Web Protection Connector


  • 7/27/2019 Web Protection Connector

    1/22

    WDS ConnectorSM

    Installation Guide

    Product Version: 6.9

    Document Date:

    02/2011

    Proprietary and Confidential

  • 7/27/2019 Web Protection Connector

    2/22

    WDS ConnectorSM Installation Guide - Product Version: 6.9

    Proprietary and Confidential 02/11 Page 2

    TABLE OF CONTENTS

    1 INTRODUCTION
      1.1 Requirements for installation
      1.2 Download the WDS Connector Setup Wizard
      1.3 Run the WDS Connector Setup Wizard
      1.4 Set up users for the WDS Connector
    2 REINSTALLING THE WDS CONNECTOR
    3 AD CONFIG EDITOR
    4 UNINSTALLING THE WDS CONNECTOR
    5 MANAGING THE WDS CONNECTOR LOGS
      5.1 Turning on the WDS Connector Logs
      5.2 Viewing the WDS Connector Logs
    6 ENABLING NTLM ON WINDOWS CLIENTS


    1 Introduction

    The WDS ConnectorSM, which is an enhancement to the Web Protection Service, allows users to access the web through Web Protection using existing local network domain credentials. This capability, known as transparent authentication, eliminates the need for Web Protection to authenticate a user each time the user opens a browser. Instead, Web Protection validates the user automatically whenever the user opens a browser. Administrators of the Web Protection service can continue to apply group policies to users, as well as track individual web usage, threats, and more.

    1.1 Requirements for installation

    Before you install WDS Connector, ensure that the following requirements are met:

    - Web Protection service must be enabled.
    - A Domain Controller must reside within the customer's Intranet and must be running Active Directory. You need the DNS name or IP address of this controller.
    - Each user that WDS Connector authenticates must have an account in Active Directory. That account must contain the same email address that the Web Protection Control Console contains.
    - You must have Customer Administrator or higher privileges on the Web Protection Control Console.
    - The local Intranet must contain a Windows server that can run the WDS Connector software and serve as a proxy server. This server must meet the following requirements:
      - The server must be running Windows Server 2003 or higher software and Microsoft Management Console (MMC) Services snap-in.
      - All available updates for the server's version of Windows must also be installed.
      - The firewall on the proxy server must allow access by user clients. Specifically, port 3128 tcp must be open outbound to the internet.
      - The proxy settings in Internet Explorer on the proxy server must be turned off for installation.
      - The time clock of the proxy server must be reasonably accurate, at least within one hour of the actual time within its time zone. It is recommended that your LAN use a Network Time Server to ensure this synchronization.
      - The proxy server must be running .NET 2.0 or higher. If the server is not running .NET 2.0 or higher, the installer notifies you during the initial setup and installs .NET for you.
      - NTLM enabled Browser (FF


    Determine Web Protection Authentication

    The Access Controls window allows you to define the manner in which users will be authenticated when accessing the Web. For example, you can register a list of accepted IP addresses for your organization.

    Three mechanisms are provided that allow you into the Web Protection system.

    Note: More than one authentication mechanism can be used in conjunction, if desired.

    IP Range Authentication

    Advantages:
    - No user login required
    - No passwords need to be maintained for users
    - No software to install
    - Can be deployed at the edge of the network using routing

    Disadvantages:
    - Group policies cannot be applied (all users have one policy)
    - No individual reporting, all reporting is grouped by the external IP address

    Explicit User Authentication

    Advantages:
    - Group policies can be applied (different users can have different policies)
    - Individual reporting on a per user basis
    - No software to install

    Disadvantages:
    - Requires users to log in once per browser session
    - Passwords must be maintained and/or authenticated against corporate server.

    Transparent Authentication (WDS Connector)

    Advantages:
    - No user login required
    - No passwords need to be maintained for users in the Web Protection system
    - Group policies can be applied (different users can have different policies)
    - Individual reporting on a per user basis

    Disadvantages:
    - Requires software to be installed on the corporate infrastructure
    - Requires Active Directory and NTLM authentication to recognize users
    - Requires that each user has an email address in Active Directory that matches a corresponding email address in the Web Protection Control Console.
    - Requires that users log on to the domain interactively.


    To install WDS Connector on a Windows server, perform the following steps:

    1.2 Download the WDS Connector Setup Wizard

    You must first download the WDS Connector Setup Wizard from your Web Protection Control Console.

    1. Ensure that the proxy settings in Internet Explorer on the proxy server are turned off.

    2. Log in to the Web Protection Control Console.

    The Web Protection Control Console appears.

    3. Click the Setup tab.

    The Web Protection Setup screen appears.

    If your Web Protection includes IP Address Range Authentication, the Web Protection Setup screen appears as follows.

    If your Web Protection does not include IP Address Range Authentication, then only the Web Protection Setup screen appears.

    4. Click the Download WDS Connector link.

    A Run screen appears and asks if you want to Run or Save the installation program.


    5. Depending on the computer from which you accessed the Web Protection Control Console, perform the steps for one of the following two scenarios:

    If you accessed the Web Protection Control Console from the Windows server that will be the proxy server, do the following:

    A. Select Run.

    The installer checks for Windows updates and the presence of .NET 2.0. If .NET 2.0 is not installed, the installer installs it.

    The installer redisplays a Run screen.

    NOTE: If all applicable Windows updates are not installed, the installation fails.

    B. Select Run again.

    The WDS Connector Setup Wizard opens.

    C. Continue with the Run the WDS Connector Setup Wizard section.

    If you logged into the Web Protection Control Console from a computer other than the proxy server, do the following:

    A. Select Save.

    B. Transfer the files you downloaded to the proxy server using a memory stick, a CD-ROM or some other means.

    C. On the proxy server, locate the file you downloaded and double-click to run it.

    A Run screen appears, asking if you want to Run or Save the installation files.

    D. Select Run.

    The installer checks for Windows updates and the presence of .NET 2.0. If .NET 2.0 is not installed, the installer performs an installation of .NET.


    The installer redisplays a Run screen.

    NOTE: If all applicable Windows updates are not installed, the installation fails.

    E. Select Run again.

    The WDS Connector Setup Wizard opens.

    F. Continue with the Run the WDS Connector Setup Wizard section.

    Attention: If your system receives the following error message during the Web Protection Setup, it means Short File Names are disabled. Continue with the following steps to enable this information.

    1. Click OK.

    The following WDS Connector Install screen displays.

    2. Click OK to continue the Web Protection installer setup.

    The WDS Connector Installation screen displays.

    3. Click Close to exit your installer and reboot your system to continue the Web Protection installer setup.


    Note: After completing these steps you have to reboot your system and begin to install the WDS Connector from the start.

    1.3 Run the WDS Connector Setup Wizard

    After you download the installation package and select Run, the following screen appears. Complete the steps that follow to set up WDS Connector.

    1. Click Next.

    The License Agreement page appears.

    2. Select I Agree, and click Next.

    The Select Installation Folder screen appears.


    3. Use the default folder or click the Browse button to select a different folder for the WDS Connector software.

    4. Click Next.

    An installation confirmation screen appears.

    5. Click Next.

    The installation of software begins. When the software has been installed, a WDS Connector Login configuration screen appears.

    6. Enter the username and password you normally use to access the Web Protection Admin Console, and click Next.

    The Setting Active Directory Connection Information screen appears.


    7. In the AD Hostname FQDN field, enter the fully-qualified domain name (FQDN) of the Active Directory domain controller in the local intranet.

    NOTE: Although an FQDN is preferred because it minimizes network requests, a non-FQDN domain name is also allowed in this field.

    8. In the Domain\Username field, enter a user name for the domain controller, using standard Windows domain user name format. Standard Windows user name format includes the domain name, followed by a backslash (\), followed by the username (for example, acme-domain\johndoe).

    NOTE: The user name you enter must have read access to the Active Directory.

    9. Enter a password for the user name in the Password field.

    10. Click Next. A confirmation information screen displays.

    NOTE: The Test button can be used to validate your AD settings. For more information regarding this functionality, see Chapter 4.

    The Account setup screen appears.

    11. Select Local System account or enter a User name and password for a unique WDS Connector account.

    NOTE: If you set up a unique account for WDS Connector, you must also administer the account on the Active Directory domain controller.

    12. Click Next.

    The installation is complete.

    13. Click Close.


    14. To verify that WDS Connector is running, access your Windows services screen.

    15. Go to Start > All Programs > Administrative Tools > Component Services

    For most Windows systems, you access the Windows services screen through Windows Control Panel.

    16. Check the screen to verify that the WDS Connector has started.

    1.4 Set up users for the WDS Connector

    The browser settings on each user's personal computer must be administered for the new proxy server. These settings must include port 3128 as the browser's access port on the proxy server.

    For example, to manually set the Windows Internet Explorer browser for an individual P.C., you access the Local Area Network (LAN) Settings screen in Internet Explorer and administer the Proxy Server section for the following:

    - The use of a proxy server by the browser
    - The IP address or host name of the proxy server
    - Port 3128 for the proxy server connection


    Contact your local support Web site or local support personnel for information on various methods of configuring browser proxy settings to point to the WDS Connector.

    Important: For the WDS Connector to authenticate a user, the user must already have an account in Active Directory (AD), and the AD account must include an email address that matches an email address in the Web Protection Control Console.

    If Microsoft Exchange is installed and running on the AD server and the user already has an Exchange account, the user's email address is automatically populated in AD when the user's AD account is created. However, when Exchange isn't already running on the proxy server, or when Exchange is running on a different server, the user's email must be added manually into the user's AD account.
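    One way to find the accounts that transparent authentication will not recognize, as an added example that is not part of the original guide: the function below compares AD accounts with the addresses registered in the Web Protection Control Console. The function name, the sample users and the console list are constructed, and the case-insensitive comparison is an assumption (the guide only says the addresses must match); on a real domain the input would come from Get-ADUser (ActiveDirectory module) and from a user list taken from the console.

```powershell
# Added example, not from the WDS Connector guide.
# Classifies AD accounts by whether their mail attribute matches an address
# registered in the Web Protection Control Console.
function Compare-ConnectorUser {
    param(
        [Parameter(Mandatory)] [object[]] $AdUser,       # objects with SamAccountName and mail
        [Parameter(Mandatory)] [string[]] $ConsoleEmail  # addresses known to the console
    )

    # Case-insensitive set of console addresses, surrounding whitespace trimmed
    # (assumption: the guide does not say whether matching is case-sensitive).
    $known = New-Object 'System.Collections.Generic.HashSet[string]' ([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($e in $ConsoleEmail) {
        if ($e -and $e.Trim()) { [void]$known.Add($e.Trim()) }
    }

    foreach ($u in $AdUser) {
        # An empty or missing mail attribute is the manual-entry case the guide describes.
        $mail = if ($u.mail) { "$($u.mail)".Trim() } else { '' }
        $status = if (-not $mail) { 'NoMailInAD' } elseif ($known.Contains($mail)) { 'Match' } else { 'NotInConsole' }

        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Mail           = $mail
            Status         = $status
        }
    }
}

# Constructed sample data. On a domain, use instead:
#   $ad = Get-ADUser -Filter 'Enabled -eq $true' -Properties mail
$ad = @(
    [pscustomobject]@{ SamAccountName = 'johndoe'; mail = 'John.Doe@example.com' }
    [pscustomobject]@{ SamAccountName = 'asmith';  mail = $null }
    [pscustomobject]@{ SamAccountName = 'bjones';  mail = 'bjones@example.org' }
)
$console = @('john.doe@example.com', 'c.lee@example.com')

# Show only the accounts that need attention before users are pointed at the proxy.
Compare-ConnectorUser -AdUser $ad -ConsoleEmail $console |
    Where-Object { $_.Status -ne 'Match' } |
    Format-Table -AutoSize
```

    With the sample data, asmith is reported as NoMailInAD and bjones as NotInConsole; johndoe matches despite the difference in letter case.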


    2 Reinstalling the WDS Connector

    If, for some reason, you must reinstall the WDS Connector, the installation software checks that the WDS Connector is not running before the installation software resumes the installation.

    During the reinstallation sequence, you might see the following screen:

    In this case, do the following steps:

    1. Click No.

    A number of screens may appear and disappear as the WDS Connector shuts down.

    Then, the following screen appears.

    2. Select the default Repair WDS Connector option, and click Cancel.

    The wizard prompts for confirmation on exit.

    3. Click No.

    The Welcome screen appears again.


    4. Click Finish.

    Continue with the installation as in the Run the WDS Connector Setup Wizard section of this document.


    3 AD Config Editor

    If you wish to edit your settings for Web Protection, including the:

    - Host Name
    - Domain
    - Password

    Go to All Programs > WDS Connector > AD Config Editor

    The Edit Active Directory Connection screen displays.

    1. Type the changes you wish to make.

    2. Click Test

    A Success Information window displays.


    3. Click OK and then click Save.

    4. Restart your Connector. To restart your Connector, go to Start > All Programs > Administrative Tools > Component Services.

    In the event that your AD Hostname is invalid, the following Failure Information pop-up displays to alert you to one of these issues:

    - This is an invalid AD Hostname
    - The AD Hostname is not visible to this machine
    - The AD is not running on that machine
    - The AD Hostname machine is down.

    5. Click OK to edit your information.

    6. Click Test and, if successful, click OK and Save.

    7. Restart your Connector. To restart your Connector, go to Start > All Programs > Administrative Tools > Component Services.


    If the User Name or Password is invalid, the following Failure Information pop-up displays.

    8. Click OK to edit your information.

    9. Click Test and, if successful, click OK and Save.

    10. Restart your Connector. To restart your Connector, go to Start > All Programs > Administrative Tools > Component Services.


    4 Uninstalling the WDS Connector

    To remove the WDS Connector program from your server, perform the following steps:

    1. From the Start button on the P.C., select All Programs.

    The list of programs appears.

    2. Select WDS Connector from the list. Then select WDS Connector Uninstall from the pop-up menu.

    A confirmation page appears.

    3. Click Yes.

    The WDS Connector is removed from your server.


    5 Managing the WDS Connector logs

    The WDS Connector can generate logs of activity. These logs are turned off by default, but for troubleshooting purposes in conjunction with support personnel, you might want to turn the logs on.

    CAUTION: The logs can generate a lot of data. You should only turn on the WDS Connector logs for troubleshooting purposes. Otherwise, the logs quickly begin to take up disk space.

    5.1 Turning on the WDS Connector Logs

    To turn on the logs, perform the following steps:

    1. From the Start button on the Windows Task Bar, select All Programs.

    The list of programs appears.

    2. Select WDS Connector from the list. Then select WDS Connector Configuration Manager from the pop-up menu.

    The WDS Connector Configuration Manager page appears.

    3. Click Turn Logging On.

    The button changes to Turn Logging Off. WDS Connector is ready to send data to its logs.

    5.2 Viewing the WDS Connector Logs

    To view the WDS Connector Logs, perform the following steps:

    1. In Windows Explorer, locate the directory in which you installed WDS Connector.

    The default location is within the Program Files directory at C:\Program Files\WDSConnector.

    2. From the WDS Connector directory, access the following path:

    WDS Connector Proxy\var\logs

    The logs directory appears.


    3. Double-click any file name to view its contents.


    6 Enabling NTLM on Windows clients

    The WDS Connector requires NTLM information and the client must be configured to use NTLM. Unfortunately, newer versions of Windows operating systems (Vista and beyond) do not inherently provide NTLM information when used in conjunction with newer versions of Windows Server (2008 and beyond).

    To enable NTLM on a Windows client, the following entry must be added to the Windows registry:

        Windows Registry Editor Version 5.00

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
        "LmCompatibilityLevel"=dword:00000000

    This can be automated by using a login script to add the entry to the client machines upon login. A .reg file must be created and then called from a batch file. In the script folder of the Windows Domain Controller machine, create a new text file and call it something like WDS_Connector_Fix.reg for convenience. This file should contain the following text (the blank line is necessary):

        Windows Registry Editor Version 5.00

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
        "LmCompatibilityLevel"=dword:00000000

    An associated batch file must contain a line similar to the one below (replace the Domain Controller Host and script share to include a valid UNC path to the script folder):

        regedit /s \\<Domain Controller Host>\<script share>\WDS_Connector_Fix.reg

    This batch file also needs to be added to the appropriate domain in the Group Policy Editor.

    WARNING: McAfee recommends using caution when editing the registry on any computer. While the change suggested is relatively low risk, please note that changing the Windows Registry may have unexpected consequences. Be sure to back up all work prior to executing any changes.
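    The entry above can be checked on a client after the login script has run. The following is an added example, not part of the original guide: it reads LmCompatibilityLevel and reports the level in effect and what that level means. The function names and the MatchesGuideReg field are illustrative, and the default of 3 for an absent value applies to Windows Vista / Server 2008 and later.

```powershell
# Added example, not from the WDS Connector guide.
# Reads the value that the .reg file sets and reports what it means.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Documented meanings of LmCompatibilityLevel (the "LAN Manager authentication level").
$LevelMeaning = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityReport {
    param(
        # Raw registry value; $null means the value is not present under the Lsa key.
        $Value,
        # Level applied when the value is absent (3 on Windows Vista / Server 2008 and later).
        [int] $DefaultLevel = 3
    )
    $explicit  = $null -ne $Value
    $effective = if ($explicit) { [int]$Value } else { $DefaultLevel }
    $meaning   = if ($LevelMeaning.ContainsKey($effective)) { $LevelMeaning[$effective] } else { 'Unknown level' }

    [pscustomobject]@{
        ExplicitlySet   = $explicit
        EffectiveLevel  = $effective
        Meaning         = $meaning
        # The guide's .reg file writes dword:00000000.
        MatchesGuideReg = ($explicit -and $effective -eq 0)
        # Levels 0 and 1 still send the LM response alongside NTLM.
        SendsLmResponse = ($effective -le 1)
    }
}

function Get-LocalLmCompatibility {
    # Returns nothing ($null) when the value does not exist, which is the
    # out-of-the-box state on Vista and later.
    $p = Get-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
    if ($p) { [int]$p.LmCompatibilityLevel }
}

# Report for the local machine.
Get-LmCompatibilityReport -Value (Get-LocalLmCompatibility)
```

    The Group Policy setting "Network security: LAN Manager authentication level" writes the same registry value, so a domain policy can overwrite what the login script set; rerunning the report after a policy refresh shows which one is in effect.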
