CYAN SECURE WEB - Info-Point-Security
<strong>CYAN</strong> <strong>SECURE</strong> <strong>WEB</strong><br />
Installing on Windows<br />
September 2009<br />
Applies to: <strong>CYAN</strong> Secure Web 1.7 and above
<strong>CYAN</strong> Secure Web Installing on Windows<br />
Table of Contents<br />
1 Introduction<br />
2 Preparation<br />
3 Network Integration<br />
3.1 Out-of-line Deployment<br />
3.2 DMZ Deployment<br />
4 Proxy Modes<br />
5 Setting up Secure Web<br />
6 Login to the Administration Interface<br />
6.1 Secure Web License<br />
6.2 Changing the Secure Web Administrator Password<br />
6.3 Initial Configuration and Authentication<br />
7 Setting up Microsoft SQL Server Express Edition<br />
8 Setting up the Reporting System<br />
8.1 Setting up the Database Connection<br />
8.2 Setting up the Reporting Database<br />
8.3 Enabling the Log-Feeder<br />
9 Login to the Reporting System<br />
10 Where to continue ...
© 2009 <strong>CYAN</strong> Networks Software GmbH - 1 -
1 Introduction<br />
<strong>CYAN</strong> Secure Web is a standalone proxy server. The native Windows version with its easy setup<br />
and administration interface integrates perfectly with Microsoft Windows networks.<br />
The installation package contains the complete set of components of the <strong>CYAN</strong> Secure Web<br />
proxy solution. It supports transparent authentication out of the box and integrates the<br />
anti-virus scan engine NOD32 from ESET.<br />
2 Preparation<br />
Secure Web for Windows requires Windows 2003 Server as the underlying operating system.<br />
We strongly recommend installing the latest service packs from Microsoft on your<br />
host.<br />
In order to operate the Reporting System, a SQL database system is required. The <strong>CYAN</strong><br />
Reporting System supports the following SQL databases:<br />
– PostgreSQL 8.0 or higher<br />
– MySQL 5.1 or higher<br />
– Microsoft SQL Server<br />
Note: If you plan to use the <strong>CYAN</strong> Reporting System, we strongly<br />
recommend setting up the database server prior to installing Secure Web.<br />
If you do not have any of the SQL database systems listed above that can be used<br />
by the reporting system as the data store, we recommend installing MS SQL 2005 Express<br />
Edition (available from http://www.microsoft.com/sql/editions/express/) on any compatible<br />
Windows system.<br />
Note: For evaluation purposes or for small and medium-sized businesses, the SQL<br />
database system can be installed on the same host together with the Secure Web<br />
proxy server. For large-scale installations we strongly recommend running the<br />
database system on a different host, so that the performance of the proxy server<br />
is not affected by the reporting jobs.<br />
The latest setup instructions on setting up MS SQL Express are available at:<br />
http://www.cyan-networks.com/mssqlhowto<br />
3 Network Integration<br />
There are numerous ways in which Secure Web for Windows can be deployed in the network,<br />
the two basic concepts being out-of-line and in the demilitarized zone (DMZ).<br />
3.1 Out-of-line Deployment<br />
The following diagram illustrates the out-of-line deployment:<br />
Illustration 1: Out-of-line deployment<br />
In the out-of-line deployment the proxy server resides on the same physical network as the<br />
clients. The clients do not necessarily have to use the proxy server for their Internet access.<br />
However, in order to ensure security, the firewall must be configured to disallow all direct traffic<br />
from the clients to the Internet. To utilize the proxy server, either all clients are explicitly<br />
configured to use the proxy host, or a rule on the firewall puts the proxy server into<br />
transparent mode by applying port forwarding rules.<br />
3.2 DMZ Deployment<br />
The following diagram illustrates the deployment in a DMZ:<br />
Illustration 2: Deployment in a DMZ<br />
In the DMZ deployment, the proxy is made part of the network that is protected by the firewall<br />
from both the extranet and the intranet. If a DMZ is already established, this is<br />
the preferred mode, especially if authentication is to be used and the<br />
authentication server is also on this network.<br />
4 Proxy Modes<br />
“Proxy Mode” refers to the way clients “see” the proxy server. One can differentiate<br />
between two main modes: non-transparent and transparent mode.<br />
Non-transparent (classic proxy) mode means that the client application (e.g. your web<br />
browser) must be aware of the existence of the proxy server, i.e. the client must be explicitly<br />
configured to use the server in order to establish connections to the Internet.<br />
On the other hand, in transparent mode, the client application does not know about the<br />
existence of the proxy server. Generally all traffic on TCP port 80 (HTTP) is redirected by a<br />
network element (router, firewall, the <strong>CYAN</strong> appliance) to the proxy server, i.e. the proxy<br />
server is “injected” transparently into the network traffic.<br />
These two modes have different consequences:<br />
– non-transparent mode: as described above, each client's application needs to be<br />
configured to use the proxy server, which implies some administrative effort. Furthermore,<br />
in order to be able to enforce the use of this security and policy gateway, another network<br />
element (router, firewall) must ensure (by blocking) that no direct traffic from a client may<br />
pass to the Internet.<br />
– transparent mode: to operate Secure Web for Windows in this mode, it is required to<br />
configure port forwarding rules on your router or firewall device. Please refer to the<br />
documentation of your router or firewall to find out about the necessary configuration<br />
steps.<br />
You will most probably want to redirect all traffic that “goes to” the TCP destination port 80,<br />
which is the common port for HTTP servers. You may, however, also want to redirect the<br />
ports 3126 and 8080, which are commonly used by proxy servers. This<br />
prevents the use of external (possibly anonymous) proxies.<br />
Caution: Be careful with the redirect rule. Make sure that requests from the<br />
proxy machine itself do not get redirected; otherwise traffic will start to loop between<br />
the firewall and the proxy server, resulting in a failure of one or both devices.<br />
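The loop described in the caution is easiest to hit in the out-of-line deployment, where the proxy sits inside the client subnet and a subnet-wide redirect rule catches the proxy's own outbound requests. The following check is an added example, not part of the CYAN documentation: it models a redirect rule set and reports loops and bypasses. The names `Rule`, `decide`, `audit` and `build_rules`, all addresses, and first-match rule evaluation are assumptions made for illustration; check how your firewall orders its rules.

```python
"""Added example: audit a transparent-proxy redirect rule set for loops and bypasses."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample values; replace with your own addressing plan.
PROXY_IP = "192.168.10.5"
CLIENT_NET = "192.168.10.0/24"       # out-of-line: proxy and clients share this subnet
REDIRECT_PORTS = (80, 3126, 8080)    # ports the guide suggests redirecting


@dataclass(frozen=True)
class Rule:
    src: str      # source network in CIDR notation
    dport: int    # TCP destination port
    action: str   # "pass" (forward unchanged) or "redirect" (send to the proxy)


def decide(rules, src_ip, dport):
    """Return the action of the first matching rule (assumed first-match firewall)."""
    for rule in rules:
        if dport == rule.dport and ip_address(src_ip) in ip_network(rule.src):
            return rule.action
    return "pass"


def audit(rules, proxy_ip, client_ips, ports=REDIRECT_PORTS):
    """Report proxy traffic that would loop and client traffic that skips the proxy."""
    findings = []
    for port in ports:
        if decide(rules, proxy_ip, port) == "redirect":
            findings.append(f"loop: proxy {proxy_ip} -> tcp/{port} is redirected to itself")
        for client in client_ips:
            if decide(rules, client, port) != "redirect":
                findings.append(f"bypass: client {client} -> tcp/{port} is not redirected")
    return findings


def build_rules(client_net, proxy_ip, ports=REDIRECT_PORTS, exempt_proxy=True):
    """Build the rule set; the proxy exemption must come before the subnet redirect."""
    rules = []
    if exempt_proxy:
        rules += [Rule(f"{proxy_ip}/32", port, "pass") for port in ports]
    rules += [Rule(client_net, port, "redirect") for port in ports]
    return rules


if __name__ == "__main__":
    clients = ["192.168.10.20", "192.168.10.21"]
    for label, exempt in (("without proxy exemption", False), ("with proxy exemption", True)):
        rules = build_rules(CLIENT_NET, PROXY_IP, exempt_proxy=exempt)
        print(label, "->", audit(rules, PROXY_IP, clients) or "no findings")
```

Reversing the rule order reintroduces the loop even though the exemption is present, which is why the audit evaluates the rules as the firewall would rather than just searching for an exemption entry.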
5 Setting up Secure Web<br />
The latest copy of the Windows version of Secure Web can be downloaded from<br />
www.cyan-networks.com/windows<br />
Note: Make sure that you execute the setup program with administrator<br />
permissions!<br />
After downloading and executing the setup program, it will extract the setup files and<br />
start the setup wizard:<br />
Illustration 3: Secure Web Setup Wizard<br />
During the setup process the wizard will ask you whether you would like to set up the database<br />
connection for the Cyan Reporting System. If you already have an MS SQL server<br />
installed and running, and you would like to put the reporting data onto this server, select the<br />
option “Configure CRS to work with MS SQL”.<br />
Illustration 4: Secure Web Setup Wizard - specify database connection<br />
Please refer also to chapter 8, Setting up the Reporting System, for details on<br />
connecting the reporting system to the database instance.<br />
After successful installation you will find the following services in the Windows service manager:<br />
Illustration 5: Secure Web Services<br />
All services are set to automatically start at system startup.<br />
6 Login to the Administration Interface<br />
Secure Web provides an intuitive, web-based configuration application enabling the<br />
administrator to configure all components. In order to administer Secure Web, use a<br />
standard web browser to connect to the URL:<br />
https://PROXY_IP:9992/<br />
where PROXY_IP is one of the IP addresses of the proxy host. After successful installation<br />
on the Windows platform, an entry has been added to your start menu providing a shortcut to<br />
the administration interface:<br />
Illustration 6: Secure Web Start Menu Entries on Windows<br />
On connecting to the administration interface, the browser will display a warning about the<br />
certificate. Please click “Yes” to proceed to the administration page. The following screenshot<br />
shows the dialog that appears in Microsoft Internet Explorer Version 6.0:<br />
Illustration 7: SSL Warning<br />
On successful connection, the admin selection screen will appear:<br />
Illustration 8: Admin Selection Screen<br />
Click the “Cyan Secure Web” icon to enter the web administration interface:<br />
Illustration 9: Secure Web Login<br />
The default login values are:<br />
User: admin<br />
Password: admin<br />
Note: We strongly recommend changing the administrator password as soon as<br />
possible.<br />
6.1 Secure Web License<br />
Secure Web requires a valid license to operate. If you have not received your license<br />
information and would like to evaluate Secure Web, please browse to the location<br />
http://www.cyan-networks.com/registration<br />
and follow the instructions on the screen. On successful completion of the registration, a key<br />
file that includes the evaluation license will be sent to your email address.<br />
In order to activate Secure Web with a valid license, browse to the Admin / License dialog and<br />
upload the key file that is attached to the email you received, as shown in the following<br />
screenshot:<br />
Illustration 10: Secure Web (evaluation) license<br />
Note: After uploading the Secure Web license, the proxy will start updating the<br />
URL database. This could take several minutes, depending on the speed of your<br />
Internet connection. You may want to check the 'Server' dialog to view the current<br />
status of the download.<br />
6.2 Changing the Secure Web Administrator Password<br />
In order to change the Secure Web administrator user account, browse the menu to Admin /<br />
Admin User / Users as shown in the following screenshot:<br />
Illustration 11: Secure Web administrator user<br />
Click on the Edit button next to the administrator user “admin” to open a new dialog which<br />
allows you to change the name as well as assign a new password.<br />
6.3 Initial Configuration and Authentication<br />
Secure Web is installed on the appliance with a default configuration. For the purpose of<br />
authentication, this configuration includes an IP instance named “global” representing “the<br />
world” (0.0.0.0/0), as shown in the following screenshot:<br />
Illustration 12: Initial authentication setup<br />
In order to configure and successfully use your own authentication instance, like your Active<br />
Directory server for example, you must delete or deactivate this IP instance. Browse the menu<br />
to Authentication / IP Instance, click the Edit button of the “global” IP instance and clear the<br />
“Enabled” checkbox to deactivate this IP instance.<br />
Note: Do not forget to click the button in order to notify the Secure Web<br />
proxy server that it needs to reload the configuration.<br />
7 Setting up Microsoft SQL Server Express Edition<br />
Microsoft SQL Express Edition is a free-of-charge SQL database engine that you might want to<br />
use as the database backend for the <strong>CYAN</strong> Reporting System. You can obtain the latest copy<br />
from the Microsoft homepage at the following URL:<br />
http://www.microsoft.com/sql/editions/express/<br />
After downloading and starting the setup program please follow the instructions of the setup<br />
wizard up to the dialog shown below. Please make sure to uncheck the “Hide advanced<br />
configuration options” button:<br />
Illustration 13: MS SQL Server 2005 Setup<br />
Continue to the dialog shown below. In this dialog please make sure that “Default instance”<br />
will be installed:<br />
Illustration 14: MS SQL Server Setup - Default instance<br />
The “Default instance” will select the TCP port 1433 as the listening port for the SQL server<br />
communication.<br />
Continue to the dialog shown below and select the “Mixed Mode” installation option. Please do<br />
not forget to specify a password for the sa user. The sa user is the system administrator for<br />
the SQL server and will have all administrative permissions:<br />
Illustration 15: MS SQL Server Setup - Mixed Mode<br />
Continue with the setup wizard until the installation is finished. After finishing the installation,<br />
the SQL server must be set up to allow TCP for remote connections. To enable this function,<br />
please start the “SQL Server Surface Area Configuration” program:<br />
Illustration 16: MS SQL Server Windows Start Menu Entries<br />
Select the “Surface Area Configuration for Services and Connections” link to open the settings<br />
of the database engine.<br />
Illustration 17: SQL Server Surface Area Configuration<br />
To change the setting for remote connections browse the tree to the dialog “Database<br />
Engine” / “Remote Connections”. Change the setting for “Local and remote connections” to<br />
“Using TCP/IP only” as shown in the following screenshot:<br />
Illustration 18: SQL Server Settings for Remote Connections<br />
The configuration of the SQL server is now completed. Finally, a restart of MS SQL Server is<br />
required so that the changes will take effect.<br />
8 Setting up the Reporting System<br />
The initial configuration of the reporting system is not connected to a database. The following<br />
actions need to be completed to activate the Reporting System:<br />
1. Setting up the Database Connection<br />
2. Setting up the Reporting Database<br />
3. Enabling the Log-Feeder<br />
8.1 Setting up the Database Connection<br />
In order to set up the reporting database connection, connect to the administration interface<br />
and select the Cyan Reporting System icon from the Admin Selection Screen (see Illustration<br />
8: Admin Selection Screen). The following setup dialog will be displayed:<br />
Illustration 19: Database Connection for the Reporting System<br />
If you have installed MS SQL Server and specified the connection parameters during<br />
the setup process of Secure Web, this screen will not be displayed anymore.<br />
After you save the connection information by clicking the “Setup” button, the<br />
administration interface will guide you through the process of setting up the database tables.<br />
8.2 Setting up the Reporting Database<br />
Provided the database connection is set up correctly and the database is empty, the Reporting<br />
System will display the following screen, showing that the database version is out of date:<br />
Illustration 20: Setting up the reporting database<br />
Click the button to confirm that the missing database may now be set up and configured<br />
automatically.<br />
Note: Whenever new versions of the Reporting System require changes to the<br />
database, your explicit confirmation is requested in order to proceed with the<br />
upgrade.<br />
Caution: Database upgrades may take a long time and can cause significant<br />
impact on the operation and performance of the system. Therefore the Reporting<br />
System will never upgrade the database automatically, but leave this decision with<br />
the administrator.<br />
After successful completion of the setup / upgrade of the database, the login dialog will<br />
(re-)appear.<br />
8.3 Enabling the Log-Feeder<br />
In order to activate the import of the reporting information into the reporting database, the log<br />
feeder service of Secure Web must be enabled. Browse the menu to Server / Log Feeder /<br />
Setup as shown in the following screenshot:<br />
Illustration 21: Log Feeder<br />
The default values in this dialog are prepared to operate with the reporting system on the<br />
same machine. If you want to run the reporting system on a separate machine, please<br />
refer to the Secure Web Reference Guide, which describes the necessary steps.<br />
9 Login to the Reporting System<br />
In order to log in to the Reporting System, connect to the administration interface and select the<br />
Cyan Reporting System icon from the Admin Selection Screen (see Illustration 8: Admin<br />
Selection Screen). The following login screen will appear:<br />
Illustration 22: Reporting login<br />
The reporting system uses different login credentials than the appliance component. You may<br />
want to assign a different password to the Secure Web administration login in order to restrict the<br />
administration of the machine parameters and the reporting to different people.<br />
The default login values are:<br />
User: admin<br />
Password: admin<br />
Note: We strongly recommend changing the administrator password as soon as<br />
possible.<br />
10 Where to continue ...<br />
Further documentation about the product as well as technical white papers that describe<br />
certain use cases can be found in our documentation repository on our homepage:<br />
http://www.cyan-networks.com/documentation<br />
If you need assistance, please contact your local reseller or contact our support team<br />
via email or telephone at<br />
support@cyan-networks.com<br />
+43 (720) 555444-333<br />
Illustration Index<br />
Illustration 1: Out-of-line deployment<br />
Illustration 2: Deployment in a DMZ<br />
Illustration 3: Secure Web Setup Wizard<br />
Illustration 4: Secure Web Setup Wizard - specify database connection<br />
Illustration 5: Secure Web Services<br />
Illustration 6: Secure Web Start Menu Entries on Windows<br />
Illustration 7: SSL Warning<br />
Illustration 8: Admin Selection Screen<br />
Illustration 9: Secure Web Login<br />
Illustration 10: Secure Web (evaluation) license<br />
Illustration 11: Secure Web administrator user<br />
Illustration 12: Initial authentication setup<br />
Illustration 13: MS SQL Server 2005 Setup<br />
Illustration 14: MS SQL Server Setup - Default instance<br />
Illustration 15: MS SQL Server Setup - Mixed Mode<br />
Illustration 16: MS SQL Server Windows Start Menu Entries<br />
Illustration 17: SQL Server Surface Area Configuration<br />
Illustration 18: SQL Server Settings for Remote Connections<br />
Illustration 19: Database Connection for the Reporting System<br />
Illustration 20: Setting up the reporting database<br />
Illustration 21: Log Feeder<br />
Illustration 22: Reporting login<br />