iPrism Anti-DNS Spoofing functionality. 

• Check iGuard database only: Check the iPrism’s internal database 

only. This database is updated based on the options you specified in 

“Scheduling Filter List Updates” on page 221. 

226 



• Check iGuard database and DNS Check the IP address being 

requested against the iPrism’s internal database. If it’s not there, 

perform a reverse DNS lookup on the IP address to verify that the 

requested host name and the IP address are consistent. 

Configuring Filter List Failure Options 

Filter Failover Mode determines how iPrism will respond in the event that a 

filter list error occurs and iPrism cannot perform its normal filtering duties. 

Filter failures occur when a filter list fails to download, or when iPrism is 

unable to download a fresh filter list for an extended period of time 

(typically 30 days). 

Note: iPrism will send an email to the administrator’s email address (as 

defined in the Registration tab) if it is unable to download a filter after 

three days. 

To configure filter failover mode, do the following: 



3. In the Filter Failover Mode frame, select an option: 

• Pass Traffic (Unfiltered): This setting allows all Internet traffic to 

pass, as though all categories are allowed access. Users will have full 

access to the web. 

• Block Traffic: This setting effectively blocks all HTTP activity, not 

allowing any web surfing to occur until the problem is resolved and 

the filter list can be updated. If in bridge (transparent) mode, all other 

services will work normally. 

Regardless of the option you choose, the rest of your network will continue 

to work normally if iPrism is not operating. 


227


Backing Up and Restoring iPrism Settings 

Backing Up 

Backing up your iPrism configuration stores all of your settings to a file on 

your local hard drive. If necessary, you can restore your settings from this 

file. 

Note: The data in Backup files are encrypted for security. 

Setting Backup Preferences 

By default, iPrism automatically prompts you, when you exit the System 

Configuration tool, to back up your iPrism system configuration. You can 

change the frequency of the prompts by doing the following: 


2. Select the System section, then the Backups tab (see Figure 87). 

3. To perform an immediate backup, click Backup. 

228 


Backing Up and Restoring iPrism Settings 

FIGURE 87. Backups Tab 

Setting Backup Reminders 

1. To set your backup reminder preferences, select your desired options: 

• Prompt when Exiting: You will be prompted to back up your system 

when you exit an iPrism session. 

• Prompt when Starting: You will be prompted to back up your 

system when you start an iPrism session. 

• Specify the intervals at which you want to be prompted by typing a 

number between 1 and 30, then selecting Days or Sessions next to the 

Every (1-30) field. This is how often you will be prompted to back 

up. For example, if you want to be prompted once a month, enter 30 

and select Days. If you want to be prompted every 10th time you 


229


open/close the iPrism configuration software, enter 10 and select 

Sessions. 

Note: The default setting is to prompt every 6 days when exiting. 


Restoring 

You can restore your iPrism from a local backup or to its original factory 

configuration. 

Restoring your system from a local backup 



3. In the Restore frame, select Restore from backup and click Restore. 

Notes: 

• iPrism v4.0 introduced a new database format. Backups created prior 

to version 4.0 are NOT compatible and cannot be restored. 

• You can backup 4.0 settings and restore them on a 4.1 system. 

However, in general it is not a good idea to change software versions 

between backup and restore. 

Restoring iPrism to its Default (Factory) Configuration 

Restoring the iPrism to its factory settings will clear all user-defined 

configuration information. You should do a backup of your current 

configuration before performing this procedure. (See “Backing Up” on 

page 228). 



3. In the Restore frame, select Restore Factory Configuration. 

Note: This will restore iPrism to its “out of the box” state. All settings, 

including network settings, are lost or set back to their default values. 

230 


Registration Information 

4. Click Restore. 

A dialog box appears to inform you about the ramifications of the choice 

you have made. 

5. Click OK to proceed with the restoration that you selected. If you want 

to cancel this process now, click Cancel. 

If you clicked OK, the iPrism unit will reboot within two minutes, and 

your iPrism session will end. 

When you log into iPrism again, you will be presented with the installation 

wizard, as if you were setting up iPrism for the first time. Refer to 

your iPrism Installation Guide for assistance with this wizard. 


The registration information, which you entered when you initially set up 

iPrism and ran the installation wizard, should only be changed if you are 

updating your iPrism license or changing the iPrism administrator’s 

information. For example, if you are updating your temporary registration 

key to a permanent key, you may need to access these settings.You can also 

change the administrator’s email address here. 

Editing Registration Information 


2. Select the System section, then the Registration tab (see Figure 88). 


231


FIGURE 88. Registration Tab 

3. In the Registration Information frame, make the desired changes: 

• Serial Number: This is unique serial number for your iPrism, which 

can found on the back of the iPrism appliance. The software will 

retrieve the serial number directly from the hardware. This field 

cannot be edited. 

• Key: The field contains your iPrism’s Product key. To complete this 

field, simply upload the key file (included with your iPrism unit, or 

received from your iPrism sales associate) on the same computer that 

the iPrism software is installed. Using the key file (as opposed to 

232 



manually entering this number) ensures that it is entered correctly. 

The Key value is case sensitive. 

Note: If you do not have an iPrism registration key, a message displays 

warning you that filter and system updates will not occur. You 

will receive an email notification from St. Bernard Software, Inc. 

when your filter list is about to expire. 

• Subscription Expiration: Select the month, day, and year that your 

subscription ends. This information was included with your iPrism 

unit or received from your iPrism sales associate, along with the 

Registration key file. You will not be able to receive filter list updates 

from St. Bernard Software’s URL database past this date. 

• Administrator Email: Enter your email address here for notification 

purposes. The iPrism will send status information (e.g., “Your license 

key is about to expire”) and override requests, as well as other 

information, to this email address. 

• Administrator Name. This field identifies the owner of the iPrism 

unit. This field is not currently used by iPrism. 

Note: The other fields on this tab (City, State, Country) are used for 

creating SSL Certificates. See “Using SSL Encryption” on page 233. 


Using SSL Encryption 

In order to provide secure network-level communications during 

authentication and other administrative procedures, a server certificate is 

required on each SSL-enabled web server. This certificate is attached to 

iPrism’s IP address and, once created, should not have to be changed unless 

you change the IP address of your iPrism appliance. 

To create a certificate: 


2. Select the System section, then the Registration tab. 

3. Verify that all of the following fields are completed in the Registration 

tab: 


233


City: Enter the name of the city where your organization is located. 

State: Enter the full name of the state where your organization is located. 

Country: Enter the two-character country code for the country where 

your organization is located. 

Organization: Enter the full name of your company or organization. 

4. Click Create. 

A “Working” dialog box displays while the certificate is being generated, 

and the status line under the Organization field will read “Creating 

a new certificate”. If the certificate is completed successfully, the status 

line will change to “Your certificate is valid”. 

5. Install the SSL Certificate in each browser. 

The first time that end users access an SSL-enabled service on iPrism, 

their web browser will display the certificate information. Users can 

choose to accept the certificate permanently, or only for the current session. 

To avoid being prompted each time, you should install the certificate 

permanently; it will then be valid until the certificate expires. 

Managing iPrism Updates with the HotFix 

Manager 

The HotFix Manager provides a convenient interface for tracking iPrism 

updates and patches (called “HotFixes”). With the HotFix Manager you can 

instantly check for new updates, view available updates, view which ones 

have already been installed, and manually install/uninstall a HotFix. 

The iPrism administrator can access the HotFix Manager from the iPrism’s 

main web page by clicking Manage Selected Appliance, then choosing 

HotFix Manager (under System Admin Tools). After entering the 

username and password, the HotFix Manager interface opens (see 

Figure 89). 

Note: Only the iPrism administrator account (iprism) can access the HotFix 

Manager. 

234 


Managing iPrism Updates with the HotFix Manager 

FIGURE 89. The HotFix Manager Interface 


235


Using the HotFix Manager 

The HotFix Manager functionality is accessible directly from the HotFix 

Manager interface as shown above. The following sections describe the 

different actions that can be performed with the HotFix Manager. 

Viewing Installed HotFixes 

HotFixes that have already been installed are listed in the Installed 

HotFixes list. You can view additional information about an installed 

HotFix by selecting it from this list and clicking Details. 

Viewing Available HotFixes 

HotFixes that have not yet been installed are listed in the Available 

HotFixes list. To view more information about a particular HotFix, select it 

from this list and click Details. 

You can update this list to include the very latest HotFixes by clicking 

Check for new HotFixes. 

Installing a New HotFix 

To install a new HotFix, select it from the Available HotFixes list and click 

Install. If no new HotFixes are available, a message will display; otherwise, 

if there are available HotFixes, the Install HotFixes web page opens. You 

will be prompted to confirm your decision to install that HotFix. 

If the HotFix you selected is dependent upon earlier HotFix(es) that you 

have not installed, then all required HotFixes will be installed automatically 

once you authorize the installation of the new HotFix. 

Note: The same dependency principle applies when uninstalling HotFixes. 

Uninstalling a HotFix on which others are dependent will result in all 

dependent HotFixes being uninstalled. 

To proceed with the installation, click Install HotFixes. Otherwise, click 

Cancel Installation to return to the main HotFix Manager page. 

236 



Uninstalling a HotFix 

Although it is unlikely you will ever need to do this, you can uninstall a 

HotFix if you suspect that it is causing issues with your iPrism. To do this, 

select the HotFix you want to remove from the Installed HotFixes list and 

click Uninstall. 

When the Uninstall HotFixes page appears, verify that this is the HotFix 

you want to remove and click Uninstall HotFixes. 

Note: If you Uninstall a HotFix on which others are dependent, all 

dependent HotFixes will also be uninstalled. 

Checking for New Updates 

By default, iPrism automatically checks for new updates each night, using 

the iPrism System Update settings specified in the System section’s 

Preferences tab, in the System Updates frame (see Figure 90). 


237


FIGURE 90. Preferences Tab 

When the System Updates are set to Automatic, updates will be 

downloaded and any new HotFixes will automatically be listed on the 

Available HotFixes list. 

Note: When Automatic System Updates are enabled, critical updates will be 

installed automatically. 

You can also manually check for new updates at any time directly from the 

HotFix Manager page. To do this, click the Check for new HotFixes 

button. Checking for new HotFixes may take several minutes, during which 

a new page will appear to let you know the status of the process. If no new 

updates are available, a message will indicate that iPrism’s HotFix Database 

is up-to-date. If a new HotFix is found, it is added to the Available 

HotFixes list so you can install it. If a critical HotFix is downloaded and 

238 



iPrism is configured to automatically perform system updates, it will be 

installed for you. 

Viewing the Details of a HotFix 

The details associated with a HotFix include its HotFix ID, Priority, Extra 

Arguments, and a Description as shown in Figure 91 and described below. 

When you have finished viewing the HotFix Details, click Back to HotFix 

Manager to return to the main HotFix Manager page. 

FIGURE 91. HotFix Details Page 

The following information can be found in the HotFix Details page: 

HotFix ID: This is the official version number of the HotFix. 

Priority: This specifies the importance of the HotFix. HotFixes can be 

classified as either critical, optional, or private. 


239


• Critical HotFixes are important HotFixes provided to help resolve 

known issues and to protect your iPrism from known security 

vulnerabilities. It is highly recommended that these always be 

installed. 

Note: When the System Updates are set to Automatic (see page 237), 

critical HotFixes will automatically be installed for you. 

• Optional HotFixes are usually feature enhancements and are 

considered non-vital to the operation of your iPrism. These HotFixes 

are never automatically installed. 

• Private HotFixes must be manually installed. Private HotFixes are 

specific to only your iPrism and are intended to resolve issues 

specific to your iPrism. If your iPrism requires a private HotFix, 

details on installing the HotFix will be given to you by Technical 

Support. 

• Extra Arguments: Some HotFixes will support extra arguments or 

user-supplied options. If the HotFix supports extra arguments, 

information regarding what they do and how to use them will be 

documented in the HotFix’s Description field. You can edit the 

arguments for an installed HotFix by selecting it from the Installed 

HotFixes list and clicking Edit Args. When the HotFix is NOT 

installed, the Extra Arguments field always displays as n/a and the 

user is not allowed to change it. 

• Description: This describes the purpose of the HotFix, such as 

correcting an existing problem or adding additional features. 

Manually Installing a HotFix 

Manual installations are used to install “Private HotFixes”. Private 

HotFixes are those that are specific to your iPrism and are intended to 

resolve issues specific to your iPrism. HotFixes should only be installed 

manually when instructed to do so by Technical Support. 

240 



FIGURE 92. Manually Installing a HotFix 

To manually install a HotFix you must know its ID, which will be given to 

you by Technical Support. 

1. Type the HotFix ID in the HotFix ID field. 

2. If any extra arguments are needed, enter them into the Extra Arguments 

field. 

3. Click Manual Install to install the HotFix. 

Rebooting iPrism 

After installing (or uninstalling) a HotFix, the changes will not take effect 

until you reboot iPrism. You do not have to reboot iPrism right away, just be 

aware that the changes to your system will not take place until you do. 


241


To reboot iPrism, click Reboot iPrism in the HotFix Manager web page. 

You will be prompted to confirm your decision to reboot. After clicking 

Yes, iPrism will be rebooted and will take several minutes to restart. 

Managing Multiple iPrism Units 

This section is intended for administrators who employ several iPrism 

appliances on their network. iPrism units can share configuration 

information with each other, which makes managing them much easier. 

This is achieved by designating one of your iPrism units as the “master” 

unit. You need only make the desired configuration changes on the master 

iPrism and the changes will be automatically applied to the other, dependent 

iPrism systems. 

The following situations demonstrate possible scenarios in which you 

would install multiple iPrisms: 

• As a load-balancing solution, to handle the load of high-bandwidth networks. 

• As part of a fault tolerance solution. 

• If your network configuration has multiple connections to the Internet, 

and filtering needs to be implemented for each one. 

• Each iPrism is running the same version of the software and each has the 

same set of HotFixes installed. 

Configuration Sharing does not feature sharing of the Report Interface and 

the Active Override. Reports should be handled separately for each iPrism. 

When used in a load-balancing environment, an override will only be 

effective if the load balancer can be configured to always use the same 

iPrism for a given workstation. Please refer to your load balancer’s 

documentation and to the technical notes available on the St. Bernard 

Software’s website at www.stbernard.com. 

iPrism in a Load Balancing Environment 

iPrism can be integrated with web traffic load balancers to achieve higher 

throughput and fault tolerance. Visit www.stbernard.com/support/iprism for 

242 


Managing Multiple iPrism Units 

updated white papers regarding specific load-balancer deployments with 



243


244 


Chapter 11 

iPrism System 

Reports 

The iPrism system has an extensive reporting tool designed to give you 

access to event data, as well as the iPrism security, status, build ID, and 

other information through the Reporting section of the System 

Configuration tool. 

Detailed information about the reporting tool is also available in the iPrism 

Reporting Guide. 


245

iPrism System Reports 

Exporting Events Using Syslog 

The reporting tool’s real-time monitor gives you instant access to all 

monitored Web, IM, and P2P events. This is the preferred tool for viewing 

these events. 

The iPrism system can output Web, IM, and P2P events using the syslog 

protocol. In order to use this feature, you will need a system with a syslog 

client running and configured to accept events from an external system. 7 

Syslog is a common UNIX, Linux and FreeBSD communication protocol 

used for communicating system event information. There are also a few 

Microsoft Windows-based syslog clients available. 

To enable event export using syslog, open the System Configuration tool; 

select the Reports section, then the Preferences tab (see Figure ). Type the 

name of the system which will receive the logging information in the 

“Syslog Host” field. 

7. Most UNIX based systems do not accept external connections by default. This is a security 

feature. 

246 



FIGURE 93. Reports Preferences Tab 

Note: The syslog protocol uses UDP datagrams. Events may get dropped by 

the network if the load is high. 

The format of an HTTP access syslog message is described in Table 6. 

Table 6: HTTP access syslog information (Web traffic only) 

Field Name 

Syslog 

header 

Type 

Protocol 

Contents 

Information added by the syslog program (varies 

from client to client) 

WEB (IM and P2P events will use IM or P2P for this 

field. See below.) 

http, https 


247


Table 6: HTTP access syslog information (Web traffic only) 

Field Name 

Time 

Action 

IP 

Profile 

User 

Bandwidth 

URL 

Rating 

Duration 

Method 

Status 

Contents 

Time of access 

Action taken 

B — Blocked 

P — Passed 

O — Overriden 

I — Override Initiated 

IP address of the system making the request 

Active Profile 

User name 

In bytes 

Url of the request 

Rating of the site (comma separated list of categories) 

Duration calculation estimate 

GET or other HTML method 

Status code for this URL 

Mime 

Mime type 

IM and P2P events contain the information listed in Table 7. 

Table 7: IM and P2P access syslog information 

Field Name 

Syslog 

Header 

Type 

Protocol 

Action 

IP 

Profile 

Contents 

Header added by the syslog client. This varies from system to system. 

IM or P2P 

IM or P2P protocol 

Action takes 

IP Address 

Active Profile 

248 



Table 7: IM and P2P access syslog information 

Field Name 

User 

Application 

Contents 

User name 

Application used 

Determining the Number of Records in the Database 

Information about the number of records in the database, as well as the time 

of the oldest record, can also be found in the Preferences tab (see 

Figure 93). 

Deleting Access Event Records 

There are times when you may wish to purge event data from the machine, 

such as if an iPrism is transferred from one department to another. To delete 

data from the system, select the Reports section, then the Preferences tab 

(see Figure ). 

Click Delete All to delete all of the access event records, or type a date and 

click Delete to delete all the event records occurring before that date. 


249


Audit Log 

The Audit Log tracks changes made to policies, including who made them 

and when. 

FIGURE 94. Audit Log 

250 


iPrism Status 

iPrism Status 

You can view information about the status of your iPrism unit, as well as 

utilization data, in the Reports section’s Status tab (see Figure 95). All 

fields on the Status tab are view-only. 

FIGURE 95. Status tab 

In the System Status frame, you can view the following information: 

• Uptime: The days, hours, and minutes that your iPrism has been continuously 

running. 


251


• System Memory: The amount of system memory that your iPrism is 

consuming while running. 

• Free Memory: The amount of memory (in MB) available on iPrism 

while running. 

• CPU Utilization: The percentage of CPU that your iPrism system is utilizing 

while running. 

In the Raid Status frame, you can see the status of the RAID disk system if 

your iPrism model contains RAID (available on iPrism models 30h, 50h, 

and 100h). 

In the Filtering Status frame, you can view the following information: 

• Web Proxy: Number of URLs processed and blocked for systems using 

the iPrism as a proxy. 

• Bridge: Number of URLs processed and blocked for systems using the 

iPrism in bridge (transparent) mode. 

• Number of Clients: Number of client workstations serviced by iPrism. 

In the Network Utilization frame, you can view the following information: 

• Traffic received (internal interface): Amount of IP traffic (measured in 

bytes, for all protocols) received by the internal interface. 

• Traffic Received (external interface): IP traffic received for the external 

interface, if one is being used (bridge (transparent) mode only). 

• Traffic Received (management interface): IP traffic received by the 

management interface. 

252 


iPrism Security Log 

iPrism Security Log 

iPrism automatically detects and logs security events. This information can 

be viewed in the Reports section’s Security Log tab (see Figure 96). 

FIGURE 96. Security Log tab 

The following security events are logged by iPrism: 

• Each override performed on the system, along with the name of the user 

who performed it and the parameters used (who and what was overridden). 


253


• Any attempt to access the HTTP server from the external interface. 

Access to the Configuration and Report Interfaces are only allowed on 

the internal interface. 

• Any attempt to access Proxy services from the external interface. Access 

to iPrism’s proxy is only allowed on the internal interface. 

• Any attempt to access configuration services from the external interface. 

Access to the configuration services (used by the interface) is only 

allowed on the internal interface. 

• Any attempt to access console services (telnet) from the external interface. 

• If an attempt is made to access the iPrism internal web server from the 

outside, it will generate an event in the security log. Systems listed in the 

co-management list are allowed to access the internal web server. These 

accesses do not generate a security event. 

This log will also show: 

• Date and time of the last filter list update. 

• Date and time of the last configuration changes. 

• Date and time of the last backup. 

• The date and time of the last reporting database maintenance operation. 

• The date and time each emailed report was sent. 

254 


About iPrism Tab 

About iPrism Tab 

The Reports section’s About tab displays version information about your 

iPrism software, as well as the model numbers and serial numbers of your 

iPrism appliance. Contact information for St. Bernard software can also be 

found here. 

FIGURE 97. About tab in the Reports menu 


255


256 


Chapter 12 

The Filter Manager 

This chapter describes how to use iPrism’s Filter Manager utility, accessed 

by clicking the Block/Unblock Site link on the iPrism Main Menu 

(Figure 98). This will take you to the Filter Manager (Figure 99), which 

allows you to perform the following functions: 

• Automatically submit unrated, frequently accessed URLs to iGuard 

for rating and review, and manually rate URLs that cannot 

automatically be determined by iGuard. 

• Create and edit a custom filter, which can be used to restrict/allow 

access to any website – even those not listed in the URL database. 

• View and process requests from users who have been blocked from a 

website and have submitted access requests to the administrator. 

• Review the websites that have been recently blocked by iPrism and, if 

desired, grant access to them. 

• Check the category rating of URLs in the iPrism database. 


257


FIGURE 98. iPrism Main Menu - Administrator 

258 


Automatically Rating Unrated URLs 

FIGURE 99. Filter Manager 


iGuard allows iPrism to automatically rate unrated, frequently accessed 

URLs. After a period of seven (7) days the top 100 currently unrated, 

frequently accessed URLs for a given iPrism are sent to iGuard for rating. 

You can opt to get an email message when the list of sites is sent and when 

the rating is complete (see “Sending Unrated Sites to iGuard for Rating” on 

page 260), which normally occurs within a few days. You can also view 


259


those sites that could not be rated automatically and rate them manually. 

The number of sites listed and the need to manually submit URLs for 

review or inclusion should decline with the frequent and consistent use of 

the iGuard rating function. 

Notes: 

• The capability to send unrated sites to iGuard can also be enabled during 

the iPrism installation process. Refer to the iPrism Installation Guide for 

detailed instructions. 

• If the total number of unrated sites is less than 100, all of them are sent to 

iGuard. 

Sending Unrated Sites to iGuard for Rating 

1. From iPrism’s main web page, click Block/Unblock Site. 

2. When prompted to log in, type your administrator username and password 

and click Login. 

Note: If iPrism is joined to an domain, choose LOCAL from 

the domain list. 

3. From the Filter Manager page (see Figure 99 on page 259), click Send 

unrated sites to iGuard. 

4. From the Send unrated sites to iGuard page (Figure ), select the options 

you want. You can elect whether to be notified via email here. 

• The Admin E-Mail Address is the default and automatically displays 

the iPrism administrator’s email address. 

• To have notifications sent to a different email, select Custom E-Mail 

Address and type the email address. 

A list of URLs automatically sent to iGuard for rating is sent, via 

email, to the iPrism administrator or the custom email address specified. 

Within a few days the sites are rated and an email is sent indicating 

the iGuard rating response. 

260 



FIGURE 100. Send Unrated Sites to iGuard 

5. To save the settings and exit, click Save Settings. To exit without saving, 

click Cancel. 

Manually Rating Unrated URLs from iGuard 

Some URLs may not be ratable by iGuard, such as private/internal websites 

or websites that require a login. Such URLs can be rated manually. 

1. Click the “here” hyperlink (see Figure 101) and manually rate URLs 

that iGuard was unable to rate. A list of current URLs that are un-ratable 

by iGuard appears (see Figure 102). 


261


FIGURE 101. Hyperlink to iGuard 

FIGURE 102. Unrated URLs 

2. Select one or more locations to rate, then click Re-rate Selected. A 

Select Categories page appears (Figure 103). 

262 



FIGURE 103. Select Categories 

3. Select one or more categories that apply to all of the selected locations. 

(See Appendix A for category definitions.) Click Next to proceed. 

4. A list of the categorized URLs is displayed in the Confirm Re-rating 

Unratable URLs page (Figure 104). To make any changes, click Back 

to return to the Current URLs un-ratable by iGuard page. Otherwise, 

click Finish to proceed. 

5. The Current Filters page displays (Figure 105). Click Finish if you are 

done, or to re-rate items, click Cancel to return to the previous page. 


263


FIGURE 104. Confirmation page 

264 



FIGURE 105. Current Filters page 

Modifying URLs 

• To search for a current URL and its settings, type the search string in 

the Match Location field and click Search. 

• To change the sort order, click the triangle next to the Location or 

Rating column. The filters will be sorted according to the selected 

column. Clicking twice on a column will reverse the sort order. 

• To edit a location on the list, click the Edit link next to the location. 

The Advanced Filter Settings page displays (see Figure 109). Click 

Next to proceed to the Select Categories page (Figure 103) or Clear 

to reset the page to the default settings. 


265


• To remove URLs from the Location list and return them to the list of 

iGuard unratable sites, select the checkbox next to the location(s) to 

be returned. Click Delete Selected. The site(s) will remain on the 

iGuard unratable list. 

6. To submit the sites to St. Bernard Software with their new manual rating 

for inclusion in the filtering database, check the checkbox next to the 

URLs you wish to submit and click Submit Selected to St. Bernard 

Software. A confirmation page is displayed. Click Send, or if you want 

to cancel this process, click Cancel. 

Custom Filters 

Custom Filters allow you to locally change the category rating of any 

website. This can be used to block access to an offensive website that may 

not yet be listed in iPrism’s URL database, or to provide access to a website 

that would otherwise be blocked. An understanding of how custom filters 

and iPrism’s local categories work together will bring some powerful 

capabilities to your iPrism experience. For more information, see: 

• “Changing a URL’s Rating with Custom Filters” on page 112 

• “Controlling URLs with Locally Defined Categories” on page 112 

Custom Filter Management 

When creating custom filters, accuracy and organization count. You can 

verify that you have the correct URL by copying the URL from your 

browser to the URL field in the Filter Manager. 

Note: Do not create multiple filter exceptions for the same URL, as the first 

matching URL in the custom filter list will be used by iPrism. For instance, 

if you create a custom filter that identifies http://www.playboy.com 

as “online shopping” and later add a filter that identifies it as “adult 

content”, iPrism will treat it as “online shopping”. 

266 



Creating a Custom Filter 

1. From the main iPrism web page, click Block/Unblock Site. 

2. When prompted to log in, enter your administrator username and password 


Note: If iPrism is joined to an domain, choose LOCAL from 

the domain list. 

3. When the Filter Manager page appears, click the Block/Unblock Site 

(Create a filter) link. 

4. In the Enter Location page, type the URL that you want to block in the 

Location field. 

(For example: http://www.blockthissite.com.) 

5. Click Next to go to the Select Rating page (Figure 106). 


267


FIGURE 106. Select Rating page 

6. In the Select Rating page, assign this site to one of the filter categories 

by clicking the appropriate radio button: 

• Allow Access (rating: local allow): Allows all users to access this 

site. This changes the URLs rating to include the Local Allow 

category, which is not blocked in any ACL (by default), and overrides 

any other category ratings that may otherwise block access. 

• Deny Access (rating:local deny): Denies all users access to this 

URL. It changes the URLs rating to include the Local Deny category, 

which is blocked and monitored in all ACLs (by default). 

Note: Local Deny is blocked and monitored by default in all new 

ACLs. 

• Select Categories: Use this option to assign this URL to a specific 

filtering category (e.g., adult, business, finance, etc.). When you click 

Next, you will be presented a category list where you can select 

which categories you want to add to this site’s rating. 

7. When you have checked the categories you want to assign, click Next. 

The Create Filter page displays with the URL and category selections 

you have made (see Figure •). 

Note: If you feel that the website you filtered should be part of St. Bernard’s 

standard URL database, check the box on this page. The URL will 

be reviewed by St. Bernard’s web analysts and, if appropriate, assigned 

to an existing category in the database. This addition will usually 

become available within 24 hours, after iPrism is updated. 

268 



FIGURE 107. Create Filter 

8. Click Finish to return to the main Filter Manager page. 

9. At the very top of the main page, click the Save Changes link. After a 

few moments, you should be notified that the save was successful and 

that the changes will be applied shortly. 

Editing or Removing a Custom Filter 

1. From the main iPrism web page click Block/Unblock Site. 

2. When prompted to log in, type your administrator username and password, 

then click Log in. 

3. From the Filter Manager page, click the View and Edit Custom Filters 

link. The Custom Filters page displays, listing all of the custom filters 

you have created (see Figure 108). 


269


FIGURE 108. Current Filters page 

4. To search the locations, type the search string in the Match Location 

field and click Search. 

5. To change the sort order, click the triangle next to the Location or Rating 

column. The filters will be sorted according to the selected column. 

Clicking twice on a column will reverse the sort order. 

6. To delete one or more filters, check the box next to each URL you want 

to remove and click Delete Selected. 

270 



7. To submit the selected site to St. Bernard Software for review and possible 

inclusion in the filtering database, select the checkbox next to the 

URL you wish to submit and click Submit Selected to St. Bernard 

Software. 

8. To edit an entry, locate a URL that you want to edit, then click Edit. The 

Advanced Filter Creation page displays (see Figure 109). 

FIGURE 109. Advanced Filter Creation page 

9. In the Location field, type the location (the beginning of the URL) to be 

blocked. This can be a simple url such as http://www.playboy.com 

or it can contain a wildcard such as http://*.playboy.com. 

In the second case, the wildcard causes the location to match 


271


all sites which end in playboy.com. You can also include a path in the 

location such as http://www.playboy.com/images. 

The wildcard character can be used in any place in the Location. For 

example: 

*://www.playboy.com: No access is allowed to www.playboy.com no 

matter what protocol is used. 

*://*.playboy.com: No access to any playboy site is allowed no matter 

what protocol is used. 

10. In the File Mask section, you can select specific types of media that will 

be denied from blocked sites. For instance, if you select the Images 

option, the .jpg and .gif graphics on the blocked website will not display, 

but all other content (such as text) will be available, even though the 

site’s category is blocked in the ACL. To use this, the site’s category 

must be designated as “blocked”, otherwise all content on the site will 

display. 

The wildcard character (*) can be used to match zero or more characters; 

e.g., “*.jpg” matches all files which end in “.jpg”. 

For the purposes of seeing if this filter matches, the Location is matched 

against the beginning of the URL and the File Mask is matched against 

the end. 

11. In the Rating section, you can change the site’s rating or change its current 

category designation: 

• To allow all users access to this site, select Allow Access. This 

assigns the URL to the Local Allow category, which is not blocked 

on any ACL (by default). 

• To deny all users access to this URL, select Deny Access. This 

assigns the URL to the Local Deny category, which is blocked on all 

ACLs (by default). 

• To change or alter which category this site is assigned to, select Select 

Categories, then Submit Filter. You will be presented with the 

Select Categories page, where you can select the categories with 

which you want this site to be associated. 

272 


Import / Export Custom Filters 

12. In the Confirm Filter Creation page, review the settings for the custom 

filter and click Confirm. 

13. At the top of the main page, click Save Changes. 


You can save a list of custom filters by exporting them. This list then can be 

imported into iPrism at a later time. 

Exporting Custom Filters 

1. From the iPrism main web page, click Import / Export Custom Filters. 

2. The Import / Export screen is displayed (Figure 110). 


273


FIGURE 110. Import/Export Filters 

3. Click Export File. A dialog will appear which allows you to specify the 

name of the export file. 

Import / Export File Format 

The custom filter list information is stored in text format. A typical custom 

filter list looks like: 

* http://*.playboy.com * la 

+ http://*.sex.com * pfs,j/emp,cpm,bshp 

* http://*.whitehouse.gov *.jpg,*.gif la 

Each line consists of four fields separated by white space (any number of 

spaces or tabs). 

Note: The text file uses as its end-of-line 

separator. This is the Microsoft Windows standard line terminator. UNIX, 

Linux, and Macintosh use different conventions. If you use these systems, 

make sure your text editor can handle the line termination properly. 

1. The first field indicates whether or not this is a “final filter”. Entries 

which begin with an * are considered final, while entries which start with 

+ are not. 

2. The next field contains the URL (with wildcards) for this filter. 

3. This is followed by the specification of the file types to be blocked. An 

entry of * blocks all files. An entry such as *.jpg,*.png blocks all files 

with the .jpg and .png extensions. 

4. The fourth and final field specifies the short category names for this 

entry. For example, the entry for “playboy.com” is in the single category 

la (Local Allow) while “sex.com” is in four different categories. 

A list of categories is available through the iPrism online help system (see 

http:///help/categories.html). 

274 



Importing Custom Filters 

1. From the main iPrism web page, click the Import / Export Custom Filters 

link. 

2. The Import / Export screen is displayed (see Figure 110). 

3. Type the name of the file you wish to import in the File to Import field, 

or click Browse to locate the file. 

4. Click Import File to import the file. 

5. The system displays a screen showing the number of filters successfully 

imported (Figure 111). 


275


FIGURE 111. Import Completion Screen 

Pending Access Requests 

When a user requests access to a blocked web page, it goes into a pending 

request queue. These can be viewed from the iPrism web interface. 

Reviewing Access Requests 

1. From the main iPrism web page, click the Block/Unblock Site link. 

2. When prompted to log in, type your administrator username and password, 

then click the Login. 

3. When the Filter Manager page displays, click View pending requests. 

The Pending Requests page displays, listing all of the requests that have 

been sent (see Figure 112). 

Each request row shows the URL to which the user wants to gain access, 

the type of request, the user’s name (if authentication is used), and the 

comments the user provided. 

276 



FIGURE 112. Pending Requests page 

4. Review each request, then check the checkbox next to each request (or 

check Select All to select all requests) and click the appropriate link in 

the Action column: 

• Grant Selected: Gives the user access to the requested site. Granted 

requests are handled differently depending on whether or not 

partitioning is enabled on your iPrism: 

If partitioning is not enabled, then the effect of granting a request 

depends on the Grant pending request preference in the filter manager 

options. If the option is to grant access using a custom filter, 

then granting access creates a custom filter that assigns the site to the 

'local allow' category. With this filter in place, all users will have 

access to the specified site (not just the user who requested it). This 

filter remains in effect until you manually edit it from the Filter Manager 

'View and Edit custom Filters' page (See “Editing or Removing a 


277


Custom Filter” on page 269). If the option is to grant access using 

overrides, then granting access to the site will create an override with 

unlimited duration. You can delete this unlimited override in both the 

configuration UI or in the View and Delete recently overridden 

pages in the Filter Manager. 

If partitioning is enabled, then the effect of granting a request 

depends on the privilege of the administrator who is granting the 

request. If the administrator is a Delegated Administrator (DA) 

of the partition where the request originated, then an override of that 

site will be created with an unlimited duration. This override will 

apply only to users belonging to the same partition as the user whose 

request was granted. In this case granted requests can be viewed or 

deleted along with other overrides in the Filter Manager View and 

Delete recently overridden pages page. A given override will be 

visible to the delegated administrator of the same partition as the user 

whose request was granted, as well as to the Global Policy Administrator 

and to the super user (iPrism account). If the administrator 

granting the request has global filter manager privileges (super 

user, global policy admin (GPA), or user with filter manager privileges), 

then the effect of granting the request will depend on the 

Grant pending request preference setting in the filter manager 

options, as described in the previous section. 

• Deny Selected. The site remains blocked to this user. No changes are 

made to the site’s filtering. 

• Edit Request. Opens the Advanced Filter Creation page where you 

can manually make changes to the URLs filter settings. (See 

Figure 109 on page 271) 

Use the options in the Rating section to change the site’s category 

rating, which affects all users. You can also use the Select Categories 

option to manually change the site’s category designation. 

Use the options in the File Mask section to “mask out” certain types 

of content. For example, you can prevent the user from being able to 

view images, movies, music, or other file types that you specify. To 

apply a file mask, the URL must be designated as “blocked”. When a 

mask is applied, the user will be able to see everything else on the site 

except what has been masked. 

278 



To apply the filtering changes you made, click Submit Filter. If you 

chose the Select Categories option, the Select Categories page will 

display so you can choose the new filter categories for this site. Click 

Next when you are finished. 

5. When the Confirm Grant Request page displays (See Figure 113), 

review your decision and then click the appropriate button to confirm it. 

Depending on the option you chose, one of three buttons will be available: 

Grant, Deny, or Confirm. 

You are returned to the Pending Requests page so you can review the 

remaining requests. 


279


FIGURE 113. Confirm Grant Request 

Unblocking Blocked and Overridden Pages 

As an administrator, you may find yourself in a situation where you are 

getting pummelled with access requests, all pertaining to one or more 

websites. In this situation, rather than dealing with each request 

individually, you may just choose to unblock the page(s) in question so that 

everyone can view it. 

iPrism has built in functionality that lets you review all of the blocked sites 

that have recently had hits (access attempts) on them, and then unblock 

those sites as desired. There is also a similar utility that lets you do the same 

thing for overridden pages. That is, if there is a blocked web page that is 

being frequently accessed by users with override privileges, you can 

280 



unblock the page so it can be accessed by everyone — without going 

through the override process. 

For information about how to enable Overrides in iPrism, see “Using 

Override Privileges” on page 99. 

Unblocking Recently Blocked Pages 


You must be an iPrism administrator in order to access the Block/ 

Unblock Site interface. 

2. When prompted to login, enter your username and password, then click 

Login. 

3. From the Filter Manager page, click the Create filters for recently 

blocked pages link. The Recent Blocks page displays (see Figure 114). 

4. The table lists all the websites that have been blocked in chronological 

order, and the users who tried to access them. Each site’s current category 

rating is also shown. To unblock a site, click the Allow Access link. 

The site’s rating is changed to ‘local allow’ and you are returned to the 

main Filter Manager page. 

If you want to deny access to this site again, you must remove the filter 

you just created. See “Editing or Removing a Custom Filter” on 

page 269. 


281


FIGURE 114. Recent Blocks page 

Unblocking Recently Overridden Pages 




3. From the main Filter Manager page, click the Unblock recently overridden 

pages link. The Current Overrides page displays (see 

Figure 115). 

This table lists all the websites that have been recently blocked, but then 

accessed using override privileges. It also shows information about the 

user who granted the override and which categories were overridden. 

282 



FIGURE 115. Current Overrides page 

4. To unblock a site in this list, just click the Allow Access link, located in 

the right-most column. 

Note: Remember that you are unblocking this site for all users, not just 

the user(s) that tried to access it. 

The site’s rating is changed to ‘local allow’ and you are returned to the 

main Filter Manager page. 

If you want to deny access to this site again, you must remove the filter 

you just created. (See “Editing or Removing a Custom Filter” on 

page 269.) 


283


Viewing and Deleting Current IP-Host Map 

Entries 

Spoofing occurs when the host name of HTTP request is different from the 

IP address in the request. In other words, if the HTTP request says 

“www.yahoo.com” and connects to the IP address of “www.sex.com”, the 

iPrism spoofing detector is triggered if spoof detection is enabled. 

If spoof detection is enabled, the user is directed to a blocked page and may, 

depending on his/her profile, be able to override the block. 

If this override is successful, the host name of the request and the IP address 

of where the request really went are added to the IP-Host map. 

The IP-Host Map page shows a list of the names (good sites) and the 

spoofed IP addresses they connected to (bad sites). The controls allow the 

administrator to delete one or more entries from this list. 

To view and delete current IP-Host Map Entries 

1. From the main iPrism web page, click View and Delete current IP- 

Host Map Entries. 



3. The Current IP-Host Map page appears with a list of the current 

entries. 

4. To delete an entry, select the entry and click Delete. 

284 


Checking Site Ratings 

Checking Site Ratings 

A website’s rating determines whether or not it will be blocked by the active 

filtering profile. All of the websites included in iPrism’s URL database have 

a “site rating” based on their content. For example, a political website 

would have a rating that included the category “Politics”, and potentially 

other categories as well. If the current profile in iPrism is set to block sites 

in the “Politics” category, then this site would be blocked when someone 

tries to access it. A simple way to check the category rating of any website 

is to do the following: 

1. From the Filter Manager main page, click Check Site Ratings. 

2. In the Enter Site Location page, type the full URL of the website whose 

ratings you want to check. 

Note: This shows you only how the site is rated in iPrism’s database, and 

not in any custom filters you may have created for that site. 

Checking a Site’s Rating 

1. From the main web page in iPrism, click the Block/Unblock Site button. 

2. When prompted to log in, enter your username and password. 

3. In the Filter Manager page, click the Check Site Ratings link. 

4. In the Location field, type the full URL of the site you want to check 

and click Next (see Figure 116). 

5. The Site Ratings page appears with any ratings assigned the given website. 


285


FIGURE 116. Site Ratings page 

6. To perform another check, click New Check. 

286 


Filter Manager Options 


To modify Filter Manager Options, click the Options link from the main 

Filter Manager page. The Options page appears as shown in Figure 117. 

FIGURE 117. Filter Manager Options 


287


Timeout: The amount of idle time (in minutes) before a override request 

session times out. 

Font Size: The size of the font to be used in the override request reports. 

Report Lines: The number of lines to be displayed in each override request 

report page. 

E-Mail Address: If set, override requests will be sent to this email address. 

By default, this is the email address of the iPrism administrator. (This 

option is only available under the iprism account.) 

E-Mail Preference: By default, an email will be sent for each request. If 

this is set to Daily Consolidation, one email containing all requests will be 

sent each day. 

Daily Request Limit: The maximum number of requests that can be made 

by all users in a given day. (This option is only available under the iprism 

account.) 

Assigned Categories - Allow 

Assigned Categories - Deny 

For both of these fields, you can select the default categories used by the 

system when creating a filter to unblock a URL (Allow) or to block a URL 

(Deny). The default settings (‘local allow’ and ‘local deny’) are 

recommended unless you always use the same categories when adding a 

filter. Administrators can always override the default category when 

creating the filter. (This option is only available under the iprism account.) 

Grant Pending Request Preference: In previous versions of iPrism, when 

access is granted for a specific URL, a custom filter is created and the URL 

is rated as local ratings, such as ‘local allow’. If you use an override to grant 

access, the outcome is not the same. The URL keeps its original rating 

provided by St. Bernard Software, but the Blocked action is overridden and 

the URL request goes through. This enables you to see the original rating of 

the URL for reporting purposes. The difference is invisible to the end user. 

If you have partitions enabled, the Delegated Partition Administrator can 

only use an override to grant access. 

Local Category Descriptions: Each of the local categories may be given 

a unique description. These descriptions will be displayed on the 

category selection panels that exist in the Filter Manager, 

Configuration Manager, and Reports. 

288 



7. To apply these settings, click Save Settings. To discard the settings, 

click Cancel. 


289


290 


Partitions 

Chapter 13 

Partitions and 

Delegation 

Through the use of partitions and delegation, multiple users can have 

administrative rights (with limits) in iPrism. 

Partitions 

Creating partitions enables you to divide the iPrism into smaller sections 

(partitions) that you can delegate to different administrators. Then, each of 

these administrators can independently manage the web filtering policies of 

their own partition. 

Partitioning can be done by network or by group. Creating partitions by 

network is based on IP address ranges. There is no overlap allowed in this 

type of partition. If your organization uses Windows Active Directory or 

LDAP directory, partitions can be created based on user groups. This 

enables different administrators to manage policies for different groups of 

users. Fine-tuned profile mapping can be created within the partition. It is 


291

Partitions and Delegation 

possible for the user to belong to multiple groups. To resolve which 

partition the user belongs to, the partitions are ordered. The first partition 

the user matches decides the web access profile to which the user is 

assigned. Group partitions are authenticated against the active directory for 

both LDAP and NTLM. It can also use LDAP authentication against any 

LDAP server. 

Setting up Partitions 


then select the Local tab (see Figure 118). 

2. Click Add beneath the iPrism Users frame. 

FIGURE 118. Partitions 

The Partitions tab allows you to view, add, delete or modify partitions.The 

Partitions window consists of the following sections: 

• Partition Type 

292 


Partitions 

• Partitions 

• Viewing 

Partition Type 

Before you start to partition iPrism, decide what type of partitions there 

should be. There are three options: to partition by network ranges, to 

partition by groups, or to not partition your iPrism. In this field, select 

either: 

• None: By default, None is selected. iPrism is not partitioned, and iPrism 

behaves as in version 4.2 or older. 

Caution: If partitions have already been defined, selecting this option 

deletes all partitions. 

• by Network: Partitions are created by network ranges (IP addresses). 

• by Group: Partitions are created by NTLM or LDAP groups. 

Partitions 

This section contains a list of the currently defined partitions. Select an 

entry to display the partition’s information in the Viewing window to the 

right. 

The Add button creates a new partition and enables the partition data to be 

edited in the Viewing window. The Delete button deletes the selected 

partition. 

Viewing 

This window enables you to view or modify the settings of the selected 

partition and change its attributes. 

1. In the Name field, enter the partition’s name. Names should be between 

1 and 16 characters long and only contain alpha-numeric characters or 

underscores (_). Names cannot contain spaces. 

2. In the Description field, enter the description of the partition. These 

comments are not used by iPrism. 


293


3. In the IP Start field, enter the starting IP address for the partition, if the 

partition is by Network. If it is a partition by Group, this field is not displayed. 

4. In the IP End field, enter the ending IP address for the partition, if the 

partition is by Network. If it is a partition by Group, this field is not displayed. 

5. If the partition is by group, and Windows authentication is enabled, the 

Domain setting is needed. The Domain is either the Windows domain, 

all trusted domains, or the wildcard (*). The Domain and the Group 

(next field) combine to fully define the partition. If this partition uses 

LDAP authentication, this setting is not displayed. 

6. If the partition is by Group, enter the Windows or LDAP group name. If 

this is a network-based partition, this setting is not displayed. 

Note: For Windows authentication, the domain comes from the 

Domain selector - do not enter the domain here. 

7. The Web Profile field displays global profiles. Global profiles are created 

by the Super User iPrism account or by the Global Policy Administrator 

(GPA) in the Access > Profiles tab. The profiles describe the web 

categories that users can access. When the partition is added, a copy of 

the selected global profile is assigned to the selected partition. The profile 

is granted to users belonging to that partition. 

8. The IM/P2P Profile displays global profiles. Global profiles are created 

by the Super User iPrism account or by the Global Policy Administrator 

(GPA) in the Access > Profiles tab. The profiles describe the IM/P2P 

categories that users can access. When the partition is added, a copy of 

the selected global profile is assigned to the selected partition. The profile 

is granted to the users belonging to that partition. 

9. In the Admin Email field enter the email address of the partition administrator. 

The email address is used by iPrism to send diagnostic information 

about the partition to the administrator. 

294 


Partitions 

10. The Administrator field displays all of the administrators for the current 

partition. 

Note: After a partition is created, initially there are no administrators 

delegated. You have to add administrators for the partition. 

Administrators are assigned to the partition by defining a local 

user or Windows/LDAP group with the role of Delegated Partition 

Administrator (DPA) for this partition. When a partition is 

added, iPrism automatically creates an administrative privilege 

with these rights. The name of this privilege is partition_DA. You 

can use this privilege and assign it to any local users, Windows 

groups, or LDAP groups. To do this go to the Users > Local or 

Users > Privilege Mappings tab. 


295


Delegation 

Delegation allows multiple users to control aspects of iPrism. The available 

roles for delegation are: 

• Super User - this role is the same as in most software programs. There is 

only one Super User in iPrism, and that person, or login, controls all 

iPrism access, configuration, and reporting. Only the user iprism has this 

role. It cannot be delegated. 

• Global Policy Administrator (GPA) - The GPA has the right to log in 

to system configuration tools and administer global filtering policies. 

The GPA can also access reports, filter management, and overrides. Use 

this role to delegate management policies of the entire iPrism to a user. 

• Delegated Partition Administrator (DPA) - The DPA has the right to 

log in to the System Configuration tool to administer the filtering policies 

for the selected partition(s). It also has full access to the reports and 

overrides of the partition(s). This user does not have the right to manage 

custom filters, only the GPA and the Super User (iPrism account) can do 

this. Use this role to delegate the management policies of a partition to a 

different administrator. 

In addition to these administration roles, there are two other roles: 

• iPrism-wide Privileged User - This role assigns specific rights for the 

entire iPrism. For example, with this option, you can create a privilege 

that has full reporting access and overrides for the entire iPrism. 

• Partition-wide Privileged User - This role assigns specific rights for 

the selected partition(s). For example, with this option, you can create a 

privilege that has full reporting access for a specific partition. 

Note: In relation to rights and roles, only the iPrism Super User 

can create custom filters. 

296 


Delegation 

Defining Delegation 

To define delegations, click on the Users icon. 

FIGURE 119. Delegation 

1. To create a new user, click Add. The right side of the window becomes 

active. 

2. In the Name field, type the user’s name, for authentication. The user 

name should be between 1 and 32 characters long and cannot contain 

spaces. 


297


3. In the Password field, type the user’s password. Passwords should be a 

minimum of 4 characters long, and a maximum of 32. The password 

field must match the password confirmation field. 

4. In the Confirm Password field, type the user’s password again. This 

must match the Password field. 

5. In the Notes field, type any comments about the user. This is for your 

own use; the comments are not used by iPrism. 

6. Select a profile in the Profile field. (Profiles are created in the Access > 

Profiles tab.) The profile is given to the user if authentication is enabled. 

If the user moves from one network to another, the profile remains the 

same. 

7. Click View to display details about the currently selected profile. 

8. If you select Use Network, the filtering profile given to the user after 

authentication is inherited from the IP network the user is currently 

accessing. If the user moves to another network, they will be filtered 

according to the profile for the workstation used. Profiles are assigned to 

Networks in the Access section’s Network tab. 

9. In the Admin Privileges field, you can assign local users’ administrative 

privileges: 

• Extended Override: Can override websites for others. 

• Filter Management: Can access the filter manager only. 

• Full Access: Can access reports, filter manager, and overrides. 

• Global Policy Admin (GPA): Can log in to the configuration UI to 

set filtering policies, access reports, filter manager, and overrides. 

• No Access: Can only use iPrism as a regular user; has no access to 

administrative functions. 

• Reports Only: Can only run reports. 

• Single Override: Can override single web pages for the specific 

workstation. 

10. Click Edit/Add to create or edit a set of administrative privileges. 

298 


Delegation 

When the parameters for the user have been entered, click OK. The user 

displays in the iPrism Users section of the window. 

To delete a user, select the user from the iPrism Users section, and click 

Delete. 

Setting Administrator Privileges 

By clicking Edit/Add, you can assign other Administrative Profiles to a 

user, including: Global Policy Administrator, Delegated Partition 

Administrator, iPrism-wide Privileged User, and Partition-wide Partition 

User. 

To assign one of these profiles to a user, select the Administrative Profile 

from the Administrative Profile dropdown menu. Or, to add a new profile, 

click Add. 


299


FIGURE 120. Administrative Profiles 

300 


Delegation 

1. The Roles section defines the type of role that a user or group will have. 

Each role has some rights. The Global Policy Administrator and Partition 

Delegated Administrator roles are pre-defined. The iPrism-wide and 

Partition-wide Privileged Users roles can be customized. 

• Global Policy Administrator (GPA): The GPA has full management 

rights to manage global policies, including Web/IMP2P profile 

mapping, Lock ACL, and logging in to system configuration tools 

and administer global filtering policies. The GPA can also access 

reports, filter management, and overrides. Use this role to delegate 

management policies of the entire iPrism to a user. 

• Delegated Partition Administrator (DPA): The DPA has the right 

to log in to the system configuration tool to administer the filtering 

policies for the selected partition(s). It also has full access to the 

reports and overrides of the partition(s). This user does not have the 

right to manage custom filters; only the GPA and the Super User 

(iPrism account) can do this. Use this role to delegate the 

management policies of a partition to a different administrator. 

• iPrism-wide Privileged User: This role assigns specific rights for the 

entire iPrism; e.g., you can create a privilege that has full reporting 

access and overrides for the entire iPrism. 

• Partition-wide Privileged User: This role assigns specific rights for 

the selected partition(s); e.g., you can create a privilege that has full 

reporting access for a specific partition. 

2. The Rights - Report Access section defines the access an administrator 

has to reporting. The following options are available: 

• None: No access is allowed to the reporting system. 

• Full: Allows complete access to the reporting system. 

• Access To Profile: Users can only access a specific profile selected 

from the list to the right of this selection. The special profile [User] 

indicates the profile currently assigned to the user. 

• Access To Network Range: Users can only run reports on a limited 

range of IP addresses. The specific addresses are entered using the 

two IP address fields: 


301


Note: Report restrictions are silently applied when the user runs 

reports. For example, if a user is restricted to a given network range, 

all reports contain data for just that network range, even if a larger 

range was specified in the report itself. 

3. The Custom Filters section controls access to the Filter Manager. Select 

None to prevent users from accessing the Filter Manager and Full to 

give them complete access. This right is only available for iPrism-wide 

Privileged Users or Global Policy Administrators. 

4. The Override Privileges section fine-tunes the ability of the user to 

override a blocked request. The options are: 

• Can Not Override: The user can not override any URLs, even for 

themselves. 

• Self Only: The user can create an override for her/himself, but no one 

else. 

• Users As Follows: The user can create overrides for a group of users 

specified in the Users definition section. If Users As Follows is 

selected, the class of users for which the administrator can create 

overrides must be specified. The options are: 

• Current Workstation: The administrator can override URLs 

only for the workstation s/he is currently using. Since the 

overrides exist for a specific time period, the user can log in to 

a workstation, create an override, and log out, allowing 

another user to log in and benefit from the override setting. 

• Current User: The administrator can create an override for 

himself. 

• Current Partition: The administrator can create an override 

for the selected partition(s). This option is available for 

Partition-wide Privileged Users or Delegated Partition 

Administrators only. 

• Network Range: The administrator can create an override for 

a range of IP addresses. The specific addresses are specified in 

the Network section using the IP Start and IP End fields. This 

option is available for iPrism-wide Privileged Users or Global 

Policy Administrators only. 

302 


Delegation 

• Profile: The administrator can create an override for all users 

assigned a specific profile. The special profile [User] indicates 

the profile currently assigned to the administrator. For 

Partition-wide Privileged Users or Delegated Partition 

Administrators, the only available Profile is [User]. 

• Everyone: The administrator has complete override 

capability. 

5. The Contents section defines which URLs can be overridden: 

• Current URL: Only the entire URL can be overridden. 

• Current Path: The path component is the part of the URL which 

appears after the host name. This allows overriding based on a 

specific path, regardless of the host name. 

• Current Domain: The domain name of the host part of the URL. For 

example, the domain for http://www.yahoo.com is yahoo.com. The 

iPrism system is aware of country codes, so the domain for http:// 

www.amazon.co.uk/index.html is amazon.co.uk. 

• Current Category: This option allows the administrator to override 

all users that belong to the category of the URL being requested. 

• All URLs: The user can override any URL. 

6. The Maximum Duration field defines the amount of time an override 

can remain in effect. 

7. Once you have selected the appropriate options for the profile, click OK. 

Or, to cancel the changes, click Cancel. 


303


Managing Policies as a Delegated Partition 

Administrator 

Delegated Partition Administrators (DPAs) see a subsection of the screens 

available to the Super User. The main areas available to a DPA are Users, 

Access, and Reports. 

The options available to the DPA in the Users screen vary, depending on 

what privileges they have been assigned. The DPA in the screen above was 

given Full Access privileges. 

304 


Managing Policies as a Delegated Partition Administrator 

FIGURE 121. DPA Access screen 

The DPA in the screen above has Full Access privileges, giving them access 

to all of the tabs in the Access section of the iPrism 


305


configuration. 

As with the previous screens, the DPA’s view is dependent upon the 

privileges they have been assigned. The DPA in the screen above was given 

reporting access. 

306 


Appendix A 

Filtering 

Categories 

This appendix lists the filtering categories in the iGuard database. This is 

the URL database that iPrism uses to determine a URL’s category 

designation. These are also the categories of content that you can choose to 

block and/or monitor when configuring an Access Control List in iPrism. 

Note: Local categories are not included here; the only categories that are 

included here are those that are determined by the iGuard database. 

The iGuard database is constantly being updated, and the categories are 

subject to change as new and different types of content are encountered. To 

see the very latest list of categories, as well as descriptions of each, you 

should refer to the online resource at: 

http://www.stbernard.com/products/support/iprism/support_iprism-cats.asp 


307

iGuard Site Rating Categories 

Questionable 

Copyright Infringement 

This category refers to sites that offer media, software, MP3, 

DVD movies or any other copyrighted materials that are 

bootlegged or illegally available for purchase or download. This 

category is often blocked to protect iPrism owners from liability 

caused by the download and installation of bootlegged software. 

Note that this category does not refer to sites that are specific to 

computer hacking. 

Examples: 

http://www.bitoogle.com/ 

http://www.mp3search.com/ 

http://www.ugpirates.com/ 

Keywords: 

bootleg, illegal copy, plagiarize software, descrambler, serialz, 

warez, ripped and free MP3, patent, exclusive rights 

Computer Hacking 

This category refers to any site promoting questionable or illegal 

use of equipment and/or software to crack passwords, create 

viruses, gain access to other computers, and so on. This includes 

any site that offers instruction on how to hack as well. This does 

not include legitimate security information sites that are focused 

on the prevention of hacking. 

Examples: 

308 



http://www.2600.com 

http://www.hackersplayground.com/ 

http://www.illegalworld.com/ 

Keywords: 

hacking, crack, toolz, warez, cryptanalysis, virus, password, 

crackz 

Intolerance/Extremism 

This category refers to any site advocating militant activities or 

extremism. This includes groups with extreme political views and 

intolerance to individuals and/or groups based upon 

discriminating or racial distinction. 

Examples: 

http://www.kukluxklan.bz/ 

http://www.stormfront.org 

http://www.godhatesamerica.com/ 

Keywords: 

KKK, skin heads, nazism, fascism, anti-Semitism, homophobia, 

hate speech, totalitarianism, absolutism, anti-gay, discrimination, 

racism, militias, bigotry, prejudice, fanaticism, radicalism 

Miscellaneous Questionable 

This category refers to sites that are considered questionable in 

nature and may involve illegal activities, but do not fall under 

another, more specific “questionable” category. These are sites 

that could contain information about conspiracy, scams or any 

other suspected fraudulent behavior or activity. 

Examples: 

http://www.stopwishing.com/ 


309

http://www.geniuspapers.com 

http://a4a.mahost.org/ 

Keywords: 

anarchy, conspiracy, fraud, illegal, chain letters, pyramid scams, 

essay/term papers for sale 

Profanity 

This category refers to any site that contains profanity of any kind 

that is NOT classified under the SEX category. These are sites 

that have language that would not be permitted in common social 

situations. This may include swearing, blasphemy, vulgarity or 

any dialog with malicious intent. It should be noted that this 

category should also contain sites with language that implies 

profanity like some jokes, poems, letters, greeting cards, etc. 

Examples: 

http://www.tshirthell.com/ 

http://www.eviladam.com 

http://www.wtfpeople.com/ 

Keywords: 

swearing, cursing, vulgarity, strong lyrics, bad language 

Tasteless 

This category refers to sites that contain information on subjects 

such as mutilation, torture, horror, grotesque or any behavior that 

may be considered inappropriate for public audience. This will 

not include pornography, nudity, or sites dealing with sexuality, 

which have their own specific classifications. 

Examples: 

http://www.rotten.com 

310 



http://www.deathgallery.com 

http://www.freakhole.com/ 

Keywords: 

mutilation, horror, grotesque, torture, scat, gross, in bad taste, in 

poor taste, garish, vulgar 

Weapons/Bombs 

This category refers to any site promoting the use of weapons and/ 

or bombs and the making of bombs. This does not include sites 

related to gun control (social issues). 

Examples: 

http://www.gunsamerica.com/ 

http://www.thefiringline.com 

http://www.imperialweapons.com 

Keywords: 

guns, bombs, swords, knives, arms, armaments, artillery, arsenal, 

weaponry, military hardware 

Violence 

This category refers to sites that contain visual representations of 

or invitations to participate in violent acts. This may include war, 

crime, pranks, hazing, etc. A violent act may be considered any 

activity that uses physical force designed to injure another living 

being. 

Examples: 

http://www.fightworld.com 

http://www.fightauthority.com/ 

http://www.whoopasstv.com/ 


311

Keywords: 

war, crime, pranks, hazing, injury, killing, backyard wrestling, 

fighting, hostility, brutality, cruelty, sadism, carnage 

Foreign Language 

This category refers to any site that is exclusively in a language 

other than English. If possible, the site should still be rated by 

subject matter if that is able to be determined. The “foreign 

language” category is strictly internal. It is not sent to our 

customers. When this rating is assigned, the URL is placed in a 

table to be rated again when the Analyst team is expanded to 

include foreign languages. 

Note: In many cases these sites have an “English” link that 

provides a translation of the site allowing an accurate rating. 

Examples: 

http://www.dmi.dk/ 

http://www.hankooki.com/ 

http://www.stchi.com/ 

Society 

Alt/New Age 

This category refers to any site relating to the advocacy and/or 

information pertaining to the occult (i.e. witchcraft, voodoo, black 

arts) astrology, ESP or similar forms of telepathy, fortune telling, 

out-of-body experience, magic, spirituality, and UFOs. Note that 

common horoscopes found in daily newspapers are not a part of 

this category. Any site that relates to new age meditation practices 

or the study of new age principles should be included in this 

category. 

312 



Note: Occult will be defined as anything pertaining to any system 

claiming use or knowledge of secret or supernatural powers or 

agencies. 

Examples: 

http://www.crystalhealing.co.nz/ 

http://www.pandbox.com 

http://wicca.net/ 

Keywords: 

horoscopes, goddesses, witchcraft, voodoo, Wicca, spells, palm 

reading, fortune telling 

Art/Culture 

This category refers to any site relating to the arts or culture. 

Culture includes the beliefs, customs, practices, and social 

behavior of a particular nation or people. The arts include the 

creation of beautiful or thought-provoking works, for example, in 

paintings, pictures, drawings, or writings. Sites falling into this 

category include virtual art galleries, museums, architecture, 

contemporary and fine art. 

Examples: 

http://www.binggallery.com 

http://www.ago.net/ 

http://www.kamat.com/ 

Keywords: 

clip art, museums, galleries, traditions, customs, art gallery, 

contemporary art, fine art, painting, sculpture 

Government 

This category refers to any site that is associated with 

governments and/or their militaries. This includes federal, state, 


313

county, city and local governments as well as any government 

agency. This does not include general information about a 

specific geographical location (state, city, etc) – these sites should 

be classified as Travel. A strong indication is a domain identifier 

of either “gov” or “mil”. 

Examples: 

http://www.whitehouse.gov 

http://www.dmv.ca.gov 

http://www.nic.mil 

Keywords: 

military, white house, senate, congress, FBI, CIA, IRS, federal, 

state, county, city government, government agencies, regime, fire 

dept., post office, foreign governments 

Politics 

This category refers to any site that is associated with political 

advocacy of any type or the opinions of the government. This 

includes any site promoting or containing information on any 

political party, pro or con. This includes registered and officially 

recognized political parties. Sites that inform or promote an 

election of any political office receive this rating. It does not 

include official government sites. 

Examples: 

http://www.northernvirginiagop.com 

http://www.rnc.org/ 

http://www.declareyourself.com/ 

Keywords: 

republican, democrat, grassroots, voting, political affairs, affairs 

of state and policy, mayoral races, local districts, elections 

314 



News 

This category refers to any site that is associated with online 

newspapers, headline news sites, news wiring services, 

personalized news services and mainstream publications. Some 

online magazines will be given this rating along with another (i.e. 

www.wired.com will be news and Science & Tech). This does not 

include Usenet (classified as discussion forums). 

Examples: 

http://www.cnn.com 

http://www.suntimes.com 

http://www.usatoday.com 

Keywords: 

newspapers, magazines, wire service, publications, headlines 

Classifieds 

Sites that offer and advertise ads for barter or sale of merchandise 

or services. 

Examples: 

http://www.usfreeads.com/ 

http://www.oodle.com 

http://classifieds.suntimes.com 

http://www.southsoundclassifieds.com/ 

Keywords: 

place an ad, post ads, sell an item 

Religion 

This category refers to any site that pertains to mainstream 

religions, religious activities or participation. This includes 


315

information relating to any common religious organization. This 

is a stand-alone category. 

Examples: 

http://www.homechurch.com 

http://www.gospel.com 

http://www.wop.com 

Keywords: 

church, synagogue, temple, worship, ministries, atheism, faith, 

belief, creed, religious conviction, bible study, youth ministry 

Cult 

This category refers to any site that advocates or discusses 

information relating to the use of or membership in cults. Cults 

are defined as a group or movement exhibiting great or excessive 

devotion or dedication to some person, idea or thing. Cults 

employ unethical, manipulative or coercive techniques of 

persuasion and control designed to advance the goals of the group 

leaders, to the detriment of the members, their families or the 

community. Sites that relate to the practice or advocacy of 

common religions do not belong here as well as any site that 

serves to educate on the perils of cult activity. 

Examples: 

http://lastdaysministry.com 

http://www.rael.org 

http://www.the600club.com 

Keywords: 

coercion, manipulation, sect, faction, satanic 

316 



Alternative Lifestyle 

Sites that contain information relating to gay, lesbian or bisexual 

lifestyles. This excludes sites that are about social issues or 

contain sexual content. Sites that promote the lifestyle but are of 

business or professional nature are not included in this category. 

Examples: 

http://www.outproud.org/ 

http://gbltc.asuw.org/ 

http://www.thetaskforce.org/ 

http://www.sgn.org/ 

http://www.glaad.org/ 

Keywords: 

GLBT communities, news, organization 

Business 

Specialized Shopping 

This category refers to any site that sells a specific item(s) or 

product(s) that can be purchased using the Internet or telephone 

with minimal effort using information on the site. This rating is 

sometimes accompanied by another rating depending on the 

subject matter of the items sold. 

Examples: 

http://www.art.com 

http://www.carparts.com 

http://www.furniture.com 

Keywords: 


317

online ordering, shopping cart, visa/mc accepted, add to cart, 

purchase 

Dining/Restaurant 

Sites that list, review, promote, market or advertise food 

service and eating establishments. Included are catering services, 

dining guides and recipes. 

Examples: 

http://www.tonyromas.com 

http://restaurants.com 

http://cooker.com 

http://www.restaurantrow.com/ 

http://ruthschris.com/ 

Keywords: 

menus, locations, online recipes, dining guide, reviews, cooking, 

reservations 

Real Estate 

Information or services related to buying/selling, renting or 

financing property. 

Examples: 

http://www.sandiegohomes.com/ 

http://www.remax.com/ 

http://www.realtor.com 

http://www.rent.com/ 

http://www.apartments.com/ 

Keywords: 

rentals, listings, apartments, condos, realtor, residential homes, 

commercial property, home finance, mortgages, property search 

318 



Automotive 

Sites that offer repair, maintenance, parts, sale or other services. 

Examples: 

http://www.convoyautorepair.com 

http://www.automotive.com/ 

http://www.autonews.com/ 

http://autopedia.com/ 

http://www.cars.com 

Keywords: 

new cars, used cars, blue book, vehicle make/model, auto dealers, 

mechanics, motorcycles, off road vehicles 

Internet Services 

Site that offer services to assist in Internet communication. 

Examples: 

http://www.earthlink.net/ 

http://mydatanet.com/ 

http://www.juno.com/ 

http://www.isp.com 

http://www.netzero.net/ 

http://www.voiceoveripserviceproviders.com/ 

Keywords: 

web design, Internet access, wireless service, high speed, 

broadband, isp, web hosting services 

Corporate Marketing 

This category refers to any site that offers corporate info and 

product information, but does not specifically sell their products 

online. 


319

Examples: 

http://www.deltaco.com 

http://www.honda.com 

http://www.mcdonalds.com/ 

Keywords: 

corporate info, product info, company info, advertising, 

promotion 

Finance 

This category refers to any site that provides investment 

information, stocks, bonds, mutual funds, newsletters, tips, and 

firms that offers these services (including banks). 

Examples: 

http://investing.lycos.com 

http://www.etrade.com 

http://www.datek.com 

Keywords: 

loans, futures, options, currency, estate planning, asset planning, 

retirement planning, taxes, bankruptcy, stocks, bonds, mutual 

funds, banks, economics, investment, funding 

Job/Employment Search 

This category refers to sites that provide jobs or employment 

services. Includes temp agencies, career resources and resume 

services. Corporate sites containing a “Jobs” section should have 

the specific jobs area classified in this category. 

Examples: 

http://www.monster.com 

320 



http://www.hotjobs.com 

http://www.kellyservices.com/ 

Keywords: 

jobs, temp agencies, career, resume builder, headhunter 

Professional Services 

This category refers to business related sites that include technical 

and professional services. Normally these businesses sell a 

service such as legal or consulting rather than a product. This 

excludes professional sites relating to health (doctors, hospitals, 

etc) that should be classified as ‘Health’. 

Examples: 

http://www.ei.com 

http://www.c2graphics.com 

http://www.leveltendesigns.com/ 

Keywords: 

firms, consulting, legal services, accounting services, insurance 

Online Auctions 

This category refers to sites that involve participating in online 

auctions, where the site visitor can bid on various items. 

Examples: 

http://www.ebay.com 

http://auctions.yahoo.com 

http://www.atozbid.com 

Keywords: 

eBay, bidding, trading, auction, public sale, Dutch auction 


321

Sex 

Adult 

This category refers to sites that are adult in nature and are not 

defined in other rating categories. Sites that have adult themes are 

those that are associated with the following concepts: Adult 

oriented entertainment not defined as Porn, sale of penis 

enlargement products, erectile dysfunction products, online 

pharmacies, and mail order brides. These sites are usually 

intended for mature persons. 

Examples: 

http://www.mailorderbrides.com/ 

http://www.personals.com 

http://www.matchmaker.com 

Keywords: 

mature subjects, mail order brides, penis enlargement, Viagra/ 

Cialis, online pharmacy 

Lingerie/Bikini 

This category refers to sites displaying or dedicated to bikini or 

lingerie that could be considered for adults only. Sites about 

modeling would not be included in this area. 

Examples: 

http://www.bikinihangout.com/ 

http://www.victoriassecret.com 

http://www.outdoorgirl.net/ 

Keywords: 

bikini, swimsuits, garters, underwear (male and female) 

322 



Nudity 

This category refers to sites that provide images or representations 

of nudity. They may be in any artistic or non-artistic form like 

magazines, pictures, paintings, sculptures, etc. This category 

should be assigned to those sites that display both partial and full 

nudity but the images are not pornographic in nature. 

Examples: 

http://www.photo.net/nudes 

http://www.naturistart.com/ 

http://www.naturistworld.com/ 

Keywords: 

nudes, body images, nudist colonies, before/after pictures of 

cosmetic surgery 

Pornography 

This category covers anything relating to pornography, including 

mild depiction, soft pornography and hard-core pornography. 

Pornography pertains to writings, photographs, movies, etc. 

intended to arouse sexual excitement. Also, any site offering 

memberships that may provide access to other pornographic sites 

will fit into this category. 

Examples: 

http://www.playboy.com 

http://www.penthouse.com 

http://www.persiankitty.com 

Keywords: 

smut, graphic pictures, arousal, sex, escorts, erotica 


323

Sexuality 

This category contains sites that provide information, images or 

implications of body piercing, tattoos and any form of body art. 

Sites not in this category are those that contain images or 

information about sexual acts as discussed in the Pornography 

and Nudity categories. 

Note: This category implies adult content in nature; therefore a 

rating of ‘Adult’ and ‘Sexuality’is not necessary. 

Examples: 

http://piercing.org 

http://www.tattoonow.com/ 

http://www.thechateau.com/ 

Keywords: 

tattoos, piercing, body art, skin art, henna 

Health 

Alcohol/Tobacco 

This category refers to sites that support the use of alcohol and 

tobacco products. They may be commercial sites, such as Philip 

Morris and Anheuser Busch, or sites that support the use of 

alcohol and tobacco related products. This category does not refer 

to sites that contain educational info about the hazards of alcohol 

and tobacco products. 

Examples: 

http://www.budweiser.com 

http://www.richardsliquors.com 

http://www.cigarettesexpress.com 

Keywords: 

324 



cigarettes, beer, wine, liquor, smoking, drunk, breweries, bars 

Drugs 

This category refers to sites associated with the use, legalization 

or advocacy of illegal drugs and the illegal use of prescription 

drugs. Exempt from this category are sites that attempt to relay 

educational information about the dangers of drug use and sites 

relating to the products of pharmaceutical companies (should be 

classified as ‘Health’). 

Examples: 

http://www.yahooka.com 

http://www.homemadedrugs.net/ 

http://www.norml.org 

Keywords: 

bong, marijuana, cocaine, paraphernalia 

Health 

This category refers to sites that claim to improve an individual's 

well being either medically, organically or through support. 

Examples: 

http://www.webmd.com 

http://www.deltadental.com 

http://health.yahoo.com 

Keywords: 

doctors, hospitals, medications, fitness, nutrition, dentists, weight 

loss, massage, cosmetic surgery, day spas, diet, clinics, 

ophthalmology 


325

Adult Sex Education 

This category refers to sites that provide sexual education 

information to anyone who has graduated from high school. 

Topics would include how to put on a condom, masturbation and 

other adult topics such as orgasm and ejaculation. Topics that are 

dealt with in the adult themes category or sexuality category 

would not be covered here. 

Examples: 

http://www.sexualcounselling.com/ 

http://www.sexhealth.org/ 

http://www.sexhealthinplainenglish.com/ 

Keywords: 

kama sutra, sex techniques/tips, masturbation, condoms 

Recreation 

Entertainment 

This category refers to sites associated with passive activities – 

meaning visitors are looking for “sit back and entertain me” sites 

such as those dealing with theatre, online comics, anime, 

amusement parks, clubs, etc. 

Examples: 

http://www.theatre.com 

http://www.playbill.com 

http://www.comics.com 

Keywords: 

clubs, anime, comics, e cards, theatre, plays, musicals 

326 



Gambling 

This category refers to any site that presents information about 

gambling for the purpose of advocating its practice. These sites 

can provide instruction on any gaming activity that involves 

gambling or provide actual on-line gambling. Sites that attempt to 

educate the public on the dangers and/or cures for gambling 

problems do not belong in this category. 

Examples: 

http://www.betexchange.net 

http://www.beverlyhillsbookie.com/ 

http://www.gambling.com 

Keywords: 

casinos, betting, bookies, odds, handicap, gaming, poker 

Games 

This category refers to any site that is associated with traditional 

board games, role-playing games and pursuits. This includes sites 

that promote game makers (Mattel), electronic games, video 

games, computer games or online games. This category includes 

both game hardware & software. Also included are tips, advice 

and cheat codes on playing computer/Internet based games and 

websites hosting games and contests. 

Examples: 

http://www.solitaire.com 

http://games.yahoo.com 

http://www.gamespot.com 

Keywords: 

cheats, codes, clans, video games, contests, fantasy sports, 

lotteries, bingo 


327

Hobbies/Leisure 

This category refers to any site associated with the noncompetitive 

active pursuits or interests outside one's regular 

occupation or an activity engaged in for pleasure and relaxation 

during spare time. This would include pet lover sites, sewing, 

model building/making, woodcarving, stamp/coin collecting, 

mountain biking, hiking, etc. Note that sites dealing with 

competitive pursuits should be considered as sports. 

Examples: 

http://www.nmra.com/ 

http://www.stamps.org/ 

http://www.boat-show.com 

Keywords: 

collecting, pastime, leisure pursuit, diversion, sideline, model 

trains, personal homepages (non-offensive) 

Mature Humor 

This category refers to any site that contains mature themes and 

humor that may not be suitable for children, but do not contain 

pornography or strong profanity. These sites may contain a 

limited amount of “PG-13” profanity without a profanity rating. 

Examples: 

http://www.theonion.com 

http://www.laughgallery.com 

http://www.fark.com/ 

Keywords: 

jokes, humor, anecdotes 

328 



Television /Movies 

Sites that promote or provide content relating to television 

programming or movies. 

Examples: 

http://abc.go.com/ 

http://nbc.com 

http://pixar.com 

http://allmovie.com 

http://imdb.com 

Keywords: 

film, TV, Local Listings, episodes, movie database 

Note: Sites that contain streaming media or downloadable files 

such as previews or trailers should include the rating of digital 

media. 

Music 

Sites that promote music for entertainment purposes relating to 

bands, concerts, festivals, orchestras, symphonies and disc 

jockeys. 

Examples: 

http://www.trapt.com 

http://discjockeys.com 

http://metallica.com 

http://rcarecords.com 

http://www.philorch.org 

Keywords: 

DJs, tour dates, fanzone, discography, albums 

Note: Sites that provide mp3, streaming or other downloadable 

media will also be rated digital media. 


329

Digital Media 

Digital audio, video and other technologies that can be accessible 

to stream, download or share. 

Examples: 

http://www.ifilm.com 

http://www.youtube.com/ 

http://www.videoegg.com/ 

http://www.jumpcut.com/ 

Keywords: 

upload/download videos, watch, create, share, mp3, mp4, mpeg 

Radio Stations 

Sites whose purpose is to provide and/or promote music, talk or 

sports radio. These sites have live streams and/or archived 

listening available. 

Examples: 

http://www.kioz.com 

http://www.wrko.com/ 

http://www.wfan.com/ 

Keywords: 

streaming audio, listen now, on air, live feed 

Social Networking / Dating 

Sites that offer free or paid services that promote interaction, 

dating or other networking through forums, chat, email or other 

methods. 

Examples: 

330 



http://www.match.comhttp://www.myspace.com 

http://friendfinder.com 

http://eharmony.com 

http://okcupid.com 

http://www.friendster.com/ 

Keywords: 

singles, online dating, personals, connections, find/make friends, 

matchmakers 

Special Interests 

Interest groups/clubs that include environmental, worker, social, 

and philanthropic organizations. These include alumni 

associations and all non-profit organizations. 

Examples: 

http://www.amexp.org/ 

http://charity.org 

http://surfrider.org 

http://www.ncna.org/ 

http://www.teamsters.com/ 

Keywords: 

associations, foundations, charities, chapters, non-profits, 

donations, alumni 

Sports 

This category refers to any site that contains information about 

sports or sports related activities. This includes sites that provide 

sports scores or games. These sites may also contain information 

about sporting events, camps, teams or outings. Sports are defined 

as organized and competitive athletics. 


331

Examples: 

http://www.espn.com 

http://www.mlb.com 

http://www.nba.com 

Keywords: 

baseball, football, tennis, basketball, golf, teams, motor sports, 

NCAA, high school sports, little league 

Travel 

This category refers to sites specializing in travel and travelrelated 

information or activities. This includes travel destinations, 

reservation services, discount travel listings, leisure travel 

package listings, and special events in various cities. Also 

included are sightseeing guides, airlines and online flight booking 

agencies, accommodations and rental cars. Additional items such 

as chamber of commerce or non-government information 

pertaining to a given city or region can also be assigned this 

category. 

Examples: 

http://www.lasvegastours.com 

http://www.visit.hawaii.org 

http://www.travelocity.com 

Keywords: 

bed & breakfast, reservations, flights, trips, airlines, travel agent, 

cruise, vacation, site seeing, tourist, tour, voyage, timeshare, 

rental cars 

332 



Web Log (Blog) 

Journals, diaries or newsletters that can be updated daily usually 

involving personal thoughts/opinions on Internet, social or 

political issues. Other categories can be added to further classify. 

Examples: 

http://krose.typepad.com/kevinrose/ 

http://blogger.com 

http://globeofblogs.com 

http://joelion.com/ 

http://cnewmark.com/ 

Keywords: 

blogroll, posts, comments, post thoughts, archives 

Internet (Web) 

Anonymizer 

This category refers to sites that allow the user to surf the net 

anonymously. It also refers to sites that allow the user to send 

anonymous emails. This also includes sites providing proxy 

bypass information or services. 

Examples: 

http://www.silentsurf.com 

http://www.proxify.com/ 

http://www.anonymizer.com 

Keywords: 

anonymous surfing, fake email, proxy bypass, web based proxy 


333

Discussion Forums 

This category refers to sites dedicates to Usenet, Usenet news, 

forums, newsgroups, online bulletin board system. 

Examples: 

http://discussions.apple.com 

http://www.driverforum.com 

http://www.smr-archive.com 

Keywords: 

forums, newsgroups, bulletin boards, Usenet 

Online Chat 

This category refers to any site that offers access to, software for 

or participation in any Internet chat forum. The notion of chat 

should be associated with any online conversation involving at 

least two people that takes place in real time. If a site offers chat 

as one of it's services, then the exact location where chat is taking 

place will be rated as 'Chat'. 

Examples: 

http://chat.yahoo.com 

http://chat.msn.com/ 

http://www.chat.net 

Keywords: 

chat, post, IRC, ICQ 

Translators 

This category refers to any site that offers the service of 

translating a page, URL, or phrase into various different 

languages. 

334 



Examples: 

http://world.altavista.com 

http://www.freetranslation.com/ 

http://www.translation2.paralink.com/ 

Keywords: 

languages, online translation 

Image Host 

Sites that provide image hosting, linking and/or sharing. This 

includes videos and pictures. 

Example: 

http://imageshack.us/ 

http://www.streamdump.com/ 

http://tinypic.com/ 

http://photobucket.com/ 

http://www.freeimagehosting.net/ 

http://www.webshots.com/ 

http://www.easyavatar.com/ 

http://www.flickr.com/ 

Keywords: 

create/ link/ share/ host image, jpg, gif, tif, png 

File Host 

Sites that offer hosting, backup and sharing of files on the 

Internet. 

Examples: 

http://www.filefactory.com/ 

http://www.fileden.com/ 


335

http://www.fileburst.com 

http://www.tradebit.com/ 

http://www.turboupload.com/ 

http://rapidshare.de/ 

Keywords: 

file management, file storage, file sharing, upload files, 

storage 

Peer to Peer 

Sites that provide client software to enable peer to peer file 

sharing and transfer. 

Examples: 

http://www.gnutella.com/ 

http://kazaa.com 

http://www.zeropaid.com/ 

http://www.avvenu.com/ 

http://www.limewire.com 

Keywords: 

file sharing, P2P, client-server, ad-hoc, tor 

Email Host 

Sites that provide email accounts, free or otherwise. 

Examples: 

http://www.hotmail.com 

http://mail.yahoo.com 

http://www.gmail.com/ 

Keywords: 

336 



email, POP3, accounts 

Safe Search Engine 

This category refers to any search site that is specifically targeted 

toward families and children. Safe search engines will not allow 

the child or family member to search for pornography. 

Examples: 

http://www.yahooligans.com 

http://www.dibdabdoo.com/ 

http://www.ajkids.com 

Keywords: 

kids searches, family safe, kid safe 

Sharewares Download 

This category refers to sites that specialize in the downloading of 

*legal* software. 

Examples: 

http://www.shareware.com 

http://www.jumbo.com/ 

http://www.tucows.com 

Keywords: 

desktop themes, wallpapers, screen savers, legal software, 

downloads, shareware, freeware 

Web Banners 

This category refers to sites that provide service links/ banners/ 

ads for websites. This could also include redirect services. 


337

Examples: 

http://www.banner-link.com 

http://www.123banners.com 

http://www.free-banners.com 

Keywords: 

links, banners, ads, redirects, spam urls, gibberish urls 

Web Host 

This category refers to sites that offer web hosting services, free 

or otherwise. These sites would usually offer domain names and 

web spaces to host end-user web pages. 

Note: Sites that offer web hosting as one of their services would 

get rated as web host only at the location where actual web hosting 

is taken place. 

Examples: 

http://www.geocities.com 

http://www.tripod.com 

http://www.angelfire.com 

Keywords:hosting, domain names 

Web Search 

This category refers to sites that specialize or offer a Web search 

engine. Sites containing links to other search engines or sitespecific 

search functionality do not qualify for this rating. 

Examples: 

http://www.yahoo.com 

http://www.google.com 

http://www.altavista.com 

338 



Keywords: 

search engines, directories 

Portals 

Sites that offer multiple web based services to assist a users 

experience on the Internet. 

Examples: 

http://www.aol.com/ 

http://www.msn.com/ 

http://www.buzzle.com/ 

Keywords: 

email, search, marketplace, forums, news, directory 

Education 

Continuing Education/Colleges 

This category refers to sites that contain institutions/colleges 

offering formal course studies for adults. College homepages will 

fall into this category as well as distance education, degree 

programs for part time students, vocation and adult education. 

Examples: 

http://www.grossmont.edu/ 

http://www.ucsd.edu 

http://www.photofieldschool.com 

Keywords: 


339

colleges, universities, junior colleges, trade schools, vocational 

schools, ESL 

History 

This category refers to sites that offer a systematic, written and 

methodical record of past events. These events are arranged as to 

show the connection of causes and effects, to give an analysis of 

motive and action, etc. 

Examples: 

http://www.civilwarsite.com 

http://www.thehistorychannel.com 

http://www.history.com 

Keywords: 

past events, historical information, genealogy 

K-12 

This category refers to sites dealing with the education of 

children. Also included in this category are sites with the 

identifier of “K12” (Kindergarten through 12 th grade) in the URL. 

Preschools and day care centers also qualify for this rating. 

Examples: 

http://www.cathedralcatholic.org/ 

http://www.goshenschools.org 

http://www.forestlake.org 

Keywords: 

high schools, elementary, junior high, child education, school 

districts, preschools, day care 

340 



Reference Sites 

This category refers to site specifically dedicated to providing a 

research method on one or more subject matters. 

Examples: 

http://www.radnorlibrary.org 

http://www.mvls.info/ 

http://www.libraryspot.com/ 

Keywords: 

libraries, databases, yellow pages, people finder 

Sci/Tech 

This category refers to sites that relate specifically to education in 

Science and Technology. Also included in this category are sites 

relating to education with emphasis on computers, astronomy, 

programming, physics, etc. 

Examples: 

http://www.pcworld.com/ 

http://www.astronomy.com 

http://www.aip.org/ 

Keywords: 

astronomy, computers, programming, physics, NASA 

Sex Education 

This category refers to sites that are associated with sex education 

of children. This includes sites that offer information about sex, 

AIDS, sexually transmitted diseases, human reproduction, 


341

contraceptives, medical research or any other sexually oriented 

material used to educate. Information within these sites may be 

minimal in nature as in technical journals, dictionaries, 

encyclopedias or other reference materials. Sites may also display 

subtle images or graphics showing sexual organs. 

Note: If a site is rated as 'K-12 Sex Education', it must not have 

any other rating. 

Examples: 

http://www.sxetc.org 

http://www.siecus.org 

http://www.teensource.org/ 

Keywords: 

reproduction, contraceptives, family planning, safe sex 

Security Exploits 

Phishing 

Deceptive websites that trick end-users into revealing personal 

data such as credit card numbers, account usernames, passwords, 

social security numbers, etc. These websites pretend to be those 

of common, well-known sites such as banks and credit card 

companies. 

Examples: 

http://www.dotnetsql.com 

http://www.acctaccess-es.com 

http://www.paypal.com-cgi.us/ 

Keywords: 

phishing, credit card fraud, identity theft 

342 



Spyware/Adware 

Websites that are known to distribute or contain code that displays 

unwanted advertisements or gathers information about the user 

without the users knowledge. This information is oftentimes 

relayed to advertisers or other 3rd parties. 

Examples: 

http://www.gamebar.net 

http://www.esurveiller.com/ 

http://www.seeq.com 

Keywords: 

spyware, adware, browser hijacker, keylogger 

Malware 

Websites that are known to contain harmful code that may modify 

a users system without the users knowledge. 

Examples: 

http://www.ivstil.ru/ 

http://www.buddylinks.net 

http://www.1weight.us/ 

Keywords: 

malware, virus, trojan, dialer, worm 


343

344 


Configuring Browsers for Authentication 

Appendix B 

Configuring 

Browsers 

for 

Authenticati 

on 


To enable browser-based authentication through iPrism, you must configure 

each browser to use iPrism as a proxy server. (Do NOT do this if you are 

using bridge (transparent) mode.) The following procedures describe how 

to make the necessary proxy settings in both Netscape Navigator and 

Internet Explorer web browsers. 


345

Configuring Netscape Navigator for Authentication 

1. In Netscape Navigator, open the Edit menu and select Preferences to 

display the Preferences window. 

2. In the Category list, double-click the word Advanced. This opens the 

Advanced menu so you can view the various menu options. 

3. Select Proxies from the Advanced menu to display the Proxies page. 

(See Figure 122) 

FIGURE 122. Proxy Settings in Netscape 

Select Proxies 

from the list of 

Advanced 

menu options. 

Select either Manual proxy configuration or Automatic proxy 

configuration, then enter the IP address that you assigned to the iPrism 

unit in the appropriate field(s). When using the manual configuration, enter 

the IP address in the FTP Proxy, HTTP Proxy, and SSL Proxy fields. 

4. Since you will be assigning the same IP address to each protocol, you 

must select the Manual proxy configuration option. 

Enter the IP address that you assigned to your iPrism server in the FTP 

Proxy field, the HTTP Proxy field, and the SSL Proxy field. In the 

adjacent Port fields, enter the value “3128” next to each proxy field. The 

346 



following example shows the proxy settings for iPrism unit that has an 

IP address of 192.168.0.6 and is using the default iPrism port (3128). 

Note: iPrism is not a SOCKS proxy. Leave the SOCKS Host 

field empty. 

5. After entering the settings, click OK. Your Netscape browser is now 

configured to use the new proxy settings. 

Configuring Internet Explorer for Authentication 

1. From within Internet Explorer, select the Tools menu, then select Internet 

Options. 

2. Select the Connections tab. 

3. Click LAN Settings to open the Local Area Network (LAN) Settings 

dialog box (see Figure 7). 


347

FIGURE 123. LAN Settings 

4. In the Proxy Server frame, check the Use a proxy server checkbox. 

5. In the Address field, enter the IP address that you assigned to your 

iPrism server. (You do not have to put “http://” in front of it.) The example 

in Figure 7 shows the settings for an iPrism unit with the IP address 

192.168.1.1. 

6. In the Port field, enter “3128”. 

7. Note: If you want to manually specify the proxy address and port settings 

for each protocol (FTP, HTTP, etc.), click Advanced and type the 

information in the Proxy Settings dialog box. Uncheck the Use the same 

proxy server for all protocols checkbox, and type the iPrism IP address 

in the HTTP, Secure, FTP, and Gopher fields. Assign each line the Port 

value “3128”. (See Figure 124). 

8. Click OK. 

348 



FIGURE 124. Manually Configuring Proxy Settings in IE 

9. If you do not want iPrism to filter local (e.g., Intranet) traffic, check 

Bypass proxy server for local addresses. 

10. Click OK.This browser is now configured to authenticate through 



349

350 


Appendix C 

iPrism 

Error 

Messages 

This section describes the more common error messages that you may 

encounter while using iPrism. 

The error conditions are listed by error name/type, one per page, and in no 

particular order. A description of the conditions that cause each error is 

provided as well as a screen shot showing the typical error page that is 

generated. Beneath each screen shot is a “What to Do” section that suggests 

how to correct the condition. 

Note: This appendix covers only the more common error messages; errors 

that occur only rarely are not included. 

iPrism List Update Error 

By default, iPrism downloads its filter list once per day. During the actual 

download, web access is not impacted. However, once the download is 


351

complete, iPrism will need to reload its filter list. (This also occurs when 

custom filters are added or edited in the system.) The reload process 

typically lasts 2-5 seconds. During this time, iPrism will display the “iPrism 

List Update” message as shown in Figure 125. 

FIGURE 125. iPrism List Updates Error 

What to Do: 

This message is not an error message and should only last for a few 

seconds. Contact St. Bernard Technical Support (www.stbernard.com/ 

products/support/support.asp) if the message does not disappear. 

352 


iPrism List Error 

iPrism needs a filter list to operate correctly. If a system is missing its filter 

list, it is possible to configure iPrism to ‘pass all’ or ‘block all’ HTTP traffic 

using the settings in the System section’s Preferences tab. Click 

Advanced in the Filter List Updates frame to access these settings. 

If iPrism is set to block all traffic when the filter list is missing, it will 

display the error shown below. Otherwise, all traffic will be passed 

unfiltered. 

FIGURE 126. iPrism List Error 

What to Do: 

This is an error condition. Contact St. Bernard Technical Support 

(www.stbernard.com/products/support/support.asp) to resolve this issue. 


353

iPrism Filter Service Expired Error 

If iPrism’s subscription to the filter list update expires, the error message 

shown in Figure 127 will be displayed: 

FIGURE 127. iPrism Filter Service Expired Error 

What to Do: 

iPrism’s registration key must be updated before access is possible. Contact 

St. Bernard Technical Support (www.stbernard.com/products/support/ 

support.asp). 

354 


Access Denied Error 

The error shown in Figure 128 will display if any of the following 

conditions occur: 

• The IP address of the workstation trying to access iPrism is not allowed 

to access iPrism. If needed, the configuration can be updated by the system 

administrator from the Networks tab in the Access section. 

• The mode used by the workstation is not allowed. Workstations can 

access iPrism in proxy (direct mode), where the browser or application is 

configured to use iPrism as a proxy, or in bridge (transparent) mode (no 

browser configuration needed). Each mode can be independently disabled 

from the Networks tab in the Access section. 

• iPrism detected a routing loop. A routing loop occurs when the traffic 

that iPrism is sending to reach a website is being routed via iPrism again, 

causing iPrism to filter its own traffic. This is typically the result of configuring 

iPrism’s default gateway as a machine located on the internal 

interface of the appliance. 


355

• 

FIGURE 128. Access Denied Error 

What to Do: 

Check iPrism’s configuration (access and authentication) for the client 

workstation’s IP address; if looping occurs, check the routing setup. 

Authentication is Required Error 

The “Authentication is Required” error displays when a workstation 

operating in proxy mode does not authenticate or provide valid credentials 

(username and password). This may occur if the profile associated with the 

username is invalid (typically, an LDAP configuration error). 

356 


FIGURE 129. Authentication is Required Error 

What to Do: 

Reload the page and provide your user credentials when prompted. 

Connection Failed Error 

If you get the “Connection Failed” message (see Figure 130), iPrism is not 

able to connect to the desired web server. This is typically the result of one 

of the following conditions: 

• The remote server is temporarily unavailable. 

• You entered a URL with an incorrect port number. 

• The connection is being denied by upstream equipment, such as a firewall. 


357

FIGURE 130. Connection Failed Error 

What to Do: 

• Check the URL to verify it is correct. 

• Try accessing the site again later. 

• Check your network environment for devices that may prohibit the connection. 

Unable to Determine IP Address Error 

The error “Unable to determine IP address from host name for ” 

indicates that iPrism is not able to resolve the hostname of the desired URL. 

If this happens only for a small number of websites, it is probably a 

transient network error with the web server’s DNS service, in which case 

you can try again later. 

358 


If multiple (or all) web servers are showing the same symptoms, iPrism’s 

DNS service is unable to operate because its DNS master (if one is used) 

may be unreachable, or because it can not perform direct DNS requests. 

This would occur if a firewall were blocking ports UDP/53 and/or TCP/53. 

FIGURE 131. Unable to Determine IP Address from Host Name Error 

What to Do: 

Wait awhile and check the URL again; if the error occurs across multiple 

web servers, check iPrism’s DNS configuration and status. 


359

Invalid Request Error 

The “Invalid Request” error occurs when the syntax of the HTTP request 

submitted to iPrism is not valid and does not follow the HTTP protocol. A 

possible reason is that the request did not include the HTTP/1.x information 

on the HTTP request line. This error is infrequent in web browsers and 

more often occurs with other HTTP applications. 

FIGURE 132. Invalid Request Error 

What to Do: 

Check the request syntax as displayed by iPrism and fix the client software. 

360 


Invalid URL (Error) 

Much like the “Invalid Request” error on the previous page, the “Invalid 

URL” error occurs if iPrism detects that the request does not respect the 

HTTP RFC. In short, the syntax of the URL is incorrect. The usual reason 

this occurs has to do with invalid characters in the URL, and may happen if 

the web page contains such an invalid URL as a link. 

FIGURE 133. Invalid URL Error 

What do Do: 

Check the request’s syntax. If the URL is a link on a web page, you can also 

inform the remote website’s administrator. 


361

iPrism is in the Process of Reconfiguring Itself (Error) 

iPrism will display the message shown in Figure 134 while a 

reconfiguration is in progress. 

If the administrator made a change to the configuration, iPrism will reload 

its configuration. This is short-lived condition and the message should go 

away within 10 seconds. 

FIGURE 134. iPrism is in the Process of Reconfiguring Error 

What to Do: 

Retry after a few seconds. If the error message does not go away, Contact 

St. Bernard Technical Support (www.stbernard.com/products/support/ 

support.asp). 

362 


Zero Sized Reply (Error) 

The “Zero Sized Reply” error occurs when no data is returned in the HTTP 

connection. This may happen under the following conditions: 

• The remote web server did not send actual data and closed the connection 

too early (typically a script error). 

• The remote web server is unable to reply. 

FIGURE 135. Zero Sized Reply Error 

What to Do: 

This is a problem on the web server you are trying to reach. Try again later 

or contact the web server’s administrator. 


363

Write Error / Broken Pipe 

This message is shown when iPrism is not able to establish a connection to 

a web server. A common reason is that an upstream firewall is closing 

connections (TCP resets), usually because it has reached a threshold in the 

maximum number of connections it will allow from iPrism (such as 

CISCO’s PIX). 

This can be addressed by managing the maximum number of connections 

on the firewall. 

FIGURE 136. Write Error 

What to Do: 

Check the network environment (firewall logs, routing). 

364 


Importing User Data into iPrism 

Appendix D 

Importing/ 

Exporting 

User Data 

If you decide to use local authentication through iPrism, then you have the 

option of either creating new user accounts or importing this data from an 

existing user database. Use the Import instructions provided in this chapter 

to help you properly prepare and transfer your data into iPrism. 

Once you have your user’s accounts properly configured, you have the 

option of exporting the user database as a backup measure. Follow the 

instructions provided later in this chapter. 


iPrism can import user data from a properly delimited text-based file. 

Follow the steps outline in this section to ensure that your data is properly 

formatted for import. 


365

Step 1: Prepare the User List For Import 

1. Prepare the user database so the fields will be exported in the order and 

data format specified in Table 8. (Name, Password, Admin Privilege 

Name, Use Network Profile? (Boolean), Profile Name, Notes.) This is 

the order in which iPrism will import the fields. 

2. Save or export the user records to a simple text-based format using either 

a comma, pipe(|), or Tab character between each field. (The same delimiter 

must be used for all records.) 

Table 8: Import Field Properties 

* If Use Network 

Profile is True, then 

a Profile Name is 

not required. 

Field Name Data Type Required 

Name Text Yes 

Password Text Yes 

Admin Privilege Name Text Yes 

Use Network Profile? Boolean Yes 

Profile Name* Text Yes 

Notes Text No 

Figure 137 shows an example of what a properly formatted user list 

should look like, using comma delimiters. 

FIGURE 137. Example of Comma-Delimited Import List 

judy,judypass,No access,false,BlockOffensive,normal user 

sandy,sandypass,Full Access,true,BlockOffensive,power admin 

bill,billpass,Single Override,true,PassAll,override me only 

jill,jullpass,Extended Override,true,BlockOffensive,override any 

sam,sampass,Reports Only,true,BlockOffensive,reporter 

Note: In this example, the Notes field is used to describe what 

the users access level would be. 

366 



Step 2: Import the User List into iPrism 

Make sure you have properly prepared your import list before importing it 

into iPrism. 

1. Start the iPrism System Configuration tool, select the Users section, and 

click the Import/Export tab (see Figure 138). 

FIGURE 138. Import/Export Tab 

2. In the Import Users frame, click the Duplicate User Policy dropdown 

list and choose how you want iPrism to handle duplicate entries if they 

are encountered. 


367

• Prompt for action. iPrism will notify you each time a duplicate 

iPrism username is encountered, then ask you whether or not to overwrite 

the existing entry. 

• Retain existing. iPrism will keep your existing iPrism user intact 

when it encounters duplicate users. 

• Override existing. iPrism will replace a currently existing iPrism 

user matching the username encountered in the import list. 

3. In the Import Users frame, click the Field Delimiter dropdown list and 

select the delimiting character that is used in the import file. (Comma, 

Pipe (“|”), or Tab). 

4. If you want to do a dry run of your import without actually making any 

changes to iPrism, click Preview and follow the onscreen instructions. 

This will report duplicate names as well as invalid data records, giving 

you a chance to make changes before performing the actual import. 

5. When you are ready to import the data, click Import. (If a Notice message 

displays, read it, then click OK.) 

The User Import File Location dialog box opens. 

6. Select the file you want to import and click Open. 

If duplicate records occur, you will be prompted to resolve them individually. 

When all the records are imported, a User Import Report dialog 

box displays the results (See Figure 139). This report shows each username 

that was imported and indicates whether that username was created 

(new) or replaced in the user list. 

368 


Exporting Local User Data from iPrism 

FIGURE 139. iPrism User Import Report 

7. Click OK to close the Report dialog box. 

That’s it! When you click the Users tab, you will notice that the names 

you imported are now listed in the iPrism Users frame. If necessary, you 

can edit these records using the instructions in the next section. 

Exporting Local User Data from iPrism 

If you are using local authentication, then you either manually created user 

accounts in iPrism, imported them into iPrism, or perhaps both. If ever you 

need to re-use this information, such as to import it into another iPrism unit 

or another database, you can export all of the user names that are stored in 

iPrism. You may also want to do this just to keep a backup of your user data 


369

in the event it is ever lost. This is done from the Import/Export tab on the 

Users section. (See Figure 138) 

Exporting User Account Data 

1. From the iPrism System Configuration tool, select the Users section, and 

click the Import/Export tab. 

1. In the Export Users frame, click the Field Delimiter dropdown list and 

select the delimiter character that you want inserted between adjacent 

fields in the exported list. (Comma, Pipe (“|”), or Tab. 

2. Click Export. A notice message opens, informing you that a file dialog 

will appear in which you specify the name and location of the export file. 

This is the file where the exported data will be stored on your local hard 

drive. 

Note: Passwords are encrypted in the export file, but they can be reimported 

into iPrism. 

3. Click OK to clear the notice message. The User Export File Location 

dialog box opens. 

4. Select the directory where you want the file saved and enter the desired 

name for the export list in the File name field. The default file name is 

“all_users.iprism”. 

5. Click Save. 

The names are exported to the specified file in text format. 

370 


iPrism Software License 

iPRISM SOFTWARE LICENSE AND SUPPORT AGREEMENT 

-IMPORTANT- 

Read This Carefully Before Completing Installation of your iPrism Internet Filtering System 

READ THE TERMS AND CONDITIONS OF THIS iPrism SOFTWARE LICENSE AND SUPPORT 

AGREEMENT CAREFULLY. THIS IS A LEGAL AND ENFORCEABLE CONTRACT BETWEEN 

YOU AND ST. BERNARD SOFTWARE, INC. BY COMPLETING THE INSTALLATION OF THE 

iPRISM APPLIANCE AND SOFTWARE (OR AUTHORIZING ANY OTHER PERSON TO DO 

SO), YOU ACCEPT THIS SOFTWARE LICENSE AND SUPPORT AGREEMENT. IF YOU DO 

NOT ACCEPT THE TERMS AND CONDITIONS OF THIS SOFTWARE LICENSE AND 

SUPPORT AGREEMENT, YOU MAY RETURN THE MEDIA PACKAGE, LICENSED 

SOFTWARE, APPLIANCE AND ALL ACCOMPANYING ITEMS (INCLUDING WRITTEN 

MATERIALS AND BINDERS OR OTHER CONTAINERS) WITHIN TEN (10) DAYS OF YOUR 

RECEIPT OF THIS MEDIA PACKAGE, TO THE PLACE YOU OBTAINED THEM FOR A FULL 

REFUND. ST. BERNARD SOFTWARE MAY REVISE TERMS OF THIS AGREEMENT 

WITHOUT PRIOR NOTIFICATION. 

1. DEFINITIONS. 

“System” means the iPrism filtering appliance, documentation, software and URL Database access 

provided by St. Bernard Software, Inc. (“St. Bernard”). 

“Equipment” means the hardware component of the System. 

“Appliance” means Equipment. 

“URL Database” means the list of Internet URL's and their associated content categorization ratings 

and provided from time to time as part of the System. 

“Specifications” means the iPrism standard features current as of the date of shipment. 

“Technical Support” means the Software Remedy, telephone-based technical support during Support 

Hours 

“Software Subscription” means free software Updates, and offers to purchase new add-ons, Upgrades 

and access to the latest iPrism URL Database. 

“Update” means a minor modification or addition that includes corrections or modifications (other 

than an Upgrade) to correct errors, provide patches or bug fixes or minor enhancements. 

“Upgrade” means a major revision or modification which changes its utility or efficiency and/or which 

adds features, functions, applications or modules. 


371

“License” means the number of workstations to be filtered via the System. 

2. GRANT OF LICENSE. 

(a) In exchange for your payment to St. Bernard of the then current license fee (“License Fee”), St. 

Bernard Software, Inc. and its affiliates, including, without limitation, any parent, subsidiary, and 

successor and any entity merged into or with St. Bernard Software, grants to you, the end user, a 

personal, nonexclusive, nonsublicensable, nontransferable, nonassignable, terminable license 

(“License”) to use a single copy of (i) this software program in machine readable form on the 

Equipment, and (ii) all related documentation, including any Updates, additional modules, or 

additional software provided by St. Bernard (the “Licensed Software”), solely for your own use, and 

solely in accordance with the terms and conditions of this software license and support agreement 

(“Agreement”). 

(b) Unless you have paid the License Fee to St. Bernard, St. Bernard, grants to you, the end user, a onetime 

personal, nonexclusive, nonsublicensable, nontransferable, nonassignable, terminable license 

(“Trial License”) to use a single copy of the Licensed Software for thirty (30) days from your first use 

of the Software (“Trial Period”), solely for your own use, and solely in accordance with the terms and 

conditions of this Agreement. Upon the lapse of the Trial Period and provided that you do not pay the 

License Fee then the Software will become non-functional. You must then cease using all software and 

return the software and equipment. 

3. COPYRIGHT AND COPIES. 

The Licensed Software (including any copy thereof), is owned by St. Bernard and/or its licensors and 

is protected by United States, local and international copyright and/or patent laws and international 

treaty provisions. The Licensed Software contains pieces contributed by third parties or licensed from 

third parties. Copyrights in the software are claimed by St. Bernard and other contributors, as indicated 

by proprietary notices and credits contained in the Licensed Software and the documentation. The 

Licensed Software copy is licensed, not sold to you, and you are not an owner of any copy thereof. You 

may either (a) make one copy of the Licensed Software solely for backup or archival purposes, or (b) 

transfer the Licensed Software to a single hard disk provided you keep the original solely for backup or 

archival purposes. You may not otherwise copy the Licensed Software, and you may not copy the 

written materials accompanying the Licensed Software unless such copies of the associated written 

materials are solely for your own internal use. St. Bernard hereby reserves all rights not explicitly 

granted in this Agreement. 

4. MODIFICATIONS AND REVERSE ENGINEERING. 

Except as otherwise provided herein, you shall not copy, modify, reverse engineer, map, decompile, 

enhance, or make derivative works, translations, or compilations or portions or otherwise derive the 

source code, internal structure, organization or any other aspect of the Licensed Software, the URL 

372 


Database, the System or any part thereof or directly or indirectly aid, abet or permit others to do so. 

Any unauthorized modifications, derivative works, translations, or any other intellectual property, 

created directly or indirectly using or referring to the Licensed Software, the URL Database, the 

System, or components thereof, or enhancements of the Licensed Software and the System, shall 

belong exclusively to St. Bernard and you hereby assign any and all rights in them (and agree to forego 

enforcement of any moral rights) to St. Bernard. You hereby agree to promptly enter into any further 

documentation required by St. Bernard in its sole discretion to legally or commercially effect such 

assignment, including, without limitation, ensuring that your employees and/or contractors do the 

same. You hereby expressly waive any rights you may obtain inconsistent with the foregoing through 

application of the law of any other country or otherwise. You hereby acknowledge that you have no 

right whatsoever and shall have no right whatsoever, whether by the express terms of this Agreement 

or by any course of conduct, to use, review, or access the source code for the Licensed Software or the 

URL Database. 

5. OTHER RESTRICTIONS. 

You may not rent or lease the Licensed System, but you may transfer the System and accompanying 

written materials on a permanent basis if you receive St. Bernard's written permission and provided 

you retain no copies and the recipient agrees to the terms of this Agreement. If the Licensed Software 

is an Update, any transfer must include the update and all prior versions. You may not modify or 

translate the Licensed Software. You further agree (i) not to remove any Licensed Software 

identification or notices of any proprietary or copyright restrictions from the Licensed Software or any 

support material; (ii) except for archival or backup copies, not to copy the Software, or any derivative 

or part thereof; develop any derivative or composite works thereof or include any portion of the 

Software in any other software program; (iii) not to provide use of the Licensed Software or System in 

a computer service business, rental or commercial timesharing arrangement; and (iv) not to develop 

methods to enable unauthorized parties to use the Licensed Software or URL Database. 

6. EQUIPMENT. 

Ownership and risk of loss (by fire, theft or the like) to the Equipment shall pass to you upon delivery, 

however, you give St. Bernard a security interest in the equipment, together with the right to repossess 

the Equipment without liability, until all payment obligations have been met. 

7. LIMITED WARRANTY AND REMEDY. 

St. Bernard warrants that (i) for a period of sixty (60) days from the original retail purchase date the 

physical media (e.g. diskette(s) or CD-ROM), and the physical documentation, will be free of defects 

in materials and workmanship (“Media Warranty”), and (ii) for the duration of the period purchased by 

you (twelve or thirty-six months as documented on St. Bernard's invoice shipped with the Licensed 

Software) and beginning with the original retail purchase date (“Warranty Period”) the Software and 


373

Equipment will substantially conform to the functionality described in the physical documentation 

(“System Warranty”) (the Media Warranty and System Warranty are collectively the “Limited 

Warranty”). This warranty applies only to equipment that has not been modified except with the prior 

written permission of St. Bernard. This warranty does not apply to damage caused by neglect or 

misuse, accident, electric power failure or causes other than ordinary use. This warranty is voidable by 

St. Bernard, at the option of St. Bernard, if you use the Equipment for any other purpose other than as 

an Internet filtering Appliance. If St. Bernard receives notification (i) within the period of sixty (60) 

days from the original retail purchase date with respect to the Media Warranty, or (ii) within the 

Warranty Period with respect to the System Warranty of any such defects, and you demonstrate such 

defects by identifying a bug or error which can be reproduced consistently, and none of the Exceptions 

specified below exist, then St. Bernard will, at its sole option and discretion, repair or replace the 

media, documentation (“Media Remedy”), repair or replace the Equipment (“Equipment Remedy”) or 

repair the Software or provide you a full refund (“Software Remedy”). If a refund is made, you will 

deliver to the place of purchase the Equipment and the media containing the Software and certify to St. 

Bernard that you have returned the Software and that you have returned, erased and/or destroyed your 

one backup copy. The foregoing is your sole and exclusive remedy and states St. Bernard's entire 

liability arising out of this Limited Warranty. Any other warranty claim, if any, must be brought to the 

distributor (or reseller), if any, who you agree shall be the sole party you look to for warranty claims 

and damages beyond the express, Limited Warranty set out herein if you obtained the Software 

through a distributor (or reseller). Moreover, this Limited Warranty is void if the damage or defect has 

resulted from accident, abuse, misuse or misapplication of the Software and/or media (collectively 

“Exceptions”). 

8. SUPPORT AND SUBSCRIPTION SERVICES. 

St. Bernard will provide technical support, software subscription and maintenance services. 

(a) TECHNICAL SUPPORT. During the Warranty Period and any Additional Warranty Period, St. 

Bernard shall provide you with Support as follows. St. Bernard's obligation to provide Support is 

conditioned on your first attempting to resolve your technical issues by consulting the Technical Tips, 

Frequently Asked Questions, and the technical iPrism product documentation including but not limited 

to the iPrism Installation Guide and the iPrism Administrator's Guide all of which are published online 

by St. Bernard (“Support Information”). If after reviewing the electronic Support Information, you are 

unable to resolve the issue, you may enter a service request (“Support Request”) by contacting St. 

Bernard as set forth below in Section 8. Telephone support shall be provided solely to you during the 

hours of 7:00 a.m. - 4:00 p.m. Monday through Friday, Pacific Daylight Time (for US, Canada, Pacific 

Rim and Latin America), 0830 - 1730 GMT (Europe, Middle East and Africa), except for Holidays 

(“Support Hours”). St. Bernard shall respond to all requests for Support pursuant to the timeline 

schedule set forth in Section (c) below or, if the request for Support is received outside of the Support 

Hours, by noon of the next business day. 

374 


(b) TECHNICAL SUPPORT CONTACT. To contact St. Bernard Software for technical support, 

choose the location appropriate to your region: 

US, Canada, Pacific Rim and Latin America: Corporate Headquarters - San Diego, CA, USA, Phone: 

858-676-5050, Fax: 858-676-5055, Email: iprism-support@stbernard.com, Hours: 7:00am - 4:00pm 

Pacific Time 

Europe, Middle East and Africa, EMEA Office - Surrey, UK, Phone: +44-1276-609-992, Fax: +44- 

1276-609-558, Email: support@stbernard.org.uk, Hours: 0830 - 1730 GMT 

Communications should include a complete description of the software behavior, version of the 

product installed, your iPrism serial number and your contact information. 

(c) TECHNICAL SUPPORT REQUEST LEVELS. St. Bernard shall classify Support Requests using 

the following definitions: 

Fatal: System is inoperable by you. 

Severe: System is operational, but you are experiencing loss of major functionality. 

Degraded: Sporadic System behavior - non-essential functions are disabled. 

Minimal Impact: All other issues 

All Support Requests shall be reported only during the Support Hours. St. Bernard shall provide you 

with an acknowledgment of the Support Request and will use commercially reasonable efforts to 

respond, as necessary in its sole discretion, according to the following schedule: 

Support Request Acknowledgment Period of time to respond 

Fatal Within four (4) hours Not more than two (2) business days 

Severe Within eight (8) hours Not more than four (4) business days 

Degraded Operations Within forty-eight (48) hours Not more than ten (10) business days 

Minimal Impact Within five (5) business days Not more than twenty (20) business days 

(d) SOFTWARE SUBSCRIPTION. You have the right to extend the Warranty Period with respect to 

the System Warranty for additional twelve (12) month periods (each an “Additional Warranty Period”) 

by paying to St. Bernard the annual support fee (“Support Fee”) as established by St. Bernard, and 

modified from time to time, before the expiration of the Warranty Period or within thirty (30) days 

before the expiration of any applicable Additional Warranty Period. A renewal notification and invoice 

will be sent seventy-five days (75) in advance of the renewal date and provided that you pay this 

invoice prior to the renewal date, your Support will continue uninterrupted. [CRR1] St. Bernard is not 

obligated to provide you any Support during an Additional Warranty Period unless the Support Fee for 

that particular Additional Warranty Period has been timely paid in advance by you. St. Bernard retains 


375

the right to modify its Support services program so long as its modifications do not decrease Support 

provided to you under this Agreement. St. Bernard has the right to cease providing Support services 

described herein upon two (2) months' prior written notice to you if St. Bernard generally ceases to 

provide Support services to its other customers and St. Bernard will provide you with a prorated refund 

for the remaining term, if any, of the Warranty Period. All of the provisions set forth in Section 6 above 

for the System Warranty shall equally apply to Support services during any Additional Warranty 

Period. If you need to manage web access for additional machines, you may purchase an additional 

machines license. The amount charged will be calculated based on the number of additional machines 

licensed and a prorated amount for the remaining months of the original Support subscription. 

Therefore, the subscription for the original and additional machines licenses are co-terminus. When 

renewed, you will be charged for the Support subscription based on the new License level. If the 

subscription lapses, you will no longer receive URL Database updates, and the system will cease to 

function. St. Bernard collects some program information from the local system. This information is not 

sold or rented to any 3rd parties. 

9. NO OTHER WARRANTIES. 

THE LIMITED WARRANTY ABOVE IS EXCLUSIVE AND IN LIEU OF ALL OTHER 

CONDITIONS AND WARRANTIES FOR THE LICENSED SOFTWARE, EQUIPMENT AND 

DOCUMENTATION. ST. BERNARD AND ITS LICENSORS MAKE NO OTHER CONDITIONS, 

GUARANTEES, OR WARRANTIES, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, AND 

EXPRESSLY DISCLAIM ALL OTHER CONDITIONS AND WARRANTIES, INCLUDING BUT 

NOT LIMITED TO IMPLIED CONDITIONS OR WARRANTIES OF MERCHANTABILITY AND 

FITNESS FOR A PARTICULAR PURPOSE. ST. BERNARD, IN NO WAY, REPRESENTS OR 

WARRANTS THAT ANY OF THE THIRD-PARTY SOFTWARE PROGRAMS, UPDATES, 

ENHANCEMENTS, VERSIONS OR ANY OTHER MEDIA (“THIRD-PARTY SOFTWARE”) 

DOWNLOADED BY YOU THROUGH YOUR USE OF ST. BERNARD SOFTWARE, IS FREE 

FROM DEFECT AND MAKES NO OTHER REPRESENTATIONS, GUARANTEES, OR 

WARRANTIES OF ANY KIND RELATING TO THE THIRD-PARTY SOFTWARE. YOU 

UNDERSTAND THAT ST. BERNARD SHALL NOT BE LIABLE TO YOU, OR ANY OTHER 

PARTY, FOR ANY DAMAGE OF ANY KIND, INCLUDING, WITHOUT LIMITATION, SYSTEM 

FAILURE, LOSS OF DATA OR INFORMATION AND/OR ANY OTHER DAMAGE OR LOSS 

RESULTING FROM THE DOWNLOADING AND/OR ACCESS OF THIRD-PARTY SOFTWARE. 

YOU UNDERSTAND THAT ALL USE OF THIRD-PARTY SOFTWARE IS SUBJECT TO THE 

TERMS AND CONDITIONS OF SUCH THIRD-PARTY LICENSE AGREEMENTS WITH ITS 

USERS AND ST. BERNARD SHALL NOT BE RESPONSIBLE FOR ANY CLAIMS RELATING 

TO ANY INFRINGEMENT OF THE THIRD-PARTY SOFTWARE. 

376 


10. DISCLAIMER OF OTHER REPRESENTATIONS. 

ALL REPRESENTATIONS OR WARRANTIES MADE OR AGREEMENTS EXECUTED BY ANY 

OTHER PARTY, INCLUDING, WITHOUT LIMITATION, ANY DISTRIBUTOR AND/OR 

RESELLER SHALL BE SUCH PARTY'S SOLE RESPONSIBILITY. 

11. LIMITATION OF LIABILITY. 

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT AND 

UNDER NO LEGAL THEORY SHALL ST. BERNARD OR ITS SUPPLIERS BE LIABLE TO YOU 

FOR ANY COSTS OF SUBSTITUTE PRODUCTS, OR FOR ANY CONSEQUENTIAL, SPECIAL, 

INCIDENTAL, PUNITIVE OR INDIRECT DAMAGES OF ANY KIND ARISING OUT OF THE 

LICENSE OF, USE OF, OR INABILITY TO USE ANY ST. BERNARD SOFTWARE OR 

DOCUMENTATION, OR YOUR INABILITY TO ACCESS AND USE THIRD-PARTY 

SOFTWARE OR ANY CLAIMS RELATING TO THE INTELLECTUAL PROPERTY RIGHTS OF 

ANY THIRDPARTY SOFTWARE, EVEN IF ST. BERNARD HAS BEEN ADVISED OF THE 

POSSIBILITY OF SUCH DAMAGES. IN NO EVENT SHALL ST. BERNARD'S OR ITS 

SUPPLIERS' LIABILITY EXCEED THE LICENSE FEE PAID BY YOU. THIS LIMITATION OF 

LIABILITY AND RISKS IS REFLECTED IN THE PRICE OF THE SOFTWARE LICENSE. 

12. INDEMNIFICATION. 

(a) You agree to defend, release, indemnify and hold St. Bernard harmless for any claims made by any 

third party that your use of Third-Party Software infringes the intellectual property rights of such third 

party. In no event shall you be entitled to bind St. Bernard to any settlement. 

(b) St. Bernard warrants that it either owns or has the right to sublicense the Licensed Software and has 

full power and authority to grant the rights described in this Agreement. In addition, St. Bernard shall 

indemnify and hold you harmless from any and all damages, losses or expenses which you or any of 

your respective officers or directors may incur, suffer or become liable for as a result of or in 

connection with any claim that any part of the Licensed Software infringes the rights of a third party in 

or to any patent, copyright or trademark, provided that you: (i) notify St. Bernard in writing promptly 

upon becoming aware of the claim, (ii) give St. Bernard such information and assistance as is 

reasonable under the circumstances, and (iii) give St. Bernard the right, at St. Bernard's sole discretion, 

to defend or settle the claim at St. Bernard's expense. St. Bernard will pay any resulting costs and 

damages finally awarded by a court with respect to any such claims. If you are prevented from using 

the Software due to an actual or claimed infringement, then at St. Bernard's option, St. Bernard shall 

promptly either obtain for you the right to continue using the intellectual property in question, replace 

or modify the intellectual property in question so that it becomes non-infringing, or terminate this 

License as it relates to the intellectual property and refund the payments paid by you for the Software, 

less reasonable amortization for use over the commercially reasonable life of the Licensed Software. 


377

THIS PARAGRAPH SETS OUT THE ENTIRE EXPOSURE OF ST. BERNARD FOR ANY 

INTELLECTUAL PROPERTY CLAIMS OR ACTUAL INFRINGEMENTS. 

13. CONSUMER PROTECTION LAWS. 

EACH OF THE PRODUCTS IS A BUSINESS PRODUCT, THE APPLICATION OF WHICH IS 

COMMERCIAL, RATHER THAN CONSUMER-ORIENTED, IN NATURE. IN EXECUTING THIS 

AGREEMENT, THE PARTIES RECOGNIZE, TO THE MAXIMUM EXTENT PERMITTED BY 

APPLICABLE LAW, THAT CONSUMER PROTECTION LAWS IN THE TERRITORY DO NOT 

APPLY. 

14. GOVERNMENT RESTRICTED RIGHTS. 

The Software and accompanying documentation are provided with Restricted Rights. You agree to 

meet all requirements necessary to ensure that such rights will be honored by the Federal Government 

and/or any international laws or regulations. Disclosure, use or reproduction of the Software and 

Documentation are subject to restrictions set forth in the Commercial Computer-Restricted Rights 

clause at Federal Acquisition Regulation 52.227-19, when applicable, or in the Department of Defense 

Federal Acquisition Regulations Supplement 252.227-7013, or any of their international equivalents. 

15. TERM. 

Upon payment of the License Fee to St. Bernard the License will remain effective until the expiration 

of term of your paid support and subscription, or any extension thereto. Unless the License Fee is paid 

before the lapse of the Trial Period, the Trial License will automatically terminate. You may terminate 

the License at any time by destroying the Software together with all copies, modifications and merged 

portions in any form. It will also terminate automatically upon your failure to comply with any term or 

condition of this Agreement. In the event of any termination of the License or lapse of the Trial 

License, you agree to promptly destroy the Software together with all copies, modifications and 

merged portions in any form. You agree that upon St. Bernard's request, you will provide St. Bernard 

with a signed certificate representing that such destruction has occurred. ST. BERNARD MAY TER- 

MINATE PROVIDING UPDATES FOR THE LICENSED SOFTWARE, IN ITS SOLE 

DISCRETION. 

16. GOVERNING LAW. 

You acknowledge that St. Bernard is based in the State of California, U.S.A. and requires uniformity 

and consistency in the laws under which it deals directly or indirectly with all of the licensees and 

sublicensees of its Software, documentation and trademarks. In addition, you acknowledge that St. 

Bernard is the proponent of this Agreement and the business transactions contemplated by this 

Agreement. Accordingly, this Agreement shall be governed by and interpreted only in accordance with 

the laws of the State of California, U.S.A., without reference to conflict of laws principles, and to the 

378 


maximum extent permitted under applicable law, you expressly waive any rights to the application of 

any other law or regulation on the effect thereof. 

17. FORUM SELECTION AND DISPUTE RESOLUTION. 

(a) Except as otherwise provided below, any controversy or claim arising out of or relating to this 

Agreement shall be submitted to final and binding arbitration before, and in accordance with, the rules 

of the American Arbitration Association (“AAA”) as modified herein. If the claim seeks damages of 

U.S. $100,000 or less, it shall be decided by a single independent arbitrator. If the claim seeks damages 

in excess of U.S. $100,000, it shall be decided by three independent arbitrators, one nominated by each 

party and one selected by the AAA, in accordance with AHA's rules and procedures. All arbitrators 

shall have expertise in the subject matter of the dispute. The arbitration process, including selection of 

the arbitrator or arbitrators, exchanges of requests for information and the arbitration hearing, shall be 

completed within sixty (60) days following the initiation of the arbitration by either party, and the 

actual arbitration hearing shall be limited to one (1) day. The arbitrator(s) shall issue a written 

judgment within ten (10) days following the arbitration hearing. Judgment upon any arbitration award 

may be entered in any court having jurisdiction thereof. This provision is self executing, and in the 

event that either party fails to appear at any properly noticed arbitration proceeding, an award may be 

entered against such party notwithstanding said failure to appear. This clause shall survive the 

termination of this Agreement. 

(b) Notwithstanding the foregoing: (1) any claim between the parties relating to the validity of the St. 

Bernard Software, the St. Bernard trademarks, or other proprietary technology or intellectual property 

shall not be determined by arbitration, but only by a court located in the Southern District of 

California, to whose sole jurisdiction the parties hereby consent or such other court in the United States 

which St. Bernard, in its sole discretion as owner of the licensed intellectual property, shall select; and 

you expressly waive any right you may have to any other forum; and (2) you acknowledge that any 

breach of your obligations under this Agreement which relates to the proprietary rights, or which is 

otherwise not subject to remedy by monetary damages, will cause St. Bernard irreparable harm, and 

that St. Bernard accordingly will be entitled to injunctive and other equitable relief in addition to all 

other remedies provided by this Agreement or available at law, in any court of competent jurisdiction. 

18. DISCLAIMER AND ACKNOWLEDGEMENTS. 

You acknowledge that the iPrism web filtering System may not be completely successful blocking user 

access to inappropriate websites. St. Bernard is not responsible if your users access inappropriate 

websites and will not be liable for any damages that might result from such access. You acknowledge 

that your organization is solely responsible for user access to any website on the Internet. You 

understand that each computer on your network must be configured to use the Appliance as a proxy 

server for the System filtering to apply to that device. You acknowledge that additional software must 

be installed on each computer or a router/firewall filter is necessary to reduce the risk of a user 


379

ypassing the System filter. You acknowledge the ability of your organization to enter a System Rating 

and that rating will take precedence over previously defined System Ratings. IN NO EVENT WILL 

ST. BERNARD BE LIABLE TO ANY PARTY FOR ANY DIRECT, INDIRECT SPECIAL OR 

CONSEQUENTIAL DAMAGES, WHETHER IN AN ACTION ARISING OUT OF CONTRACT, 

NEGLIGENCE OR TORT, ARISING OUT OF OR IN CONNECTION WITH THE USE OF THE ST. 

BERNARD SYSTEM THAT ENABLES ACCESS TO WEB SITES OR INFORMATION OVER 

THE INTERNET THAT IS DEEMED INAPPROPRIATE OR OBJECTIONABLE FOR A 

PARTICULAR USER, OR THAT BLOCK ACCESS TO AN OTHERWISE APPROPRIATE SITE. 

19. MISCELLANEOUS. 

This is the entire Agreement between you and St. Bernard, and supersedes any prior agreement, or 

representations of St. Bernard, or Distributor, if any, whether written or oral, relating to the subject 

matter of this Agreement. The parties disclaim the application of the United Nations Convention on the 

International Sale of Goods. You may not export or re-export the Software or documentation without 

the appropriate United States or foreign government licenses. If any provision of this Agreement is 

ruled invalid, such invalidity shall not affect the validity of the remaining portions of this Agreement. 

Third Party Licenses 

iPrism employs a number of third party software packages to implement its functionality. The 

copyrights and terms of use for these licenses are provided below. If you have any questions regarding 

these, please feel free to contact St. Bernard Software for clarification. 

FreeBSD 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

++++++++++++++++++++++++++++++++++++++ 

# iPrism utilizes the FreeBSD operating system as its runtime environment. 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

++++++++++++++++++++++++++++++++++++++ 

FreeBSD: src/COPYRIGHT,v 1.4 1999/09/05 21:33:47 obrien Exp $#@(#)COPYRIGHT8.2 

(Berkeley) 3/21/94 

All of the documentation and software included in the 4.4BSD and 4.4BSD-Lite Releases is 

copyrighted by The Regents of the University of California. 

Copyright 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994 

380 


The Regents of the University of California. All rights reserved. Redistribution and use in source and 

binary forms, with or without modification, are permitted provided that the following conditions are 

met: 

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the 

following disclaimer. 

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and 

the following disclaimer in the documentation and/or other materials provided with the distribution. 

3. All advertising materials mentioning features or use of this software must display the following 

acknowledgement: 

This product includes software developed by the University of California, Berkeley and its 

contributors. 

4. Neither the name of the University nor the names of its contributors may be used to endorse or 

promote products derived from this software without specific prior written permission. 

THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS “AS IS” AND 

ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 

IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 

PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS 

BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 

CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 

SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 

INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 

CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 

ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 

POSSIBILITY OF SUCH DAMAGE. 

The Institute of Electrical and Electronics Engineers and the American National Standards Committee 

X3, on Information Processing Systems have given us permission to reprint portions of their 

documentation. In the following statement, the phrase “this text” refers to portions of the system 

documentation. 

Portions of this text are reprinted and reproduced in electronic form in the second BSD Networking 

Software Release, from IEEE Std 1003.1-1988, IEEE Standard Portable Operating System Interface 

for Computer Environments (POSIX), copyright C 1988 by the Institute of Electrical and Electronics 

Engineers, Inc. In the event of any discrepancy between these versions and the original IEEE Standard, 

the original IEEE Standard is the referee document. 

In the following statement, the phrase “This material” refers to portions of the system documentation. 


381

This material is reproduced with permission from American National Standards Committee X3, on 

Information Processing Systems. Computer and Business Equipment Manufacturers Association 

(CBEMA), 311 First St., NW, Suite 500, Washington, DC 20001-2178. The developmental work of 

Programming Language C was completed by the X3J11 Technical Committee. 

The views and conclusions contained in the software and documentation are those of the authors and 

should not be interpreted as representing official policies, either expressed or implied, of the Regents 

of the University of California. 

NOTE: The copyright of UC Berkeley's Berkeley Software Distribution (“BSD”) source has been 

updated. The copyright addendum may be found at ftp://ftp.cs.berkeley.edu/pub/4bsd/ 

README.Impt.License.Change and is included below. 

July 22, 1999 

To All Licensees, Distributors of Any Version of BSD: 

As you know, certain of the Berkeley Software Distribution (“BSD”) source code files require that 

further distributions of products containing all or portions of the software, acknowledge within their 

advertising materials that such products contain software developed by UC Berkeley and its 

contributors. 

Specifically, the provision reads: 



“This product includes software developed by the University of California, Berkeley and its 

contributors.” 

Effective immediately, licensees and distributors are no longer required to include the 

acknowledgement within advertising materials. Accordingly, the foregoing paragraph of those BSD 

Unix files containing it is hereby deleted in its entirety. 

William Hoskins 

Director, Office of Technology Licensing 

University of California, Berkeley 

382 


LibPCAP & TCPDump 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

++++++++++++++++++++++++++++++++++++++ 

These OpenSource products provide a means to capture, manage, and decode packets from a network 

interface. 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

++++++++++++++++++++++++++++++++++++++ 

Redistribution and use in source and binary forms, with or without modification, are permitted 

provided that the following conditions are met: 





3. The names of the authors may not be used to endorse or promote products derived from this 

software without specific prior written permission. 

THIS SOFTWARE IS PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED 

WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 

MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 

VI 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

++++++++++++++++++++++++++++++++++++++ 

This is an editor that is included with iPrism to facilitate development and debugging. It is not end-user 

accessible. 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

++++++++++++++++++++++++++++++++++++++ 

The vi program is freely redistributable. You are welcome to copy, modify and share it with others 

under the conditions listed in this file. If any company (not any individual!) finds vi sufficiently useful 

that you would have purchased it, or if any company wishes to redistribute it, contributions to the 

authors would be appreciated. 

Copyright (c) 1991, 1992, 1993, 1994 The Regents of the University of California. All rights reserved. 

Copyright (c) 1991, 1992, 1993, 1994, 1995, 1996 Keith Bostic. All rights reserved. 


383









This product includes software developed by the University of California, Berkeley and its 

contributors. 














384 


Perl5 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

++++++++++++++++++++++++++++++++++++++ 

Perl5 is used extensively in iPrism as a high level programming language. 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

++++++++++++++++++++++++++++++++++++++ 

The “Artistic License” 

Preamble 

The intent of this document is to state the conditions under which a Package may be copied, such that 

the Copyright Holder maintains some semblance of artistic control over the development of the 

package, while giving the users of the package the right to use and distribute the Package in a more-orless 

customary fashion, plus the right to make reasonable modifications. 

Definitions: 

“Package” refers to the collection of files distributed by the Copyright Holder, and derivatives of that 

collection of files created through textual modification. 

“Standard Version” refers to such a Package if it has not been modified, or has been modified in 

accordance with the wishes of the Copyright Holder as specified below. 

“Copyright Holder” is whoever is named in the copyright or copyrights for the package. 

“You” is you, if you're thinking about copying or distributing this Package. 

“Reasonable copying fee” is whatever you can justify on the basis of media cost, duplication charges, 

time of people involved, and so on. (You will not be required to justify it to the Copyright Holder, but 

only to the computing community at large as a market that must bear the fee.) 

“Freely Available” means that no fee is charged for the item itself, though there may be fees involved 

in handling the item. It also means that recipients of the item may redistribute it under the same 

conditions they received it. 

1. You may make and give away verbatim copies of the source form of the Standard Version of this 

Package without restriction, provided that you duplicate all of the original copyright notices and 

associated disclaimers. 

2. You may apply bug fixes, portability fixes and other modifications derived from the Public Domain 

or from the Copyright Holder. A Package modified in such a way shall still be considered the Standard 

Version. 


385

3. You may otherwise modify your copy of this Package in any way, provided that you insert a 

prominent notice in each changed file stating how and when you changed that file, and provided that 

you do at least ONE of the following: 

a) place your modifications in the Public Domain or otherwise make them Freely Available, such as by 

posting said modifications to Usenet or an equivalent medium, or placing the modifications on a major 

archive site such as uunet.uu.net, or by allowing the Copyright Holder to include your modifications in 

the Standard Version of the Package. 

b) use the modified Package only within your corporation or organization. 

c) rename any non-standard executables so the names do not conflict with standard executables, which 

must also be provided, and provide a separate manual page for each non-standard executable that 

clearly documents how it differs from the Standard Version. 

d) make other distribution arrangements with the Copyright Holder. 

4. You may distribute the programs of this Package in object code or executable form, provided that 


a) distribute a Standard Version of the executables and library files, together with instructions (in the 

manual page or equivalent) on where to get the Standard Version. 

b) accompany the distribution with the machine-readable source of the Package with your 

modifications. 

c) give non-standard executables non-standard names, and clearly document the differences in manual 

pages (or equivalent), together with instructions on where to get the Standard Version. 


5. You may charge a reasonable copying fee for any distribution of this Package. You may charge any 

fee you choose for support of this Package. You may not charge a fee for this Package itself. However, 

you may distribute this Package in aggregate with other (possibly commercial) programs as part of a 

larger (possibly commercial) software distribution provided that you do not advertise this Package as a 

product of your own. You may embed this Package's interpreter within an executable of yours (by 

linking); this shall be construed as a mere form of aggregation, provided that the complete Standard 

Version of the interpreter is so embedded. 

6. The scripts and library files supplied as input to or produced as output from the programs of this 

Package do not automatically fall under the copyright of this Package, but belong to whoever 

generated them, and may be sold commercially, and may be aggregated with this Package. If such 

scripts or library files are aggregated with this Package via the so-called “undump” or “unexec” 

methods of producing a binary executable image, then distribution of such an image shall neither be 

386 


construed as a distribution of this Package nor shall it fall under the restrictions of Paragraphs 3 and 4, 

provided that you do not represent such an executable image as a Standard Version of this Package. 

7. C subroutines (or comparably compiled subroutines in other languages) supplied by you and linked 

into this Package in order to emulate subroutines and variables of the language defined by this Package 

shall not be considered part of this Package, but are the equivalent of input as in Paragraph 6, provided 

these subroutines do not change the language in any way that would cause it to fail the regression tests 

for the language. 

8. Aggregation of this Package with a commercial distribution is always permitted provided that the 

use of this Package is embedded; that is, when no overt attempt is made to make this Package's 

interfaces visible to the end user of the commercial distribution. Such use shall not be construed as a 

distribution of this Package. 

9. The name of the Copyright Holder may not be used to endorse or promote products derived from 

this software without specific prior written permission. 

10. THIS PACKAGE IS PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED 


MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. 

The End 

Sendmail 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

++++++++++++++++++++++++++++++++++++++ 

Sendmail is a mail transfer agent used by iPrism to send email to the administrator for a variety of 

reasons. 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

++++++++++++++++++++++++++++++++++++++ 

SENDMAIL LICENSE 

The following license terms and conditions apply, unless a different license is obtained from Sendmail, 

Inc., 6425 Christie Ave, Fourth Floor, Emeryville, CA 94608, or by electronic mail at 

license@sendmail.com. 

License Terms: 

Use, Modification and Redistribution (including distribution of any modified or derived work) in 

source and binary forms is permitted only if each of the following conditions is met: 

1. Redistributions qualify as “freeware” or “Open Source Software” under one of the following terms: 


387

(a) Redistributions are made at no charge beyond the reasonable cost of materials and delivery. 

(b) Redistributions are accompanied by a copy of the Source Code or by an irrevocable offer to 

provide a copy of the Source Code for up to three years at the cost of materials and delivery. 

Such redistributions must allow further use, modification, and redistribution of the Source Code under 

substantially the same terms as this license. For the purposes of redistribution “Source Code” means 

the complete compilable and linkable source code of sendmail including all modifications. 

2. Redistributions of source code must retain the copyright notices as they appear in each source code 

file, these license terms, and the disclaimer/limitation of liability set forth as paragraph 6 below. 

3. Redistributions in binary form must reproduce the Copyright Notice, these license terms, and the 

disclaimer/limitation of liability set forth as paragraph 6 below, in the documentation and/or other 

materials provided with the distribution. For the purposes of binary distribution the “Copyright 

Notice” refers to the following language: 

“Copyright (c) 1998-2001 Sendmail, Inc. All rights reserved.” 

4. Neither the name of Sendmail, Inc. nor the University of California nor the names of their 

contributors may be used to endorse or promote products derived from this software without specific 

prior written permission. The name “sendmail” is a trademark of Sendmail, Inc. 

5. All redistributions must comply with the conditions imposed by the University of California on 

certain embedded code, whose copyright notice and conditions for redistribution are as follows: 

(a) Copyright (c) 1988, 1993 The Regents of the University of California. All rights reserved. 

(b) Redistribution and use in source and binary forms, with or without modification, are permitted 


(i) Redistributions of source code must retain the above copyright notice, this list of conditions and the 


(ii) Redistributions in binary form must reproduce the above copyright notice, this list of conditions 

and the following disclaimer in the documentation and/or other materials provided with the 

distribution. 

(iii) Neither the name of the University nor the names of its contributors may be used to endorse or 


6. Disclaimer/Limitation of Liability: THIS SOFTWARE IS PROVIDED BY SENDMAIL, INC. 

AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, 

INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY 

AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL 

SENDMAIL, INC., THE REGENTS OF THE UNIVERSITY OF CALIFORNIA OR 

388 


CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 

EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 

PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 

PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 

LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 

NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 

SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 

$Revision: 1.1.1.1 $, Last updated $Date: 2001/06/13 21:52:18 $ 

OpenSSL 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

++++++++++++++++++++++++++++++++++++++ 

OpenSSL is used to implement TLS and Secure Sockets Layer. These are used in the HTTPs protocol 

implementation. 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

++++++++++++++++++++++++++++++++++++++ 

LICENSE ISSUES 

The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and 

the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both 

licenses are BSD-style Open Source licenses. 

In case of any license issues related to OpenSSL please contact openssl-core@openssl.org. 

OpenSSL License 

Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. 








acknowledgment: 


389

“This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. 

(http://www.openssl.org/) 

4. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote 

products derived from this software without prior written permission. For written permission, please 

contact openssl-core@openssl.org. 

5. Products derived from this software may not be called “OpenSSL” nor may “OpenSSL” appear in 

their names without prior written permission of the OpenSSL Project. 

6. Redistributions of any form whatsoever must retain the following acknowledgment: 

“This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit 

(http://www.openssl.org/)” 

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT “AS IS” AND ANY EXPRESSED 

OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 

WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 

DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE 

LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 







==================================================================== 

This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This 

product includes software written by Tim Hudson (tjh@cryptsoft.com). 

Original SSLeay License 

Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) All rights reserved. 

This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The 

implementation was written so as to conform with Netscape’s SSL. 

This library is free for commercial and non-commercial use as long as the following conditions are 

adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, 

lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is 

covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com). 

Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. 

390 


If this package is used in a product, Eric Young should be given attribution as the author of the parts of 

the library used. This can be in the form of a textual message at program startup or in documentation 

(online or textual) provided with the package. 



1. Redistributions of source code must retain the copyright notice, this list of conditions and the 






“This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)” 

The word 'cryptographic' can be left out if the routines from the library being used are not 

cryptographic related :-). 

4. If you include any Windows specific code (or a derivative thereof) from the apps directory 

(application code) you must include an acknowledgement: 

“This product includes software written by Tim Hudson (tjh@cryptsoft.com)” 

THIS SOFTWARE IS PROVIDED BY ERIC YOUNG “AS IS” AND ANY EXPRESS OR IMPLIED 

WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 

MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN 

NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, 

INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 

(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 

SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 

CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 

LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 

OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH 

DAMAGE. 

The licence and distribution terms for any publicly available version or derivative of this code cannot 

be changed. i.e. this code cannot simply be copied and put under another distribution licence 

[including the GNU Public Licence.] 


391

GNU V1 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

++++++++++++++++++++++++++++++++++++++ 

Several open source packages utilize the GNU license. Below specific packages will refer to a GNU 

license. Note there are 3 GNU licenses, the V1, V2 and The Library license. These are different 

licenses and each product with call out which specific license governs it's use. 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

++++++++++++++++++++++++++++++++++++++ 

GNU GENERAL PUBLIC LICENSE 

Version 1, February 1989 

Copyright (C) 1989 Free Software Foundation, Inc. 

675 Mass Ave, Cambridge, MA 02139, USA 

Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it 

is not allowed. 

The Free Software Foundation has exempted Bash from the requirement of Paragraph 2c of the 

General Public License. This is to say, there is no requirement for Bash to print a notice when it is 

started interactively in the usual way. We made this exception because users and standards expect 

shells not to print such messages. This exception applies to any program that serves as a shell and that 

is based primarily on Bash as opposed to other GNU software. 

Preamble 

The license agreements of most software companies try to keep users at the mercy of those companies. 

By contrast, our General Public License is intended to guarantee your freedom to share and change 

free software--to make sure the software is free for all its users. The General Public License applies to 

the Free Software Foundation's software and to any other program whose authors commit to using it. 

You can use it for your programs, too. 

When we speak of free software, we are referring to freedom, not price. Specifically, the General 

Public License is designed to make sure that you have the freedom to give away or sell copies of free 

software, that you receive source code or can get it if you want it, that you can change the software or 

use pieces of it in new free programs; and that you know you can do these things. 

To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to 

ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you 

distribute copies of the software, or if you modify it. 

392 


For example, if you distribute copies of a such a program, whether gratis or for a fee, you must give the 

recipients all the rights that you have. You must make sure that they, too, receive or can get the source 

code. And you must tell them their rights. 

We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which 

gives you legal permission to copy, distribute and/or modify the software. 

Also, for each author's protection and ours, we want to make certain that everyone understands that 

there is no warranty for this free software. If the software is modified by someone else and passed on, 

we want its recipients to know that what they have is not the original, so that any problems introduced 

by others will not reflect on the original authors' reputations. 

The precise terms and conditions for copying, distribution and modification follow. 


TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 

0. This License Agreement applies to any program or other work which contains a notice placed by the 

copyright holder saying it may be distributed under the terms of this General Public License. The 

“Program”, below, refers to any such program or work, and a “work based on the Program” means 

either the Program or any work containing the Program or a portion of it, either verbatim or with 

modifications. Each licensee is addressed as “you”. 

1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any 

medium, provided that you conspicuously and appropriately publish on each copy an appropriate 

copyright notice and disclaimer of warranty; keep intact all the notices that refer to this General Public 

License and to the absence of any warranty; and give any other recipients of the Program a copy of this 

General Public License along with the Program. You may charge a fee for the physical act of 

transferring a copy. 

2. You may modify your copy or copies of the Program or any portion of it, and copy and distribute 

such modifications under the terms of Paragraph 1 above, provided that you also do the following: 

a) cause the modified files to carry prominent notices stating that you changed the files and the date of 

any change; and 

b) cause the whole of any work that you distribute or publish, that in whole or in part contains the 

Program or any part thereof, either with or without modifications, to be licensed at no charge to all 

third parties under the terms of this General Public License (except that you may choose to grant 

warranty protection to some or all third parties, at your option). 

c) If the modified program normally reads commands interactively when run, you must cause it, when 

started running for such interactive use in the simplest and most usual way, to print or display an 

announcement including an appropriate copyright notice and a notice that there is no warranty (or else, 


393

saying that you provide a warranty) and that users may redistribute the program under these 

conditions, and telling the user how to view a copy of this General Public License. 

d) You may charge a fee for the physical act of transferring a copy, and you may at your option offer 

warranty protection in exchange for a fee. Mere aggregation of another independent work with the 

Program (or its derivative) on a volume of a storage or distribution medium does not bring the other 

work under the scope of these terms. 

3. You may copy and distribute the Program (or a portion or derivative of it, under Paragraph 2) in 

object code or executable form under the terms of Paragraphs 1 and 2 above provided that you also do 

one of the following: 

a) accompany it with the complete corresponding machine-readable source code, which must be 

distributed under the terms of Paragraphs 1 and 2 above; or, 

b) accompany it with a written offer, valid for at least three years, to give any third party free (except 

for a nominal charge for the cost of distribution) a complete machine-readable copy of the 

corresponding source code, to be distributed under the terms of Paragraphs 1 and 2 above; or, 

c) accompany it with the information you received as to where the corresponding source code may be 

obtained. (This alternative is allowed only for noncommercial distribution and only if you received the 

program in object code or executable form alone.) Source code for a work means the preferred form of 

the work for making modifications to it. For an executable file, complete source code means all the 

source code for all modules it contains; but, as a special exception, it need not include source code for 

modules which are standard libraries that accompany the operating system on which the executable 

file runs, or for standard header files or definitions files that accompany that operating system. 

4. You may not copy, modify, sublicense, distribute or transfer the Program except as expressly 

provided under this General Public License. Any attempt otherwise to copy, modify, sublicense, 

distribute or transfer the Program is void, and will automatically terminate your rights to use the 

Program under this License. However, parties who have received copies, or rights to use copies, from 

you under this General Public License will not have their licenses terminated so long as such parties 

remain in full compliance. 

5. By copying, distributing or modifying the Program (or any work based on the Program) you indicate 

your acceptance of this license to do so, and all its terms and conditions. 

6. Each time you redistribute the Program (or any work based on the Program), the recipient 

automatically receives a license from the original licensor to copy, distribute or modify the Program 

subject to these terms and conditions. You may not impose any further restrictions on the recipients' 

exercise of the rights granted herein. 

394 


7. The Free Software Foundation may publish revised and/or new versions of the General Public 

License from time to time. Such new versions will be similar in spirit to the present version, but may 

differ in detail to address new problems or concerns. 

Each version is given a distinguishing version number. If the Program specifies a version number of 

the license which applies to it and “any later version”, you have the option of following the terms and 

conditions either of that version or of any later version published by the Free Software Foundation. If 

the Program does not specify a version number of the license, you may choose any version ever 

published by the Free Software Foundation. 

8. If you wish to incorporate parts of the Program into other free programs whose distribution 

conditions are different, write to the author to ask for permission. For software which is copyrighted by 

the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions 

for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of 

our free software and of promoting the sharing and reuse of software generally. 

NO WARRANTY 

9. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY 

FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN 

OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES 

PROVIDE THE PROGRAM “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER 

EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 

WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE 

ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH 

YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL 

NECESSARY SERVICING, REPAIR OR CORRECTION. 

10. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 

WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR 

REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR 

DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL 

DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM 

(INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED 

INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF 

THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER 

OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 

END OF TERMS AND CONDITIONS 


395

Appendix: How to Apply These Terms to Your New Programs 

If you develop a new program, and you want it to be of the greatest possible use to humanity, the best 

way to achieve this is to make it free software which everyone can redistribute and change under these 

terms. 

To do so, attach the following notices to the program. It is safest to attach them to the start of each 

source file to most effectively convey the exclusion of warranty; and each file should have at least the 

“copyright” line and a pointer to where the full notice is found. 

That's all there is to it! 

GNU v2 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

++++++++++++++++++++++++++++++++++++++ 

GNU V2: This is version 2 of the GNU license. Programs which use this will call it out below. 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

++++++++++++++++++++++++++++++++++++++ 


Version 2, June 1991 

Copyright (C) 1989, 1991 Free Software Foundation, Inc. 

675 Mass Ave, Cambridge, MA 02139, USA 

Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it 

is not allowed. 

Preamble 

The licenses for most software are designed to take away your freedom to share and change it. By 

contrast, the GNU General Public License is intended to guarantee your freedom to share and change 

free software--to make sure the software is free for all its users. This General Public License applies to 

most of the Free Software Foundation's software and to any other program whose authors commit to 

using it. (Some other Free Software Foundation software is covered by the GNU Library General 

Public License instead.) You can apply it to your programs, too. 

When we speak of free software, we are referring to freedom, not price. Our General Public Licenses 

are designed to make sure that you have the freedom to distribute copies of free software (and charge 

for this service if you wish), that you receive source code or can get it if you want it, that you can 

change the software or use pieces of it in new free programs; and that you know you can do these 

things. 

To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to 

ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you 

distribute copies of the software, or if you modify it. 

For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the 

recipients all the rights that you have. You must make sure that they, too, receive or can get the source 

code. And you must show them these terms so they know their rights. 


397

We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which 

gives you legal permission to copy, distribute and/or modify the software. 

Also, for each author's protection and ours, we want to make certain that everyone understands that 

there is no warranty for this free software. If the software is modified by someone else and passed on, 

we want its recipients to know that what they have is not the original, so that any problems introduced 

by others will not reflect on the original authors' reputations. 

Finally, any free program is threatened constantly by software patents. We wish to avoid the danger 

that redistributors of a free program will individually obtain patent licenses, in effect making the 

program proprietary. To prevent this, we have made it clear that any patent must be licensed for 

everyone's free use or not licensed at all. 

The precise terms and conditions for copying, distribution and modification follow. 


TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 

0. This License applies to any program or other work which contains a notice placed by the copyright 

holder saying it may be distributed under the terms of this General Public License. The “Program”, 

below, refers to any such program or work, and a “work based on the Program” means either the 

Program or any derivative work under copyright law: that is to say, a work containing the Program or a 

portion of it, either verbatim or with modifications and/or translated into another language. 

(Hereinafter, translation is included without limitation in the term “modification”.) Each licensee is 

addressed as “you”. 

Activities other than copying, distribution and modification are not covered by this License; they are 

outside its scope. The act of running the Program is not restricted, and the output from the Program is 

covered only if its contents constitute a work based on the Program (independent of having been made 

by running the Program). Whether that is true depends on what the Program does. 

1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any 

medium, provided that you conspicuously and appropriately publish on each copy an appropriate 

copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to 

the absence of any warranty; and give any other recipients of the Program a copy of this License along 

with the Program. 

You may charge a fee for the physical act of transferring a copy, and you may at your option offer 

warranty protection in exchange for a fee. 

2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based 

on the Program, and copy and distribute such modifications or work under the terms of Section 1 

above, provided that you also meet all of these conditions: 

398 


a) You must cause the modified files to carry prominent notices stating that you changed the files and 

the date of any change. 

b) You must cause any work that you distribute or publish, that in whole or in part contains or is 

derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties 

under the terms of this License. 

c) If the modified program normally reads commands interactively when run, you must cause it, when 

started running for such interactive use in the most ordinary way, to print or display an announcement 

including an appropriate copyright notice and a notice that there is no warranty (or else, saying that 

you provide a warranty) and that users may redistribute the program under these conditions, and telling 

the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not 

normally print such an announcement, your work based on the Program is not required to print an 

announcement.) 

These requirements apply to the modified work as a whole. If identifiable sections of that work are not 

derived from the Program, and can be reasonably considered independent and separate works in 

themselves, then this License, and its terms, do not apply to those sections when you distribute them as 

separate works. But when you distribute the same sections as part of a whole which is a work based on 

the Program, the distribution of the whole must be on the terms of this License, whose permissions for 

other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. 

Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by 

you; rather, the intent is to exercise the right to control the distribution of derivative or collective works 

based on the Program. 

In addition, mere aggregation of another work not based on the Program with the Program (or with a 

work based on the Program) on a volume of a storage or distribution medium does not bring the other 

work under the scope of this License. 

3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or 

executable form under the terms of Sections 1 and 2 above provided that you also do one of the 

following: 

a) Accompany it with the complete corresponding machine-readable source code, which must be 

distributed under the terms of Sections 1 and 2 above on a medium customarily used for software 

interchange; or, 

b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge 

no more than your cost of physically performing source distribution, a complete machine-readable 

copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on 

a medium customarily used for software interchange; or, 


399

c) Accompany it with the information you received as to the offer to distribute corresponding source 

code. (This alternative is allowed only for noncommercial distribution and only if you received the 

program in object code or executable form with such an offer, in accord with Subsection b above.) 

The source code for a work means the preferred form of the work for making modifications to it. For 

an executable work, complete source code means all the source code for all modules it contains, plus 

any associated interface definition files, plus the scripts used to control compilation and installation of 

the executable. However, as a special exception, the source code distributed need not include anything 

that is normally distributed (in either source or binary form) with the major components (compiler, 

kernel, and so on) of the operating system on which the executable runs, unless that component itself 

accompanies the executable. 

If distribution of executable or object code is made by offering access to copy from a designated place, 

then offering equivalent access to copy the source code from the same place counts as distribution of 

the source code, even though third parties are not compelled to copy the source along with the object 

code. 

4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under 

this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and 

will automatically terminate your rights under this License. However, parties who have received 

copies, or rights, from you under this License will not have their licenses terminated so long as such 

parties remain in full compliance. 

5. You are not required to accept this License, since you have not signed it. However, nothing else 

grants you permission to modify or distribute the Program or its derivative works. These actions are 

prohibited by law if you do not accept this License. Therefore, by modifying or distributing the 

Program (or any work based on the Program), you indicate your acceptance of this License to do so, 

and all its terms and conditions for copying, distributing or modifying the Program or works based on 

it. 

6. Each time you redistribute the Program (or any work based on the Program), the recipient 

automatically receives a license from the original licensor to copy, distribute or modify the Program 

subject to these terms and conditions. You may not impose any further restrictions on the recipients' 

exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties 

to this License. 

7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason 

(not limited to patent issues), conditions are imposed on you (whether by court order, agreement or 

otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of 

this License. If you cannot distribute so as to satisfy simultaneously your obligations under this 

License and any other pertinent obligations, then as a consequence you may not distribute the Program 

400 


at all. For example, if a patent license would not permit royalty-free redistribution of the Program by 

all those who receive copies directly or indirectly through you, then the only way you could satisfy 

both it and this License would be to refrain entirely from distribution of the Program. 

If any portion of this section is held invalid or unenforceable under any particular circumstance, the 

balance of the section is intended to apply and the section as a whole is intended to apply in other 

circumstances. 

It is not the purpose of this section to induce you to infringe any patents or other property right claims 

or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of 

the free software distribution system, which is implemented by public license practices. Many people 

have made generous contributions to the wide range of software distributed through that system in 

reliance on consistent application of that system; it is up to the author/donor to decide if he or she is 

willing to distribute software through any other system and a licensee cannot impose that choice. 

This section is intended to make thoroughly clear what is believed to be a consequence of the rest of 

this License. 

8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by 

copyrighted interfaces, the original copyright holder who places the Program under this License may 

add an explicit geographical distribution limitation excluding those countries, so that distribution is 

permitted only in or among countries not thus excluded. In such case, this License incorporates the 

limitation as if written in the body of this License. 

9. The Free Software Foundation may publish revised and/or new versions of the General Public 

License from time to time. Such new versions will be similar in spirit to the present version, but may 

differ in detail to address new problems or concerns. 

Each version is given a distinguishing version number. If the Program specifies a version number of 

this License which applies to it and “any later version”, you have the option of following the terms and 

conditions either of that version or of any later version published by the Free Software Foundation. If 

the Program does not specify a version number of this License, you may choose any version ever 

published by the Free Software Foundation. 

10. If you wish to incorporate parts of the Program into other free programs whose distribution 

conditions are different, write to the author to ask for permission. For software which is copyrighted by 

the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions 

for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of 

our free software and of promoting the sharing and reuse of software generally. 

NO WARRANTY 


401

11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY 









12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 










Appendix: How to Apply These Terms to Your New Programs 

If you develop a new program, and you want it to be of the greatest possible use to the public, the best 

way to achieve this is to make it free software which everyone can redistribute and change under these 

terms. 

To do so, attach the following notices to the program. It is safest to attach them to the start of each 

source file to most effectively convey the exclusion of warranty; and each file should have at least the 

“copyright” line and a pointer to where the full notice is found. 

You should have received a copy of the GNU General Public License along with this program; if not, 

write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. 

Also add information on how to contact you by electronic and paper mail. 

If the program is interactive, make it output a short notice like this when it starts in an interactive 

mode: 

Gnomovision version 69, Copyright (C) 19yy name of author 

Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 

This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for 

details. 

The hypothetical commands `show w' and `show c' should show the appropriate parts of the General 

Public License. Of course, the commands you use may be called something other than `show w' and 

`show c'; they could even be mouse-clicks or menu items--whatever suits your program. 

You should also get your employer (if you work as a programmer) or your school, if any, to sign a 

“copyright disclaimer” for the program, if necessary. Here is a sample; alter the names: 

Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes 

passes at compilers) written by James Hacker. 

, 1 April 1989 

Ty Coon, President of Vice 

This General Public License does not permit incorporating your program into proprietary programs. If 

your program is a subroutine library, you may consider it more useful to permit linking proprietary 

applications with the library. If this is what you want to do, use the GNU Library General Public 

License instead of this License. 

Bind 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

++++++++++++++++++++++++++++++++++++++ 

Bind implements a name server used to resolve DNS names into IP addresses. 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

++++++++++++++++++++++++++++++++++++++ 

Copyright (c) 1993-2000 by Internet Software Consortium, Inc. 

Permission to use, copy, modify, and distribute this software for any purpose with or without fee is 

hereby granted, provided that the above copyright notice and this permission notice appear in all 

copies. 


403

THE SOFTWARE IS PROVIDED “AS IS” AND INTERNET SOFTWARE CONSORTIUM 

DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL 

IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL 

INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, 

OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM 

LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, 

NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION 

WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 

Internet Software Consortium 

950 Charter Street 

Redwood City, CA 94063 

Tel: 1-888-868-1001 (toll free in U.S.) 

Tel: 1-650-779-7091 

Fax: 1-650-779-7055 

Email: 

RSA 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

++++++++++++++++++++++++++++++++++++++ 

Portions of BIND include code from RSA which provide enhanced security. That code is governed by 

the following license: 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

++++++++++++++++++++++++++++++++++++++ 

DNSSAFE LICENSE TERMS 

This BIND software includes the DNSsafe software from RSA Data Security, Inc., which is 

copyrighted software that can only be distributed under the terms of this license agreement. 

The DNSsafe software cannot be used or distributed separately from the BIND software. You only 

have the right to use it or distribute it as a bundled, integrated product. 

The DNSsafe software can ONLY be used to provide authentication for resource records in the 

Domain Name System, as specified in RFC 2065 and successors. You cannot modify the BIND 

software to use the DNSsafe software for other purposes, or to make its cryptographic functions 

available to end-users for other uses. 

404 


If you modify the DNSsafe software itself, you cannot modify its documented API, and you must grant 

RSA Data Security the right to use, modify, and distribute your modifications, including the right to 

use any patents or other intellectual property that your modifications depend upon. 

You must not remove, alter, or destroy any of RSA’s copyright notices or license information. When 

distributing the software to the Federal Government, it must be licensed to them as “commercial 

computer software” protected under 48 CFR 12.212 of the FAR, or 48 CFR 227.7202.1 of the DFARS. 

You must not violate United States export control laws by distributing the DNSsafe software or 

information about it, when such distribution is prohibited by law. 

THE DNSSAFE SOFTWARE IS PROVIDED “AS IS” WITHOUT ANY WARRANTY 

WHATSOEVER. RSA HAS NO OBLIGATION TO SUPPORT, CORRECT, UPDATE OR 

MAINTAIN THE RSA SOFTWARE. RSA DISCLAIMS ALL WARRANTIES, EXPRESS, IMPLIED 

OR STATUTORY, AS TO ANY MATTER WHATSOEVER, INCLUDING ALL IMPLIED 

WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 

NON-INFRINGEMENT OF THIRD PARTY RIGHTS. 

If you desire to use DNSsafe in ways that these terms do not permit, please contact RSA Data Security, 

Inc., 100 Marine Parkway, Redwood City, California 94065, USA, to discuss alternate licensing 

arrangements. 

Magelang 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

++++++++++++++++++++++++++++++++++++++ 

Magelang produces some Java based GUI components that are used in portions of the user interface. 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

++++++++++++++++++++++++++++++++++++++ 

Use this code at your own risk! MageLang Institute is not responsible for any damage caused directly 

or indirectly through use of this code. 

SOFTWARE RIGHTS 

TabSplitter, version 2.0, Scott Stanchfield, MageLang Institute 

We reserve no legal rights to this code--it is fully in the public domain. An individual or company may 

do whatever they wish with source code distributed with it, including the incorporation of it into 

commercial software. 

However, this code cannot be sold as a standalone product.We encourage users to develop software 

with this code. However, we do ask that credit is given to us for developing it. 


405

By “credit”, we mean that if you use these components or incorporate any source code into one of your 

programs (commercial product, research project, or otherwise) that you acknowledge this fact 

somewhere in the documentation, research report, etc... If you like these components and have 

developed a nice tool with the output, please mention that you developed it using these components. In 

addition, we ask that the headers remain intact in our source code. As long as these guidelines are kept, 

we expect to continue enhancing this system and expect to make other tools available as they are 

completed. 

The MageLang Support Classes Gang: 

@version TabSplitter 2.0, MageLang Institute, Jan. 18, 1998 

@author Scott Stanchfield, MageLang Institute 

GNU Java regexp 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

++++++++++++++++++++++++++++++++++++++ 

The GNU Java regexp packages is used to perform regular expression pattern matching in the user 

interface. 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

++++++++++++++++++++++++++++++++++++++ 

See “GNU v2” on page 310 

LibBF 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

++++++++++++++++++++++++++++++++++++++ 

This library provides blowfish encryption capabilities used by iPrism. 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

++++++++++++++++++++++++++++++++++++++ 

Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com) 

All rights reserved. 

This package is an Blowfish implementation written by Eric Young (eay@cryptsoft.com). 

This library is free for commercial and non-commercial use as long as the following conditions are 

adhered to. The following conditions apply to all code found in this distribution. 

406 


Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. 









This product includes software developed by Eric Young (eay@cryptsoft.com) 

THIS SOFTWARE IS PROVIDED BY ERIC YOUNG “AS IS” AND ANY EXPRESS OR IMPLIED 



NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, 







DAMAGE. 

The license and distribution terms for any publicly available version or derivative of this code cannot 

be changed. i.e. this code cannot simply be copied and put under another distribution license [including 

the GNU Public License.] 

The reason behind this being stated in this direct manner is past experience in code simply being 

copied and the attribution removed from it and then being distributed as part of other packages. This 

implementation was a non-trivial and unpaid effort. 

OpenLDAP 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

++++++++++++++++++++++++++++++++++++++ 

OpenLDAP is used by iPrism to implement the LDAP protocol. 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 


407

++++++++++++++++++++++++++++++++++++++ 

Copyright 1998-2000 The OpenLDAP Foundation, Redwood City, California, USA 


Redistribution and use in source and binary forms are permitted only as authorized by the OpenLDAP 

Public License. A copy of this license is available at http://www.OpenLDAP.org/license.html or in file 

LICENSE in the top-level directory of the distribution. 

This work is derived from the University of Michigan LDAP v3.3 distribution. Information concerning 

is available at http://www.umich.edu/~dirsvcs/ldap/ldap.html or from ldap-support@umich.edu. 

This work also contains materials derived from public sources. 

Additional Information about OpenLDAP can be obtained at: 

http://www.openldap.org/ 

or by sending e-mail to: 

info@OpenLDAP.org 

Portions Copyright (c) 1992-1996 Regents of the University of Michigan. 


Redistribution and use in source and binary forms are permitted provided that this notice is preserved 

and that due credit is given to the University of Michigan at Ann Arbor. The name of the University 

may not be used to endorse or promote products derived from this software without specific prior 

written permission. This software is provided “as is” without express or implied warranty. 

The OpenLDAP Public License 

Version 1.4, 18 January 1999 

Copyright 1998-1999, The OpenLDAP Foundation. 

All Rights Reserved. 

Note: 

This license is derived from the “Artistic License” as distributed with the Perl Programming Language. 

As significant differences exist, the complete license should be read. 

PREAMBLE 

The intent of this document is to state the conditions under which a Package may be copied, such that 

the Copyright Holder maintains some semblance of artistic control over the development of the 

package, while giving the users of the package the right to use and distribute the Package in a more-orless 

customary fashion, plus the right to make reasonable modifications. 

408 


Definitions: 

“Package” refers to the collection of files distributed by the Copyright Holder, and derivatives of that 

collection of files created through textual modification. 

“Standard Version” refers to such a Package if it has not been modified, or has been modified in 

accordance with the wishes of the Copyright Holder. 

“Copyright Holder” is whoever is named in the copyright or copyrights for the package. 

“You” is you, if you're thinking about copying or distributing this Package. 

“Reasonable copying fee” is whatever you can justify on the basis of media cost, duplication charges, 

time of people involved, and so on. (You will not be required to justify it to the Copyright Holder, but 

only to the computing community at large as a market that must bear the fee.) 

“Freely Available” means that no fee is charged for the item itself, though there may be fees involved 

in handling the item. It also means that recipients of the item may redistribute it under the same 

conditions they received it. 

1. You may make and give away verbatim copies of the source form of the Standard Version of this 

Package without restriction, provided that you duplicate all of the original copyright notices and 

associated disclaimers. 

2. You may apply bug fixes, portability fixes and other modifications derived from the Public Domain 

or from the Copyright Holder. A Package modified in such a way shall still be considered the Standard 

Version. 

3. You may otherwise modify your copy of this Package in any way, provided that you insert a 

prominent notice in each changed file stating how and when you changed that file, and provided that 


a) place your modifications in the Public Domain or otherwise make them Freely Available, such as by 

posting said modifications to Usenet or an equivalent medium, or placing the modifications on a major 

archive site such as uunet.uu.net, or by allowing the Copyright Holder to include your modifications in 

the Standard Version of the Package. 

b) use the modified Package only within your corporation or organization. 

c) rename any non-standard executables so the names do not conflict with standard executables, which 

must also be provided, and provide a separate manual page for each non-standard executable that 

clearly documents how it differs from the Standard Version. 



409

4. You may distribute the programs of this Package in object code or executable form, provided that 


a) distribute a Standard Version of the executables and library files, together with instructions (in the 

manual page or equivalent) on where to get the Standard Version. 

b) accompany the distribution with the machine-readable source of the Package with your 

modifications. 

c) accompany any non-standard executables with their corresponding Standard Version executables, 

giving the non-standard executables non-standard names, and clearly documenting the differences in 

manual pages (or equivalent), together with instructions on where to get the Standard Version. 


5. You may charge a reasonable copying fee for any distribution of this Package. You may charge any 

fee you choose for support of this Package. You may not charge a fee for this Package itself. However, 

you may distribute this Package in aggregate with other (possibly commercial) programs as part of a 

larger (possibly commercial) software distribution provided that you do not advertise this Package as a 

product of your own. 

6. The scripts and library files supplied as input to or produced as output from the programs of this 

Package do not automatically fall under the copyright of this Package, but belong to whomever 

generated them, and may be sold commercially, and may be aggregated with this Package. 

7. C subroutines supplied by you and linked into this Package in order to emulate subroutines and 

variables defined by this Package shall not be considered part of this Package, but are the equivalent of 

input as in Paragraph 6, provided these subroutines do not change the behavior of the Package in any 

way that would cause it to fail the regression tests for the Package. 

8. Software supplied by you and linked with this Package in order to use subroutines and variables 

defined by this Package shall not be considered part of this Package and do not automatically fall 

under the copyright of this Package. Executables produced by linking your software with this Package 

may be used and redistributed without restriction and may be sold commercially so long as the primary 

function of your software is different than the package itself. 

9. The name of the Copyright Holder may not be used to endorse or promote products derived from 

this software without specific prior written permission. 

10. THIS PACKAGE IS PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED 



The End 

410 


Perl/Cryptix 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

++++++++++++++++++++++++++++++++++++++ 

These packages provide various cryptography support to the perl environment. They are used to 

support encryption of protocols and protect data. 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

++++++++++++++++++++++++++++++++++++++ 

This perl extension includes software developed by, and copyright of, A.M. Kuchling. 

Other parts of the library are covered by the following licence: 

Copyright (C) 1995, 1996 Systemics Ltd (http://www.systemics.com/) 


This library and applications are FREE FOR COMMERCIAL AND NON-COMMERCIAL USE as 

long as the following conditions are adhered to. 

Copyright remains with Systemics Ltd, and as such any Copyright notices in the code are not to be 

removed. If this code is used in a product, Systemics should be given attribution as the author of the 

parts used. This can be in the form of a textual message at program startup or in documentation (online 

or textual) provided with the package. 









This product includes software developed by Systemics Ltd (http://www.systemics.com/) 

THIS SOFTWARE IS PROVIDED BY SYSTEMICS LTD “AS IS” AND ANY EXPRESS OR 

IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 

OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 

IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, 




411





DAMAGE. 

The licence and distribution terms for any publicly available version or derivative of this code cannot 

be changed. i.e. this code cannot simply be copied and put under another distribution licence 

[including the GNU Public Licence.] 

Perl/Mime-Tools 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

++++++++++++++++++++++++++++++++++++++ 

This is a library that provides mime parsing capabilities to the Perl environment. 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

++++++++++++++++++++++++++++++++++++++ 

The “MIME-tools” Perl5 kit. 

Copyright (c) 1996 by Eryq. All rights reserved. 

This program is free software; you can redistribute it and/or modify it under the same terms as Perl 

itself. 

You should have received a copy of the Perl license along with Perl; see the file README in Perl 

distribution. 

You should have received a copy of the GNU General Public License along with Perl; see the file 

Copying. If not, write to the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA. 

You should have received a copy of the Artistic License along with Perl; see the file Artistic. 

NO WARRANTY 

BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY 







412 




IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 










PostgreSQL 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

++++++++++++++++++++++++++++++++++++++ 

This is a SQL DBMS used to store configuration and state data on iPrism. 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

++++++++++++++++++++++++++++++++++++++ 

PostgreSQL Data Base Management System (formerly known as Postgres, then as Postgres95). 

Portions Copyright (c) 1996-2001, PostgreSQL Global Development Group 

Portions Copyright (c) 1994 Regents of the University of California 

Permission to use, copy, modify, and distribute this software and its documentation for any purpose, 

without fee, and without a written agreement is hereby granted, provided that the above copyright 

notice and this paragraph and the following two paragraphs appear in all copies. 

IN NO EVENT SHALL THE UNIVERSITY OF CALIFORNIA BE LIABLE TO ANY PARTY FOR 

DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, 

INCLUDING LOST PROFITS, ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS 

DOCUMENTATION, EVEN IF THE UNIVERSITY OF CALIFORNIA HAS BEEN ADVISED OF 

THE POSSIBILITY OF SUCH DAMAGE. 

THE UNIVERSITY OF CALIFORNIA SPECIFICALLY DISCLAIMS ANY WARRANTIES, 


AND FITNESS FOR A PARTICULAR PURPOSE. THE SOFTWARE PROVIDED HEREUNDER 


413

IS ON AN “AS IS” BASIS, AND THE UNIVERSITY OF CALIFORNIA HAS NO OBLIGATIONS 

TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR 

MODIFICATIONS. 

Samba 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

++++++++++++++++++++++++++++++++++++++ 

Samba is used to provide the protocol support to interact with an NTLM environment. 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

++++++++++++++++++++++++++++++++++++++ 

-- Samba uses the GNU V2 license. See “GNU v2” on page 310 

Squid 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

++++++++++++++++++++++++++++++++++++++ 

Squid implements an HTTP proxy used to implement the actual data handling of the HTTP traffic in 


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

++++++++++++++++++++++++++++++++++++++ 

By accepting this notice, you agree to be bound by the following agreements: 

This software product, SQUID, is developed by Duane Wessels, and copyrighted (C) 2000 by the 

Regents of the University of California, with all rights reserved. UCSD administers the NLANR Cache 

grants, NCR 9616602 and NCR 9521745 under which most of this code was developed. 

This program is free software; you can redistribute it and/or modify it under the terms of the GNU 

General Public License (version 2) as published by the Free Software Foundation. It is distributed in 

the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty 

of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General 

Public License for more details. 

You should have received a copy of the GNU General Public License along with this program; if not, 

write to: 

The Free Software Foundation 

59 Temple Place 

414 


Suite 330 

Boston, MA 02111, USA 

Or contact info@nlanr.net 

Sudo 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

++++++++++++++++++++++++++++++++++++++ 

Sudo implements a mechanism for controlling privileges to iPrism system resources. 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

++++++++++++++++++++++++++++++++++++++ 

Sudo is distributed under the following BSD-style license: 

Copyright (c) 1994-1996,1998-2000 Todd C. Miller 








3. The name of the author may not be used to endorse or promote products derived from this software 

without specific prior written permission from the author. 

4. Products derived from this software may not be called “Sudo” nor may “Sudo” appear in their 

names without specific prior written permission from the author. 

THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, 



THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEM- 

PLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 





SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 


415

Additionally, lsearch.c, fnmatch.c, getcwd.c, snprintf.c, strcasecmp.c and fnmatch.3 bear the following 

UCB license: 

Copyright (c) 1987, 1989, 1990, 1991, 1993, 1994 

The Regents of the University of California. All rights reserved. 




















VTUN 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

++++++++++++++++++++++++++++++++++++++ 

Vtun is used to allow the iPrism administrator establish secure diagnostic tunnels as requested by the 

support team. 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

++++++++++++++++++++++++++++++++++++++ 

VTun - Virtual Tunnel over TCP/IP network. 

Copyright (C) 1998-2000 Maxim Krasnyansky 

416 


VTun has been derived from VPPP package by Maxim Krasnyansky. 

This program is free software; you can redistribute it and/or modify it under the terms of the GNU 

General Public License as published by the Free Software Foundation; either version 2 of the License, 

or (at your option) any later version. 

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; 

without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 

PURPOSE. See the GNU General Public License for more details. 

WUFTPd 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

++++++++++++++++++++++++++++++++++++++ 

WUFTPd is used to implement an FTP server. 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

++++++++++++++++++++++++++++++++++++++ 

Copyright (c) 1999,2000 WU-FTPD Development Group. 


Portions Copyright (c) 1980, 1985, 1988, 1989, 1990, 1991, 1993, 1994 The Regents of the University 

of California. 

Portions Copyright (c) 1993, 1994 Washington University in Saint Louis. 

Portions Copyright (c) 1989 Massachusetts Institute of Technology. 

Portions Copyright (c) 1998 Sendmail, Inc. 

Portions Copyright (c) 1983, 1995, 1996, 1997 Eric P. Allman. 

Portions Copyright (c) 1996, 1998 Berkeley Software Design, Inc. 

Portions Copyright (C) 1991, 1992, 1993, 1994, 1995 1996, 1997 

Free Software Foundation, Inc. 

Portions Copyright (c) 1997 by Stan Barber. 

Portions Copyright (c) 1997 by Kent Landfield. 

Use and distribution of this software and its source code are governed by the terms and conditions of 

the WU-FTPD Software License (“LICENSE”). 

If you did not receive a copy of the license, it may be obtained online at http://www.wu-ftpd.org/ 

license.html. 

$Id: COPYRIGHT,v 1.1.1.1 2000/07/21 16:08:05 danno Exp $ 


417

-------------------------------------------------------------------------------------------------------------- 

Below are the copyrights of the individual contributors to wu-ftpd. 

-------------------------------------------------------------------------------------------------------------- 

/Copyright (c) 1993, 1994 Washington University in Saint Louis 






2.Redistributions in binary form must reproduce the above copyright notice, this list of conditions and 



acknowledgement: This product includes software developed by the Washington University in Saint 

Louis and its contributors. 



THIS SO FTWARE IS PROVIDED BY WASHINGTON UNIVERSITY AND CONTRIBUTORS 

“AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 

TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A 

PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL WASHINGTON 

UNIVERSITY OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 

SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 

LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 

DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 

THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 

(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 

THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 

Copyright (c) 1996,1998 Berkeley Software Design, Inc. All rights reserved. 



provided that this notice is retained, the conditions in the following notices are met, and terms applying 

to contributors in the following notices also apply to Berkeley Software Design, Inc. 

418 








This product includes software developed by Berkeley Software Design, Inc. 

4. Neither the name of the Berkeley Software Design, Inc. nor the names of its contributors may be 

used to endorse or promote products derived from this software without specific prior written 

permission. 

THIS SOFTWARE IS PROVIDED BY BERKELEY SOFTWARE DESIGN, INC. “AS IS” AND 



PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL BERKELEY SOFTWARE DESIGN, INC. 



SUBSTI- TUTE GOODS DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT 

OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 





Copyright (c) 1985, 1988 Regents of the University of California. 











419












/Copyright (c) 1988 The Regents of the University of California. All rights reserved. 









THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTO RS “AS IS” AND 










POSSIBILITY OF SUCH DAMAGE. / 

Copyright (c) 1994 


This code is derived from software contributed to Berkeley by Jan-Simon Pendry. 

420 


Redistribution and u se in source and binary forms, with or without modification, are permitted 













CONSE- QUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 






Copyright (c) 1989, 1993, 1994 


This code is derived from software contributed to Berkeley by Guido van Rossum. 













421









Copyright (c) 1985, 1988 The Regents of the University of California. 

All right used in source and binary forms are permitted provided that: 

(1) source distributions retain this entire copyright notice and comment, and 

(2) distributions including binaries display the following acknowledgement: 

“This product includes software developed by the University of California, Berkeley and its 

contributors” in the documentation or other materials provided with the distribution. Neither the name 

of the University nor the names of its contributors may be used to endorse or promote products derived 

from this software without specific prior written permission. 




Copyright (c) 1988 Regents of the University of California. 


Redistribution and use in source and binary forms are permitted provided that the above copyright 

notice and this paragraph are duplicated in all such forms and that any documentation, and other 

materials related to such distribution and use acknowledge that the software was developed by the 

University of California, Berkeley. The name of the University may not be used to endorse or promote 

products derived from this software without specific prior written permission. 








422 





















Redistribution and use in source and binary forms are permitted provided that: 


(2) distributions including binaries display the following acknowledgement: “This product includes 

software developed by the University of California, Berkeley and its contributors” in the 

documentation or other materials provided with the distribution. Neither the name of the University 

nor the names of its contributors may be used to endorse or promote products derived from this 

software without specific prior written permission. THIS SOFTWARE IS PROVIDED “AS IS” AND 

WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT 

LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A 

PARTICULAR PURPOSE. 






423



































424 






Copyright (c) 1988 The Regents of the University of California. 

























(2) distributions including binaries display the following acknowledgement: ``This product includes 

software developed by the University of California, Berkeley and its contributors'' in the 



425


software without specific prior written permission. 






This code is derived from software contributed to Berkeley by Chris Torek. 

Redistribution and use in source and binary forms are permitted provided that: (1) source distributions 

retain this entire copyright notice and comment, and (2) distributions including binaries display the 

following acknowledgement: ``This product includes software developed by the University of 

California, Berkeley and its contributors'' in the documentation or other materials provided with the 

distribution. 

Neither the name of the University nor the names of its contributors may be used to endorse or 





Copyright (c) 1983, 1989 Regents of the University of California. 




(2) distributions including binaries display the following acknowledgement: ``This product includes 

software developed by the University of California, Berkeley and its contributors'' in the 



software without specific prior written permission. THIS SOFTWARE IS PROVIDED “AS IS” AND 

WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT 

LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A 

PARTICULAR PURPOSE. 



426 


Redistribution and use in source and binary forms are permitted provided that the above copyright 

notice and this paragraph are duplicated in all such forms and that any documentation, and other 

materials related to such distribution and use acknowledge that the software was developed by the 

University of California, Berkeley. The name of the University may not be used to endorse or promote 

products derived from this software without specific prior written permission. THIS SOFTWARE IS 

PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, 

INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY 

AND FITNESS FOR A PARTICULAR PURPOSE. 




(1) source distributions retain this entire copyright notice and comment, and (2) distributions including 

binaries display the following acknowledgement: ``This product includes software developed by the 

University of California, Berkeley and its contributors'' in the documentation or other materials 

provided with the distribution. Neither the name of the University nor the names of its contributors 

may be used to endorse or promote products derived from this software without specific prior written 

permission. 




Copyright (c) 1983, 1995, 1996 Eric P. Allman 

Copyright (c) 1988, 1993 













427










Copyright (c) 1998 Sendmail, Inc. All rights reserved. 

Copyright (c) 1983, 1995-1997 Eric P. Allman. All rights reserved. 

Copyright (c) 1988, 199 


By using this file, you agree to the terms and conditions set forth in the LICENSE file which can be 

found at the top level of the sendmail distribution. 

SENDMAIL LICENSE 

The following license terms and conditions apply, unless a different license is obtained from Sendmail, 

Inc., 1401 Park Avenue, Emeryville, CA 94608, or by electronic mail at license@sendmail.com. 

License Terms: 

Use, Modification and Redistribution (including distribution of any modified or derived work) in 

source and binary forms is permitted only if each of the following conditions is met: 

1. Redistributions qualify as “freeware” or “Open Source Software” under one of the following terms: 

(a) Redistributions are made at no charge beyond the reasonable cost of materials and delivery. 

(b) Redistributions are accompanied by a copy of the Source Code or by an irrevocable offer to 

provide a copy of the Source Code for up to three years at the cost of materials and delivery. 

Such redistributions must allow further use, modification, and redistribution of the Source Code under 

substantially the same terms as this license. For the purposes of redistribution “Source Code” means 

the complete source code of sendmail including all modifications. 

Other forms of redistribution are allowed only under a separate royalty- free agreement permitting 

such redistribution subject to standard commercial terms and conditions. A copy of such agreement 

may be obtained from Sendmail, Inc. at the above address. 

428 


2. Redistributions of source code must retain the copyright notices as they appear in each source code 

file, these license terms, and the disclaimer/limitation of liability set forth as paragraph 6 below. 





“Copyright (c) 1998 Sendmail, Inc. All rights reserved.” 

4. Neither the name of Sendmail, Inc. nor the University of California nor the names of their 

contributors may be used to endorse or promote products derived from this software without specific 

prior written permission. The name “sendmail” is a trademark of Sendmail, Inc. 

5. All redistributions must comply with the conditions imposed by the University of California on 

certain embedded code, whose copyright notice and conditions for redistribution are as follows: 

(a) Copyright (c) 1988, 1993 The Regents of the University of California. All rights reserved. 

(b) Redistribution and use in source and binary forms, with or without modification, are permitted 


(i)Redistributions of source code must retain the above copyright notice, this list of conditions and the 


(ii) Redistributions in binary form must reproduce the above copyright notice, this list of conditions 

and the following disclaimer in the documentation and/or other materials provided with the 

distribution. 

(iii) Neither the name of the University nor the names of its contributors may be used to endorse or 


6. Disclaimer/Limitation of Liability: THIS SOFTWARE IS PROVIDED BY SENDMAIL, INC. 

AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, 



SENDMAIL, INC., THE REGENTS OF THE UNIVERSITY OF CALIFORNIA OR 









429

(Version 8.6, last updated 6/24/98) 

Copyright 1989 Massachusetts Institute of Technology 

Permission to use, copy, modify, distribute, and sell this software and its documentation for any 

purpose is hereby granted without fee, provided that the above copyright notice appear in all copies 

and that both that copyright notice and this permission notice appear in supporting documentation, and 

that the name of M.I.T. not be used in advertising or publicity pertaining to distribution of the software 

without specific, written prior permission. M.I.T. makes no representations about the suitability of this 

software for any purpose. It is provided “as is” without express or implied warranty. 

M.I.T. DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING 

ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL 

M.I.T. BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR 

ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, 

WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, 

ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS 

SOFTWARE. 

This software is Copyright 1997 by Stan Barber. 

Permission is hereby granted to copy, reproduce, redistribute or otherwise use this software as long as: 

there is no monetary profit gained specifically from the use or reproduction of this software, it is not 

sold, rented, traded or otherwise marketed, and this copyright notice is included prominently in any 

copy made. 

The author(s) make no claims as to the fitness or correctness of this software for any use whatsoever, 

and it is provided as is. Any use of this software is at the user's own risk. 

Copyright (C) 1991, 92, 93, 94, 95, 96, 97 Free Software Foundation, Inc. 

This library is free software; you can redistribute it and/or modify it under the terms of the GNU 

Library General Public License as published by the Free Software Foundation; either version 2 of the 

License, or (at your option) any later version. 

This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; 

without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 

PURPOSE. 

See the GNU Library General Public License for more details. 

You should have received a copy of the GNU Library General Public License along with this library; 

see the file COPYING.LIB. If not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 

330, Boston, MA 02111-1307, USA. 

430 


WU-FTPD SOFTWARE LICENSE 

Use, modification, or redistribution (including distribution of any modified or derived work) in any 

form, or on any medium, is permitted only if all the following conditions are met: 

1. Redistributions qualify as “freeware” or “Open Source Software” under the following terms: 

a. Redistributions are made at no charge beyond the reasonable cost of materials and delivery. Where 

redistribution of this software is as part of a larger package or combined work, this restriction applies 

only to the costs of materials and delivery of this software, not to any other costs associated with the 

larger package or combined work. 

b. Redistributions are accompanied by a copy of the Source Code or by an irrevocable offer to provide 

a copy of the Source Code for up to three years at the cost of materials and delivery. Such 

redistributions must allow further use, modification, and redistribution of the Source Code under 

substantially the same terms as this license. For the purposes of redistribution “Source Code” means all 

files included in the original distribution, including all modifications or additions, on a medium and in 

a form allowing fully working executable programs to be produced. 

2. Redistributions of Source Code must retain the copyright notices as they appear in each Source 

Code file and the COPYRIGHT file, these license terms, and the disclaimer/limitation of liability set 

forth as paragraph 6 below. 





Copyright (c) 1999,2000 WU-FTPD Development Group. 


Portions Copyright (c) 1980, 1985, 1988, 1989, 1990, 1991, 1993, 1994 

The Regents of the University of California. 

Portions Copyright (c) 1993, 1994 Washington University in Saint Louis. 

Portions Copyright (c) 1996, 1998 Berkeley Software Design, Inc. 

Portions Copyright (c) 1983, 1995, 1996, 1997 Eric P. Allman. 

Portions Copyright (c) 1998 Sendmail, Inc. 

Portions Copyright (c) 1989 Massachusetts Institute of Technology. 

Portions Copyright (c) 1997 Stan Barber. 

Portions Copyright (c) 1997 Kent Landfield. 

Portions Copyright (c) 1991, 1992, 1993, 1994, 1995, 1996, 1997 

Free Software Foundation, Inc. 


431

Use and distribution of this software and its source code are governed by the terms and conditions of 

the WU-FTPD Software License (“LICENSE”). 

If you did not receive a copy of the license, it may be obtained online at http://www.wu-ftpd.org/ 

license.html 


acknowledgement: “This product includes software developed by the WU-FTPD Development Group, 

the Washington University at Saint Louis, Berkeley Software Design, Inc., and their contributors.” 

5. Neither the name of the WU-FTPD Development Group, nor the names of any copyright holders, 

nor the names of any contributors may be used to endorse or promote products derived from this 

software without specific prior written permission. The names “wuftpd” and “wu-ftpd” are trademarks 

of the WU-FTPD Development Group and the Washington University at Saint Louis. 

6. Disclaimer/Limitation of Liability: 

THIS SOFTWARE IS PROVIDED BY THE WU-FTPD DEVELOPMENT GROUP, THE 

COPYRIGHT HOLDERS, AND CONTRIBUTORS, “AS IS” AND ANY EXPRESS OR IMPLIED 



NO EVENT SHALL THE WU-FTPD DEVELOPMENT GROUP, THE COPYRIGHT HOLDERS, 

OR CONTRIBUTORS, BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 







7. USE, MODIFICATION, OR REDISTRIBUTION, OF THIS SOFTWARE IMPLIES 

ACCEPTANCE OF ALL TERMS AND CONDITIONS OF THIS LICENSE. 

$Id: LICENSE,v 1.1.1.1 2000/07/21 16:08:05 danno Exp $ 

Apache 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

++++++++++++++++++++++++++++++++++++++ 

Apache implements an HTTP server for iPrism 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

++++++++++++++++++++++++++++++++++++++ 

432 


The Apache Software License, Version 1.1 

Copyright (c) 2000-2002 The Apache Software Foundation. All rights reserved. 







3. The end-user documentation included with the redistribution, if any, must include the following 


“This product includes software developed by the Apache Software Foundation (http:// 

www.apache.org/).” Alternately, this acknowledgment may appear in the software itself, if and 

wherever such third-party acknowledgments normally appear. 

4. The names “Apache” and “Apache Software Foundation” must not be used to endorse or promote 

products derived from this software without prior written permission. For written permission, please 

contact apache@apache.org. 

5. Products derived from this software may not be called “Apache”, nor may “Apache” appear in their 

name, without prior written permission of the Apache Software Foundation. 

THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESSED OR IMPLIED 



NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR ITS CONTRIBUTORS BE 

LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 







This software consists of voluntary contributions made by many individuals on behalf of the Apache 

Software Foundation. For more information on the Apache Software Foundation, please see . 

Portions of this software are based upon public domain software originally written at the National 

Center for Supercomputing Applications, University of Illinois, Urbana-Champaign. 


433

mod_ntlm_winbind 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

++++++++++++++++++++++++++++++++++++++ 

mod_ntlm_winbind implements an ntlm authentication modules for apache. 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

++++++++++++++++++++++++++++++++++++++ 

mod_ntlm_winbind.c -- Apache ntlm_winbind module 

[Originally autogenerated via ``apxs -n ntlm_winbind -g''] 

Based on: 

mod_ntlm.c for Win32 by Tim Costello 

pam_smb by Dave Airlie 

Copyright Andreas Gal , 2000 

Copyright Sverre H. Huseby , 2000 

Copyright Tim Potter , 2001 

THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESSED OR IMPLIED WARRANTIES 

ARE DISCLAIMED. 

This code may be freely distributed, as long the above notices are reproduced. 

mod_ssl 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

++++++++++++++++++++++++++++++++++++++ 

Mod SSL is used to provide SSL support to apache. 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

++++++++++++++++++++++++++++++++++++++ 

_ _ 

_ __ ___ ___ __| | ___ ___| | mod_ssl 

| '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL 

| | | | | | (_) | (_| | \__ \__ \ | www.modssl.org 

|_| |_| |_|\___/ \__,_|___|___/___/_| ftp.modssl.org 

|_____| 

434 


_____________________________________________________________________________ 

''Ian Fleming was a UNIX fan! 

How do I know? Well, James Bond 

had the (license to kill) number 007, 

i.e. he could execute anyone.'' 

-- Unknown 

LICENSE 

The mod_ssl package falls under the Open-Source Software label because it's distributed under a 

BSDstyle license. The detailed license information follows. 

Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved. 









“This product includes software developed by Ralf S. Engelschall for use in 

the mod_ssl project (http://www.modssl.org/).” 

4. The names “mod_ssl” must not be used to endorse or promote products derived from this software 

without prior written permission. For written permission, please contact rse@engelschall.com. 

5. Products derived from this software may not be called “mod_ssl” nor may “mod_ssl” appear in their 

names without prior written permission of Ralf S. Engelschall. 

6. Redistributions of any form whatsoever must retain the following acknowledgment: 

“This product includes software developed by Ralf S. Engelschall for use in 

the mod_ssl project (http://www.modssl.org/).” 

THIS SOFTWARE IS PROVIDED BY RALF S. ENGELSCHALL “AS IS” AND ANY 

EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 


PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RALF S. ENGELSCHALL OR HIS 



435






SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 

==================================================================== 

Xinetd 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

++++++++++++++++++++++++++++++++++++++ 

Xinetd is a program that is used to control the execution of various network services. 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

++++++++++++++++++++++++++++++++++++++ 

(c) Copyright 1992, 1993 by Panagiotis Tsirigotis 

436 


Index 

A 

Abort (Exit option) 46 

About tab 36, 255 

absolutism 309 

Access Control List 

Adding to a Profile 65 

Categories 80, 81, 112 

Creating 71 

Deleting an ACL 83 

Editing Settings 82 

Locally Defined Categories 80 

Profiles and ACLs 57 

Viewing Filtering Properties 81 

Access Control Lists (ACLs) dialog box 77 

Access Denied (Error) 355 

Access Denied Page 

Default 98 

making quick changes to 123 

Options 97 

Access Menu 32 

Access Requests 19, 98, 104 

How to Request Access to a Site 104 

accounting services 321 

accounts 337 

ACL 

definition of 57 

Add Web Sites button 50 

Administrative Privileges 133 

ads 338 

Adult Sex Education 326 

Advanced Filter Creation screen 271 

advertising 320 

Adware 343 

adware 343 

affairs of state 314 

airlines 332 

Alcohol/Tobacco 324 

Alt/New Age 312 

anarchy 310 

anime 327 

anonymizer 

iGuard site rating category 333 

anonymizers 

detecting 12 

unsure 12 

reporting 12 

anonymous surfing 333 

anti-gay 309 


437

anti-Semitism 309 

anti-spoof 

detecting 226 

anti-spoofing 

enabling 226 

Appliance Manager 27 

armaments 311 

arms 311 

arousal 323 

arsenal 311 

art gallery 313 

Art/Culture 313 

artillery 311 

asset planning 320 

astronomy 341 

atheism 316 

auction 321 

Authentication 177 

Auto-Login 146 

changing the authentication page 116 

Choosing an Authentication Mechanism 142 

Configuring Browsers for Authentication 345 

Creating User Accounts in iPrism 131 

Joining iPrism to an NT Domain 159 

Testing 177 

using an LDAP Server 150 

using an NTLM Server 159 

Authentication is Required (Error) 356 

Auto-Login 146 

Configuration Requirements 147 

Redirection Settings 162 

AV Scanning 

description 11 

enable/disable 42 

B 

Backup 

Backing Up iPrism’s Settings 228 

Backup/Restore tab 38, 229 

backyard wrestling 312 

bad language 310 

bankruptcy 320 

banks 320 

banners 338 

bars 325 

baseball 332 

basketball 332 

bed & breakfast 332 

beer 325 

438 


elief 316 

betting 327 

bidding 321 

bigotry 309 

bikini 322 

Block Offensive (profile) 65 

Block/Unblock Site button 51, 257 

Blocked Sites 

Requesting Access to 104 

Blocking Access 

Blocking versus Monitoring 80 

Submitting Sites That You Want to Block 114 

Unblocking Sites 280 

body images 323 

bombs 311 

bonds 320 

bongs 325 

bookies 327 

bootleg 308 

breweries 325 

browser hijacker 343 

brutality 312 

bulletin boards 334 

Business 317 

Corporate Marketing 319 

Finance 320 

Job/Employment Search 320 

Professional Services 321 

Specialized Shopping 317 

C 

career 321 

casinos 327 

Categories 307 

Locally Defined 112, 114 

Central Mgmt. tab 38, 213 

chain letters 310 

chat 334 

cheats 327 

child education 340 

church 316 

CIA 314 

cigarettes 325 

city government 314 

classified ads 315 

clip art 313 

clubs 326 

cocaine 325 

codes 327 


439

coercion 316 

collecting 328 

Colleges 339 

colleges 340 

Communication with Other IP Networks 195 

company info 320 

Computer Hacking 308 

computers 341 

condoms 326 

Configure iPrism button 50 

congress 314 

Connection Failed (Error) 357 

conservation 328 

conspiracy 310 

consulting 321 

contemporary art 313 

contests 327 

Continuing Education/Colleges 339 

contraceptives 342 

Copyright Infringement 308 

corporate info 320 

Corporate Marketing 319 

county government 314 

CPU Utilization 252 

crack 309 

crackz 309 

Create filters for recently blocked pages 281 

credit card fraud 342 

creed 316 

crime 312 

cruelty 312 

cruise 332 

cryptanalysis 309 

Cult 316 

currency 320 

Current Filters screen 270 

Current Overrides screen 283 

cursing 310 

Custom Filters 112, 259 

Deleting 269 

Editing 269 

How to Create 266 

customs 313 

D 

databases 341 

Date Editor dialog box 218 

Date setting 217 

Default Profiles 65 

440 


democrat 314 

descrambler 308 

desktop themes 337 

dialer 343 

directories 339 

discrimination 309 

Discussion Forums 334 

diversion 328 

DNS 

Disable DNS option 203 

Using iPrism with Multiple DNS Servers 194 

doctors 325 

Documentation 

iPrism Installation Guide 4 

domain names 338 

DoS attacks 

detecting 226 

preventing 226 

downloads 337 

Drugs 325 

drunk 325 

Dutch auction 321 

E 

eBay 321 

economics 320 

Education 

Continuing Education/Colleges 339 

History 340 

K-12 340 

Reference Sites 341 

Science/Tech 341 

elementary 340 

email 337 

Email Alerts 

Creating and Configuring 184 

Deleting 187 

Editing 187 

Email Alerts tab 36, 184 

Email Host 336 

Enable LDAP Authentication (checkbox) 151 

Enable NT Authentication (checkbox) 160 

Entertainment 326 

Error Messages 351 

estate planning 320 

exclusive rights 308 

Exporting Local User Data 369 


441

F 

faction 313 

faith 316 

family planning 326 

family safe 337 

fanaticism 309 

fascism 309 

FBI 314 

federal government 314 

fighting 312 

File Masks (in filters) 272 

Filter List Updates 221 

Filter Manager 51, 257 

Filtering 

Blocking versus Monitoring 80 

Categories 307 

Custom Filters 112 

Deciding What Gets Blocked 12 

Filtering Database 12 

How iPrism Filters Internet Activity 55 

Introduction to Filtering Profiles 56 

Finance 320 

fine art 313 

firms 321 

fitness 325 

flights 332 

football 332 

Foreign Language 312 

forums 334 

Forwarding Name Server 

Changing 194 

fraud 310 

Free Memory 252 

free MP3 308 

funding 320 

futures 320 

G 

galleries 313 

Gambling 327 

Games 327 

garish 311 

garters 322 

Gateway 

Changing iPrism’s Default Route on the Network 195 

goddesses 313 

golf 332 

Google web accelerator 12 

Government 313 

442 


government agencies 314 

graphic pictures 323 

grassroots 314 

gross 311 

grotesque 311 

Group Mapping 168 

guns 311 

H 

hacking 309 

handicap 327 

hate speech 309 

hazing 312 

headhunter 321 

Health 324 

Adult Sex Education 326 

Alcohol/Tobacco 324 

Drugs 325 

Health (sub-category) 325 

K-12 Sex Education 341 

Health (sub-category) 325 

Help 

iPrism’s built-in help system 30 

Technical Support 3 

historical information 340 

History 340 

Hobbies/Interest 328 

homophobia 309 

horoscopes 313 

horror 311 

hospitals 325 

Host Name 

Changing iPrism’s Identity (Host Name) 190 

hostility 312 

hosting 338 

HTML Tags for Access Denied Page 119 

HTML Tags for Authentication Page 119 

HTML Template Manager 117 

humor 328 

I 

iGuard 12 

Site Rating Categories 308 

illegal 310 

illegal copy 308 

IM 

hybrid filtering 

description of 11 

provisioning 43 


443

spam filtering 44 

Import Report 369 

Import/Export tab 31, 367 

Importing 

How to Import a User List 367 

preparing a User List For Import 366 

User Account Data into iPrism 141 

User names 141 

Importing User Data 365 

in bad taste 311 

in poor taste 311 

information technology service 321 

injury 312 

Installing iPrism 

Pre-installation Notes 4 

Interface 

Changing iPrism’s Internal/External/Management Interface Mode 191 

Internal Name Server 194 

Internet 333 

Anonymizer 333 

Discussion Forums 334 

Email Host 336 

Online Auctions 321 

Online Chat 334 

Safe Search Engine 337 

Shareware Download 337 

Translators 334 

Web Banners 337 

Web Host 338 

Web Search 338 

Internet Explorer 

Configuring for Authentication 347 

Intolerance/Extremism 309 

Invalid Request (Error) 360 

Invalid URL (Error) 361 

investment 320 


About iPrism tab 255 

Accessing iPrism’s User Interface 48 

How iPrism Works 10 

in-line installation 8 

Managing Multiple iPrism Units 242 

preferred operating mode 8 

testing 5 

web and IM/P2P filtering 8 

354, 362, 353, 351, 51 

IRC 334 

IRS 314 

444 


J 

Job/Employment Search 320 

jobs 321 

jokes 328 

K 

K-12 340 

K-12 Sex Education 341 

kama sutra 326 

keylogger 343 

kids searches 337 

killing 312 

KKK 309 

knives 311 

L 

languages 335 

LDAP Server 

Communicating with 150 

Example using NT Active Directory 157 

Mask values in LDAP Configuration 154 

Query Attributes 154 

Setting Up the iPrism LDAP Client 151 

LDAP tab 151 

legal services 321 

legal software 337 

leisure pursuit 328 

libraries 341 

Lingerie/Bikini 322 

links 338 

liquor 325 

Load Balancing 

iPrism in a Load Balancing Environment 242 

loan 320 

Local Allow (ACL category) 113 

Local allow (ACL category) 80 

Local Categories 114 

Local Deny (ACL category) 113 

Local deny (ACL category) 81 

Locally Defined (ACL categories) 

How to Use 112 

Locally Defined Categories 80 

Lock ACL 84 

lotteries 327 

lyrics 310 

M 

Machine Account 162 

Maintaining 166 


445

magazines 315 

mail order brides 322 

Malware 343 

malware 343 

manipulation 316 

Map List Items 

Sorting and Editing 174 

Mapping 174 

Mapping NT Groups to Privileges 174 

Mapping NT Groups to Profiles 170 

marijuana 325 

masturbation 326 

Mature Humor 328 

mature subjects 322 

medications 325 

military 314 

military hardware 312 

militias 309 

Miscellaneous Questionable 309 

Mobile filtering 89 

Mode 

Changing iPrism’s Interface Mode 191 

Monitor Offensive (profile) 65 

Monitoring Access 80 

Multiple iPrism Units 242 

museums 313 

mutilation 311 

mutual funds 320 

N 

Name Server 193 

Forwarding Name Server 194 


nazism 309 

Netscape Navigator 


Network Interface Settings 

Internal/External/Management 191 

Network Settings 

Accessing Network Settings 189 

Default Route (Gateway) 195 

Forwarding Name Server 194 

Host Name 190 


Name Server 193 

Parent Proxy 200 

Port Assignments 204 

Using iPrism with Multiple DNS Servers 194 

Network Time Protocol (NTP) 219 

446 


Networking tab 37, 189, 190 

Network-level filtering 89 

Networks 

Defining Networks and Subnets in iPrism 89 

Networks tab 33 

News 315 

newsgroups 334 

newspapers 315 

No access (access level) 133 

Maintaining iPrism’s Machine Account 166 

Maintaining 166 

177, 175, 168, 170 

Communicating with 159 

Joining iPrism to an NT Domain 159 

Mapping NT Groups to Privileges 174 

Mapping NT Groups to Profiles 170 

160, 220 

nudes 323 

nudist colonies 323 

Nudity 323 

nutrition 326 

O 

odds 327 

On the Fly While You Surf button 50 

Online Auctions 321 

Online Chat 334 

online ordering 318 

online translation 335 

options 320 

Other (ACL categories) 81 

Override existing 368 

Override Location/Duration screen 103 

Override Management tab 34, 107, 108 

Override Privileges 99 

Override Who screen 102 

Override/Request Access button 97, 99 

Overrides 97 

How to Override a Blocked Site 99 

How to Revoke a Single Override 108 

How to Revoke All Overrides 108 

Managing Override Access 107 

P 

painting 313 

paraphernalia 325 

Parent Proxy 200 

Pass All (profile) 65 

password 309 


447

Passwords 

creating user passwords 132 

past events 340 

pastime 328 

patent 308 

Pending Requests screen 277 

Phishing 342 

phishing 342 

physics 341 

piercings 324 

plagiarize software 308 

police 314 

political affairs 314 

Politics 314 

POP3 337 

Pornography 323 

Port Assignments 204 

Ports 

Adding Other Secured Ports 206, 207 

Secured Site Access (HTTPS Ports) 206 

Ports tab 37 

post 334 

pranks 312 

Preferences tab 35, 37 

Preferences tab (Reports) 245 

prejudice 309 

product info 320 

Product Support 3 

Profanity 310 

Professional Services 321 

Profile 168 

Profiles 

Assigning Profiles to Networks (Workstations) 89 

Assigning Profiles to Users 89 

Creating 60 

Default Profiles 65 

Deleting 70 

Editing 69 

How iPrism Uses Profiles 88 

Introduction to Filtering Profiles 56 

Profiles and ACLs 57 

Scheduling ACLs 65 

Profiles tab 33, 74 

programming 341 

promotion 320 

Prompt for action 368 

Proxies 

Changing iPrism’s Proxy Port 205 

Configuring Proxy Settings in Netscape 346 

448 


Proxy Settings in IE 349 

Setting Up a Parent Proxy 200 

Using for Filter and System Updates 203 

Proxy Exceptions 207 

Proxy Exceptions tab 34 

Proxy tab 38, 124 

public sale 321 

publications 315 

Q 

Questionable 308 

Computer Hacking 308 

Copyright Infringement 308 

Intolerance/Extremism 309 

Miscellaneous Questionable 309 

Profanity 310 

Tasteless 310 

Violence 311 

Weapons/Bombs 311 

Quick Submit 115 

R 

racism 309 

radicalism 309 

radio 326 

Rating 

Changing a site’s rating 272 

Reboot (Exit Option) 47 

Recent Blocks screen 282 

Recreation 326 

Entertainment 326 

Gambling 327 

Games 327 

Hobbies/Interest 328 

Mature Humor 328 

Sports 331 

Travel 332 

redirection settings (IP/DNS) 162 

redirects 338 

Reference Sites 341 

Registration Information 231 

Registration tab 38 

Religion 315 

religious conviction 316 

Report Preferences 245 

Reports 

Security Log 253 

Reports Manager button 49 

Reports Menu 34 


449

eproduction 342 

republican 314 

Request Access 98 

How to Request Access to a Site 104 

Requesting Access to a Blocked Page 104 

Request Access screen 105 

reservations 332 

resources 

limiting consumption of 226 

restoring iPrism 

from local backup 230 

to its original factory settings 230 

resume 321 

Retain existing 368 

retirement planning 320 

ripped 308 

Routes 

Changing iPrism’s Default Route on the Network 195 

Static Routes 196 

Routing Information Protocol (RIP) 

Enabling RIP Updates 196 

S 

sadism 312 

Safe Search Engine 337, 150 

Save & Exit option 46 

scat 311 

Scheduling ACLs within a Profile 65 

Science/Tech 341 

sculpture 313 

search engines 339 

secondary schools 340 

sect 316 

Secured Site Access Ports (HTTPS Ports) 206 

Adding Other Secured Ports 206, 207 

Security 

Adware 343 

iPrism Security Log 253 

Malware 343 

Phishing 342 

Spyware 343 

Security Log tab 36, 253 

Select Rating screen 268 

senate 314 

serialz 308 

Sex 322 

Lingerie/Bikini 322 

Nudity 323 

Pornography 323 

450 


Sexuality 324 

sex techniques 326 

Sexuality 324 

Shared Configurations 

Adding a Slave to a Shared Configuration 215 

Changing the Master iPrism Device 215 

Configuring the Master iPrism Server 213 

iPrism in a Load Balancing Environment 242 

Managing Multiple iPrism Units 242 

Removing a Slave from a Shared Configuration 215 

Stand Alone Mode with Configuration Sharing 216 

Viewing Master/Slave Configuration Information 216 

shareware 337 

Shareware Download 337 

Shutdown (Exit option) 46 

Site Ratings 

Changing a URL’s Rating 112 

Checking a Site’s Rating 285 

site seeing 332 

skin heads 309 

smoking 325 

SMTP Relay Settings 199 

smut 323 

Society 

Alt/New Age 312 

Art/Culture 313 

Cult 316 

Government 313 

News 315 

Politics 314 

Religion 315 

Specialized Shopping 317 

Sports 331 

Spyware 343 

spyware 343 

Spyware/Adware 343 

St. Bernard Software Technical Support 3 

Stand Alone Mode 216 

state government 314 

Static Routes 

Adding 196 

Editing/Deleting 199 

Status tab 35, 251 

stocks 320 

Submitting Sites You Want to Block 114 

swearing 310 

swimsuits 322 

swords 311 

synagogue 316 


451

System Memory 252 

System Menu 36 


Backing Up and Restoring iPrism’s Settings 228 

Date and Time 217 

Registration Information 231 

Restoring the Default/Factory Configuration 230 

System Software Updates 224 

System Updates 221 

T 

tab 42 

Tasteless 310 

tattoos 324 

taxes 320 

Technical Support 3 

temp agencies 321 

temple 316 

tennis 332 

time setting 217 

toolz 309 

torture 311 

totalitarianism 309 

tour 332 

tourist 332 

trade schools 340 

trading 321 

traditions 313 

Translators 334 

Travel 332 

travel agent 332 

trips 332 

trojan 343 

U 

UltraSurf proxy 12 

Unable to Determine IP Address (Error) 358 

Unblocking Sites 280 

underwear 323 

universities 340 

unrated URLs, automatically rating 259 

Updates 

Filter List Updates 221 

System Software Updates 224 

Using a Proxy for Filter and System Updates 203 

Uptime 251, 12 

URLs 

automatically rating 259 

unrated 259 

452 


usenet 334 

User Accounts 

About 142 

Creating in iPrism 131 

editing 141 

Importing local account data 141 

User Admin Privileges 133 

User Import Report 369 

User Names 

Importing 365 

User names 

exporting 369 

How to Import a User List 367 

Importing into iPrism 141 

User-level filtering 88 

Users Menu 31 

Users tab 31, 141 

V 

vacation 332 

video games 327 

Violence 311 

virus 309, 343 

voodoo 313 

voting 314 

vulgar 311 

vulgarity 310 

W 

war 312 

warez 308, 309 

WCCP 

Using a WCCP Router with iPrism 200 

weaponry 311 

Weapons/Bombs 311 

Web 333 

Web Access 

Controlling Access to Individual Web Sites 111 

Web Banners 337 

Web Browsers 


Web Host 338 

Web Search 338 

Web Sites 

Checking the Rating of 285 

white house 314 

wicca 313 

Windows NT LAN Manager (see ’NTLM Server’) 159 

wine 325 


453

wire service 315 

witchcraft 313 

worm 343 

worship 316 

Write Error / Broken Pipe 364 

Z 

Zero Sized Reply (Error) 363 

454 



Version 6.0 

©2001-2008 St. Bernard Software, Inc. All rights reserved. 

The St. Bernard Software logo, iPrism and iGuard are trademarks of St. Bernard Software Inc. 

All other trademarks and registred trademarks are hereby acknowledged. 

Corporate Office - USA 

15015 Avenue of Science 

San Diego, CA 92128 

Main Phone: 

Toll Free: 

Fax: 

Email: 

Web: 

858-676-2277 

800-782-3762 

858-676-2299 

info@stbernard.com 

www.stbernard.com

iPrism Administration Guide - EdgeWave

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?