CYAN SECURE WEB - Info-Point-Security

CYAN SECURE WEB 

Installing on Windows 

September 2009 

Applies to: CYAN Secure Web 1.7 and above

CYAN Secure Web Installing on Windows 

Table of Contents 

1 Introduction................................................................................................................................................... 

2 

2 Preparation................................................................................................................................................... 

2 

3 Network Integration....................................................................................................................................... 

3 

3.1 Out-of-line Deployment......................................................................................................................... 

3 

3.2 DMZ Deployment.................................................................................................................................. 

3 

4 Proxy Modes................................................................................................................................................. 

4 

5 Setting up Secure Web................................................................................................................................. 

5 

6 Login to the Administration Interface............................................................................................................. 

7 

6.1 Secure Web License............................................................................................................................. 

9 

6.2 Changing the Secure Web Administrator Password........................................................................... 

10 

6.3 Initial Configuration and Authentication............................................................................................... 

11 

7 Setting up Microsoft SQL Server Express Edition....................................................................................... 

12 

8 Setting up the Reporting System................................................................................................................ 

15 

8.1 Setting up the Database Connection.................................................................................................. 

15 

8.2 Setting up the Reporting Database..................................................................................................... 

16 

8.3 Enabling the Log-Feeder.................................................................................................................... 

17 

9 Login to the Reporting System.................................................................................................................... 

18 

10 Where to continue ... ................................................................................................................................. 19 

© 2009 CYAN Networks Software GmbH - 1 -


1 Introduction 

CYAN Secure Web is a standalone proxy server. The native Windows version with its easy setup 

and administration interface integrates perfectly with Microsoft Windows networks. 

The installation package contains the complete set of components of the CYAN Secure Web 

proxy solution. It supports transparent authentication out-of-the box as well as integrates the 

anti-virus scan engine NOD32 from ESET. 

2 Preparation 

Secure Web for Windows requires a Windows 2003 Server as the underlying operating system. 

We strongly recommended to have installed the latest service packs from Microsoft for your 

host. 

In order to operate the Reporting System, a SQL database system is required. The CYAN 

Reporting System supports following SQL databases: 

– Postgresql 8.0 or higher 

– Mysql 5.1 or higher 

– Microsoft SQL Server 

F Note: In the case you plan to use the CYAN Reporting System, we strongly 

recommend to setup the database server prior to installing Secure Web. 

In the case you do not have any of the SQL database systems listed above which can be used 

by the reporting system as the data store, we recommend to install MS SQL 2005 Express 

Edition (available from http://www.microsoft.com/sql/editions/express/) on any compatible 

Windows system. 

F Note: For evaluation purposes or for small and medium size businesses the SQL 

database system can be installed on the same host together with the Secure Web 

proxy server. For large scale installations we strongly recommend to run the 

database system on a different host, so that the performance of the proxy server 

is not affected by the reporting jobs. 

The latest setup instructions on setting up MS SQL Express are available at: 

http://www.cyan-networks.com/mssqlhowto 



3 Network Integration 

There are numerous ways in which Secure Web for Windows can be deployed in the network 

two basic concepts being: out-of-line and in the demilitarized zone (DMZ). 

3.1 Out-of-line Deployment 

The following diagram illustrates the out-of-line deployment: 

In the out-of-line deployment the proxy server resides on the same physical network as the 

clients. The clients must not necessarily use the proxy server for their Internet access. 

However, in order to ensure security the firewall must be configured to disallow all direct traffic 

from the client to the Internet. To utilize the proxy server either all clients are explicitly 

configured to use the proxy host, or a rule on the firewall utilizes the proxy server into 

transparent mode applying port forwarding rules. 

3.2 DMZ Deployment 

Illustration 1: Out-of-line deployment 

The following diagram illustrates the deployment in a DMZ: 

Illustration 2: Deployment in a DMZ 

In the DMZ deployment, the proxy is made part of the network that is protected by the firewall 

from both, the extranet and the intranet. In the case that a DMZ is established already, this is 

the preferred mode, especially if the authentication shall be used and the also the 

authentication server is on this network. 



4 Proxy Modes 

“Proxy Mode” refers to the way how clients “see” the proxy server. One can differentiate 

between two main modes: non-transparent and transparent mode. 

Non-transparent (classic proxy) mode means that the client application (e.g. your web 

browser) must be aware of the existence of the proxy server, i.e. the client must be explicitly 

configured to use the server in order to establish connections to the Internet. 

On the other hand, in transparent mode, the client's application does not know about the 

existence of the proxy server. Generally all traffic on TCP port 80 (HTTP) is redirected by a 

networks element (router, firewall, the CYAN appliance) to the proxy server, i.e. the proxy 

server is “injected” transparently into the network traffic. 

These two modes have different consequences: 

– non-transparent mode: as described above, each client's application needs to be 

configured to use the proxy server, which implies some administrative effort. Furthermore, 

in order to be able to enforce the use of this security and policy gateway, another network 

element (router, firewall) must ensure (by blocking) that no direct traffic from a client may 

pass to the Internet. 

– transparent mode: to operate Secure Web for Windows in this mode, it is required to 

configure port forwarding rules on your router or firewall device. Please refer to the 

documentation of your router or firewall to find out about the necessary configuration 

steps. 

You will most probably want to redirect all traffic that “goes to” the TCP destination port 80, 

which is the common port for HTTP servers. You may, however, also want to redirect the 

ports 3126 and 8080, which are commonly used by proxy servers. In this way you shall 

prevent the use of external (possibly anonymous) proxies. 

F Caution: be careful with the redirect rule, make sure that the requests from the 

proxy machine itself do not get redirected, otherwise it will start to loop between 

the firewall and the proxy server, resulting in a failure of one, or both devices. 



5 Setting up Secure Web 

The latest copy of the Windows version of Secure Web can be downloaded from 

www.cyan-networks.com/windows 

F Note: Make sure that you execute the setup program with administrator 

permissions! 

After downloading and executing the setup program it will start extracting the setup files and 

start the setup wizard: 

Illustration 3: Secure Web Setup Wizard 

During the setup process the wizard will ask you if you would like to setup the database 

connection for the Cyan Reporting System. In the case you already have an MS SQL server 

installed and running, and you would like to put the reporting data onto this server, select the 

option “Configure CRS to work with MS SQL”. 



Illustration 4: Secure Web Setup Wizard - specify 

database connection 

Please refer also to chapter 8 Setting up the Reporting System on page 15 for details 

connecting the reporting system to the database instance. 

After successful installation you will find following services in the Windows service manager: 

Illustration 5: Secure Web Services 

All services are set to automatically start at system startup. 



6 Login to the Administration Interface 

The Secure Web provides an intuitive, web-based configuration application enabling the 

administrator to configure all components. In order to administrate the Secure Web, use a 

standard web browser to connect to the URL: 

https://:9992/ 

where is one of the IP addresses of the proxy host. After successful installation 

on the Windows platform an entry has been added to your start menu providing a shortcut to 

the administration interface: 

Illustration 6: Secure Web Start Menu Entries on Windows 

On connecting to the administration interface, the browser will display a warning about the 

certificate. Please click “Yes” to proceed to the administration page. The following screenshot 

shows the dialog that appears in Microsoft Internet Explorer Version 6.0: 

Illustration 7: SSL Warning 



On successful connect, the admin selection screen will appear: 

Click the “Cyan Secure Web” icon to enter the web administration interface: 

Illustration 9: Secure Web Login 

The default login values are: 

User: admin 

Password: admin 

Illustration 8: Admin Selection Screen 

F Note: We strongly recommended to change the administrator password as soon as 

possible. 



6.1 Secure Web License 

Secure Web requires a valid license to operate. In the case you have not received your license 

information and would like to evaluate Secure Web, please browse to the location 

http://www.cyan-networks.com/registration 

and follow the instructions on the screen. On successful completion of the registration, a key 

file that includes the evaluation license will be sent to your email address. 

In order to activate Secure Web with a valid license, browse to the Admin / License dialog and 

upload the key file that is attached to the email you received, as shown in the following 

screenshot: 

Illustration 10: Secure Web (evaluation) license 

F Note: After uploading the Secure Web license, the proxy will start updating the 

URL database. This could take several minutes, depending on the speed of your 

Internet connection. You may want to check the 'Server' dialog to view the current 

status of the download. 



6.2 Changing the Secure Web Administrator Password 

In order to change the Secure Web administrator user account browse the menu to Admin / 

Admin User / Users as shown in the following screenshot: 

Illustration 11: Secure Web administrator user 

Click on the Edit button next to the administrator user “admin” to open a new dialog which 

allows you to change the name as well as assign a new password. 



6.3 Initial Configuration and Authentication 

Secure Web is installed on the appliance with a default configuration. This configuration 

includes for the purpose of authentication an IP instance named “global” representing “the 

world” (0.0.0.0/0), as shown in the following screenshot: 

Illustration 12: Initial authentication setup 

In order to configure and successfully use your own authentication instance, like your Active 

Directory server for example, you must delete or deactivate this IP instance. Browse the menu 

to Authentication / IP Instance, click the Edit button of the “global” IP instance and clear the 

“Enabled” checkbox to deactivate this IP instance. 

F Note: Do not forget to click the button in order to notify the Secure Web 

proxy server that it needs to reload the configuration. 



7 Setting up Microsoft SQL Server Express Edition 

Microsoft SQL Express Edition is a free of charge SQL database engine that you might want to 

use as the database backend to the CYAN Reporting System. You can obtain the latest copy 

from the Microsoft homepage from the following URL: 

http://www.microsoft.com/sql/editions/express/ 

After downloading and starting the setup program please follow the instructions of the setup 

wizard up to the dialog shown below. Please make sure to uncheck the “Hide advanced 

configuration options” button: 

Illustration 13: MS SQL Server 2005 Setup 

Continue to the dialog shown below. In this dialog please make sure that “Default instance” 

will be installed: 

Illustration 14: MS SQL Server Setup - Default 

instance 



The “Default instance” will select the TCP port 1433 as the listening port for the SQL server 

communication. 

Continue to the dialog shown below and select the “Mixed Mode” installation option. Please do 

not forget to specify a password for the sa user. The sa user is the system administrator for 

the SQL server and will have all administrative permissions: 

Illustration 15: MS SQL Server Setup - Mixed Mode 

Continue with the setup wizard until the installation is finished. After finishing the installation 

the SQL server must be setup to allow TCP for remote connections. To enable this function 

please start the “SQL Server Surface Area Configuration” program: 

Illustration 16: MS SQL Server Windows Start Menu Entries 



Select the “Surface Area Configuration for Services and Connections” link to open the settings 

of the database engine. 

Illustration 17: SQL Server Surface Area 

Configuration 

To change the setting for remote connections browse the tree to the dialog “Database 

Engine” / “Remote Connections”. Change the setting for “Local and remote connections” to 

“Using TCP/IP only” as shown in the following screenshot: 

Illustration 18: SQL Server Settings for Remote Connections 

The configuration fo the SQL server is now completed. Finally a restart MS SQL Server is 

required so that the changes will take effect. 



8 Setting up the Reporting System 

The initial configuration of the reporting system is not connected to a database. The following 

actions need to be completed to activate the Reporting System: 

1. Setting up the Database Connection 

2. Setting up the Reporting Database 

3. Enabling the Log-Feeder 

8.1 Setting up the Database Connection 

In order to setup the reporting database connection connect to the administration interface 

and select the Cyan Reporting System icon from the Admin Selection Screen (see Illustration 

8: Admin Selection Screen on page 8). The following setup dialog will be displayed: 

Illustration 19: Database Connection for the Reporting System 

In the case you have installed MS SQL Server and specified the connection parameters during 

the setup process of Secure Web, this screen will not be displayed anymore. 

Following to saving the connection information by clicking the “Setup” button, the 

administration interface will guide you to the process of setting up the database tables. 



8.2 Setting up the Reporting Database 

Provided the database connection is set up correctly and the database is empty, the Reporting 

System will display the following screen, showing that the database version is out of date: 

Click the button to confirm that the missing database may now be set up and configured 

automatically. 

Illustration 20: Setting up the reporting database 

F Note: Whenever new versions of the Reporting System require changes to the 

database, your explicit confirmation is requested to in order to proceed with the 

upgrade. 

F Caution: Database upgrades may take a long time and can cause significant 

impact on the operation and performance of the system. Therefore the Reporting 

System will never upgrade the database automatically, but leave this decision with 

the administrator. 

After successful completion of the setup / upgrade of the database, the login dialog will 

(re-)appear. 



8.3 Enabling the Log-Feeder 

In order to activate the import of the reporting information into the reporting database, the log 

feeder service of Secure Web must be enabled. Browse the menu to Server / Log Feeder / 

Setup as shown in the following screenshot: 

Illustration 21: Log Feeder 

The default values in this dialog are prepared to operate with the reporting system on this 

same machine. In case you want to run the reporting system on a separate machine, please 

refer to the Secure Web Reference Guide that describes the necessary steps. 



9 Login to the Reporting System 

In order to login to the Reporting System connect to the administration interface and select the 

Cyan Reporting System icon from the Admin Selection Screen (see Illustration 8: Admin 

Selection Screen on page 8). The following login screen will appear: 

Illustration 22: Reporting login 

The reporting system uses different login credentials than the appliance component. You may 

want to assign a different password to the Secure Web administration login in order restrict the 

administration of the machine parameters and the reporting to different people. 

The default login values are: 

User: admin 

Password: admin 

F Note: We strongly recommended to change the administrator password as soon as 

possible. 



10 Where to continue ... 

Further documentation about the product as well as technical white papers that describe 

certain use cases can be found in our documentation repository on our homepage: 

http://www.cyan-networks.com/documentation 

In the case you need assistance, please contact your local reseller or contact our support team 

via email or telephone at 

support@cyan-networks.com 

+43 (720) 555444-333 



Illustration Index 

Illustration 1: Out-of-line deployment................................................................................................................ 3 

Illustration 2: Deployment in a DMZ..................................................................................................................3 

Illustration 3: Secure Web Setup Wizard.......................................................................................................... 5 

Illustration 4: Secure Web Setup Wizard - specify database connection.......................................................... 6 

Illustration 5: Secure Web Services.................................................................................................................. 6 

Illustration 6: Secure Web Start Menu Entries on Windows..............................................................................7 

Illustration 7: SSL Warning................................................................................................................................7 

Illustration 8: Admin Selection Screen.............................................................................................................. 8 

Illustration 9: Secure Web Login....................................................................................................................... 8 

Illustration 10: Secure Web (evaluation) license............................................................................................... 9 

Illustration 11: Secure Web administrator user................................................................................................10 

Illustration 12: Initial authentication setup....................................................................................................... 11 

Illustration 13: MS SQL Server 2005 Setup.................................................................................................... 12 

Illustration 14: MS SQL Server Setup - Default instance................................................................................ 12 

Illustration 15: MS SQL Server Setup - Mixed Mode.......................................................................................13 

Illustration 16: MS SQL Server Windows Start Menu Entries......................................................................... 13 

Illustration 17: SQL Server Surface Area Configuration.................................................................................. 14 

Illustration 18: SQL Server Settings for Remote Connections........................................................................ 14 

Illustration 19: Database Connection for the Reporting System......................................................................15 

Illustration 20: Setting up the reporting database............................................................................................16 

Illustration 21: Log Feeder.............................................................................................................................. 17 

Illustration 22: Reporting login........................................................................................................................ 18

CYAN SECURE WEB - Info-Point-Security

Create successful ePaper yourself

Delete template?

Save as template?