Release Information
Cyan Networks Secure Web - Release Notes

System requirements

Secure Web is built to run on Linux systems. The build system is Debian Etch. Secure Web should run on all Linux systems with the following or higher versions of the kernel and libraries:

  • Kernel version 2.6.x
  • SSL (libssl.so) : OpenSSL 0.9.7 or higher is required.
  • LDAP (libldap.so) : OpenLDAP libraries 2.2 or higher are required for LDAP authentication.
  • C++ (libstdc++6.so) : C++ supplementary libraries version 6.

All libraries must be correctly registered with the dynamic linker of your system. On startup, the product will search for libssl.so and libldap.so. Please make sure that the libraries can be accessed by these filenames. Create symbolic links to the libraries, if necessary, like this:

    # ln -s /usr/lib/libssl.so.0.9.8 /usr/lib/libssl.so
    # ln -s /usr/lib/libldap_r.so.2.0.130 /usr/lib/libldap.so
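
The following check is an added example, not part of the product or the original release notes. It reports whether the unversioned names the product searches for resolve to a real file; the function name check_lib and the LIBDIR variable are assumptions made for this example.

```shell
#!/bin/sh
# check_lib DIR NAME: report whether DIR/NAME (e.g. libssl.so) resolves to a
# real file. Prints one of:
#   ok <target>      NAME exists and resolves to <target>
#   dangling         NAME is a symlink whose target no longer exists
#   missing <file>   NAME is absent; <file> is a versioned file to link to
#   missing          NAME is absent and no NAME.* file was found in DIR
check_lib() {
    dir=$1
    name=$2
    target="$dir/$name"
    if [ -e "$target" ]; then
        # readlink -f follows the complete symlink chain.
        echo "ok $(readlink -f "$target")"
        return 0
    fi
    if [ -L "$target" ]; then
        echo "dangling"
        return 1
    fi
    # Look for a versioned file such as libssl.so.0.9.8.
    for cand in "$dir/$name".*; do
        if [ -f "$cand" ]; then
            echo "missing $cand"
            return 1
        fi
    done
    echo "missing"
    return 1
}

# Check both names from the release notes in LIBDIR (default /usr/lib).
for lib in libssl.so libldap.so; do
    printf '%s: ' "$lib"
    check_lib "${LIBDIR:-/usr/lib}" "$lib" || true
done
```

The candidate search only matches files named NAME.*, so a thread-safe build such as libldap_r.so.2.0.130 from the example above is not suggested automatically.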

We have successfully tested Secure Web on

  • SuSE Enterprise 10
  • Redhat ES 5
  • Debian Etch, Lenny
  • Ubuntu 8.04 LTS, 9.10

Setup procedure

The setup of the product depends on the platform you are using. Please refer to the proper platform page for more information about the setup steps.

Initial administration

After setup, the administration interface is accessible with your web browser at https://ipaddress:9992/. The default username/password is admin/admin. Please change this after your first login in the "Admin" menu. The administration interface is only accessible over a secure HTTPS connection. If you want to change the default SSL certificate, please consult support.

Java

The administration interface needs the Java Development Kit (Sun JDK recommended) version 1.5 or higher installed on the system and the JAVA_HOME environment variable set up accordingly. We ship a Sun JDK 1.5 with the setup which will be used for the product by default. If you want to use your own JDK, you may use the helper script in the product suite to switch the JDK:

    # scripts/use_alternative_jdk.sh

To switch back to the shipped JDK, use:

    # scripts/use_shipped_jdk.sh

Installation Defaults

The default installation sets up the proxy on port 8080 for all network interfaces of your machine. IP authentication is enabled for all IPs (0.0.0.0), which maps to the default filter 'defaultrestrictive'. This default filter is set up to be very restrictive and blocks all categories by default.

Demo registration

If you have not purchased a license from Cyan Networks yet, you may register a demo version of this product. Click on the "Register Demo" button, which will open a new dialog where you are asked to provide your personal and company details. After completing this dialog you will receive a demo license at the e-mail address you supplied.

License installation

If you have purchased a license or registered a demo version from Cyan Networks, you will receive a license file via e-mail. Save this license file on the hard disk, go to the "Admin" menu and click on "License". Use the "Browse" button to select the license file previously saved. Now click the "Upload License" button to install the Secure Web license. You should now see your license details and the status set to "Valid". If not, please contact support.

Admin proxy settings

For certain actions, the product itself needs to access the internet. Such requests need to be made for the automatic list update. If the product needs to use an upstream proxy, please open the administration interface, go to the "Admin" menu and click on "Admin proxy". Fill in all information necessary for the product to be able to reach the Internet. If authentication is enabled on an upstream proxy, click the "Need authentication" checkbox and provide valid user credentials.

VMWare information

Important information about the VMWare installation can be found on the VMWare summary page. The credentials for the Linux system are the following:

    root/cyan
    sweb/cyan

The product is installed in the home directory of user "sweb" and starts up automatically. DHCP is configured to query for an IP address and an OpenSSH server is installed for your convenience.

Authentication against Active Directory (AD) via LDAP

To authenticate against a Windows Active Directory server, you can use native Windows authentication, or connect via LDAP.
To use LDAP, you need the following settings within the LDAP instance configuration:

  • LDAP bind method: LDAP_AUTH_SIMPLE
  • LDAP bind DN: cn=Administrator,cn=Users,dc=<your domain>,dc=com
  • LDAP bind password: <password of admin user>

The user must have sufficient rights to query Active Directory. If the specific user is located in an organisational unit on the LDAP server, make sure to specify the cn or ou the user is located in. In the example given above, "cn=Users" is the default organisational unit for users.

  • LDAP base DN: cn=Users,dc=<your domain>,dc=com
  • LDAP user attribute: sAMAccountName
  • LDAP user OC: user

If you want to authenticate against groups as well, enable the "Enable groups" checkbox and fill in the following fields:

  • LDAP group attribute: cn
  • LDAP group OC: group
  • LDAP group member: member
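
To verify these values against the directory before entering them, the added example below (not part of the product or the original release notes) builds the user and group search filters from the settings above and runs the lookup with the OpenLDAP ldapsearch client. It assumes the product combines the object class and attribute settings into a standard LDAP filter; the function names, the host argument and the dc=example,dc=com suffix are placeholders chosen for this example.

```shell
#!/bin/sh
# ldap_escape VALUE: escape the RFC 4515 special characters \ * ( ) so that
# a login or group name is matched literally and not parsed as filter syntax.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# user_filter LOGIN: filter built from "LDAP user OC: user" and
# "LDAP user attribute: sAMAccountName".
user_filter() {
    printf '(&(objectClass=user)(sAMAccountName=%s))' "$(ldap_escape "$1")"
}

# group_filter GROUP USER_DN: filter built from "LDAP group OC: group",
# "LDAP group attribute: cn" and "LDAP group member: member".
group_filter() {
    printf '(&(objectClass=group)(cn=%s)(member=%s))' \
        "$(ldap_escape "$1")" "$(ldap_escape "$2")"
}

# check_user HOST DOMAIN_DN LOGIN: simple bind (-x, matching LDAP_AUTH_SIMPLE)
# with the bind DN and base DN from the lists above, then search for LOGIN.
# -W prompts for the bind password so it does not appear in the process list.
check_user() {
    ldapsearch -x -H "ldap://$1" -W \
        -D "cn=Administrator,cn=Users,$2" \
        -b "cn=Users,$2" \
        "$(user_filter "$3")" sAMAccountName
}

# Example call (placeholder host and domain):
#   check_user dc01.example.com "dc=example,dc=com" jdoe
```

A simple bind sends the bind password unencrypted unless the connection is protected; add -ZZ to the ldapsearch call to require StartTLS where the directory supports it.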

ESET virus scanner

If you wish to use the ESET anti-virus engine and have purchased a license from CYAN Networks, you will receive a license file via e-mail. Save this license file on the hard disk, click the "Browse" button on the "License" dialog and select the file previously saved. Now click the "Upload License" button to install the anti-virus license.

After the license is in place, the virus pattern update tool can be run with the command:

    # <INSTALLDIR>/scripts/cyan-eset-updater.sh

The virus scanner data files will be placed in directory <INSTALLDIR>/data/bases.

If you want to keep your virus pattern files up to date, you should add an entry containing this command to the crontab of user sweb.

ESET on Debian/Ubuntu

If you didn't use the generic installer, in order to use the ESET virus scanner, you need to install the ESET support package:

    # apt-get install cyan-sweb-1.8-vscan-eset

After you install the support package, the virus scanner is ready to use. A crontab entry has been created to keep the virus patterns up to date.

Customize error pages

If you want to adapt the error pages to your CI, you can modify the files in <INSTALLDIR>/templates/.
To supply your own logo, background images, etc., just put them into the <INSTALLDIR>/web/ folder. Please note that they need to be named differently from the supplied CYAN Networks files, or they will be overwritten during the next product update.

The latest release version 1.8 brings new error message templates with extended information and a new look & feel. To avoid causing problems with your existing templates, the templates are not overwritten by default. To use the new templates, you will have to copy the files manually.

Warning: Your local changes will be lost if you follow the commands below. Please make sure that you have a backup and/or have adapted the new templates to your needs before setting them active.

    # cd /opt/cyan/sweb/templates
    # cp certerror.html.def certerror.html
    # cp delayed.html.def delayed.html
    # cp error.html.def error.html
    # cp ftpdir.html.def ftpdir.html

This does not apply if you are doing a fresh installation. The new templates will automatically be set active in this case.
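
The added example below (not part of the product or the original release notes) performs the same four copies but first saves every active template that differs from its .def version, so the local changes mentioned in the warning are kept. The function name activate_templates and the backup directory argument are assumptions made for this example.

```shell
#!/bin/sh
# activate_templates TEMPLATE_DIR BACKUP_DIR
# For each of the four templates named in the release notes: save the active
# file to BACKUP_DIR if it differs from the shipped .def file, then copy the
# .def file over it. Prints BACKUP_DIR on success.
activate_templates() {
    tdir=$1
    backup=$2
    # Require a fresh backup directory so an earlier backup is never clobbered.
    mkdir "$backup" || return 1
    for t in certerror delayed error ftpdir; do
        if [ ! -f "$tdir/$t.html.def" ]; then
            echo "skipping $t.html: no $t.html.def in $tdir" >&2
            continue
        fi
        # Only templates with local changes need to be preserved.
        if [ -f "$tdir/$t.html" ] && ! cmp -s "$tdir/$t.html" "$tdir/$t.html.def"; then
            cp -p "$tdir/$t.html" "$backup/$t.html" || return 1
        fi
        cp "$tdir/$t.html.def" "$tdir/$t.html" || return 1
    done
    echo "$backup"
}

# Run when called with both arguments, for example:
#   sh activate_templates.sh /opt/cyan/sweb/templates /home/sweb/templates-backup
if [ "$#" -eq 2 ]; then
    activate_templates "$1" "$2"
fi
```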

Upgrade to the latest version

The upgrade of the product depends on the platform you are using. Please refer to the proper platform page for more information about the setup steps.

Known issues

  • HTTP/HTTPS requests with IP addresses (instead of host names) will be blocked by default. This behaviour blocks ICQ, Skype and similar products that connect to their server parts via the HTTPS proxy.

  • SSL intercept mode issues: (these issues won't emerge when using SSL tunneling mode)
    • If you want to use SSL intercept, the browser will display a warning upon entering an HTTPS URL. To avoid this, you need to supply a Certificate Authority (CA) certificate to CYAN Secure Web and all your Web browsers. CYAN Secure Web provides the possibility to generate and export a CA certificate for this use.
    • Since Skype uses the SSL protocol, but diverges later from SSL protocol procedure, it won't work with SSL intercept mode.
  • If you're using the Active Directory authentication via the Samba daemon, you will need to rejoin into your domain after an upgrade.
    Either use the appliance interface for this, or use the command line tool: net join -U administrator

FAQ

Q: My Internet browser wants to download some file instead of presenting me the administration interface. What is going wrong?

A: You probably used HTTP instead of HTTPS to connect to the administration interface. Please verify that you use https://ipaddress:9992/ to access the interface.

Q: How do I know the IP address of the VMWare?

A: The VMWare will print out some system information on boot up. If you missed this information, you can query the IP configuration on the shell as well. To do this, log in to the operating system and issue the command:

    # /usr/sbin/ifconfig eth0

Q: Is the engine based on Squid?

A: No, the proxy engine is our own development and not based on Squid.

Q: Is authentication against Active Directory supported?

A: Yes, authentication is supported via the LDAP method and via a Unix or Windows authentication module.

Q: What anti-virus engines are supported?

A: The product supports native Sophos, Kaspersky and ESET and external virus scanners. For native Sophos, a Sophos product must be installed. For Kaspersky and ESET, only a license file from Cyan Networks is needed.

Q: Is it possible to run the VMWare under WindowsXP/Linux/FreeBSD/... ?

A: The VMWare image will run under all operating systems VMWare supports.

Q: Is the Cyan URL Filter Database licensed from some 3rd party company?

A: No, the URL Filter Database is entirely our own. It contains 26 categories.

Q: How can I reach support?

A: Support is available via e-mail: support@cyan-networks.com