-
Cisco ACNS Software Configuration Guide for Centrally Managed Deployments, Release 5.2
-
Index
-
Title Page
-
Preface
-
Chapter 1: Understanding the ACNS 5.2 Network
-
Chapter 2: Using the Content Distribution Manager GUI
-
Chapter 3: Getting Started
-
Chapter 4: Setting Up Content Request Routing in the ACNS Network
-
Chapter 5: Configuring the ACNS Network for Content Distribution
-
Chapter 6: Configuring the ACNS Network for Content Acquisition
-
Chapter 7: Creating and Managing Programs
-
Chapter 8: Configuring Caching Services
-
Chapter 9: Configuring Streaming Media Services
-
Chapter 10: Working with Device Configurations
-
Chapter 11: Configuring Network Interfaces
-
Chapter 12: Configuring Request Processing Services
-
Chapter 13: Configuring Request Authentication and Authorization
-
Chapter 14: Configuring Login Authentication and Authorization
-
Chapter 15: Creating and Managing IP Access Control Lists
-
Chapter 16: Configuring Platform and System Settings
-
Chapter 17: Upgrading and Downgrading the Software
-
Chapter 18: Monitoring the ACNS Network
-
Chapter 19: Backup and Recovery Procedures
-
Appendix A: Creating Manifest Files
-
Appendix B: Configuring Disk Space
-
Appendix C: IP Multicast Addressing
-
Appendix D: Advanced Routing Configurations
-
Appendix E: Mapping ACNS Software CLI Commands to the Content Distribution Manager GUI
-
Table Of Contents
Configuring Request Processing Services
Configuring an ICAP Server for ICAP Service
Configuring the Rules Template Using CLI Commands
Adding a Pattern to an Existing Pattern List
Associating an Action with an Existing Pattern List
Verifying an Action Performed on a Pattern List
Configuring URL Filter Settings Using the Content Distribution Manager GUI
Creating a Text File URL List for URL Filtering
URL Filtering with the N2H2 Server
Enabling N2H2 Filtering Using the Content Distribution Manager GUI
N2H2 Status and Statistics Commands
N2H2 Configuration and Restrictions
URL Filtering with Websense Enterprise Software
Using a Websense Enterprise Server
Using the Integrated Websense Server
Configuring Ports for the Integrated Websense Server
About Websense Server Failover
Enabling Websense Filtering Using the Content Distribution Manager GUI
Websense Status and Statistics Commands
Websense Configuration and Restrictions
URL Filtering with SmartFilter Software
SmartFilter Software and the Action No-Auth Command Rule Interaction
Configuring the Content Engine GUI for Secure or Nonsecure Access
Configuring Request Processing Services
You can configure various content filtering services for the Content Engine, such as ICAP services, rules, and URL filtering. The following sections describe how to define and configure these various features:
•
Configuring the Content Engine GUI for Secure or Nonsecure Access
Configuring ICAP
The Internet Content Adaptation Protocol (ICAP) is an open-standards protocol that can be used for content adaptation, typically at the network edge. ICAP provides a common standard for communication between edge devices and ICAP services such as content filtering and virus scanning provided by third-party vendors. ICAP support on Content Engines enables system resources to be used for other critical applications while using the services offered by third-party vendors for content adaptation.
ICAP has various vectoring points (decision points) that enable modification of HTTP requests and responses when they are processed by the Content Engine. You can define one or more ICAP services and associate them with one or more vectoring points that the service is able to support. An ICAP service is a collection of attributes and ICAP servers. You can configure a maximum of ten ICAP services per Content Engine, with an upper limit of five ICAP servers per ICAP service. Also, you can choose to apply ICAP services to all HTTP requests processed by the Content Engine or apply ICAP processing only to requests that match the Rules Template.
Note
Configuring ICAP Settings
To configure ICAP settings for the Content Engine, follow these steps:
Step 1
Step 2
Step 3
Figure 12-1 ICAP Settings Window
Step 4
The all option applies ICAP processing to all HTTP requests. The rules-template option applies ICAP processing only to requests that match the rule action use-icap-service rule defined in the Rules Template.
Step 5
You can configure the Content Engine to append the client and server IP address headers to requests that are passed to the ICAP server. This specifies that the ICAP extension headers are passed to the ICAP server during the session negotiation between the Content Engine and the ICAP server. This capability allows you to use your ICAP server to perform URL filtering based on the client IP address and server IP address.
Step 6
Step 7
You can configure the Content Engine to append the username and groupname headers to the request that is passed to the ICAP server was added. This capability allows you to use your ICAP server to perform URL filtering based on username and groupname. The currently supported authentication schemes include LDAP, NTLM, RADIUS, and TACACS+.
Step 8
Step 9
Step 10
Step 11
Step 12
Configuring ICAP Services
ACNS 5.2 software supports the following three vectoring points:
•
This vectoring point applies to requests from clients. The ICAP server specifies whether to terminate the connection, send a modified error response to the client, search the cache using the requested URL, use a modified URL before looking up the cache, or modify the request headers or bodies, in the case of a cache miss.
•
This vectoring point applies only to requests after a cache miss and before the request is forwarded to the origin server for content retrieval. The ICAP server determines whether to terminate the client connection, send a modified error response to the client, send the request to the origin server using the client-specified URL or an alternative URL, or modify the request headers or bodies.
•
This vectoring point applies to responses that are received from the origin server. The ICAP server specifies whether to return the response to the client, modify the response headers or bodies before sending them to the client, or cache the response using the same or an alternative URL.
ICAP servers configured with various vectoring points (especially request modification-precache) may become overloaded with HTTP requests because all requests pass through this point. We therefore recommend that you use a cluster of ICAP servers to load balance requests based on various parameters such as weighted load, client IP and server IP address-hash based format, or round-robin format.
More than one ICAP service can be associated with a vectoring point. An ICAP service configured at a vectoring point can have only one load-balancing scheme, irrespective of the number of servers. However, multiple ICAP services configured at one or all of the vectoring points can have different load-balancing schemes.
Note
To configure an ICAP service for a Content Engine, follow these steps:
Step 1
Step 2
Step 3
Step 4
Step 5
Figure 12-2 Creating New ICAP Service
Step 6
a.
b.
c.
Step 7
Step 8
a.
b.
c.
Step 9
Step 10
Step 11
Configuring an ICAP Server for ICAP Service
ICAP servers process HTTP requests from clients based on the ICAP services configured using various vectoring points. ICAP servers perform content adaptation such as request or response modification and filtering of requests or responses based on the configured vectoring points.
You can configure the maximum number of connections and the weight that can be handled by an ICAP server in a cluster of servers. The weight parameter represents the percentage of load that can be redirected to the ICAP server. An ICAP server with a weight of 40 means that this server handles 40 percent of the load. If the total weight of all ICAP servers in a load-balanced cluster exceeds 100, the weight parameter for each ICAP server is recalculated.
Note
To configure an ICAP server for a previously configured ICAP service on a Content Engine, follow these steps:
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
Step 8
Step 9
Step 10
Step 11
Step 12
Step 13
When ICAP processing is enabled and an HTTP browser with a streaming Java applet is opened, several undesirable things occur:
•
•
These conditions occur because the ICAP server is set up to inspect the entire data packet before delivering a response to the client. However, because there is a streaming request, the data continues flowing to the ICAP server indefinitely, deadlocking any response to the requesting client.
Two workarounds are available. You can configure the ICAP server to bypass the scanning process, or you can configure rules on the Content Engine to skip ICAP processing on websites that are known to contain streaming Java applets.
To configure the ICAP server to bypass scanning, use rules such as client_skip_content or server_skip_content.
•
client_skip_content=User Agent: Windows Media Player 9.0.1•
server_skip_content=Content-Type: X-Dave_ContentAlternatively, you can configure the Content Engine to bypass ICAP processing based on user agents or any of the patterns available in the Rules Template, by using the rule command. In the following example, the Content Engine is configured to bypass ICAP processing on the intranet site cisco.com and on the trusted Internet site datek.com:
CE(config)# rule enableCE(config)# rule action use-icap-service trend-reqmod pattern-list 1 protocol allCE(config)# rule action use-icap-service trend-respmod pattern-list 1 protocol allCE(config)# rule pattern-list 1 domain "!(.*cisco\.com|.*datek\.com)"!CE(config)# icap apply rules-templateCE(config)# icap service trend-reqmodenablevector-point reqmod-precacheserver icap://172.19.227.150/REQ-ServiceexitCE(config)# icap service trend-respmodenablevector-point respmod-precacheserver icap://172.19.227.150/interscanexitConfiguring Service Rules
The Rules Template feature provides a flexible mechanism to specify configurable caching requests by allowing these requests to be matched against an arbitrary number of parameters, with an arbitrary number of policies applied against the matches. You can specify a set of rules, each clearly identified by an action and a pattern. Subsequently, for every incoming request, if a pattern for a rule matches the given request, the corresponding action for that rule is taken.
Requests can be matched against regular expressions symbolizing domain names, source IP addresses and network masks, destination IP addresses and network masks, destination port numbers, MIME types, or regular expressions symbolizing a URL.
You can configure service rules using the Content Distribution Manager GUI or CLI commands. This section provides instructions for using the Content Distribution Manager GUI. For more information on the types of policies that can be applied, actions and patterns, Rules Template processing, and using the CLI to configure service rules, refer to the Cisco ACNS Software Command Reference, Release 5.2.
To configure or modify service rule settings, you need to do the following:
•
•
Enabling Rule Settings
Before you configure service rules, you need to enable rule settings for the Content Engine. To enable rule settings, follow these steps:
Step 1
Step 2
Step 3
Step 4
To enable rules using the CLI, use the rule enable global configuration command.
Configuring Service Rules
Configuring a service rule consists of the following tasks:
1.
2.
3.
An action is a process that the Content Engine performs while processing the request, for example, blocking the request, redirecting the request, and so on. A pattern defines the limits of the request, for example, a pattern may specify that the IP address must fall within the subnet range 10.0.*.*.
To configure service rule parameters, follow these steps:
Step 1
Step 2
Step 3
Step 4
Step 5
a.
b.
For example, to create pattern list number 72 with the pattern type domain and the yahoo.com domain as the domain to be acted on by an action, enter 72 domain yahoo.com in the Rule Parameters field. (See Figure 12-3.)
Figure 12-3 Creating a New Pattern List and Defining a Pattern
Table 12-5 Pattern Types
domain
Matches the domain name in the URL or the Host header against a regular expression. For example, ".*ibm.*" matches any domain name that contains the "ibm" substring. "\.foo\.com$" matches any domain name that ends with the ".foo.com" substring.
In regular expression syntax, the dollar sign "$" metacharacter directs that a match is made only when the pattern is found at the end of a line.
rule pattern-list list_num domain dn_regexp
dst-ip
Matches the request's destination IP address and netmask against the specified destination IP address and netmask. Specify an IP address and a netmask. In proxy mode, the Content Engine does a DNS lookup to resolve the destination IP address of the HTTP request, making the response time longer, and possibly negating the benefit of setting a dst-ip rule. When an outgoing proxy is configured, cache miss requests are forwarded by the Content Engine to the outgoing proxy without examination of the destination server IP address, making the dst-ip rule unenforceable on the first Content Engine.
rule pattern-list list_num dst-ip d_ipaddress d_subnet
dst-port
Matches the request's destination port number against the specified destination port number. Specify a port number.
rule pattern-list list_num dst-port port
groupname
Matches the groupname of the end user (web client that is requesting content) who was authenticated through LDAP or NTLM.
This pattern can be applied only to request authentication for users who have been authenticated through LDAP or NTLM. Supports exact string comparison. The groupname comparison is case insensitive. Maximum length of groupname is 255 characters. Valid characters are an underscore and alphanumeric characters. If the groupname configuration in the Rules Template and the group name-based access list match, then the access list takes precedence.
Tiprule pattern-list list_num groupname name
groupname-regex
Matches the group-name of the end user (web client that is requesting content) against a regular expression. Specify a regular expression. For example, use to configure a regular expression-based policy on groupnames or to OR multiple groupnames in the same line of in a single pattern list. For example, to OR three groupnames enter:
ContentEngine(config)# rule pattern-list 1 groupname-regex Engingeering|Marketing|Finance\The specified action is taken if any of the above groupnames matched the one in the request.
rule pattern-list list_num groupname-regex group_name_regexp
group-type
Specifies whether the pattern list is an AND or OR type. The default is OR.
rule pattern-list list_num group-type {and | or}
header-field
Request header field pattern.
Request header field patterns referer, request-line, and user-agent are supported for actions block, reset, redirect, and rewrite. The referer pattern is matched against the Referer header in the request, the request-line pattern is matched against the first line of the request, and the user-agent pattern is matched against the User-Agent header in the request.
rule pattern-list list_num header-field {referer ref_regexp | request-line req_regexp | user-agent ua_regexp}
header-field-sub
Request header field subpattern and substitute replacement pattern.
rule pattern-list list_num header-field-sub {referer ref_regexp ref_sub | request-line req_regexp req_sub | user-agent ua_regexp ua_sub}
icap-attribute
Specifies the attribute and value pair of the ICAP service.
rule pattern-list list_num icap-attribute icap_attribute icap_value
mime-type
Matches the MIME type of the response.
Specify a MIME type string, for example, "image/gif," as defined in RFC 2046 (http://www.faqs.org/rfcs/rfc2046.html). The administrator can specify a substring, for example, "java" and have it apply to all MIME types with the "java" substring, such as "application/x-javascript."
rule pattern-list list_num mime-type mt_regexp
scr-ip
Matches the request's source IP address and netmask. Specify an IP address and a netmask.
rule pattern-list list_num src-ip s_ipaddress s_subnet
url-regex
Matches the URL against a regular expression. The match is case insensitive. Specify a regular expression whose syntax can be found at the following URL:
http://yenta.www.media.mit.edu/projects/Yenta/Releases/Documentation/regex-0.12/.
rule pattern-list list_num url-regex url_regexp
url-regsub
For the rewrite and redirect actions, matches the URL against a regular expression to form a new URL in accordance with the pattern substitution specification. The match is case insensitive. The valid substitution index range is from 1 to 9.
rule pattern-list list_num url-regsub url_regexp url_sub
username
Matches the username of the end user (the web client that is requesting content) who was authenticated through LDAP, NTLM, RADIUS, or TACACS+. Specify the username or usernames. Maximum length of username is 255 characters for LDAP, RADIUS, or TACACS+ authentication. See below for information about the maximum length of usernames for NTLM authentication.
Valid characters are an underscore and alphanumeric characters. The match supports exact string comparison. The username comparison is case insensitive.
To specify multiple usernames in the same line for the same pattern list use a delimiter. For example:
ContentEngine(config)# rule pattern-list 1 username jdoe8,dsmith7,jsmith50By default, the match does not consider the domain name, and matches for username only. To include domain name as well as username in the match, specify domainname\username. For example:
ContentEngine(config)# rule pattern-list 1 username domain cisco\jdoe8For NTLM authentication, the domain\username:password:NTLM string must be 50 characters or less. If this string is greater than 50 characters, the domain name is truncated and the rule username pattern is not matched. An error message is generated in the system log in this situation.
To match all users in a particular domain, enter:
ContentEngine(config)# rule pattern-list 1 username domain domainname\*where domainname is the name of the domain (for example, cisco).
rule pattern-list list_num username user_name
Step 6
Step 7
a.
b.
For example, if you want to block access by any protocol to yahoo.com, then choose block from the Rule Type drop-down list and enter pattern-list 72 protocol all in the Rule Parameters field. (See Figure 12-4.)
Figure 12-4 Associating an Action with an Existing Pattern List
Step 8
Configuring the Rules Template Using CLI Commands
These sections describe how to configure pattern lists and actions for the Rules Template using CLI commands.
•
•
Configuring a Pattern List
To create a new pattern list, follow these steps:
In the following example, the rule pattern-list command is configured to create a pattern list to block all domains that contain .foo.com in the URL request using the domain \.foo.com pattern.
ContentEngine(config)# rule pattern-list 10 domain foo.comContentEngine# show rule pattern-list 10 domainRules Template Configuration----------------------------Rule Processing EnabledPattern-Lists :rule pattern-list 10 domain foo.comContentEngine#Adding a Pattern to an Existing Pattern List
To add a new pattern to an already existing pattern list, follow these steps:
In the following example, the rule pattern-list command is configured to add a pattern to an existing pattern list to perform an action yet to be defined on the destination IP address 172.16.25.25 using the dst-ip pattern.
ContentEngine(config)# rule pattern-list 10 dst-ip 172.16.25.25 255.255.255.0ContentEngine# show rule pattern-list 10 allRules Template Configuration----------------------------Rule Processing EnabledPattern-Lists :rule pattern-list 11 dst-ip 172.16.25.25 255.255.255.0rule pattern-list 11 domain foo.comContentEngine#Associating an Action with an Existing Pattern List
To associate an action with an existing pattern list, follow these steps:
In the following example, the rule action block command is configured and associated with an existing pattern list.
ContentEngine(config)# rule action block pattern-list 10 protocol allContentEngine# show rule action blockRules Template Configuration----------------------------Rule Processing EnabledActions :rule action block pattern-list 10 protocol allContentEngine#Verifying an Action Performed on a Pattern List
To verify the response sent by the Content Engine to confirm that a certain action is performed on a pattern list, follow these steps:
In the following example, the rule action block command is configured and associated with an existing pattern list, which lists as its pattern the domain yahoo.com.
ContentEngine(config)# rule pattern-list 30 domain yahoo.comContentEngine(config)# rule action block pattern-list 30 protocol allContentEngine# show statistics rule action blockRules Template Statistics-------------------------Rule hit count = 3 Rule: rule action block pattern-list 30 protocol allContentEngine#In this example, the request to yahoo.com was denied three times.
Configuring URL Filtering
Some enterprises have a requirement to monitor, manage, and restrict employee access to nonbusiness and objectionable content on the Internet. Employees or students can be allowed or denied access to websites, or can be coached with information about acceptable use of the Internet. By having a URL filtering scheme on Content Engines, organizations realize an immediate return on investment as a result of increased productivity and recaptured network bandwidth, while reducing legal liability.
The URL filtering features presented in this section allow the Content Engine to control client access to websites in any of the following ways:
•
•
•
•
For information about configuring the Websense software, go to the following website: http://www.websense.com
•
For information about configuring the SmartFilter software, go to the following website: http://www.securecomputing.com
Note
Custom Blocking Messages
The Content Engine can be configured to return a customized blocking message to the client. The custom message must be an administrator-created HTML file named block.html. Make sure to copy all embedded graphics associated with the custom message HTML window to the same directory that contains the block.html file. To enable the customized blocking message, use the url-filter http custom-message command and specify the directory name.
To disable the custom message, use the no url-filter http custom-message command.
The url-filter http custom-message command can be enabled and disabled without affecting the good-sites-allow and bad-sites-deny configuration.
Note
In the example shown, a block.html file displays the following custom message:
This page is blocked by the Content Enginewhen the Content Engine intercepts a request to the blocked site.
In the block.html file shown, objects (such as .gif, .jpeg, and so on) must be referenced within the custom message directory string /content/engine/blocking/url, as shown in the example below.
Note
<TITLE>Cisco Content Engine example customized message for url-filtering</TITLE><p><H1><CENTER><B><I><BLINK><FONT COLOR="#800000">P</FONT><FONT COLOR="#FF00FF">R</FONT><FONT COLOR="#00FFFF">A</FONT><FONT COLOR="#FFFF00">D</FONT><FONT COLOR="#800000">E</FONT><FONT COLOR="#FF00FF">E</FONT><FONT COLOR="#00FFFF">P</FONT><FONT COLOR="#FF8040">'</FONT><FONT COLOR="#FFFF00">S</FONT></BLINK><FONT COLOR ="#0080FF">Blocked Page</FONT></I></B></CENTER></H1><p><p><IMG src="/content/engine/blocking/url/my.gif"><p>This page is blocked by the Content Engine.<p>If the block.html file is updated, it will automatically display its new message without your having to reenter the url-filter http custom-message command.
Configuring URL Filter Settings Using the Content Distribution Manager GUI
To configure URL filter settings for the Content Engine, follow these steps:
Step 1
Step 2
Step 3
Figure 12-5 URL Filter Settings Window
Step 4
Step 5
Step 6
Creating a Text File URL List for URL Filtering
You can configure the Content Engine to deny client requests for URLs that are listed in a badurl.lst file, or configure it to fulfill only requests for URLs in a goodurl.lst file.
The use of URL lists applies to requests in HTTP, HTTPS, and FTP format as well as streaming media protocols such as MMS and RTSP.
Note
Caution
To deny requests for specific HTTP URLs, follow these steps:
Step 1
In this file, enter the URLs that you want to block. The list of URLs in the badurl.lst file must be written in the form http://www.domain.com/ and delimited with carriage returns.
Step 2
Note
Step 3
Console(config)# url-filter http bad-sites-deny file local/local1/badurl.lstStep 4
Console(config)# url-filter http bad-sites-deny enableTo permit specific HTTP URLs to the exclusion of all other URLs, follow these steps:
Step 1
In this file, enter the URLs that you want to exclusively allow. The list of URLs in the goodurl.lst file must be written in the form http://www.domain.com and delimited with carriage returns.
Step 2
Note
Step 3
Console(config)# url-filter http good-sites-allow file local/local1/goodurl.lstStep 4
Console(config)# url-filter http good-sites-allow enable
Note
Note
Use the no form of the command to disable blocking, Websense, or N2H2 permission requests (for example, no url-filter bad-sites-deny).
URL Filtering with the N2H2 Server
Note
N2H2 is a globally deployed URL-filtering software that can filter HTTP, FTP, or HTTPS requests based on destination host name, destination IP address, and username and password. It relies on a sophisticated URL database exceeding 15 million sites and is organized into over 40 categories using both Internet technology and human review.
The Content Engine can perform URL filtering using the N2H2 server. (See Figure 12-6.) The Content Engine and the N2H2 server use the Internet Filtering Protocol (IFP) Version 1 to communicate with each other. When the Content Engine receives a URL request, it sends an IFP request to the N2H2 server with the requested URL. The N2H2 server does some necessary lookups for the URL and sends back an IFP response. Based on the N2H2 server's IFP response, the Content Engine either blocks the HTTP request by redirecting the browser to a block page or proceeds with normal HTTP processing by sending the URL request to an origin server.
Figure 12-6 N2H2 Filtering
URL filtering using an N2H2 server is applied to HTTP, FTP, or HTTPS traffic before the service rule mechanism is applied, regardless of whether the requested object is in the cache or not. Filtering is applied to these traffic types:
•
•
N2H2 Features Supported
N2H2 supports three filtering methods. Table 12-8 lists the N2H2 features supported by the Content Engine. One N2H2 server can support multiple Content Engines simultaneously.
Enabling N2H2 Filtering Using the Content Distribution Manager GUI
To configure N2H2 filter settings for the Content Engine, follow these steps:
Step 1
Step 2
Step 3
Step 4
Figure 12-7 URL Filter Settings—HTTP URL Filter Settings
Step 5
N2H2 Configuration Commands
•
This command enables the N2H2 server as the current URL filtering scheme. The command will not succeed if the server IP address is not configured, or if another URL filter is already enabled with N2H2 or other filtering schemes.
•
This command configures the Content Engine to query the N2H2 server. The optional port field specifies the port on the N2H2 server to which the Content Engine should send IFP requests. The default port number is 4005. The optional timeout field (in seconds) specifies how long the Content Engine should wait for an IFP response from the N2H2 server. The default timeout is 5 seconds.
This command does not verify whether or not an N2H2 server is accessible at the specified IP address in the current implementation. The configuration can be changed while N2H2 is enabled. The Content Engine will adopt the new configuration at run time.
•
This command allows HTTP or HTTPS requests to pass when the N2H2 server is enabled but the Content Engine has problems communicating with the N2H2 server. With allowmode enabled, if the Content Engine fails to receive responses from the N2H2 server successfully, the Content Engine still allows all traffic through (it proceeds with normal traffic processing). With allowmode disabled, on the other hand, the Content Engine blocks all traffic through the Content Engine. By default, allowmode is enabled.
The allowmode option can be configured with or without N2H2 enabled and is independent of the N2H2 server configuration. The Content Engine adopts the new configuration for allowmode if N2H2 is already running.
N2H2 Status and Statistics Commands
Additional CLI commands to use with N2H2 URL filtering are as follows:
•
This command shows the URL filtering scheme enabled on the Content Engine and the configurations for each URL filtering scheme, such as the configuration data for N2H2.
•
ContentEngine# show url-filter httpURL filtering is set to use bad-listLocal list configurations==================================Good-list file name :Bad-list file name : /local1/url-filter/badlist.httpCustom message directory :Websense server configuration==================================Websense server IP : 172.16.193.165Websense server port : 15868Websense server timeout: 20 (in seconds)Websense allow mode is ENABLEDN2H2 server configuration==============================N2H2 server IP : 172.16.193.165N2H2 server port : 4005N2H2 server timeout : 5 (in seconds)N2H2 allow mode is ENABLEDContentEngine#•
This command shows the request-reply statistics of the communication between the Content Engine and the N2H2 server. These statistics show the number of requests sent, replies received, pages blocked, pages allowed, and failure cases. More detailed URL filtering statistics are available on the N2H2 server.
ContentEngine# show stat url-filter http n2H2N2H2 URL Filtering Statistics:Lookup requests transmitted = 144Lookup response received = 144Requests timed out = 0Number of retransmits = 0Requests BLOCKed by N2H2 = 52Requests OKed by N2H2 = 92Allow Mode Statistics:No available connection = 0Error sending lookup requests = 0Error receiving lookup responses = 0Server error in responses = 0Server Error in Responses:Error in Filter Server = 0Error in IFP server = 0Seq number mismatch = 0Multiple responses rcvd = 0TCP error statistics:Bad network endpoint = 0Network unreachable = 0Underlying connection broken = 0Timeout specified is reached = 0Address already in use = 0Client connection broken = 0Client connection timeout = 0Server connection broken = 0Server connection timeout = 0Register read cancelled = 0Other errors = 0Queue statistics:Number of xacts in Queue = 0Overhead statistics:Avg total process time = 17Avg response time = 17Socket update count = 0ContentEngine#The statistics shown can be cleared using the clear statistics url-filter N2H2, clear statistics urlfilter, and clear statistics all commands.
•
This command resets the statistics counters for the N2H2 server to 0.
N2H2 Configuration and Restrictions
Only one URL filtering scheme can be active per protocol. In order to enable N2H2 URL filtering, you should first make sure that no other URL filtering scheme is configured. You can then configure the server information for N2H2 using the url-filter N2H2 server IP address [port 1-65535] [timeout 1-120] command (or the GUI equivalent) and enabling the N2H2 server.
The server IP address and port number configured in the Content Engine must match the IP address of the N2H2 server and the port that the N2H2 server uses to listen for IFP requests. If the configuration on the Content Engine does not match the configurations on the N2H2 server, the Content Engine will time out all HTTP, FTP, or HTTPS requests and either block or allow all HTTP traffic based on the allowmode option configuration.
URL Filtering with Websense Enterprise Software
Note
Websense Enterprise is an Internet filtering software that transparently monitors, reports on, and manages employee use of the Internet. Cisco ACNS 5.2 software supports Websense Enterprise software Version 5.2 on all Cisco Content Engine platforms.
You can configure your ACNS network to use an external enterprise server with Websense Enterprise software installed, or you can enable the Content Engine integrated Websense server, or you can configure both an external and an integrated Websense server for the Content Engine. An external Websense server communicates with the Content Engine over the network, whereas an integrated Websense server runs internally to the Content Engine. Communications between the Content Engine caching processes and an integrated Websense server happen internally to the Content Engine.
To access the set of documents on Websense product setup and implementation, you can access the following URL:
http://www.websense.com/support/documentation/index.cfm
Using a Websense Enterprise Server
Figure 12-8 shows a network configuration that uses a Websense enterprise server as a filtering engine for the Content Engine. The Content Engine enforces the filtering policy configured on the Websense server. Refer to the Websense documentation for further information on Websense filtering policies.
Figure 12-8 URL Filtering with a Websense Server
Using the Integrated Websense Server
The integrated Websense server uses approximately 60 MB to 140 MB of RAM in the Content Engine. We recommend that you run the integrated Websense server on Content Engines with at least 512 MB of RAM for best results.
When the Websense server is enabled and the Websense URL database is downloaded the first time, CPU usage can be very high. Therefore, we recommend that you enable the Websense server during off-peak times or times of low network traffic. Otherwise, other processes running on the Content Engine might be affected. If the Websense server stalls, it restarts automatically.
Websense provides an image of the Websense server that resides in the /local/local1/WebsenseEnterprise directory. All the executables as well as the configuration and logging files are stored in the above mentioned directory. This package requires about 150 MB of disk space in the /local/local1/WebsenseEnterprise/EIM directory. An additional 140 MB of disk space is required at the time of downloading the Websense URL database, increasing the total disk space requirement to 290 MB. To ensure that you have enough disk space to properly download the Websense software, we recommend that you increase the amount of sysfs disk space to be greater than the default sysfs on your Content Engine.
Configuring Ports for the Integrated Websense Server
The integrated Websense process requires that four ports be opened for connections either from processes internal to the Content Engine or from external processes such as the PIX firewall. These four ports and default port numbers are as follows:
•
This is the TCP port that receives requests for content filtering according to the Websense protocol.
•
If the Websense process blocks a URL, it sends a redirect URL to the user. The redirect URL is configured to print out the blocked page and policy for the user. The Websense process listens on this port to receive the pages blocked, serviced by a thread in the Websense server. This thread sends the blocked page in response to the redirected request.
•
This port is required by the Websense GUI to configure the Websense server.
•
The Websense server has an exhaustive set of diagnostics that the users can run remotely to diagnose problems in the Websense process. These diagnostics connect to this port.
You can configure these ports by modifying the websense.ini file that resides in the /local/local1/WebsenseEnterprise directory. The Websense server must be restarted so it can pick up the newly configured ports.
You can modify the ports by exporting a copy of the websense.ini file using FTP from the /local/local1/WebsenseEnterprise directory on the Content Engine, modifying the file, deleting the websense.ini file on the Content Engine, and then sending back the modified file to the Content Engine using FTP.
Note
About Websense Server Failover
In ACNS software, Release 5.2, the Websense server failover feature was added. This feature allows you to configure a Content Engine to use up to two Websense servers for failover purposes (one primary and one secondary server) for URL filtering. Table 12-10 lists the supported Websense server failover configurations.
The order in which you configure the Websense servers determines which server is designated the primary Websense server. The first configured Websense server is designated the primary server. Configuration of a secondary Websense server is optional. To configure Websense server failover using the Content Distribution Manager GUI, see the next section, "Enabling Websense Filtering Using the Content Distribution Manager GUI."
Enabling Websense Filtering Using the Content Distribution Manager GUI
To enable Websense filtering using the Content Distribution Manager GUI, follow these steps:
Step 1
Step 2
Step 3
Step 4
Step 5
Note
Step 6
Alternatively, check the Embedded check box to configure the Content Engine integrated Websense server as the primary URL filtering server. The Websense Server Hostname field becomes unavailable. This ensures that the URL filtering software uses the local Websense server and not a remote host as the Websense server.
Step 7
Step 8
Step 9
Step 10
Step 11
Note
Websense Status and Statistics Commands
Additional CLI commands to use with Websense URL filtering are as follows:
•
This command shows the IP address of the local host in the Websense sever IP field when the local host is configured as the Websense server for Websense URL filtering.
The show url-filter http command also shows the URL filtering scheme enabled on the Content Engine for HTTP traffic and the configurations for each URL filtering scheme, such as the configuration data for Websense.
In this example, the show url-filter http command is used to display the status of all HTTP URL filtering schemes presently configured on the Content Engine:
ContentEngine# show url-filter httpURL filtering is set to use bad-listLocal list configurations==================================Good-list file name :Bad-list file name : /local1/url-filter/badlist.httpCustom message directory :Websense server configuration==================================Websense server IP : 172.16.193.165Websense server port : 15868Websense server timeout: 20 (in seconds)Websense allow mode is ENABLEDN2H2 server configuration==============================N2H2 server IP : 172.16.193.165N2H2 server port : 4005N2H2 server timeout : 5 (in seconds)N2H2 allow mode is DISABLEDContentEngine#•
This command shows the configuration for the Websense server configured on the Content Engine. The output of the command includes the configured port numbers for the Websense server port, blocked message server port, configuration server port, and diagnostics server port; the Websense server version number; and the maximum number of connections.
•
This command shows the request-reply statistics of the communication between the Content Engine and the Websense server. These statistics show the number of requests sent, replies received, pages blocked, pages allowed, and failure cases. More detailed URL filtering statistics are available on the Websense server.
ContentEngine# show statistics url-filter http websenseWebsense URL Filtering Statistics:Transmission statistics:Lookup requests transmitted = 1Lookup requests timed-out = 1Lookup responses received = 1Lookup responses received with error = 0Multiple response received = 0Sequence number mismatch = 0TCP errors:Connection reset = 0Connection timeout = 3Other errors = 0Filter results:Requests BLOCKed by Websense = 1Requests OKed by Websense = 0Sent to Allowmode ok = 1Sent to Allowmode block = 0desc_filtered_and_passed = 0desc_category_blocked = 1desc_category_not_blocked = 0desc_category_blocked_custom_deny = 0desc_category_not_blocked_custom_permit = 0Websense log statistics:Logs sent successfully = 1Connection error = 0Error during log processing = 0Log not complete = 1Log not sent because Websense disabled = 0No available connection = 0Congestion statistics:Pending requests = 0Pending log requests = 0ContentEngine#The statistics shown can be cleared using the clear statistics url-filter http websense, and clear statistics all commands. All the statistics counters are then reset to 0.
•
This EXEC command saves Websense configuration files (websense.init and ws.cfg) modified from the external Websense Manager GUI across disk reconfiguration and ACNS software release upgrades (which might erase disk content).
You must execute this command in order to have the most recent configuration modifications, including websense.ini file modifications and the Websense URL filtering configuration changes.
If the write memory command is not used before reboot but after a disk reconfiguration or an ACNS software upgrade that erases disk content, the Websense configurations that were saved when the write memory command was last used are retained. However, if the write memory command was never used before, then default configurations are applied when the content on /local/local1/WebsenseEnterprise directory is erased.
Websense Configuration and Restrictions
Only one URL filtering scheme can be active per protocol. In order to enable Websense URL filtering, you should first make sure that no other URL filtering scheme is enabled on the same protocol. You can then configure the information for the Websense server using the url-filter http websense server IP address [port 1-65535] [timeout 1-120] command (or the GUI equivalent) and enabling the Websense server with the url-filter http websense enable command (or the GUI equivalent).
The server IP address and port number configured in the Content Engine must match the IP address of the Websense server and the port on which the Websense server listens to filter requests. If the configuration on the Content Engine does not match the configurations on the Websense server, the Content Engine will time out all HTTP, FTP, or HTTPS requests and either block or allow all HTTP traffic based on the allowmode option configuration.
URL Filtering with SmartFilter Software
Note
SmartFilter software for the Content Engine provides employee Internet management (EIM) functionality with proxy servers, firewalls, and caching appliances. The integrated Content Engine and SmartFilter product preserves all functionality available in a regular Content Engine. The SmartFilter filtering capability is available as an add-on service on the Content Engine, and the service may be enabled or disabled as desired through the Content Engine CLI or GUI.
The integrated Content Engine and SmartFilter product provides a one-box solution for server functionality. The Content Engine uses a suite of plug-in APIs to allow the SmartFilter software to implement hooks at strategic points during an HTTP transaction and thus provide URL filtering.
The integrated Content Engine and SmartFilter product provides two end user management tools called the SmartFilter Administration Console and the SmartFilter Administration Server. This GUI components download configurations into the Content Engine for use by the SmartFilter process.
To use SmartFilter URL filtering with a cluster of Content Engines, make sure to enter the url-filter http smartfilter enable command (or the GUI equivalent) on each Content Engine in the cluster to ensure that all traffic is filtered.
Refer to the SecureComputing website (http://www.securecomputing.com) for documentation regarding SmartFilter.
SmartFilter Software and the Action No-Auth Command Rule Interaction
The rule action no-auth global configuration command permits specific login and content requests to bypass authentication and authorization features such as LDAP, RADIUS, SSH, or TACACS+. In the following example, any requests from the source IP address (src-ip) 172.16.53.88 are not authenticated.
ContentEngine(config)# rule enableContentEngine(config)# rule action no-auth pattern-list 1 protocol allContentEngine(config)# rule pattern-list 1 src-ip 172.16.53.88 255.255.255.255If the software is configured for authentication and SmartFilter URL filtering, requests that are allowed to bypass authentication will also bypass the SmartFilter URL filter.
Configuring the Content Engine GUI for Secure or Nonsecure Access
You can configure the Content Engine GUI on a centrally deployed Content Engine for secure or nonsecure access. The secured Content Engine GUI is the default.
Either secure or nonsecure access to the Content Engine GUI is possible but not both. For example, if the secured Content Engine GUI is enabled (for example, https:// access on port 8003), then nonsecure access to the Content Engine GUI (for example, http:// access on port 8001) is not allowed. The port number of the Content Engine GUI is determined when the ACNS software is installed on the Content Engine.
Before logging in to the Content Engine GUI, check that you have the following information:
•
•
•
To access the Content Engine GUI, you must enter the URL or IP address of the Content Engine and the port number. The URL (location) of the Content Engine is determined during the installation of the ACNS software. If your network supports DNS and the IP address of the Content Engine has been added to your DNS table, you can access the Content Engine GUI by using the DNS name of the Content Engine.
To configure the Content Engine GUI for secure or nonsecure access, follow these steps:
Step 1
Step 2
Step 3
Step 4
a.
b.
Step 5
a.
b.
Step 6
If you try to leave this window without saving the modified settings, a warning dialog box prompts you to submit the changes. This dialog box only appears if you are using the Internet Explorer browser.
Note
