ClearFoundation

Web Proxy

Web Proxy: Web Proxy and Content Filtration Module
Version: 4.2
Type: Community
Parent Doc: ClarkConnect 4.2 Administration Manual
Next Article: Groupware
Previous Article: Printing

Access Control

Overview

Web Proxy Access Control Information
Description: Time and user-based access control for the web proxy.
Package Name: cc-squid-acl
Configuration Page: Software » Proxy and Filtering » Access Control

Time-based Access Control allows an administrator to enforce time-of-day web access for users or computers (identified by IP or MAC address) using the web proxy.

Installation

If you did not select this module to be included during the installation process, you must first install the module.

Configuration

Adding Time Periods

Time periods define the day of week (e.g. Monday, Tuesday) and the time of day (e.g. 12:00 - 13:00) during which an access control rule should apply. Select Add/Edit Time Period from the Webconfig tab menu to:

  • display and/or edit a currently defined time period
  • add a new time period definition
  • delete an existing time period definition

Deleting a time period will also delete any access control rule that depends on the time period definition being deleted.

In the sample screenshot below, we have created two time period definitions. The first defines a lunch break on weekdays between 12:00pm and 1:00pm (13:00). The second covers the entire day over a weekend (Saturday and Sunday).

Adding Access Control Lists

An unlimited number of access control list definitions can be created to customize precisely how users or machines on the LAN are given access to the web via the proxy server. In the example below, a rule allowing all machines on the LAN to access the web during the weekend is being created. By specifying an internal IP range of 192.168.1.100 to 192.168.1.255, IP-based identification applies this rule to all computers on the LAN receiving a DHCP lease in this range.

Name

A unique name identifying the access control.

ACL Type

Sets the ACL rule type: allow or deny. Allow provides web access to the user/computer; Deny forbids web access.

Time-of-Day ACL

References a unique time-of-day rule. The drop-down menu will be empty and a link to create a new time period will be displayed if no time definitions have been created.

Restriction

Determines whether the ACL rule applies within the time period defined or during all time outside it. For example, if you defined a time period named Lunchtime as 12:00 - 13:00 from Monday to Friday and you want a rule to apply during the lunch hour, select Within. Conversely, if you want the rule applied for all hours outside the lunch period, select Outside.

Method of Identification

Depending on your proxy configuration, up to three different methods of user/machine identification are possible - username, IP address and MAC address.

Username

Username-based authentication is only available if you have User Authentication enabled. Users must provide login credentials and have access to the proxy server (as defined by the User Options configuration). Once logged into a proxy session, ACL rules based on username will apply.

IP Address

To restrict web access for a particular computer or several computers (e.g. a computer lab), IP address based identification can be used. A single IP address or a range of IP addresses (separated by a dash) can be added. Valid entry examples include:

  • 192.168.1.100
  • 10.0.0.121
  • 192.168.1.100-192.168.1.150

The IP address represents the address of the machine connecting to the proxy. Since the computer is located on the LAN segment of the network, any IP address or range listed here should be restricted to an internal IP address or range.

MAC Address

A MAC address is a unique identifier originating from a computer's network card. MAC addresses can be a good alternative to IP addresses if an administrator does not lock down the network settings of a machine, which might otherwise allow a savvy user to get around an IP address-based access control rule. A MAC address must be obtained from the machine itself, and the procedure depends on the OS.

Linux

Open up a shell and type:

# ifconfig eth0 

Where eth0 represents the network (Ethernet) card. In the sample output below, the MAC address appears after the HWaddr header and is 00:40:63:DA:E7:23:

Windows

To obtain the MAC address under Windows, click the Start button and select Run. Enter cmd in the Run field. At the Windows command prompt, type:

C:\> ipconfig /all 

and press Enter. Find the MAC address next to the Physical Address field. Make sure you get the MAC address of the correct device; there may be more than one if you have both a wired network card and a wireless networking card.

ACL Priority

New ACL rules are added to the bottom of the list; that is, new rules start with the lowest priority.

The proxy server evaluates the rules in order, starting from the top and working down. The first rule whose condition is true stops the processing and allows (or denies, depending on the rule type) access to the web.

In the example below, there are three rules: AllEmployees has the highest priority, followed by LunchHourStaff and finally (lowest priority) HourlyEmployees.

To understand priorities, it is probably easiest to follow through a few scenarios.

Saturday - since it is a weekend, and the AllEmployees rule was created to cover all IP addresses on the LAN, every computer on the LAN will have access to the web, regardless of any MAC- or username-based ACLs and regardless of whether it is the lunch hour (i.e. 12pm - 1pm) or not. In this case, the first rule (AllEmployees) matches (returns true) and no further rules are processed.

Monday @ 12:15pm - All users on computers whose IPs have been added to the LunchHourlyEmployees IP list will have access to the web.

Monday @ 1:15pm - All users on computers whose IPs have been added to the HourlyEmployees IP list will be denied access to the web, because the third rule applies once the first two rules fail to match. Any user on a computer whose IP is not listed in the HourlyEmployees rule will be allowed access to the web.

By default, if no ACL rule matches (i.e. no allow/deny rule is applied), the user is allowed access to the web. To apply a blanket block, create an IP range ACL of type deny together with a time definition covering 00:00 - 24:00.

Use the up and down arrows on the ACL Summary page to bump the priority of any ACL rule you create in order to enforce time of day web access.
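The first-match evaluation described above, as an added example that is not code from the Access Control module: a small Python model with the three rules of the example, Lunchtime and Weekend time periods, IP-range identification only (MAC and username identification are left out), and the default allow when nothing matches. The rule contents, the dates and the AllDay period used for a blanket block are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import IPv4Address

# Constructed time periods: name -> (weekdays with Monday=0, start, end).
# "24:00" sorts after every clock time, so it makes an end time cover the whole day.
TIME_PERIODS = {
    "Lunchtime": ({0, 1, 2, 3, 4}, "12:00", "13:00"),
    "Weekend": ({5, 6}, "00:00", "24:00"),
    "AllDay": ({0, 1, 2, 3, 4, 5, 6}, "00:00", "24:00"),
}

@dataclass
class Acl:
    name: str
    acl_type: str     # "allow" or "deny"
    time_period: str  # key into TIME_PERIODS
    restriction: str  # "within" the period or "outside" it
    ip_range: tuple   # (first, last) IPv4 address strings, inclusive

def in_time_period(period, when):
    days, start, end = TIME_PERIODS[period]
    return when.weekday() in days and start <= when.strftime("%H:%M") < end

def ip_in_range(ip, ip_range):
    first, last = (IPv4Address(a) for a in ip_range)
    return first <= IPv4Address(ip) <= last

def evaluate(acls, client_ip, when):
    """First-match evaluation as the page describes: walk the rules from the
    top, the first rule whose time and identification both match decides,
    and if nothing matches the request is allowed."""
    for acl in acls:
        time_hit = in_time_period(acl.time_period, when)
        if acl.restriction == "outside":
            time_hit = not time_hit
        if time_hit and ip_in_range(client_ip, acl.ip_range):
            return acl.acl_type, acl.name
    return "allow", "default"

# Constructed rules in priority order (top = highest), mirroring the page's scenarios:
# everyone on the LAN at the weekend, lunch-hour staff during lunch, hourly
# employees denied outside lunch. The lunch and hourly lists share an IP range here.
RULES = [
    Acl("AllEmployees", "allow", "Weekend", "within", ("192.168.1.100", "192.168.1.255")),
    Acl("LunchHourStaff", "allow", "Lunchtime", "within", ("192.168.1.100", "192.168.1.150")),
    Acl("HourlyEmployees", "deny", "Lunchtime", "outside", ("192.168.1.100", "192.168.1.150")),
]

def decide(client_ip, when_iso, acls=RULES):
    """Convenience wrapper taking an ISO timestamp such as "2010-06-07T12:15"."""
    return evaluate(acls, client_ip, datetime.fromisoformat(when_iso))

if __name__ == "__main__":
    for stamp in ("2010-06-05T12:15", "2010-06-07T12:15", "2010-06-07T13:15"):
        print(stamp, decide("192.168.1.120", stamp))
```

Appending a deny rule on the AllDay period at the bottom reproduces the blanket block described above while higher-priority allow rules still win.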

Troubleshooting

Links

Banner Ad and Pop-Up Blocker

Overview

Banner Ad and Pop-Up Blocker Information
Description: The software blocks banner ads and pop-ups at the gateway.
Package Name: cc-privox
Configuration Page: Software » Proxy and Filtering » Web Proxy

The software filters cookies, ads, banners, pop-ups, and other unwanted Internet content.

Configuration

If you use ClarkConnect as a gateway, you can configure the banner ad blocker in transparent mode. In other words, it is not necessary to change the settings for all the web browsers on the PCs on your network.

  • Step 1 - Install the required Web Proxy server
  • Step 2 - From Web Proxy's web-based administration page, set the proxy to transparent mode.
  • Step 3 - From Banner Ad administration page, enable banner ad blocker integration.

Links

Content Filter

Overview

Content Filter Information
Description: A smart and robust web content filter.
Package Name: cc-dansguardian
Configuration Page: Software » Proxy and Filtering » Content Filter

The content filtering software blocks inappropriate websites from the end user. The software can also be used to enforce company policies; for instance, blocking personal webmail sites like Hotmail can decrease lost productivity at the office.

The filter engine uses a variety of methods including phrase matching, URL filtering and black/white lists. Although the filter works effectively 'out-of-the-box', for best results we recommend subscribing to a service level that includes the 'Content Filter Update' service (see Services link below). By keeping your blacklist up-to-date, you will be providing your LAN with the most effective blocking solution against the 'churn' of sites that change daily.

Services

New sites appear, old sites disappear and current sites move around. By enabling the Content Filter Updates service, you will receive regular updates to the filter lists. See website for more details.

Installation

If you did not select this module to be included during the installation process, you must first install the module.

Configuration

The web-based administration tool gives you access to a number of configuration settings. The filter must be run in parallel with the Web Proxy server.

It is important to understand the implications of running the content filter with a web proxy server configured to run in standard mode.

Standard Mode

In standard mode, the web proxy operates on port 3128 and the content filter operates on port 8080. You must change the settings of all the web-browsers located on the local network to point to one of the above ports in order to take advantage of proxy or filtering services. If users have the technical knowledge and have access to the browser settings on their local machine, they could potentially by-pass the proxy server and have full access to content on the Internet.

Transparent Mode

In transparent mode, all requests from the local network automatically pass through the web proxy cache. The settings for the local machines do not need to be changed. By-passing the proxy is not possible by changing browser settings on the local machine. Obviously, this is the preferred configuration.

Content Filter Update Service

If you have a subscription to the “Content Filter Blacklist Update” service (enabled through your ClarkConnect Gateway Service account) you can check to make sure the update service is active. If the update service is activated, you will see a screen capture similar to that shown below.

Updates are pulled or pushed automatically from the ClarkConnect Gateway Service network approximately every week.

Configure Advanced Filtering

Banned File Extensions / Banned MIME Types

Banned File Extensions

Banning specific file extensions is a useful tool for limiting the content available to users on the LAN. It also greatly decreases the chance of users unwittingly downloading and running 'arbitrary' code from the Internet which could contain viruses, spyware or other malicious code.

By checking the box next to an extension, you disallow filtered users from accessing that file type. If you wish an extension to be blocked and it is not in the available list, add it using the “Add a new extension type” form.

Banned MIME Types

Similarly, MIME types tell a browser which application to use to display a given content encoding. Security exploits in those applications can be used to compromise a computer.

MIME types checked in the “Banned MIME Types” form will not be allowed to pass through the firewall to the requesting computer on the LAN, providing a more secure environment.

Banned Site List / Exempt Site List

Banned Site List

Sites entered in the “Banned Site List” will be banned, regardless of the site's content or whether the site is on one of the blacklists.

Exempt Site List

Sites entered in the “Exempt Site List” will be allowed, regardless of the site's content. Use this form if content on a site triggers a 'false positive' that you wish to override.

Banned User IP List / Exempt User IP List

If you have some or all of your workstations configured to use static IP addresses, you can configure individual workstations' access to the web.

Banned User IP List

Here you can configure LAN IP addresses that will be completely blocked from accessing the web. You can either add IP addresses individually or add groups as defined below.

Exempt User IP List

Here you can configure LAN IP addresses that will be granted completely unfiltered access to the web. You can either add IP addresses individually or add groups as defined below.

Groups

You can configure groups of IP addresses to simplify and organize workstation access to the web. For example in an educational environment you can add all administrator/staff IP addresses to a Staff group and add them to the Exempt User IP List.

Weighted Phrasing

The content filter system uses phrase lists to calculate a score for every web page. You can fine tune your content filter scoring by specifying which phrase lists to use.

In general you will want the phrase lists you select here to correspond with the blacklists you are using. At a minimum you will want to include the proxies phraselist to prevent your users from bypassing the filter.

Note that more weighted phrases activated for the content filter mean that the filter will take more time to look at each page. It is recommended that if you are using a low powered server, you limit the number of weighted phrase lists you use and instead use more blacklists.

If you have problems with some of the phraselists - that they're either blocking too strictly or not enough, please send information to phrasemaster@dansguardian.org.

Blacklists

The content filter system uses black lists to block specific web sites. You can fine tune your content filter black lists by specifying which lists to use. Note that these lists are updated weekly by the Content Filter Update Service if you have subscribed to that service.

If you have problems with some of the blacklists - that they're either blocking too strictly or not enough, please submit your changes at http://www.urlblacklist.com/?sec=submit.

Configure Filter

Language - If your native language is supported by the DansGuardian content filter, you can configure the filter to use your language when displaying block reports to your users and error messages.

Sensitivity Level - The sensitivity level is an arbitrary scale that allows 'coarse' adjustment of the phrase filter sensitivity. Increasing the sensitivity level means that fewer bad phrases/words will cause the filter to block the page.

PICS Level - An Internet standard for rating web content. This setting will prove to be of minor significance as sites self-administrate this parameter. As a general rule, the recommendation is to disable this setting.

Reporting Level - Five options are available to customize what a user 'sees' when the filter blocks a page:

  • Stealth Mode - The site is not blocked; the user's IP and the site are logged (/var/log/dansguardian/access.log).
  • Access Denied - The user's browser receives an 'Access Denied' message in place of the web page.
  • Short Report - A short error message 'bubble' is displayed, like the one below:
  • Full Report - Same as above, but the weighted limit and actual value are also displayed (useful for fine-tuning the system).
  • Custom Report - Uses the customizable HTML template located at /etc/dansguardian/languages/[language], where language is the language selected in the setting above. The HTML template file is template.html and the default en_US language folder is /etc/dansguardian/languages/ukenglish.

Block IP Domains - Used to prevent users from circumventing the URL-based portion of the filter by using IP addresses instead of URLs. Pages will still be filtered by the other mechanisms: weighted phrases, MIME types, file extensions etc.

Blanket Block - The most restrictive setting. All sites are blocked with the exception of those on the exempt list. Useful for kiosks/public terminals where a browser is used to access a company site etc.
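A compact model of the decisions these settings drive, as an added example that is not DansGuardian's own code or configuration: exempt and banned user IPs, exempt and banned sites, Blanket Block, Block IP Domains, banned extensions and MIME types, and a weighted-phrase score checked against a limit. The precedence between the checks and every list entry are this example's assumptions, with the lists constructed from the page's own illustrations (Hotmail as a banned webmail site).

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed configuration mirroring the page's Advanced Filtering and
# Configure Filter settings; this is not DansGuardian's real file format.
CONFIG = {
    "banned_extensions": {".exe", ".scr", ".pif"},
    "banned_mime_types": {"application/x-msdownload"},
    "banned_sites": {"hotmail.com"},
    "exempt_sites": {"intranet.example.com"},
    "banned_ips": {"192.168.1.150"},
    "exempt_ips": {"192.168.1.10"},
    "block_ip_domains": True,
    "blanket_block": False,
    "naughtiness_limit": 50,  # a page scoring at or above this is blocked
}

# Constructed weighted phrase list: phrase -> weight added to the page score.
WEIGHTED_PHRASES = {"proxy avoidance": 40, "anonymous surfing": 30, "free webmail": 20}

def host_matches(host, sites):
    # A listed site also covers its subdomains (www.hotmail.com for hotmail.com).
    return any(host == s or host.endswith("." + s) for s in sites)

def is_ip_literal(host):
    # True when the URL names the server by address instead of by hostname.
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def filter_decision(client_ip, url, mime_type, body, cfg=CONFIG):
    """Return (verdict, reason). The precedence is this example's assumption,
    following the order in which the page lists the settings."""
    parts = urlsplit(url)
    host, path = (parts.hostname or "").lower(), parts.path.lower()
    if client_ip in cfg["exempt_ips"]:
        return "allow", "exempt user IP (unfiltered)"
    if client_ip in cfg["banned_ips"]:
        return "deny", "banned user IP"
    if host_matches(host, cfg["exempt_sites"]):
        return "allow", "exempt site"
    if host_matches(host, cfg["banned_sites"]):
        return "deny", "banned site"
    if cfg["blanket_block"]:
        return "deny", "blanket block"
    if cfg["block_ip_domains"] and is_ip_literal(host):
        return "deny", "IP address used instead of hostname"
    if any(path.endswith(ext) for ext in cfg["banned_extensions"]):
        return "deny", "banned file extension"
    if mime_type.split(";")[0].strip().lower() in cfg["banned_mime_types"]:
        return "deny", "banned MIME type"
    # Weighted phrasing: every listed phrase found in the page adds its weight.
    score = sum(w for phrase, w in WEIGHTED_PHRASES.items() if phrase in body.lower())
    if score >= cfg["naughtiness_limit"]:
        return "deny", f"weighted phrase score {score} over limit"
    return "allow", f"weighted phrase score {score} under limit"
```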

Links

Web Proxy

Overview

Web Proxy Information
Description: Web proxy cache server.
Package Name: cc-squid
Configuration Page: Software » Proxy and Filtering » Web Proxy

Squid is a high-performance proxy caching server for web clients, supporting FTP, gopher, and HTTP. The software not only saves bandwidth and speeds up access time, but also gives administrators the ability to track web usage in the daily report.

Installation

If you did not select this module to be included during the installation process, you must first install the module.

Configuration

General Settings

Maximum Cache Size

The maximum size on your hard disk to use for the proxy server cache.

Maximum Object Size

Any file (image, web page, PDF, etc.) above the maximum object size will still go through the proxy but will not be cached. Large files (for instance, a movie file) can take up a lot of space in your proxy cache. If you have a cache size of 2 GB and two people happen to download 1 GB files at the same time, those two files would replace everything else in your cache. You can limit the maximum object size to prevent this situation.

Maximum Download File Size

If you want to limit downloads of large files (for instance, movies) you can set a maximum size. Any file above this limit will get blocked.

Reset Cache

Use the reset cache button to delete all the files currently stored by the web proxy server.

Mode

The web proxy and content filter work together to filter web traffic on your network. The combination of these two applications can operate in several different modes.

Off

This mode is typically used to either temporarily disable the web proxy service or implement a custom proxy configuration file. Web traffic can still continue to flow un-proxied on port 80, while access to port 3128 (web proxy) and port 8080 (content filter) are also available.

Off + Content Filter

In this mode, all workstations on the local network must be configured to use port 8080 (content filter) as the proxy server. In other words, the only way a person can access the web is by configuring their web browser to go through the content filter.

On

This mode is typically used to take advantage of the improved bandwidth usage and speed of a proxy server. In transparent mode, all web requests from the local network automatically pass through the proxy. No configuration changes are required on the workstations.

On + Content Filter

This mode is typically used to enforce content filtering without the need to make configuration changes on the workstations. As soon as you enable this mode, all web traffic going through your gateway goes through the content filter.

Web Site Bypass

In some circumstances, you may need to by-pass the proxy server when it is running in transparent mode. Typically, this is required for web sites that are not proxy-friendly (notably, older Microsoft IIS web servers send invalid web server responses – these responses may not get through the proxy server).

Example: Tivo personal video recorders (PVRs) are unable to connect via a proxy server. Adding Tivo's network 204.176.0.0/14 to the proxy by-pass list solves the issue.

Web Browser Configuration

In non-transparent mode, you must change the settings on all the web browsers running on your local network. The following describes the steps for Internet Explorer, but other browsers have similar procedures. In Internet Explorer:

  • Click on Tools in the menu bar
  • Select Internet Options
  • Click on the Connections tab
  • Click on the LAN Settings button

In the Proxy Server settings box, specify your gateway's IP address (default: 192.168.1.1) and the proxy port (see next section). You may not be able to access websites on your Squid machine or on your local network unless you select “Bypass proxy server for local addresses”.

Reports

The Web Proxy Report includes statistics on top sites, number of hits, usage by LAN IP address, daily traffic size, and more. You can view the report from the web-based administration tool.

FTP Proxy

From the Squid Web Proxy FAQ: Question: Can I make my regular FTP clients use a Squid cache? Answer: It's not possible. Squid only accepts HTTP requests.

Troubleshooting

If you see the message “A configuration issue with your web browser settings was detected”, please make sure your browser settings match your proxy server configuration.

Links

Except where otherwise noted, content on this wiki is licensed under the following license:CC Attribution-Share Alike 3.0 Unported
Video demonstrations - Copyright © 2010 ClearCenter Corporation