-
Cisco ACNS Software Configuration Guide for Locally Managed Deployments, Release 5.2
-
Title
-
Preface
-
Chapter 1: Introduction
-
Chapter 2: Understanding the Basics
-
Chapter 3: Getting Started
-
Chapter 4: Deployment Scenarios for Standalone Content Engines
-
Chapter 5: Configuring Transparent Redirection for Standalone Content Engines
-
Chapter 6: Configuring Conventional Caching Services for Standalone Content Engines
-
Chapter 7: Configuring WMT Streaming Media Services on Standalone Content Engines
-
Chapter 8: Configuring RTSP Media Services on Standalone Content Engines
-
Chapter 9: Configuring Content Authentication and Authorization on Standalone Content Engines
-
Chapter 10: Configuring URL Filtering on Standalone Content Engines
-
Chapter 11: Configuring ICAP on Standalone Content Engines
-
Chapter 12: Configuring the Rules Template on Standalone Content Engines
-
Chapter 13: Configuring Primary and Backup Proxy Servers for Standalone Content Engines
-
Chapter 14: Configuring Advanced Transparent Caching Features on Standalone Content Engines
-
Chapter 15: Configuring Additional Network Interfaces and Bandwidth on Standalone Content Engines
-
Chapter 16: Configuring Login Authentication and Authorization on Standalone Content Engines
-
Chapter 17: Configuring AAA Accounting on Standalone Content Engines
-
Chapter 18: Creating and Managing IP Access Control Lists for Standalone Content Engines
-
Chapter 19: Viewing and Modifying TCP Stack Parameters on Standalone Content Engines
-
Chapter 20: Monitoring and Troubleshooting
-
Appendix A: Content Engine GUI Menu Options
-
Appendix B: Reference Material for Standalone Content Engine Deployments
-
Table Of Contents
Configuring URL Filtering on Standalone Content Engines
Displaying the Current URL Filtering Configurations
URL Filtering with Local List Files
Configuring Local List URL Filtering on Standalone Content Engines
Reloading Local List Files on Standalone Content Engines
Creating Custom Blocking Messages
URL Filtering with an N2H2 Server
Configuring Standalone Content Engines for N2H2 URL Filtering
URL Filtering with Websense Software
About Websense Server Failover
Configuring Standalone Content Engines for Websense URL Filtering
Configuring Ports for the Websense Server
Configuring Websense Server Failover and URL Filtering
Configuring URL Filtering with a Local Websense Server
Configuring Websense URL Filtering with External Websense Servers
Deactivating Local Websense Server Services on Standalone Content Engines
Saving Websense Configuration Files
Viewing Websense URL Filtering Statistics
URL Filtering with SmartFilter Software
About the SmartFilter Control List
Configuring URL Filtering on Standalone Content Engines
This chapter describes the different types of URL filtering that are supported with standalone Content Engines that are running ACNS 5.x software, and describes how to configure URL filtering on standalone Content Engines.
This chapter contains the following sections:
•
Displaying the Current URL Filtering Configurations
•
•
•
•
Note
For information about how to configure URL filtering on Content Engines that are registered with a Content Distribution Manager (as opposed to standalone Content Engines), refer to the Cisco ACNS Software Configuration Guide for Centrally Managed Deployments, Release 5.2.
URL Filtering Overview
Some enterprises have a requirement to monitor, manage, and restrict employee access to nonbusiness and objectionable content on the Internet. Employees or students can be allowed or denied access to websites, or can be coached with information about acceptable use of the Internet. By having a URL filtering scheme on Content Engines, organizations realize an immediate return on investment as a result of increased productivity and recaptured network bandwidth, while reducing legal liability.
Table 10-1 lists the various URL filtering schemes that you can configure a standalone Content Engine to use in order to control client access to websites.
Table 10-1 URL Filtering Mechanisms with Standalone Content Engines
Local list files
Deny access to URLs specified in a list. Permit access only to URLs specified in a list. See the "URL Filtering with Local List Files" section.
N2H2 external servers
Direct client requests for content to an external N2H2 server for URL filtering. See the "URL Filtering with an N2H2 Server" section.
Websense server
Direct client requests for content to either the local Websense plug-in or to an external Websense server for URL filtering. See the "URL Filtering with Websense Software" section.
SmartFilter plug-in
Direct client requests for content to the SmartFilter plug-in for URL filtering. See the "URL Filtering with SmartFilter Software" section.
See Table B-6 for a list of the URL filtering schemes (for example, SmartFilter or Websense) that are supported for different protocols.
Although only one form of URL filtering scheme can be active at a time per protocol, many URL filtering schemes can be supported at one time. For example, if an N2H2 filter is applied to HTTP requests, then no other URL filtering scheme (for instance, Websense or SmartFilter) can be applied to this protocol. However, you could apply the local list URL filtering scheme (good lists and bad lists) to the streaming media protocols (WMT client requests and client requests over RTSP). The scheme enabled for a particular protocol is independent from that of other protocols.
Note
To ensure that URL filtering applies to every URL that passes through the Content Engine, disable all bypass features. By default, load bypass is enabled.
•
•
ContentEngine(config)# no bypass load enable•
ContentEngine(config)# no error-handling send-cache-errorContentEngine(config)# no error-handling reset-connectionRADIUS and URL Filtering
When both RADIUS authentication and URL filtering are enabled on the Content Engine, the user Filter-Id attribute in the RADIUS server database can be configured to bypass URL filtering.
The following is an example of a user Filter-Id attribute entry in the RADIUS server database.
test Password = "test"Service-Type = Framed-User,Filter-Id = "No-Web-Blocking"The Filter-Id attribute is defined as either No-Web-Blocking or Yes-Web-Blocking. Yes-Web-Blocking means that the request is subject to URL filtering, and No-Web-Blocking means that the request is not subject to URL filtering. If blocking is not specified, Yes-Web-Blocking is the default RADIUS filter.
Note
Displaying the Current URL Filtering Configurations
To display the URL filtering configurations for a standalone Content Engine, use the show url-filter EXEC commands.
ContentEngine# show url-filter httpContentEngine# show url-filter rtspContentEngine# show url-filter wmtIn this example, the show url-filter http command is used to display the status of all URL filtering schemes for HTTP requests that are currently configured on the standalone Content Engine.
ContentEngine# show url-filter httpURL filtering is set to use bad-listLocal list configurations==================================Good-list file name :Bad-list file name : /local1/url-filter/badlist.httpCustom message directory :Websense server configuration==================================Websense server IP : 172.16.193.165Websense server port : 15868Websense server timeout: 20 (in seconds)Websense server connections : 40Websense allow mode is ENABLEDN2H2 server configuration==============================N2H2 server IP : 172.16.193.165N2H2 server port : 4005N2H2 server timeout : 5 (in seconds)N2H2 allow mode is ENABLEDContentEngine#URL Filtering with Local List Files
You can configure standalone Content Engines to deny client requests for URLs that are listed in a badurl.lst file, or configure them to fulfill only requests for URLs in a goodurl.lst file. The use of local list files (URL lists) applies to HTTP (HTTP, HTTPS-over-HTTP, and FTP-over-HTTP) as well as streaming media protocols such as MMS and RTSP. This type of URL filtering is referred to as "local list URL filtering."
Tip
The local list file for each protocol should not contain URLs that belong to other protocols. For instance, the HTTP local list file should contain only HTTP, HTTPS, or FTP URLs, and the WMT local list file should contain only MMS URLs.
Caution
Configuring Local List URL Filtering on Standalone Content Engines
You can configure a standalone Content Engine to use local list URL filtering to filter the following types of client requests for content:
•
•
•
Filtering for native FTP and native HTTPS requests is not supported.
To use the Content Engine CLI to configure local list URL filtering on a standalone Content Engine, use the url-filter global configuration commands.
ContentEngine(config)# url-filter ?http For requests over HTTPrtsp For requests over RTSPwmt For WMT requestsLocal list URL filtering is the only supported filtering mechanism for requests over RTSP and WMT requests; the N2H2, SmartFilter, and Websense filtering mechanisms are not supported for these types of requests. For requests over HTTP, the local list URL filtering mechanism as well as N2H2, SmartFilter, and Websense is supported. See Table B-4 for a list of the kinds of URL filtering that are supported for the different protocols.
Table 10-2 describes the Content Engine CLI commands for configuring a standalone Content Engine to use local list URL filtering for HTTP requests (HTTP, FTP-over-HTTP, and HTTPS-over-HTTP requests).
Table 10-3 describes the Content Engine CLI commands for configuring a standalone Content Engine to use local list URL filtering for requests over RTSP.
Table 10-4 describes the Content Engine CLI commands for configuring a standalone Content Engine to use local list URL filtering for Windows Media Technologies (WMT) requests (MMS requests over UDP [MMSU], MMS requests over TCP [MMS], and MMS requests over HTTP).
To configure a standalone Content Engine to use a local list file to deny client requests for specific HTTP URLs, follow these steps:
Step 1
In this file, enter the URLs that you want to block. The list of URLs in the badurl.lst file must be written in the form http://www.domain.com/ and be delimited with carriage returns.
Step 2
Tip
Step 3
Console(config)# url-filter http bad-sites-deny file local/local1/badurl.lstStep 4
Console(config)# url-filter http bad-sites-deny enableTo configure a standalone Content Engine to use a local list file permit specific HTTP URLs to the exclusion of all other URLs, follow these steps:
Step 1
In this file, enter the URLs that you want to exclusively allow. The list of URLs in the goodurl.lst file must be written in the form http://www.domain.com and be delimited with carriage returns.
Step 2
Tip
Step 3
Console(config)# url-filter http good-sites-allow file local/local1/goodurl.lstStep 4
Console(config)# url-filter http good-sites-allow enable
Reloading Local List Files on Standalone Content Engines
When you update the badurl.lst or goodurl.lst file, use the url-filter local-list-reload EXEC command to reload the good site or bad site lists on the standalone Content Engine if the URL list feature is enabled.
url-filter local-list-reload {http | rtsp | wmt}
where:
•
•
•
The following shows how to reload new good site or bad site lists on a standalone Content Engine.
ContentEngine# url-filter local-list-reload httpContentEngine# url-filter local-list-reload rtspContentEngine# url-filter local-list-reload wmtCreating Custom Blocking Messages
In the case of local list URL filtering, you can configure standalone Content Engines to return a customized blocking message to the client that requested content that is served through the Content Engine. The custom message must be an administrator-created HTML page named block.html. Make sure to copy all embedded graphics associated with the custom message HTML page to the same directory that contains the block.html file. The following is an example of the contents of the block.html file.
<TITLE>Cisco Content Engine example customized message for url-filtering</TITLE><p><H1><CENTER><B><I><BLINK><FONT COLOR="#800000">P</FONT><FONT COLOR="#FF00FF">R</FONT><FONT COLOR="#00FFFF">A</FONT><FONT COLOR="#FFFF00">D</FONT><FONT COLOR="#800000">E</FONT><FONT COLOR="#FF00FF">E</FONT><FONT COLOR="#00FFFF">P</FONT><FONT COLOR="#FF8040">'</FONT><FONT COLOR="#FFFF00">S</FONT></BLINK><FONT COLOR ="#0080FF">Blocked Page</FONT></I></B></CENTER></H1><p><p><IMG src="/content/engine/blocking/url/my.gif"><p>This page is blocked by the Content Engine.<p>If the block.html file is updated, it will automatically display its new message without your having to reenter the url-filter http custom-message command.
In the following example, a block.html file displays the custom message
This page is blocked by the Content Enginewhen the standalone Content Engine intercepts a request to the blocked site.
In the block.html file, objects (such as .gif, .jpeg, and so on) must be referenced within the custom message directory string /content/engine/blocking/url, as shown in the preceding example.
To enable the customized blocking message, use the url-filter http custom-message global configuration command and specify the directory name. To disable the custom message, use the no url-filter http custom-message command.
You can enable and disable the url-filter http custom-message command without affecting the good-sites-allow and bad-sites-deny configuration.
Note
Contact your administrator if you have any questions concerning access to the blocked site you requested.
URL Filtering with an N2H2 Server
N2H2 is a globally deployed URL-filtering solution that can filter HTTP, FTP, or HTTPS requests based on destination host name, destination IP address, and user name and password. It relies on a sophisticated URL database exceeding 15 million sites and is organized into over 40 categories using both Internet technology and human review. Refer to http://www.n2h2.com for further information on N2H2 filtering products.
Note
N2H2 supports three filtering methods. Table 10-5 lists the N2H2 features supported by the Content Engine. One N2H2 server can support multiple Content Engines simultaneously.
Configuring Standalone Content Engines for N2H2 URL Filtering
Standalone Content Engines can use an N2H2 enterprise server as a filtering engine and enforce the filtering policy configured on the N2H2 server. (See Figure 10-1.) The standalone Content Engine and the N2H2 server use Internet Filtering Protocol (IFP) Version 2 to communicate with each other. When the Content Engine receives a URL request, it sends an IFP request to the N2H2 server with the requested URL. The N2H2 server does some necessary lookups for the URL and sends back an IFP response. Based on the N2H2 server's IFP response, the Content Engine either blocks the HTTP request by redirecting the browser to a page where a blocking message is displayed or proceeds with normal HTTP processing by sending the URL request to an origin server.
Figure 10-1 N2H2 Filtering
Note
To configure a standalone Content Engine to use an external N2H2 server for URL filtering, follow these steps:
Step 1
Step 2
Only one URL filtering scheme per protocol can be active at a time.
Step 3
a.
url-filter http N2H2 server {[hostname | ip-address]} [port portnum [timeout seconds]]
where:
–
–
–
–
In the following example, the Content Engine is configured to use an N2H2 server that has an IP address of 172.16.22.10. The Content Engine will send IFP requests to this N2H2 server on port 4008 and will wait for up to 15 seconds for an IFP response from this server before timing out the connection:
ContentEngine(config)# url-filter http N2H2 server 172.16.22.10 port 4008 timeout 15The server IP address and port number configured on the standalone Content Engine must match the IP address of the N2H2 server and the port that the N2H2 server listens to for IFP requests. If the configuration on the Content Engine does not match the configurations on the N2H2 server, the Content Engine will time out all HTTP requests (HTTP, FTP-over-HTTP, or HTTPS-over-HTTP requests) and either block or allow all HTTP traffic based on the allowmode option configuration.
Note
Step 4
Console(config)# url-filter http N2H2 enable
Step 5
•
•
You can configure the allowmode option with or without N2H2 being enabled; it is independent of the N2H2 server configuration. The Content Engine adopts the new configuration for allowmode if N2H2 URL filtering is already being used.
Step 6
These statistics show the number of requests sent, replies received, pages blocked, pages allowed, and failure cases. More detailed URL filtering statistics are available on the N2H2 server.
The statistics shown can be cleared using the clear statistics url-filter http N2H2 and clear statistics all EXEC commands. The clear statistics url-filter http N2H2 EXEC command resets the statistics counters for the N2H2 server. All the statistics counters are reset to 0.
Note
URL Filtering with Websense Software
Standalone Content Engines can use a remote Websense enterprise server as a filtering engine and enforce the filtering policy configured on the Websense server. As Figure 10-2 shows, the remote Websense server runs on a separate system (Host A) from the local Websense server and communicates with the standalone Content Engine over the network.
Figure 10-2 URL Filtering with Websense Servers
You can also configure a standalone Content Engine to use the integrated Websense server. The integrated Websense server is an internal server that runs on the Content Engine, and is referred to as the "local Websense server."
Note
About Websense Server Failover
In ACNS software, Release 5.2, the Websense server failover feature was added. This feature allows you to configure a Content Engine to use up to two Websense servers for failover purposes (one primary and one secondary server) for URL filtering. Table 10-6 lists the supported Websense server failover configurations.
The order in which you configure the Websense servers determines which server is designated the primary Websense server. The first configured Websense server is designated the primary server. Configuration of a secondary Websense server is optional. For an example of how to configure Websense server failover for a standalone Content Engine, see the "Configuring Websense Server Failover and URL Filtering" section.
About Websense Services
In Websense 5.2 software, three services (the employee Internet management [EIM] server, network agent service, and user service) replace the single Websense service (the local Websense server) that was supported in Websense Version 5.0.1. The term "local Websense server" is still used to refer collectively to these three Websense processes that are running internally on the Content Engine. These Websense processes are also called "services."
With Websense 5.2 software, you can use a local or remote Websense policy server to activate the local EIM server, the local network agent, and the local user service individually on a Content Engine. See Table 10-7.
Table 10-8 lists the Content Engine CLI commands that were added in ACNS 5.2 software in order to support the integration of Websense 5.2 software.
Note
Configuring Standalone Content Engines for Websense URL Filtering
In ACNS software, Release 5.2, you can configure a Content Engine to use up to two Websense servers for URL filtering.
To configure a Content Engine for Websense URL filtering, determine the type of Websense server configuration that you want to use for URL filtering.
•
•
•
Only one URL filtering scheme per protocol can be active at a time. In order to enable Websense URL filtering for requests over HTTP, you should make sure that no other URL filtering scheme is configured per protocol. Use the show url-filter http EXEC command to display the URL filtering schemes that are currently enabled on this Content Engine for HTTP requests (HTTP, FTP-over-HTTP, and HTTPS-over-HTTP). See Table B-4 for the kinds of URL filtering that are supported for different protocols with a Websense server.
Note
Websense software provides an image of the Websense server that resides in the
/local1/WebsenseEnterprise/EIM directory on the Content Engine. All the executables as well as the configuration and logging files are stored in this directory.When the Websense server is enabled and the Websense URL database is downloaded to the Content Engine for the first time, CPU usage will be high. Therefore, it is recommended that you enable the Websense server during off-peak times or at times of low network traffic; otherwise, other processes running on the Content Engine may be affected. If one of the Websense processes exits, the local Websense server is automatically restarted on the Content Engine.
To download the Websense components, such as Explorer, Manager, and Reporter, or to obtain an evaluation key for use with the local Websense server that runs on the standalone Content Engine, access the following URL and follow the sequence of steps:
http://www.websense.com/downloads
Configuring Ports for the Websense Server
The Websense process requires that four ports be open for connections either from processes internal to the Content Engine or from external processes such as the Websense Manager. See Table 10-9.
You can configure the first three ports that are listed in Table 10-9 by modifying the eimserver.ini file that resides in the /local1/WebsenseEnterprise/EIM directory on the standalone Content Engine. The Websense server must be restarted so it can pick up the newly configured ports.
You can modify the ports by exporting a copy of the eimserver.ini file using FTP from the /local1/WebsenseEnterprise/EIM directory on the Content Engine, modifying the file, deleting the eimserver.ini file on the Content Engine, and then sending back the modified file to the Content Engine using FTP.
Note
Configuring Websense Server Failover and URL Filtering
In the following scenario, the Content Engine is acting as the HTTP proxy for URL filtering. First, the Content Engine is configured to use either the local or the remote policy server, and then the local Websense server services (the local EIM server, the local user service, and the local network agent) are activated on the Content Engine.
Next, the Content Engine is configured to use the local (internal) Websense server as its primary Websense server and an external Websense server as the secondary Websense server. If the primary Websense server is unavailable, the Content Engine sends the filtering requests to this secondary server.
After allow mode is reenabled on the Content Engine, URL filtering is enabled on the Content Engine. Finally, the Websense manager GUI is used to configure the default policy for the local and the remote Websense servers, and then the HTTP proxy is enabled on the Content Engine.
Step 1
•
ContentEngine(config)# websense-server service policy local activate•
ContentEngine(config)# websense-server service policy remote host {hostname| IP address} [port policy-server-port]where:
–
–
Either the local or the remote policy server must be running before you can activate any of the services of the local Websense server (the local EIM server, the local network agent, and the local user service) on the Content Engine. Local and remote policy server configuration are mutually exclusive.
Step 2
ContentEngine(config)# websense-server service eim activateStep 3
ContentEngine(config)# websense-server service user activateStep 4
ContentEngine(config)# websense-server service network-agent activateStep 5
ContentEngine(config)# websense-server enable
Note
Step 6
Note
In this example, the Content Engine (that is acting as the HTTP proxy) sends filtering requests to the local Websense server on port 4005, waits 60 seconds for a response from the local Websense server before timing out the connection, and establishes 90 persistent connections to this local Websense server. Because the local Websense server is configured first, it is designated the primary Websense server for the Content Engine.
ContentEngine(config)# url-filter http websense server local port 4005 timeout 60 connections 90
Note
Step 7
Because the local Websense server is already the primary Websense server, you must specify an external Websense server as the secondary Websense server.
In this example, the external Websense server with an IP address of 172.18.22.10 is configured as the secondary Websense server. If the local Websense server is unavailable, the Content Engine will send the requests to this secondary Websense server on port 4006, will wait up to 90 seconds for a response from this server before timing out the connection, and will establish 90 persistent connections per CPU.
ContentEngine(config)# url-filter http websense server 172.18.22.10 port 4006 timeout 90Step 8
ContentEngine(config)# no url-filter http websense allowmode enableIf the primary Websense server is unavailable, then the Content Engine sends the requests to the specified secondary Websense server. If both the primary and the secondary Websense servers are unavailable, then the requests are sent to allow mode.
•
•
You can configure the allowmode option with or without the Websense server being enabled; it is independent of the Websense server configuration. The Content Engine adopts the new configuration for allowmode if Websense URL filtering is already being used.
Step 9
ContentEngine(config)# url-filter http websense enableStep 10
a.
•
•
•
b.
•
•
c.
•
•
•
•
•
Note
Step 11
ContentEngine(config)# http proxy incoming 8080Step 12
Configuring URL Filtering with a Local Websense Server
In order to configure the Content Engine to use the local (internal) Websense server for URL filtering, you must perform these tasks:
1.
In ACNS software, Release 5.2 or later, you can now activate one or more Websense server services individually. Table 10-7 lists the Websense server services.
2.
3.
In ACNS software, Release 5.2 or later, you can configure up to two Websense servers for failover purposes. One of these Websense servers can be the local Websense server. The order in which you configure the Websense servers determines which server is the primary server. The first configured Websense server is automatically designated the primary Websense server, whereas the second configured server becomes the secondary Websense server. For a list of supported configurations, see Table 10-6.
In ACNS software, Release 5.2 or later, you can activate any combination of the local Websense server services (which are listed in Table 10-7). If the local policy server is not activated on the Content Engine, you must point to a valid external policy server when activating the other three local Websense server services (the local EIM server, the local network agent, and the local user service). For more information on this topic, see the "Configuring Websense URL Filtering with External Websense Servers" section.
ACNS software, Release 5.0.3 to 5.1.x, has the local Websense server. Because the activation of the individual services of the Websense server in these software releases is not optional, when you upgrade to ACNS software, Release 5.2 from ACNS software, Release 5.0.3 to Release 5.1.x, by default the following three local Websense server services are activated on the Content Engine: the local policy server, the local EIM server, and the local user service.
To configure the Content Engine to use the local (internal) Websense server for URL filtering, follow these steps:
Step 1
•
ContentEngine(config)# websense-server service policy local activate•
ContentEngine(config)# websense-server service policy remote host {hostname| IP address} [port policy-server-port]where:
–
–
Note
Step 2
ContentEngine(config)# websense-server service eim activateStep 3
ContentEngine(config)# websense-server service user activateStep 4
ContentEngine(config)# websense-server service network-agent activateStep 5
ContentEngine(config)# websense-server enable
Note
Step 6
ContentEngine(config)# url-filter http websense server local [port portnumber] [timeout seconds] [connections connections]where:
•
•
•
•
Step 7
ContentEngine(config)# url-filter http websense enableStep 8
For information about deactivating one or more of the services of the local Websense server on the Content Engine, see the "Configuring Websense URL Filtering with External Websense Servers."
Configuring Websense URL Filtering with External Websense Servers
When configuring a Content Engine to use an external Websense server, you must specify an IP address and port number for that server. That specified IP address and port number must match the IP address of the external Websense server and the port that the external Websense server listens to for filtering requests. Otherwise, the Content Engine will time out all HTTP requests (HTTP, FTP-over-HTTP, or HTTPS-over-HTTP requests) and either block or allow all HTTP traffic based on the allowmode option configuration. By default, allow mode is enabled on the Content Engine. When allow mode is enabled, the Content Engine is permitted to fulfill an HTTP request from a client if the external Websense server does not respond. If allow mode has been disabled, use the url-filter http websense allowmode enable command to reenable it.
In ACNS software, Release 5.2 or later, you can configure up to two Websense servers for failover purposes. The order in which you configure the Websense servers determines which server is the primary server. The first configured Websense server is automatically designated the primary Websense server, whereas the second configured server becomes the secondary Websense server. For a list of supported Websense server configurations, see Table 10-6.
To configure a standalone Content Engine to use an external Websense server for URL filtering, follow these steps:
Step 1
url-filter http websense server {[hostname | ip-address]} [port portnum [timeout seconds
[connections connection]]where:
•
•
•
•
•
The following example shows how to configure a standalone Content Engine to point to an external Websense server that has the IP address 172.18.22.10 and is running on Host A. The Content Engine is configured to send requests to this external Websense server on port 4006, and to wait up to 90 seconds for a response from this server before timing out the connection:
ContentEngine(config)# url-filter http websense server 172.18.22.10 port 4006 timeout 90
Note
Step 2
•
•
Step 3
Console(config)# url-filter http websense enable
Note
Step 4
Deactivating Local Websense Server Services on Standalone Content Engines
To deactivate one or more of the services of the local Websense server (the local EIM server, the local network agent, the local user service, or the local policy server) on a standalone Content Engine, follow these steps:
Step 1
Step 2
Step 3
ContentEngine(config)# no websense-server service eim activateContentEngine(config)# no websense-server service user activateContentEngine(config)# no websense-server service network-agent activateThere is no required order in which you should deactivate the local EIM server, the local network agent, or the local user service on the Content Engine. However, if the policy server is running on the Content Engine (that is, the local policy server is being used instead of a remote policy server), the policy server should be the last local Websense service to be deactivated (using the no websense-server service policy activate command). In contrast, if you are using a remote policy server, make sure that it is running before you attempt to deactivate the local EIM server, the local network agent, or the local user service (using the no websense-server service service-name activate command) on the Content Engine.
Step 4
Saving Websense Configuration Files
In ACNS software, Release 5.2 or later, the write memory command saves modified Websense configuration files (the eimserver.ini, config.xml, and websense.ini files and the Blockpages directory) across disk reconfiguration and ACNS software release upgrades.
You must execute the write memory command in order to save the most recent configuration modifications, including websense.ini file modifications and Websense URL filtering configuration changes. The write memory command enables the changes made from the external Websense Manager GUI to be saved across disk reconfiguration and upgrades (which might erase disk content).
The Websense configurations from the last use of the write memory command are retained under the following situations:
•
•
If the write memory command has never been used before, then default configurations will be applied when the content in the /local1/WebsenseEnterprise/EIM directory on the Content Engine is erased.
Viewing Websense URL Filtering Statistics
Use the show url-filter http EXEC command to display the status of all HTTP URL filtering schemes presently configured on the standalone Content Engine. Use the show statistics url-filter http websense EXEC command to display the request-reply statistics for the communication between the Content Engine and the Websense server. These statistics show the number of requests sent, replies received, pages blocked, pages allowed, and failure cases. More detailed URL filtering statistics are available on the Websense server.
The statistics shown can be cleared using the clear statistics url-filter http websense and clear statistics all EXEC commands. All the statistics counters are then reset to 0.
URL Filtering with SmartFilter Software
SmartFilter software running on standalone Content Engines provides employee Internet management (EIM) functionality when used with proxy servers, firewalls, and caching appliances. The SmartFilter filtering capability is available as an add-on service on a Content Engine that is running ACNS 5.x software. The SmartFilter add-on service is licensed directly through Cisco.
The SmartFilter add-on service provides a one-box solution for server functionality. The Content Engine uses a suite of plug-in APIs to allow the SmartFilter software to implement hooks at strategic points during an HTTP transaction and thus provide URL filtering.
To configure this SmartFilter add-on service, you use an end user management tool called the sfadmin console, and a management server tool called the sfadmin server. You use the sfadmin console to configure the SmartFilter product and then store the configuration on the sfadmin server. The sfadmin server propagates this configuration to the end client Content Engines, to be used by the SmartFilter software that is running on the Content Engines. Use the url-filter http smartfilter enable global configuration command to enable SmartFilter URL filtering on a standalone Content Engine. To use SmartFilter URL filtering with a cluster of standalone Content Engines, make sure to enter the url-filter http smartfilter enable command on each Content Engine in the cluster to ensure that all traffic is filtered.
Note
About the SmartFilter Control List
A SmartFilter Control List categorizes 2 million websites into content groups. There are 30 predefined SmartFilter Control List categories that encompass a wide variety of material. Some categories are focused on reducing legal liability of a company. These 30 categories are set to "Deny" in the default SmartFilter software policy. Some categories contain such sites as MP3 sites (sites with content that consumes excessive bandwidth). The remainder of these 30 categories are considered unproductive or inappropriate for business or educational environments.
SmartFilter software also provides ten user-defined categories that allow you to further tailor access by defining and filtering sites that are not included in the SmartFilter Control List. Additionally, you can exempt any site that you would like specific groups or individuals to access quickly and easily. You can use the SmartFilter Administration Console to define a SmartFilter Control List download schedule. The Download Setup window tracks the download site, your username, and your password. If you do not download an updated SmartFilter Control List at least monthly, the SmartFilter software considers the Control List "expired," and invokes the action that you specified in the SmartFilter License window.
Note
