CYAN SECURE WEB - Infopoint Security · CYAN Secure Web Installing on Windows 6.3 Initial...

CYAN SECURE WEB

Installing on Windows

September 2009

Applies to: CYAN Secure Web 1.7 and above

CYAN Secure Web Installing on Windows

Table of Contents1 Introduction ................................................................................................................................................... 2

2 Preparation ................................................................................................................................................... 2

3 Network Integration ....................................................................................................................................... 3

3.1 Out-of-line Deployment ......................................................................................................................... 3

3.2 DMZ Deployment .................................................................................................................................. 3

4 Proxy Modes ................................................................................................................................................. 4

5 Setting up Secure Web ................................................................................................................................. 5

6 Login to the Administration Interface ............................................................................................................. 7

6.1 Secure Web License ............................................................................................................................. 9

6.2 Changing the Secure Web Administrator Password ........................................................................... 10

6.3 Initial Configuration and Authentication ............................................................................................... 11

7 Setting up Microsoft SQL Server Express Edition ....................................................................................... 12

8 Setting up the Reporting System ................................................................................................................ 15

8.1 Setting up the Database Connection .................................................................................................. 15

8.2 Setting up the Reporting Database ..................................................................................................... 16

8.3 Enabling the Log-Feeder .................................................................................................................... 17

9 Login to the Reporting System .................................................................................................................... 18

10 Where to continue ... ................................................................................................................................. 19

© 2009 CYAN Networks Software GmbH - 1 -


1 IntroductionCYAN Secure Web is a standalone proxy server. The native Windows version with its easy setup and administration interface integrates perfectly with Microsoft Windows networks.

The installation package contains the complete set of components of the CYAN Secure Web proxy solution. It supports transparent authentication out-of-the box as well as integrates the anti-virus scan engine NOD32 from ESET.

2 PreparationSecure Web for Windows requires a Windows 2003 Server as the underlying operating system. We strongly recommended to have installed the latest service packs from Microsoft for your host.

In order to operate the Reporting System, a SQL database system is required. The CYAN Reporting System supports following SQL databases:

– Postgresql 8.0 or higher

– Mysql 5.1 or higher

– Microsoft SQL Server

F Note: In the case you plan to use the CYAN Reporting System, we strongly recommend to setup the database server prior to installing Secure Web.

In the case you do not have any of the SQL database systems listed above which can be used by the reporting system as the data store, we recommend to install MS SQL 2005 Express Edition (available from http://www.microsoft.com/sql/editions/express/) on any compatible Windows system.

F Note: For evaluation purposes or for small and medium size businesses the SQL database system can be installed on the same host together with the Secure Web proxy server. For large scale installations we strongly recommend to run the database system on a different host, so that the performance of the proxy server is not affected by the reporting jobs.

The latest setup instructions on setting up MS SQL Express are available at:

http://www.cyan-networks.com/mssqlhowto


http://www.microsoft.com/sql/editions/express/

http://www.cyan-networks.com/mssqlhowto


3 Network IntegrationThere are numerous ways in which Secure Web for Windows can be deployed in the network two basic concepts being: out-of-line and in the demilitarized zone (DMZ).

3.1 Out-of-line DeploymentThe following diagram illustrates the out-of-line deployment:

In the out-of-line deployment the proxy server resides on the same physical network as the clients. The clients must not necessarily use the proxy server for their Internet access. However, in order to ensure security the firewall must be configured to disallow all direct traffic from the client to the Internet. To utilize the proxy server either all clients are explicitly configured to use the proxy host, or a rule on the firewall utilizes the proxy server into transparent mode applying port forwarding rules.

3.2 DMZ DeploymentThe following diagram illustrates the deployment in a DMZ:

In the DMZ deployment, the proxy is made part of the network that is protected by the firewall from both, the extranet and the intranet. In the case that a DMZ is established already, this is the preferred mode, especially if the authentication shall be used and the also the authentication server is on this network.


Illustration 2: Deployment in a DMZ

Illustration 1: Out-of-line deployment


4 Proxy Modes“Proxy Mode” refers to the way how clients “see” the proxy server. One can differentiate between two main modes: non-transparent and transparent mode.

Non-transparent (classic proxy) mode means that the client application (e.g. your web browser) must be aware of the existence of the proxy server, i.e. the client must be explicitly configured to use the server in order to establish connections to the Internet.

On the other hand, in transparent mode, the client's application does not know about the existence of the proxy server. Generally all traffic on TCP port 80 (HTTP) is redirected by a networks element (router, firewall, the CYAN appliance) to the proxy server, i.e. the proxy server is “injected” transparently into the network traffic.

These two modes have different consequences:

– non-transparent mode: as described above, each client's application needs to be configured to use the proxy server, which implies some administrative effort. Furthermore, in order to be able to enforce the use of this security and policy gateway, another network element (router, firewall) must ensure (by blocking) that no direct traffic from a client may pass to the Internet.

– transparent mode: to operate Secure Web for Windows in this mode, it is required to configure port forwarding rules on your router or firewall device. Please refer to the documentation of your router or firewall to find out about the necessary configuration steps.You will most probably want to redirect all traffic that “goes to” the TCP destination port 80, which is the common port for HTTP servers. You may, however, also want to redirect the ports 3126 and 8080, which are commonly used by proxy servers. In this way you shall prevent the use of external (possibly anonymous) proxies.

F Caution: be careful with the redirect rule, make sure that the requests from the proxy machine itself do not get redirected, otherwise it will start to loop between the firewall and the proxy server, resulting in a failure of one, or both devices.



5 Setting up Secure WebThe latest copy of the Windows version of Secure Web can be downloaded from

www.cyan-networks.com/windows

F Note: Make sure that you execute the setup program with administrator permissions!

After downloading and executing the setup program it will start extracting the setup files and start the setup wizard:

During the setup process the wizard will ask you if you would like to setup the database connection for the Cyan Reporting System. In the case you already have an MS SQL server installed and running, and you would like to put the reporting data onto this server, select the option “Configure CRS to work with MS SQL”.


Illustration 3: Secure Web Setup Wizard

http://www.cyan-networks.com/windows


Please refer also to chapter 8 Setting up the Reporting System on page 15 for details connecting the reporting system to the database instance.

After successful installation you will find following services in the Windows service manager:

All services are set to automatically start at system startup.


Illustration 4: Secure Web Setup Wizard - specify database connection

Illustration 5: Secure Web Services


6 Login to the Administration InterfaceThe Secure Web provides an intuitive, web-based configuration application enabling the administrator to configure all components. In order to administrate the Secure Web, use a standard web browser to connect to the URL:

https://<ipaddress>:9992/

where <ipaddress> is one of the IP addresses of the proxy host. After successful installation on the Windows platform an entry has been added to your start menu providing a shortcut to the administration interface:

On connecting to the administration interface, the browser will display a warning about the certificate. Please click “Yes” to proceed to the administration page. The following screenshot shows the dialog that appears in Microsoft Internet Explorer Version 6.0:


Illustration 7: SSL Warning

Illustration 6: Secure Web Start Menu Entries on Windows


On successful connect, the admin selection screen will appear:

Click the “Cyan Secure Web” icon to enter the web administration interface:

The default login values are:

User: admin

Password: admin

F Note: We strongly recommended to change the administrator password as soon as possible.


Illustration 8: Admin Selection Screen

Illustration 9: Secure Web Login


6.1 Secure Web LicenseSecure Web requires a valid license to operate. In the case you have not received your license information and would like to evaluate Secure Web, please browse to the location

http://www.cyan-networks.com/registration

and follow the instructions on the screen. On successful completion of the registration, a key file that includes the evaluation license will be sent to your email address.

In order to activate Secure Web with a valid license, browse to the Admin / License dialog and upload the key file that is attached to the email you received, as shown in the following screenshot:

F Note: After uploading the Secure Web license, the proxy will start updating the URL database. This could take several minutes, depending on the speed of your Internet connection. You may want to check the 'Server' dialog to view the current status of the download.


Illustration 10: Secure Web (evaluation) license

http://www.cyan-networks.com/registration


6.2 Changing the Secure Web Administrator PasswordIn order to change the Secure Web administrator user account browse the menu to Admin / Admin User / Users as shown in the following screenshot:

Click on the Edit button next to the administrator user “admin” to open a new dialog which allows you to change the name as well as assign a new password.


Illustration 11: Secure Web administrator user


6.3 Initial Configuration and AuthenticationSecure Web is installed on the appliance with a default configuration. This configuration includes for the purpose of authentication an IP instance named “global” representing “the world” (0.0.0.0/0), as shown in the following screenshot:

In order to configure and successfully use your own authentication instance, like your Active Directory server for example, you must delete or deactivate this IP instance. Browse the menu to Authentication / IP Instance, click the Edit button of the “global” IP instance and clear the “Enabled” checkbox to deactivate this IP instance.

F Note: Do not forget to click the button in order to notify the Secure Web proxy server that it needs to reload the configuration.


Illustration 12: Initial authentication setup


7 Setting up Microsoft SQL Server Express EditionMicrosoft SQL Express Edition is a free of charge SQL database engine that you might want to use as the database backend to the CYAN Reporting System. You can obtain the latest copy from the Microsoft homepage from the following URL:

http://www.microsoft.com/sql/editions/express/

After downloading and starting the setup program please follow the instructions of the setup wizard up to the dialog shown below. Please make sure to uncheck the “Hide advanced configuration options” button:

Continue to the dialog shown below. In this dialog please make sure that “Default instance” will be installed:


Illustration 13: MS SQL Server 2005 Setup

Illustration 14: MS SQL Server Setup - Default instance

http://www.microsoft.com/sql/editions/express/default.mspx


The “Default instance” will select the TCP port 1433 as the listening port for the SQL server communication.

Continue to the dialog shown below and select the “Mixed Mode” installation option. Please do not forget to specify a password for the sa user. The sa user is the system administrator for the SQL server and will have all administrative permissions:

Continue with the setup wizard until the installation is finished. After finishing the installation the SQL server must be setup to allow TCP for remote connections. To enable this function please start the “SQL Server Surface Area Configuration” program:


Illustration 15: MS SQL Server Setup - Mixed Mode

Illustration 16: MS SQL Server Windows Start Menu Entries


Select the “Surface Area Configuration for Services and Connections” link to open the settings of the database engine.

To change the setting for remote connections browse the tree to the dialog “Database Engine” / “Remote Connections”. Change the setting for “Local and remote connections” to “Using TCP/IP only” as shown in the following screenshot:

The configuration fo the SQL server is now completed. Finally a restart MS SQL Server is required so that the changes will take effect.


Illustration 17: SQL Server Surface Area Configuration

Illustration 18: SQL Server Settings for Remote Connections


8 Setting up the Reporting SystemThe initial configuration of the reporting system is not connected to a database. The following actions need to be completed to activate the Reporting System:

1. Setting up the Database Connection

2. Setting up the Reporting Database

3. Enabling the Log-Feeder

8.1 Setting up the Database ConnectionIn order to setup the reporting database connection connect to the administration interface and select the Cyan Reporting System icon from the Admin Selection Screen (see Illustration8: Admin Selection Screen on page 8). The following setup dialog will be displayed:

In the case you have installed MS SQL Server and specified the connection parameters during the setup process of Secure Web, this screen will not be displayed anymore.

Following to saving the connection information by clicking the “Setup” button, the administration interface will guide you to the process of setting up the database tables.


Illustration 19: Database Connection for the Reporting System


8.2 Setting up the Reporting DatabaseProvided the database connection is set up correctly and the database is empty, the Reporting System will display the following screen, showing that the database version is out of date:

Click the button to confirm that the missing database may now be set up and configured automatically.

F Note: Whenever new versions of the Reporting System require changes to the database, your explicit confirmation is requested to in order to proceed with the upgrade.

F Caution: Database upgrades may take a long time and can cause significant impact on the operation and performance of the system. Therefore the Reporting System will never upgrade the database automatically, but leave this decision with the administrator.

After successful completion of the setup / upgrade of the database, the login dialog will (re-)appear.


Illustration 20: Setting up the reporting database


8.3 Enabling the Log-FeederIn order to activate the import of the reporting information into the reporting database, the log feeder service of Secure Web must be enabled. Browse the menu to Server / Log Feeder / Setup as shown in the following screenshot:

The default values in this dialog are prepared to operate with the reporting system on this same machine. In case you want to run the reporting system on a separate machine, please refer to the Secure Web Reference Guide that describes the necessary steps.


Illustration 21: Log Feeder


9 Login to the Reporting SystemIn order to login to the Reporting System connect to the administration interface and select the Cyan Reporting System icon from the Admin Selection Screen (see Illustration 8: AdminSelection Screen on page 8). The following login screen will appear:

The reporting system uses different login credentials than the appliance component. You may want to assign a different password to the Secure Web administration login in order restrict the administration of the machine parameters and the reporting to different people.

The default login values are:

User: admin

Password: admin

F Note: We strongly recommended to change the administrator password as soon as possible.


Illustration 22: Reporting login


10 Where to continue ...Further documentation about the product as well as technical white papers that describe certain use cases can be found in our documentation repository on our homepage:

http://www.cyan-networks.com/documentation

In the case you need assistance, please contact your local reseller or contact our support team via email or telephone at

[email protected]

+43 (720) 555444-333


mailto:[email protected]

http://www.cyan-networks.com/documentation


Illustration IndexIllustration 1: Out-of-line deployment................................................................................................................ 3

Illustration 2: Deployment in a DMZ..................................................................................................................3

Illustration 3: Secure Web Setup Wizard.......................................................................................................... 5

Illustration 4: Secure Web Setup Wizard - specify database connection.......................................................... 6

Illustration 5: Secure Web Services.................................................................................................................. 6

Illustration 6: Secure Web Start Menu Entries on Windows..............................................................................7

Illustration 7: SSL Warning................................................................................................................................7

Illustration 8: Admin Selection Screen.............................................................................................................. 8

Illustration 9: Secure Web Login....................................................................................................................... 8

Illustration 10: Secure Web (evaluation) license............................................................................................... 9

Illustration 11: Secure Web administrator user................................................................................................10

Illustration 12: Initial authentication setup....................................................................................................... 11

Illustration 13: MS SQL Server 2005 Setup.................................................................................................... 12

Illustration 14: MS SQL Server Setup - Default instance................................................................................ 12

Illustration 15: MS SQL Server Setup - Mixed Mode.......................................................................................13

Illustration 16: MS SQL Server Windows Start Menu Entries......................................................................... 13

Illustration 17: SQL Server Surface Area Configuration.................................................................................. 14

Illustration 18: SQL Server Settings for Remote Connections........................................................................ 14

Illustration 19: Database Connection for the Reporting System......................................................................15

Illustration 20: Setting up the reporting database............................................................................................16

Illustration 21: Log Feeder.............................................................................................................................. 17

Illustration 22: Reporting login........................................................................................................................ 18


CYAN SECURE WEB - Infopoint Security · CYAN Secure Web Installing on Windows 6.3 Initial...

Documents

Transcript of CYAN SECURE WEB - Infopoint Security · CYAN Secure Web Installing on Windows 6.3 Initial...