
Web Filter 2 Manual

End of Life/Support

Note: All support and functionality for Web Filter 2 is scheduled to end December 31st, 2017. Please make sure to upgrade to Web Filter 3 Longhorn prior to that date.

Installation

Appliance Implementation Guidelines

Background

We have a variety of Rockets to meet your needs. Determining the proper number and roles of appliances can be a hard process as all networks are different. This will help you plan your implementation and your Rocket installation. We’ll work with you to create the right solution for your network and your needs. Keep in mind networks grow and because of that, a little overkill can be a good thing.

Tip:

Multiple Rocket appliances can be set up in parent/child configurations to distribute your filtering and email management needs. For example, you can configure a Rocket appliance as a parent web filter and Bottle Rockets as child appliances for email management. Please note that due to latency issues all servers in a parent/child configuration need to be located on a common network with fast and reliable transmission rates.

Rocket, Web Filter

The three main things to consider when determining what Rocket, Web Filter appliance(s) are right for you are:

  • The number of ‘protected’ workstations
  • The amount of total bandwidth
  • The structure of your network

The Rocket appliances run on a BSD platform and can be combined in parent/child tiers to handle any size network.
<!–
Single-appliance Web Filter appliances, meaning a single box inline performing policy lookups and reporting, should be able to handle the following amount of traffic:

Rocket Traffic  Load
Bottle Rocket 150Mbs
Rocket, 1Gb 300Mbs

If you have more than 300Mbs of traffic you should use multiple Rocket appliances. Please note Bottle Rocket Web Filters should not be used as a parent if you have more than 300Mbs of traffic.

Inline Child Rocket appliances should be able to handle the following amount of traffic:

Rocket Traffic Load
Rocket, 1Gb 1Gbps (see note below)
Rocket, 10Gb 2Gbps (see note below)

If you are expecting to sustain more than 2Gbps of throughput a scalable load-balanced solution should be used. If you wish to add Advanced Reporting with full URL details an additional Advanced Reporting Rocket is required.
–>

Note:

There’s no easy way to outline which solution is right for you as your particular implementation may require additional Rockets to handle Policy and/or Reporting roles. Contact us to diagram and plan your implementation.

Rocket Install Prerequisites

Here are the steps to take to get your Rocket ready for your appointment with your Sales Engineer.

I. Open the following Firewall ports:

http://community.lightspeedsystems.com/knowledgebase/ports-used-by-lightspeed-systems-solutions/

II. Obtain the following network information
(write it down so it’s handy for your appointment)

    1. Fully-qualified hostname for the Rocket: ________________________________
    2. Static IP Address for Rocket: _______________________________________
    3. Subnet Mask: _______________________________________
    4. Gateway: _______________________________________
    5. Internal DNS server’s IP(s): _______________________________________
    6. SMTP Mail Server and Port: _______________________________________

III. Physical setup

    1. Rack the Rocket server
    2. Connect the Management NIC to your network. It must be connected and able to access the network and internet. Leave the other interfaces disconnected for now.
    3. Connect the power cables, USB keyboard, and VGA monitor.
    4. Power on the server

IV. Configuring the Management NIC

    1. At the command prompt, login using the following credentials:

Username: admin     Password: admin

    2. Select Management NIC Setup, then enter the IP Address, Subnet Mask, and Gateway.
    3. Select Logout, then press [Enter] to save the Management NIC configuration.

V. Prepare for deployment

    1. Log into the Lightspeed Rocket Appliance web console at http://<IP Address>

Username: admin     Password: admin

    2. Lightspeed Rocket login screen: change the admin password
    3. Ready for blast off: click “Let’s get started”
    4. Interfaces: Specify the fully-qualified hostname for the Rocket and DNS server(s); use the information from Step 2
    5. Connectivity: Verify firewall ports are open
    6. Updates: Allow updates to download and install (approx. 15-30 minutes)
    7. Date and Time: Pick the closest major city in your time zone
    8. Licensing: Enter your Customer ID (See “Welcome E-Mail”)
    9. License Agreement: Please read and accept the License Agreement
    10. Server Roles: Select the role(s) appropriate to your server
    11. Complete: Click ‘click here to continue’ and you’ll be redirected to the Rocket Dashboard.

VI. That’s it! Now please contact your Sales Engineer.
(Not sure who your SE is? Check the Region Map.)

IMPORTANT: A blue Lightspeed USB drive is included with the paperwork provided with your Rocket appliance. It is important that you keep this USB drive. The drive may be used with future software updates.

Understanding Release Numbers

On the Software Updates page you can view the current version of software, install updates and upgrades, and enable automatic update installation. To access this page click Administration on the dashboard and then click Software Updates.

This section describes the differences between software updates and upgrades and what the numbers and letters in a release number mean.

Sample Software Updates

Software releases for the Lightspeed Systems solutions can be one of the following:

New Maintenance Updates

These are software updates, which can be installed either automatically or manually through your Rocket appliance. For example, if you have Release 2.2.17 and you install Release 2.2.18 this is a software update.

New Version Upgrades

These are software upgrades, which can normally be installed manually. However, they cannot be installed automatically. In addition, depending on the current version of software you are running and the type of upgrade you may need to use a flash drive supplied by Lightspeed Systems to perform the upgrade. For example, if you have Release 2.2.17 and you install Release 2.3.0 or Release 3.0.0 these are upgrades.

Whether a version of software is an update or an upgrade, whether the change is major or minor, and if the version is a pre-release or latest official version can be determined by examining the position of digits and letters (if applicable) in the release number. The figure and table below show how to interpret the release number.

Rocket-ReleaseNumbers2

Digit or Letter Position Upgrade? Update? Description/Comments
First Digit The first digit indicates a major software upgrade, which may require installation with a Lightspeed Systems flash drive and a re-flash of the Rocket appliance.
Second Digit The second digit indicates a minor software upgrade, which can be installed manually on the Software Updates page. However, it cannot be installed automatically.
Third Digit The third digit indicates an update, which can be installed either manually or automatically. Please note updates may contain some minor features, but their main purpose is to correct issues.
Release Suffix The final characters in a release number will only be present if the release is a release candidate (rc) or a beta release (b). For example, if the release suffix consists of the letters “rc” this indicates a release candidate while a “b” indicates a beta release. For instance, Release “2.4.0.rc1” is the first release candidate of Release 2.4.0. Release candidates and beta releases must be installed manually and will display a confirmation window when you start the upgrade or update.
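The rules in the table above can be written out as a short program. This is an added example, not Lightspeed Systems code: it parses a release number and classifies the change between two releases. The ".bN" suffix form and the ordering of beta before release candidate are assumptions, since the manual shows only "2.4.0.rc1".

```python
import re
from typing import NamedTuple, Optional

# MAJOR.MINOR.MAINTENANCE with an optional ".rcN" or ".bN" suffix.
# Only "2.4.0.rc1" appears in the manual; the ".bN" form is an assumption.
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(rc|b)(\d+))?$")

# Assumed ordering within one x.y.z: beta < release candidate < final release.
_STAGE_RANK = {"b": 0, "rc": 1, None: 2}


class Release(NamedTuple):
    major: int
    minor: int
    maintenance: int
    stage: Optional[str] = None   # "rc", "b", or None for a final release
    stage_num: int = 0

    @property
    def prerelease(self) -> bool:
        return self.stage is not None

    def sort_key(self):
        return (self.major, self.minor, self.maintenance,
                _STAGE_RANK[self.stage], self.stage_num)


class Change(NamedTuple):
    kind: str                    # what the digit positions say about the change
    automatic: bool              # eligible for automatic installation
    confirmation: bool           # rc/beta target: confirmation window expected
    flash_drive_possible: bool   # first-digit change: may need flash drive/re-flash


def parse_release(text: str) -> Release:
    """Parse a release number such as '2.2.17' or '2.4.0.rc1'."""
    m = _RELEASE_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a release number: {text!r}")
    major, minor, maint, stage, num = m.groups()
    return Release(int(major), int(minor), int(maint), stage,
                   int(num) if num else 0)


def classify_change(current: str, target: str) -> Change:
    """Classify moving from `current` to `target` using the table's rules."""
    cur, new = parse_release(current), parse_release(target)
    if new.sort_key() <= cur.sort_key():
        # Same release or a downgrade: the manual does not cover this case.
        return Change("not newer", False, False, False)

    if new.major != cur.major:
        kind = "major upgrade"        # first digit changed
    elif new.minor != cur.minor:
        kind = "minor upgrade"        # second digit changed
    elif new.maintenance != cur.maintenance:
        kind = "maintenance update"   # third digit changed
    else:
        kind = "pre-release step"     # same x.y.z, e.g. rc1 -> final

    # Release candidates and betas are installed manually, and a pre-release
    # is not automatically moved to the general release.
    involves_prerelease = cur.prerelease or new.prerelease
    return Change(
        kind=kind,
        automatic=(kind == "maintenance update" and not involves_prerelease),
        confirmation=new.prerelease,
        flash_drive_possible=(kind == "major upgrade"),
    )


if __name__ == "__main__":
    # Release pairs taken from the examples in this section.
    for cur, new in [("2.2.17", "2.2.18"), ("2.2.17", "2.3.0"),
                     ("2.2.17", "3.0.0"), ("2.4.0.rc1", "2.4.0")]:
        print(f"{cur} -> {new}: {classify_change(cur, new)}")
```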

TIP: Keep Your Software Up to Date

Lightspeed Systems strongly recommends that you keep up to date with the latest software updates. While you may not be experiencing any known issues, there may be beneficial performance improvements and security-related changes in the updates.

Configuring the Rocket

Getting Connected

First we’ll connect the Lightspeed Rocket Appliance to power, monitor, keyboard, and the copper RJ-45 management NIC.

  • 1. The first time you power up the Lightspeed Rocket Appliance, you will be prompted for a username and password to log into the appliance console. The username is admin, and the password is admin.

Note:

You can only log into the appliance console from the local machine. You cannot log in remotely via SSH.

  • 2. Next, configure the Management NIC (Network Interface Card).


  • 3. Select Management NIC Setup, then enter the IP Address, Gateway and Subnet Mask for the Lightspeed Rocket Appliance.
  • 4. Select Logout, then press [Enter] to save the Management NIC configuration.

Preparing for Deployment

The next step is to prepare the Lightspeed Rocket Appliance for deployment.

  • 1. Log into the Lightspeed Rocket Appliance web console at http://LSS_Server_name/ with the default user name admin and default password admin.
  • 2. If this is the first time anyone has logged into the Web Console for the Lightspeed Rocket Appliance, the setup wizard will prompt you for basic information.


  • 3. Follow the prompts in the wizard to set up:
    • Interfaces
    • Date and Time
    • Licensing
    • Servers
    • Updates

NIC Connections

The Rocket Appliance’s external connection (copper RJ-45 connectors on 1g Rockets and Bottle Rockets and fiber LC connectors on 10Gb Rockets) will connect in line with your outbound connection to the Internet. Typically, this would be connected to the internal interface on your firewall. The Rocket Appliance’s internal connection (copper RJ-45 connectors on 1g Rockets and Bottle Rockets and fiber LC connectors on 10Gb Rockets) will go to your core network — typically, where the internal interface on your firewall previously connected. The following network diagram shows a typical setup.

Rocket

Manual Configuration

Configure Interfaces

  • 1. On the Management Interface page of the setup wizard, enter the IP address, netmask, and gateway of the Management interface. Configure at least the first DNS server; the second is optional.
  • 2. Hostname is optional.

Note:

If you enter a host name, you must also add a DNS A-Record on your DNS server. Without an A-Record, features such as the Access Page (on page 132) will not work properly.

  • 3. Click Next to apply your changes. You should see a notification that the connection was successful. Click Continue to dismiss the notification and go to the next wizard page.

Set Date and Time

  • 1. Select your Location and your Date/Time Format.
  • 2. You can synchronize the date and time on your Rocket appliance with a Network Time Protocol (NTP) server. Enter the name of the NTP. The default server is: pool.ntp.org

Note:

You must use a Network Time Protocol Server, either the default, or another NTP server. The setup wizard cannot continue until you have specified the NTP server to use.

  • 3. Click Next to apply your changes.

Configure Licenses

  • 1. To authorize the Lightspeed Rocket appliance, enter the Customer ID provided by Lightspeed Systems.
  • 2. You should see your account information displayed after the Lightspeed Systems Rocket has contacted us with the customer ID. Please verify that this information is correct.
  • 3. Click Next to apply your changes.
  • 4. View and acknowledge the License Agreement.

Configure Server

  • 1. Enter the fully-qualified domain name for the SMTP server. It must match the MX record for your domain (mail.domain.com) and be different from your real internal email server to avoid a mail loop. Include login information for the SMTP server, if required.
  • 2. Click Next to apply your changes. The server will now download any available updates.

Change the Default Administrator Password

  • 1. On the right side of the dashboard, click Administration, then select Tiered Admin.
  • 2. On the left side navigation, select Root.
  • 3. Scroll to the bottom of the page, then under Local Users, click admin. This action opens the Edit Local Web User dialog box.
  • 4. Enter the new password, confirm the password, then click Save.

Restart the Appliance

  • 1. At the top left area of the dashboard, click Status.
  • 2. On the left side navigation, select Shut Down / Restart to reboot the Rocket appliance to apply your changes.

Advanced Reporting Rocket Setup

Initial Setup

The 1600R3-AR (Advanced Reporting Appliance) follows the same initial setup instructions as any other Rocket does. The primary difference is when you select the hardware platform. As shown below this is locked down specifically to the Advanced Reporting role for a 1600R3-AR.

Advanced Reporting Fixed Server Role

Child Process

When converting a 1600R3-AR to a child server the reporting data currently on the parent server will not be migrated to the Advanced Reporting Appliance.

Advanced Report Data Conversion Warning

This data will also no longer be available through the web interface. If you wish to retain this data you will need to export required data to CSV or PDF files. If you wish to view the reports via the Web user interface you will need to perform a full data backup on the parent server before beginning the child process on the 1600R3-AR. Once this data is backed up it can be restored to a stand-alone Rocket to view/retrieve reports. This cannot be restored to the 1600R3-AR child.

Reconfiguring Child Server

If a 1600R3-AR needs to be reconfigured as a child server, all reporting data currently on the Rocket will be lost during this process.

Advanced Reporting Reconfigured Warning

Backup/Restore

When performing a restore of the 1600R3-AR you will need to verify that the Rocket is configured as a child server first. If it is not configured as a child the server will not be properly configured upon completion to take full advantage of all reporting features. In this scenario a reflash of the appliance would most likely be required to correct the issue.

Once the server has been configured as a child server and rebooted you will need to open the Backup/Restore menu and restore the selected backup file with reporting data.

NOTE:

If the parent server’s IP has changed this could prevent the server from restoring properly and will require aid from Lightspeed Support to properly complete the restore process.

Feature Changes

Reporting Data Retention

The Advanced Reporting Appliance still has a 90-day retention cap on reporting data. This has not changed from other appliances.

Full URL Reporting on Allowed Sites

The Advanced Reporting Appliance allows for full URL detail reporting on allowed sites. On average, enabling this option can increase the space requirements of the database by as much as ten times. In most environments this option is not required as the current aggregated reporting options are sufficient for customer use.

Rocket Administration – Main Controls

Logging In

The moment you’ve been waiting for: it’s time to log into your Rocket! All you have to do is

  • 1. Open a web browser and navigate to the IP address of your Lightspeed Systems Rocket Appliance (for example, http://192.168.0.200).

Login Screen

  • 2. Log in as username admin, password admin.
  • 3. If you are logging into the root tier (the default) or into a child server, proceed to Step 4. (You can only log into the root tier on child servers.) Otherwise, follow Steps a and b below to select a tier.
    • a. Select the tier from the Tier dropdown list.

Login Tier Selection Menu

    • b. Click the tier, which will select the tier and close this window. Please note you can search for tiers by entering the tier’s name in the search window.

Note:

If you change your mind you can click Close to exit this menu.

  • 4. If needed, select the authentication source from the dropdown list.
  • 5. Click Login.

Tip:

Check (select) Remember Me to remember your user name and tier selection (if applicable).


Tiered Administration

Tiered Administration is an advanced feature that you can use to create complex rules for policies and category settings based on IP address ranges.

For most customers, the default configuration, with all IP addresses in your network at the Root tier, will be all you need. Consider using Tiered Administration if you are an Internet Service Provider for other entities requiring individual management and policies.

For all Tiers, you can configure:

  • Tier Name and Description – Give your tiers a meaningful name and description to aid in management and troubleshooting.
  • Settings – You can manage bandwidth, customer IDs, and proxy ports for each tier. See Tiered Administration Settings for more information.
  • Address Space – By default, all IPv4 and IPv6 addresses in your network are assigned to the Root Tier. For most applications, no further configuration is needed. Any address space you assign to Sub Tiers is excluded from the Root Tier. See Address Space for more information.
  • Subnet Labels – Assign subnet labels to identify segments of your network by IP address range. These labels are used in the Reports module. See Subnet Labels for more information.
  • Internal Ignore List / External Ignore List – These settings are for advanced configurations and testing only, and are generally not needed in a typical Lightspeed Systems Rocket application. Use the Internal and External Ignore List to set up a pass-through route between an internal IP address or range and an external IP address or range. See Internal Ignore List and External Ignore List for more information.
  • Email Domains – You can configure email domains that are controlled by the root or sub tiers. See Email Domains for more information.
  • Authentication Sources – Lightspeed Systems Rocket can use a variety of directory services to authenticate users, including Active Directory, Novell, LDAP and Apple Open Directory. You can also authenticate users locally; that is, with usernames and passwords stored in the Lightspeed Systems Rocket’s own database. See the Authentication Sources section for more information.
  • Administrators – If you want to allow other administrator users to log into Lightspeed Systems Rocket with their network username and password, add them here. The Lightspeed Systems Rocket will use the authentication source you select. See Administrators for more information.
  • Local Users – If you want to add users directly to Lightspeed Systems Rocket without using another authentication source, enter them here. See Local Users for more information.
  • Network Share – This folder is created and shared automatically by the Lightspeed Systems Rocket. Each tier has its own folder. Use this folder to place SIS (Student Information System) export files for Launch (Lightspeed Dashboard) to import. For the Root tier only, this folder also contains backup files exported by the Lightspeed Systems Rocket.

To view the details for the Network Share click Administration, select the root tier, and then scroll all the way down to Network Share at the bottom. You should see something like:
\\\tier1

Inside that share are two folders named backup and sis_import for backups and the SIS imports, respectively. Please note that the root tier share is the only one that has the backup folder. All other tiers will only have the sis_import folder.

NOTE:

See Provisioning Users, Groups, and Devices for information about importing SIS data into Launch (Lightspeed Dashboard).

Click Edit Name & Description to edit the name and description of a tier.

Tier Administration Options

Root administrators can navigate between the root tier and sub tiers by clicking the tier’s name in the Favorite Tiers panel or by clicking more in the Favorite Tiers panel, which will display the Organize Tiers window as shown below.

Organize Tiers window

Click the sub tier’s name to navigate to it. If you have many tiers you can filter them in the search window.

To add a sub tier to the Favorite Tiers panel select it and then click Save.

NOTE:

Please note the root tier will reflect what the license of the console has for the customer ID and cannot be changed without changing the license key itself. Sub-tiers can manually specify a customer ID to utilize.

SNMP

You can use Simple Network Management Protocol (SNMP) in network management systems (NMSs) to monitor the Rocket. In this environment an SNMP manager (for example, an NMS device) sends requests to an SNMP agent (the Rocket). You can use an SNMP browser to browse the tree and pick the available MIBs or use the built-in monitoring utilities from your NMS. This lets you monitor the Rocket and other network devices (for example, switches, routers, and printers) from the same workstation.

Click Administration and then SNMP to view this page.

SNMP Page

  • SNMPv1/SNMPv2c read-only access community name – This read-only field displays the community name that the SNMP manager must use to communicate with the Rocket (the SNMP agent).
  • Community access restriction – Enter an IP address, IP address range, or valid (in other words, resolvable) hostname that will allow access to the SNMP agent on the Rocket. If the hostname or network address/CIDR range is not valid, the community will not report.

Note:

In large environments that use many SNMP pollers, you can set the Community access restriction field to an empty value so that all of the pollers can reach the agent. With the field empty, access is limited only by the read-only community name.

Supported MIBs

The table below lists MIBs that are currently supported on the Rocket appliance. Click the MIB name for more information.

MIB Description
SNMPv2-MIB The MIB module for SNMP entities.
DISMAN-EVENT-MIB The MIB module for defining event triggers and actions for network management purposes.
IF-MIB The MIB module to describe generic objects for network interface sublayers.
SNMPv2-SMI The Structure of Management Information (SMI) document consisting of module, object, and notification definitions.
IP-MIB The MIB for the Internet Protocol (IP).
TCP-MIB The Transmission Control Protocol (TCP) MIB.
IPV6-TCP-MIB The MIB for implementing TCP over IPv6.
UDP-MIB The MIB for User Datagram Protocol (UDP).
IPV6-UDP-MIB The MIB for UDP over IPv6.
HOST-RESOURCES-MIB The MIB for managing host systems.
UCD-SNMP-MIB The MIB for extensions originally developed by the University of California, Davis.
MTA-MIB The MIB for Message Transfer Agents (MTAs).
IPV6-MIB The MIB for Internet Protocol v6 (IPv6).
NOTIFICATION-LOG-MIB The MIB for senders of notifications, which can also be used by receivers.
SCTP-MIB The MIB for Stream Control Transmission Protocol (SCTP), which was originally developed for transporting Public Switched Telephone Network (PSTN) signaling messages but is now used for many other applications.

Useful SNMP OIDs

The sections below list several MIB Object IDs (OIDs) that display useful statistics about Rocket appliances. In the tables below you can click the table name for more information. In addition, several sections provide sample outputs generated by the open source Net-SNMP suite of applications. Click here for more information about Net-SNMP.

prTable

MIB/Table Name Registered OID Summary
UCD-SNMP-MIB::prTable 1.3.6.1.4.1.2021.2 A table containing information on running programs/daemons configured for monitoring in the snmpd.conf file of the agent. Errors flag processes that violate the number of running processes required by the agent’s configuration file.

The Rocket appliance uses certain service-critical processes depending on its configuration. These services are monitored by the SNMP agent and can be reported on using the UCD-SNMP-MIB MIB via the prTable OID.
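One way to turn a prTable walk into an alert is sketched below. This is an added example, not part of the original manual or of the Rocket software: it parses Net-SNMP `snmpwalk` output for UCD-SNMP-MIB::prTable and lists the monitored processes whose error flag is set. The sample walk and the process names in it are constructed for illustration.

```python
import re
from collections import defaultdict

# UCD-SNMP-MIB::prTable is .1.3.6.1.4.1.2021.2; its rows live under prEntry (.1).
PR_ENTRY = ".1.3.6.1.4.1.2021.2.1"
COLUMNS = {"1": "prIndex", "2": "prNames", "3": "prMin", "4": "prMax",
           "5": "prCount", "100": "prErrorFlag", "101": "prErrMessage"}

# One line of snmpwalk output: "<oid> = <TYPE>: <value>"
_LINE = re.compile(r"^(?P<oid>\S+) = (?P<type>[\w-]+):\s?(?P<value>.*)$")

# Constructed sample, in the form printed by a command such as:
#   snmpwalk -v2c -c <community> <rocket-address> UCD-SNMP-MIB::prTable
# The process names are placeholders, not the Rocket's real process list.
SAMPLE_WALK = """\
UCD-SNMP-MIB::prIndex.1 = INTEGER: 1
UCD-SNMP-MIB::prIndex.2 = INTEGER: 2
UCD-SNMP-MIB::prNames.1 = STRING: ntpd
UCD-SNMP-MIB::prNames.2 = STRING: postgres
UCD-SNMP-MIB::prMin.1 = INTEGER: 1
UCD-SNMP-MIB::prMin.2 = INTEGER: 1
UCD-SNMP-MIB::prMax.1 = INTEGER: 1
UCD-SNMP-MIB::prMax.2 = INTEGER: 20
UCD-SNMP-MIB::prCount.1 = INTEGER: 1
UCD-SNMP-MIB::prCount.2 = INTEGER: 0
UCD-SNMP-MIB::prErrorFlag.1 = INTEGER: noError(0)
UCD-SNMP-MIB::prErrorFlag.2 = INTEGER: error(1)
UCD-SNMP-MIB::prErrMessage.1 = STRING:
UCD-SNMP-MIB::prErrMessage.2 = STRING: No postgres process running
"""


def _split_oid(oid):
    """Return (column_name, row_index) for a prTable OID, else None."""
    if oid.startswith("UCD-SNMP-MIB::"):          # symbolic form
        name, _, idx = oid[len("UCD-SNMP-MIB::"):].partition(".")
        if name in COLUMNS.values() and idx.isdigit():
            return name, int(idx)
        return None
    if not oid.startswith("."):                    # numeric form (snmpwalk -On)
        oid = "." + oid
    if oid.startswith(PR_ENTRY + "."):
        parts = oid[len(PR_ENTRY) + 1:].split(".")
        if len(parts) == 2 and parts[0] in COLUMNS and parts[1].isdigit():
            return COLUMNS[parts[0]], int(parts[1])
    return None


def _to_int(value):
    """Accept both '1' and the enum form 'error(1)'; keep anything else as text."""
    m = re.fullmatch(r"(?:\w+\()?(-?\d+)\)?", value)
    return int(m.group(1)) if m else value


def parse_pr_table(walk_output):
    """Build {row_index: {column: value}} from snmpwalk text."""
    rows = defaultdict(dict)
    for line in walk_output.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        column = _split_oid(m.group("oid"))
        if column is None:
            continue                               # not a prTable column we track
        name, idx = column
        value = m.group("value").strip().strip('"')
        if m.group("type") == "INTEGER":
            value = _to_int(value)
        rows[idx][name] = value
    return dict(rows)


def failing_processes(rows):
    """Rows whose prErrorFlag is set, i.e. the agent's process-count rule is violated."""
    failing = []
    for idx in sorted(rows):
        row = rows[idx]
        if row.get("prErrorFlag") not in (0, None):
            failing.append({"index": idx,
                            "name": row.get("prNames", "?"),
                            "count": row.get("prCount"),
                            "message": row.get("prErrMessage", "")})
    return failing


if __name__ == "__main__":
    for proc in failing_processes(parse_pr_table(SAMPLE_WALK)):
        print(f"ALERT {proc['name']}: count={proc['count']} {proc['message']}")
```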

dskTable

MIB/Table Name Registered OID Summary
UCD-SNMP-MIB::dskTable .1.3.6.1.4.1.2021.9 Disk watching information.

laTable

MIB/Table Name Registered OID Summary
UCD-SNMP-MIB::laTable .1.3.6.1.4.1.2021.10 Load average information.

fileTable

MIB/Table Name Registered OID Summary
UCD-SNMP-MIB::fileTable .1.3.6.1.4.1.2021.15 Table of monitored files.

ifTable

MIB/Table Name Registered OID Summary
IF-MIB::ifTable .1.3.6.1.2.1.2.2 A list of interface entries. The number of entries is given by the value of ifNumber (the number of network interfaces).

HOST-RESOURCES-MIB MIB

Another useful MIB is the HOST-RESOURCES-MIB MIB, which is documented as OID .1.3.6.1.2.1.25.

hrStorageTable

MIB/Table Name Registered OID Summary
HOST-RESOURCES-MIB::hrStorageTable .1.3.6.1.2.1.25.2.3 The (conceptual) table of logical storage areas on the host.

You can use the hrStorageTable to determine the actual usable amount of storage available. This value excludes the loss due to formatting or file system reference information. This table is a particularly useful diagnostic tool for ‘out of memory’ and ‘out of buffers’ errors. In addition, it can be a useful tool for monitoring memory, buffer, and disk performance.

hrDeviceTable

MIB/Table Name Registered OID Summary
HOST-RESOURCES-MIB::hrDeviceTable .1.3.6.1.2.1.25.3.2 The (conceptual) table of devices contained by the host.

You can use the hrDeviceTable table to display device data, including device ID, status, and errors.

Logs

The Logs page contains an actively updated log file of events as they happen. It includes configuration changes, errors, and any other event that occurs on the appliance.

  • A numeral beside the page heading indicates the number of new log entries since you loaded the page.
  • Click the numeral to refresh the list.
  • Use the search window to filter log entries.
  • Click the navigation buttons in the upper right area of the page to browse the log.


  • Time – Local time on the Lightspeed Systems Rocket appliance.
  • Process – The name of the process (for example Network Time Protocol Daemon or PostgreSQL) that generated the log entry.
  • Message – The contents of any informational messages, error conditions, or user commands issued.

Note:

The log file contains information that may be useful for advanced troubleshooting with the assistance of Lightspeed Systems technical support.

Campus Library

The Campus Library is a teacher-contributed repository of educational content including YouTube videos, Web Sites, and Documents. When integrated with the Lightspeed Web Filter, library resources that would ordinarily be filtered are unblocked automatically for users.

You can integrate the Campus Library with your Lightspeed Web Filter by associating it with a Fully Qualified Host Name (FQHN) on your network. You do this from the Administration dashboard on your Lightspeed Rocket.

This provides anonymous access to the Campus Library. Students and teachers can connect to this host to search and access resources in the entire Campus Library, without having to log into either the Library or the Lightspeed Dashboard.

The only time a Lightspeed Dashboard login is required is when teachers wish to add content to the library.


Follow the steps below to add a Campus Library link.

  • 1. From the dashboard click Administration.
  • 2. Click Campus Library.
  • 3. In the Hostname window enter the Campus Library’s FQHN. Note: The Campus Library needs to resolve to the IP of the Rocket.
  • 4. From the dropdown list select one of the following to set the maximum grade level allowed. Please note the equivalent UK grade levels are in parentheses.
      Pre-K (Reception)
      K (Year 1)
      1st Grade (Year 2)
      2nd Grade (Year 3)
      3rd Grade (Year 4)
      4th Grade (Year 5)
      5th Grade (Year 6)
      6th Grade (Year 7)
      7th Grade (Year 8)
      8th Grade (Year 9)
      9th Grade (Year 10)
      10th Grade (Year 11)
      11th Grade (Year 12)
      12th Grade (Year 13)
  • 5. Click Save.

Please note that before you can use the Campus Library, you need to be a licensed customer of the Lightspeed Systems Web Filter, Mobile Manager or Classroom Orchestrator, your school district needs to be set up on Lightspeed Dashboard, and your serial number needs to be listed.

Important

The FQHN of the Campus Library cannot be the same as the hostname for the server itself. Setting the hostname for the Campus Library to the same hostname of the server will cause issues with management and viewing of the access page.

Tip

Add a DNS CNAME record for your Campus Library to make it easier for students to access.

Note: The CNAME needs to be an alias for the Rocket.

Auditing

Use the Auditing page to view all configuration changes to the Lightspeed Systems Web Filter module.


Auditing Video Tutorial

You can filter the report by date range and category.

Entries that contain additional information are hyperlinked. Click the link for details.


Software Updates

The Software Updates page shows you the software version number currently installed on your Lightspeed Rocket Appliance. You can also see if an updated version of the software is available. In addition, you can configure how and when your appliance is updated.


Note:

See What Do Release Numbers Mean? for an explanation of release numbers.

Note:

Pre-release or Release Candidates are NOT automatically updated to the general release. Administrators will need to manually update Pre-release or Release Candidates to the release version.

The Rocket appliance offers several types of software updates. To install an update click its link. Depending on the type of software update you may be presented with a confirmation window similar to the following:

confirm-install-software

If so, check (select) “I have read the release notes and I am ready to update my system” and then click Continue.

Note:

If you have parent and child Rocket appliances always update the parent server first. In addition, you should stagger updates for Rocket appliances in front of your firewalls, especially when the firewalls are in a failover configuration.

Note:

Visit the Release Center to view Lightspeed Systems release notes.

New Maintenance Updates

A maintenance update is a minor update, which is indicated by a change in the third digit of the release number (for example, an update from 2.2.17 to 2.2.18). This table provides links to software updates and special pre-release versions of the software.

Automatic Maintenance

Check (select) Enable automatic maintenance, select the time in 24-hour format from the dropdown lists (the default is 11:00 p.m.), and click Save to enable automatic installation of the latest maintenance version of the software. This is enabled by default.

Note:

This option will only install new maintenance versions. Version upgrades must be installed manually.

Shutdown/Restart

You can shut down or restart the Lightspeed Systems Rocket appliance from this page.


Shutdown/Restart Video Tutorial

Shutting down the Lightspeed Systems Rocket Appliance

You should always shut down the Lightspeed Systems Rocket Appliance properly before disconnecting power. Proper shutdown protects the integrity of your configuration and data files. To shut down the Lightspeed Rocket Appliance, click Shutdown. You will be prompted to confirm your selection.

When the Lightspeed Systems Rocket Appliance is shut down, all traffic will be bypassed or blocked, depending on the Bypass on failure setting.

Caution:

Although the Lightspeed Systems Rocket Appliance has several built-in features that protect data integrity in most circumstances, an improper shutdown (for example, by disconnecting the power cord while the appliance is running) may cause data loss or corruption. You should implement, and regularly test, a backup power source for your critical network servers.

Restarting the Lightspeed Systems Rocket Appliance

You should only need to restart the Lightspeed Systems Rocket Appliance if you are directed to do so by Lightspeed Systems Technical Support. To restart the appliance, click Restart. You will be prompted to confirm your selection.

During the time the appliance is restarting (generally from 15 to 60 seconds, depending on hardware and software configuration), all traffic will be bypassed or blocked, depending on the Bypass on failure setting.

SMTP Server

The SMTP Server page is where you add the network addresses for the SMTP Server (email server). Simple Mail Transfer Protocol (SMTP) is the protocol used to send email between mail servers on the Internet. The SMTP Server listens for incoming and outgoing SMTP connections, accepts the connections if they are OK, receives the email, and then forwards the email on to the next SMTP server.

Note:

The Lightspeed Systems Web Filter module does not support IMAP.

SMTP Settings

Use this table to configure basic SMTP server settings.

  • From Address – Enter the domain name to be used as the originating (from) address by the SMTP server.
  • Host – Enter the hostname or IP address for the SMTP server.
  • Port Number – Enter the port number. Note: The default port for SMTP services is 25.

Click the Send Test Email button to confirm your SMTP server configuration.
Click Save to save any changes you make.

Authentication

Use this table to enable and configure authentication.

  • Server requires authentication – Check (select) this field to enable authentication. You will not be able to configure any SMTP server authentication settings until you enable this field.
  • Username – Enter the username here.
  • Password – Enter the password associated with the username here.
  • Password Confirmation – Re-enter the password for the server here.
  • Authentication Method – From the dropdown list select the authentication method, which can be Plain, Login, or cram_md5.
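
What each of the three authentication methods in the dropdown puts on the wire, as an added example (not Lightspeed code). The username, password and challenge are the sample values from RFC 2195; the function names are hypothetical.

```python
import base64
import hashlib
import hmac

# Sample values from the worked example in RFC 2195 (not real credentials).
SAMPLE_USER = "tim"
SAMPLE_PASSWORD = "tanstaaftanstaaf"
SAMPLE_CHALLENGE_B64 = "PDE4OTYuNjk3MTcwOTUyQHBvc3RvZmZpY2UucmVzdG9uLm1jaS5uZXQ+"


def _b64(text):
    return base64.b64encode(text.encode()).decode()


def auth_plain(username, password):
    """Plain (RFC 4616): one token, base64 of NUL + username + NUL + password."""
    return [_b64("\0%s\0%s" % (username, password))]


def auth_login(username, password):
    """Login: username and password sent as two separate base64 tokens."""
    return [_b64(username), _b64(password)]


def auth_cram_md5(username, password, challenge_b64):
    """cram_md5 (RFC 2195): HMAC-MD5 of the server challenge, keyed with the
    password. The client sends base64("username hexdigest")."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return [_b64("%s %s" % (username, digest))]


def password_recoverable(client_tokens, password):
    """True if base64-decoding the client's tokens is enough to read the
    password, i.e. the method offers no protection on an unencrypted link."""
    return any(password.encode() in base64.b64decode(t) for t in client_tokens)


def exposure_by_method(username, password, challenge_b64):
    """Map each dropdown value to whether the password crosses the wire."""
    tokens = {
        "Plain": auth_plain(username, password),
        "Login": auth_login(username, password),
        "cram_md5": auth_cram_md5(username, password, challenge_b64),
    }
    return {method: password_recoverable(t, password) for method, t in tokens.items()}


if __name__ == "__main__":
    for method, exposed in exposure_by_method(
        SAMPLE_USER, SAMPLE_PASSWORD, SAMPLE_CHALLENGE_B64
    ).items():
        print("%-9s password readable from capture: %s" % (method, exposed))
```

Plain and Login only encode the password, so it is readable by anything between the appliance and the mail server unless the connection itself is encrypted; cram_md5 keeps the password itself off the wire.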

Server Roles

On the Server Roles page you can monitor and configure a Rocket appliance child server. Parent/Child server synchronization lets you centralize reporting and policy management in a multi-appliance environment. Child servers poll the parent every minute while the parent server will poll the child server if necessary.

Note:

In a multi Rocket environment the user agents should point to the parent server.

If you are logged into the parent server you can view the status and manage child servers from the Dashboard as shown below.

child-server-on-parent dashboard

  • IP address – The IP address, status (a green light will be displayed if it is operational), and the server role of the child server. In addition, user-configured text describing this server will also be displayed.
  • Status – The synchronization status of this child server.
  • Manage All Servers – Click this link to be taken to the Server Roles page.
  • Manage Server – Click this link to go to the Dashboard of the selected child server.

If you click Manage Server you will be taken to the Dashboard of the selected child server as shown below.

child-server-activity-page

If you need to return to the parent server click Go to Parent Server as shown above.

Tip:

To select what role a Rocket appliance will perform, please refer to the Configuring Server Roles section. To configure a child server, please refer to the steps described in the Converting to a Child Server section. To manage a child server from the parent server, please refer to the Managing Server Roles section.

Network Interfaces

Use the Network Interfaces page to configure each Network Interface Card (NIC).

The Lightspeed Systems Rocket appliance has at least two NICs:

  • MGMT (Management interface)
  • Bridge (Bridge interface, for connecting the Lightspeed Systems Rocket appliance to your local network)

Click the icon to select a network interface to configure it.

Tip:

Each network interface has a status icon, which indicates normal operation (black) or error (red).

Configuring Ethernet Ports

When configuring Ethernet port settings on the Rocket appliance you should ensure that speed and duplex are set to the highest common denominator (for example, 1000/Full Duplex).

Note:

Don’t forget to lock the speed and duplex on switch and firewall ports as well.

Management Interfaces (MGMT)

The Management Interface is the network interface through which you connect to the Lightspeed Systems Rocket appliance to administer the system.

Host

  • Hostname (optional) – Enter the hostname of your Lightspeed Systems Rocket appliance here.

Note:

If you enter a hostname, you must also add a DNS A-Record on your DNS server. Without an A-Record, features such as the Access Page will not work properly. In addition, the hostname needs to match the FQDN on both the internal and external DNS record.

Management Interface

  • IP Address – Enter the IP address (IPv4) for the Lightspeed Systems Rocket appliance.
  • Subnet Mask – Enter the subnet mask for the Lightspeed Systems Rocket appliance.
  • Default Gateway – Enter the IP address of the default gateway for your network. This is typically the IP address of your router or firewall.
  • Speed and Duplex – In most cases, speed and duplex can be set to Auto, but if the interface status shows as Half Duplex, then you should manually lock it to Full Duplex and hard set your switch to match Full Duplex.

Note:

The interface should be initialized and able to pass traffic after the initial setup wizard completes.

  • IPv6 Address – If your network supports IPv6, enter the IPv6 address for the Lightspeed Systems Rocket appliance.
  • IPv6 Prefix Length – Enter the IPv6 Prefix Length in use on your network.
  • IPv6 Default Gateway – Enter the address of the default IPv6 gateway for your network.

DNS Servers

  • Primary DNS Server (IPv4/IPv6) – Enter the IP address of the primary Domain Name System (DNS) server. The Lightspeed Systems Rocket requires at least one DNS server in order to communicate on the network.
  • Secondary DNS Server (optional) (IPv4/IPv6) – Enter the IP address of the secondary DNS server. This setting is optional, and is only needed as a backup if the primary DNS server is unable to resolve an address.

Important:

DHCP is not supported. You must assign static IP addresses to the Lightspeed Systems Rocket Appliance.

Auxiliary Interface (no longer used)

  • IP Address – Enter the IP address (IPv4) for the auxiliary interface.
  • Subnet Mask – Enter the subnet mask for the auxiliary interface.
  • Speed and Duplex – From the dropdown list select the speed and duplex for the auxiliary interface, which can be Auto (the default), 1000 Mbps (full-duplex), 100 Mbps (full-duplex), 100 Mbps (half-duplex), 10 Mbps (full-duplex), or 10 Mbps (half-duplex).
  • MTU – From the dropdown list select the maximum transmission unit (MTU) size (in bytes), which can be 1500 (the default), 7000, or 9000.
  • IPv6 Address – If your network supports IPv6, enter the IPv6 address for the auxiliary interface.
  • IPv6 Prefix Length – If your network supports IPv6, enter the IPv6 prefix length for the auxiliary interface.

Bridge Interface

The Bridge interface connects the Internal, or Local Area Network (LAN) port with the External, or Wide Area Network (WAN) port, so that the Lightspeed Systems Rocket can analyze and filter incoming and outgoing network data.

For 1Gb Rockets and Bottle Rockets the only settings on this page are Speed (Automatic or 10 Mbps to 1000 Mbps) and Duplex (Automatic, half or full) for each interface. For 10Gb Rockets you can also enable Virtual LAN (VLAN / VLANs) tagging. For all Rockets this configuration page also shows the status of each interface (Active or Error).

VLAN

On 10Gb Rockets only check (select) Enable processing of tagged vlan traffic if the bridge will be passing tagged traffic. Please note this option is only displayed if the Rocket software detects 10Gb interfaces.

VLAN Table

Internal Interface 0 / External Interface 0

Speed and Duplex – The speed and duplex need to be hardcoded to match the speed of your network. In most cases this will be 1000 Mbps, Full Duplex. In addition to configuring this on the Rocket, all connected devices need to be hardcoded to the same setting. Select the correct combination of speed and duplex from the dropdown list.

Notes:

Speed and duplex mismatches are the top cause of what is perceived as the Rocket slowing Internet traffic.

Both the internal and external interfaces on the Rocket must be set to the same settings.

Localization

Use the Localization page to configure time and language settings for your location.

Time Zone

To select your time zone, open the Time Zone list and choose the country and nearest city in your local time zone. For example, if you are in Bakersfield, California, the nearest city on the Time Zone list is Los Angeles.

Language

Select your default language from the Default locale dropdown list.

Network Time Server

Accurate reporting depends on having the correct date and time on the Lightspeed Systems Rocket appliance. To help maintain accuracy, the appliance automatically synchronizes with a Network Time Protocol (NTP) time server.

The default entry for this field is http://pool.ntp.org. If you prefer to use a different Network Time Server (NTP), enter the host name for the network time server (NTP) in this field, and then click Save to apply the change. You can find a list of public NTP servers here.

To revert to the default time server, click Reset.

Backup and Restore

The Rocket Appliance runs automated backups daily and weekly, and stores the backup files in the shared network folder for the root tier.

Backups

    The fields displayed by the Backups table are described below:
  • Type – The type of backup, which can be Daily, Weekly, or Manual.
  • Date – The date of the backup.
  • Version – The software version of the backup.
  • File – The name and path of the backup file.
  • Size – The size of the backup file.
  • Created – When this backup file was created.
  • Restore – Click this button to restore the backup.

Important Notes:

  • Due to changes in 2.2.13, backups from 2.2.12 and earlier are not compatible with the restore process.
  • Current and backup software must be in the same minor release. See Understanding Release Numbers for more information.

Follow the steps below to create a manual backup.

  • 1. Select one of the following backup options from the dropdown list:
    • Configuration Only
    • Full
  • 2. Click Backup Now.

Note:

Lightspeed Systems recommends that you avoid running any backups during the middle of the day.

Previous Restores

The Previous Restores table displays when the most recent restore was performed.

Backup Network Share

The fields displayed by the Backup Network Share table are described below:

  • SMB Path – The path name of the backup network share.
  • Username – The user name of the backup network share.
  • Password – The password for the backup network share. Click Regenerate to create a new password.

 Import Logs

This table lists log files of imports from a TTC server. Click the name of a log file to download it. Click the X in its row to delete it.

Licensing

Note: The Lightspeed Systems Rocket comes with a 14-day evaluation license that allows full functionality of all Lightspeed Systems Rocket features. When the 14 day evaluation period ends, only the licensed products associated with your Lightspeed customer ID will be available for use.

A Customer ID number is supplied at the time of purchase/delivery of the Lightspeed Systems Rocket appliance. You must have this Customer ID number available in order to complete your appliance authorization.

Serial Number (Customer ID)

To authorize the Lightspeed Rocket appliance, enter the Customer ID Number (provided by Lightspeed Systems) and click Save. Then click Update Licenses to retrieve your most up to date license from Lightspeed Systems’ licensing server.

iSCSI

Small Computer Systems Interface (SCSI) protocol is used to communicate with I/O devices, including storage devices, over physical media (for example, Parallel SCSI, IPI, IEEE-1394 FireWire, and Fibre Channel) in a local network. Internet Small Computer Systems Interface (iSCSI) is a transport protocol used to create a Storage Area Network (SAN) that operates over TCP/IP, allowing transport of data over LANs, WANs, and the Internet using existing network infrastructure.

The following sections describe what you need to know and do before you configure iSCSI (see iSCSI Prerequisites and Considerations), how to use the wizard to configure iSCSI on a Rocket appliance (see Configuring iSCSI), and how to view the status of an iSCSI device (see Viewing iSCSI Status).

Warning:

Adding iSCSI cannot be reversed unless you reinstall the software entirely. Lightspeed Systems recommends that you contact support to assist you with this configuration. In addition, depending on the amount of data currently stored in your database the conversion process can take hours and should be performed after hours since there are periods of time that the Rocket will not be able to filter properly.

iSCSI Prerequisites and Considerations

Before you configure iSCSI on a Rocket appliance you should keep the following considerations and prerequisites in mind.

Hardware Considerations

Since iSCSI connections generally use the same network infrastructure as other network equipment in LANs and WANs, it is possible to inadvertently make cabling mistakes. A single mistake can compromise the logical barrier between iSCSI and the rest of your network. Therefore, you should consider color-coding cables and clearly labeling switch ports.

For example, you could use yellow cables for iSCSI and blue cables for your normal data. In addition, and if resources permit, you could consider using physically separate switches for iSCSI.

Security Considerations

While it is possible to configure iSCSI without security you should not do so. Without security, your iSCSI connection will be vulnerable to active and passive attacks.

Network Prerequisites

When preparing your network before you configure iSCSI on a Rocket appliance, please ensure the following for compliance with iSCSI standards:

  • The auxiliary NIC must be on a different subnet from the management NIC.
  • iSCSI targets and initiators must support at least one TCP connection.
  • iSCSI names must be unique within the operational domain of the end user.
  • Each iSCSI node, whether an initiator or target, must have an iSCSI name.
  • The initiator and target should implement Challenge Handshake Authentication Protocol (CHAP).
  • Reverse-CHAP Authentication is not supported.
  • You should use the default TCP port number for iSCSI, which is 3260.

Note:

For a complete list of requirements please refer to RFC 3720, “Internet Small Computer Systems Interface (iSCSI)”.
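
The prerequisites above can be checked against a planned configuration before the wizard is run. The following is an added example, not part of the Rocket software: the dictionary keys, addresses and names are constructed for illustration, and the 12-byte minimum for the CHAP secret is the 96-bit threshold RFC 3720 sets for CHAP used without IPsec.

```python
import ipaddress
import re

# iqn.<yyyy-mm>.<reversed domain>[:<identifier>] or eui.<16 hex digits>
IQN = re.compile(r"^iqn\.\d{4}-(0[1-9]|1[0-2])\.[a-z0-9][a-z0-9.-]*(:\S+)?$", re.I)
EUI = re.compile(r"^eui\.[0-9a-f]{16}$", re.I)
MAX_NAME_BYTES = 223          # RFC 3720 limit on iSCSI name length
MIN_CHAP_SECRET_BYTES = 12    # 96 bits
DEFAULT_PORT = 3260


def name_type(name):
    """Return 'iqn' or 'eui' for a well-formed iSCSI name, else None."""
    if len(name.encode("utf-8")) > MAX_NAME_BYTES:
        return None
    if IQN.match(name):
        return "iqn"
    if EUI.match(name):
        return "eui"
    return None


def preflight(cfg, names_in_use=()):
    """Check a planned setup against the prerequisites list.
    Returns a list of (check, message) tuples; empty means no findings."""
    findings = []

    # The auxiliary NIC must be on a different subnet from the management NIC.
    mgmt = ipaddress.ip_interface(cfg["mgmt"])
    aux = ipaddress.ip_interface(cfg["aux"])
    if mgmt.version == aux.version and mgmt.network.overlaps(aux.network):
        findings.append(("subnet", "aux %s shares a subnet with mgmt %s"
                         % (aux.network, mgmt.network)))

    # Every node needs a well-formed iSCSI name.
    for role in ("initiator", "target"):
        if name_type(cfg[role]) is None:
            findings.append(("name", "%s name %r is not a valid iqn/eui name"
                             % (role, cfg[role])))

    # Names must be unique within the operational domain.
    taken = {n.lower() for n in names_in_use}
    initiator = cfg["initiator"].lower()
    if initiator == cfg["target"].lower() or initiator in taken:
        findings.append(("unique", "initiator name %r is already in use"
                         % cfg["initiator"]))

    # Keep the default TCP port unless there is a reason not to.
    if cfg.get("port", DEFAULT_PORT) != DEFAULT_PORT:
        findings.append(("port", "port %s is not the default %s"
                         % (cfg["port"], DEFAULT_PORT)))

    # CHAP should be configured, with a secret of at least 96 bits.
    secret = cfg.get("chap_secret")
    if not secret:
        findings.append(("chap", "no CHAP secret configured"))
    elif len(secret.encode("utf-8")) < MIN_CHAP_SECRET_BYTES:
        findings.append(("chap", "CHAP secret is shorter than 96 bits"))
    return findings


# Constructed sample plans (hypothetical addresses, names and secrets).
BAD_PLAN = {
    "mgmt": "192.168.10.5/24", "aux": "192.168.10.77/24",
    "initiator": "iqn.2016-13.com.example:rocket",   # month 13 is invalid
    "target": "eui.02004567A425678D",
    "port": 3261, "chap_secret": "short",
}
GOOD_PLAN = {
    "mgmt": "192.168.10.5/24", "aux": "10.20.30.5/24",
    "initiator": "iqn.2001-04.com.example:rocket01",
    "target": "iqn.2001-04.com.example:storage:diskarrays-sn-a8675309",
    "port": 3260, "chap_secret": "correct-horse-battery",
}

if __name__ == "__main__":
    for check, message in preflight(BAD_PLAN):
        print("%-7s %s" % (check, message))
```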

Backup Before You Configure iSCSI

Lightspeed Systems recommends that you perform a full backup and move it off of your appliance before you configure iSCSI. This ensures you can recover your old configuration if something goes wrong during the setup and you have to rebuild your appliance.

Please note that previous backups will not be available or compatible after the iSCSI configuration has completed and you cannot restore a backup from an iSCSI-configured appliance to a non-iSCSI appliance. In addition, the backup folder share/location will also change after iSCSI is configured. The new user/share folder will be available on the Backup and Restore page.

Define an Auxiliary Interface for the iSCSI Device

You need to configure an auxiliary interface for an iSCSI device before you can configure it. See Network Interfaces for more information.

Viewing iSCSI status

To display the current status of iSCSI devices, click Administration on the Dashboard and then click iSCSI. The following screen will be displayed.

iscsi-status-screen

The fields displayed on this screen are described below:

  • Name – The name of the iSCSI device.
  • Initiator Name – The initiator (i.e., client) name of the iSCSI connection. This name must be either an iSCSI Qualified Name (type “iqn”) or an IEEE EUI-64 format (type “eui”).
  • Host – The DNS name, IPv4 address, or IPv6 address of the host (target).
  • Target – The target (i.e., host) name of the iSCSI connection. This name must be either an iSCSI Qualified Name (type “iqn”) or an IEEE EUI-64 format (type “eui”).
  • Lun – The Logical Unit Number (LUN) of the target (host) device.
  • Mount – The logical name and path of the target device, which is similar to the format of an attached SCSI device.
  • Status – The current status of the iSCSI device and connection.
  • Capacity – The free and used capacity (in gigabytes) of the iSCSI device. Note: The capacity of the iSCSI device is also displayed on the Dashboard under Disk Usage.

Note:

If data is being transferred between the iSCSI client and host the status of the transfer will be displayed.

Configuring iSCSI

To configure iSCSI on a Rocket appliance, follow the steps below. Please note that Lightspeed Systems strongly recommends you read and understand the best practices described in iSCSI Prerequisites and Considerations before proceeding.

Warning:

Installing iSCSI is a one-way street and there is no going back to local storage for reports unless you reinstall the software entirely.

Note:

You can exit the iSCSI setup wizard by clicking the abort setup link at the start of the wizard or by clicking the Abort button during the wizard.

How to configure iSCSI

  • 1. From the dashboard, click Administration. The following screen will be displayed:

click-iscsi

  • 2. Under Server click iSCSI. The following screen will be displayed if you have already defined an auxiliary interface for your iSCSI device.

iscsi-page

    • If you have not configured an auxiliary interface the following will be displayed instead.
    • If you have already configured the auxiliary interface proceed to Step 3. If not, click the Network Interfaces link, perform the steps described in Management Interface (MGMT) to configure the auxiliary interface, and go back to Step 1.
  • 3. Click the Setup iSCSI Device button. The following screen will be displayed:

iscsi-wizard-start-ready

  • 4. Click the best practices link to review what you need to know and do before you configure an iSCSI device.
  • 5. Select (check) the I have read and understood the best practices checkbox.
  • 6. Click the Let’s get started link. The following page will be displayed:

iscsi-settings-page

  • 7. Enter the following iSCSI target settings:
    • Host – Enter the DNS name, IPv4 address, or IPv6 address for the host.
    • Port – Optional. Enter the TCP port number. Please note you should use 3260, which is the worldwide standard TCP port number for iSCSI. You should not change this number unless it is absolutely necessary.
    • IQN Initiator Name – Enter the initiator (client) name in the standard “IQN” format. In most cases the default initiator name will work properly. In certain environments where a Microsoft Server 2003/2008/2012 iSCSI target is utilized it must be changed to an acceptable initiator name.
    • Discovery Username – Optional. Enter the discovery username.
    • Discovery Password – Optional. Enter the discovery password.
    • Discovery Password Confirmation – Optional. Enter the discovery password again.
  • 8. Click Next. The following screen will be displayed.

iscsi-wizard-discovering-target

Note: The target discovery process may take several minutes. Once it is complete the following screen will be displayed.

iscsi-wizard-select-target

  • 9. Select the target you want to connect to and enter the following information:
    • Target – Select the target (host) device from the dropdown list.
    • Username – Optional. Enter the target’s username.
    • Password – Optional. Enter the target’s password.
    • Password Confirmation – Optional. Enter the target’s password again.

Warning:

After you select a target, you will not be able to abort or go back from this page.

  • 10. Click Next. The following screen will be displayed:

discovering-luns

Note: The Logical Unit Number (LUN) discovery process may take several seconds. Once it is complete the following screen will be displayed:

iscsi-select-luns

  • 11. Select the LUN from the dropdown list.

Warning:

This process will reformat the selected LUN if its data/format is not recognized.

  • 12. Click Next. The following screen will be displayed:

iscsi-wizard-complete

  • 13. Click the Click here to continue link to exit the iSCSI setup wizard. The iSCSI Settings page will be displayed as shown below.

iscsi-status-screen-with-backup

Note:

The initial iSCSI data transfer process may take several hours to complete.

Rocket Administration – SSL and Proxy

SSL Certificate

SSL (Secure Sockets Layer) encryption protects sensitive information such as login IDs and passwords from being intercepted and misused. On the Rocket, the console SSL certificate is used to establish trust for the Management and Access Pages. When configured as a proxy server, using SSL decryption, the Proxy certificate is required for the client to trust the Rocket to establish the SSL session to the destination host. This is used for selective blocking or unblocking within domains such as google.com and youtube.com, or filtering and reporting on the Full URL Details within a secure connection.

Note:

A detailed technical discussion of SSL is outside the scope of this document. For technical information on SSL and related security topics, refer to the Wikipedia article on Transport Layer Security.

The SSL Certificate page consists of two sections:

  • Console Certificate
  • Proxy Certificate

Console Certificate

The Console Certificate provides trust for encryption for administrator usernames and passwords when logging into the Rocket administration dashboard. A trusted SSL connection also provides encryption for usernames and passwords for end users on your network when they sign into the Secure Access Page.

The Rocket includes a self-signed console certificate that is valid for 39 months. If you prefer to use an SSL certificate issued by a trusted certificate authority, you can install it in place of the self-signed certificate. You can also generate or install your own self-signed SSL certificate.

Important: The Host Name on the Network Interfaces page must match the host name in the proxy certificate.

Installed Console Certificate

This table lists details about the current console certificate. Please note the default Console certificate has a lifetime of 39 months after being initialized.

Download Links

For security reasons, some browsers and devices will warn users when visiting an HTTPS site that is using a self-signed or untrusted certificate. These users will need to download, import, and trust the site certificate using the generated links in this section.

Web console and access page certificate – Download this certificate for secure access to the Rocket web console and Access Page.

Copy the link in this section to share it with users who need to download the certificate.

Replace

You can create a new certificate or import a certificate file by clicking the Create Self-Signed Certificate, Create Certificate Signing Request, or Import Existing Certificate buttons.

Proxy Certificate

If the Rocket is not configured as a Proxy Server, when a user accesses a secure HTTPS site, only the domain name (subject) in the SSL certificate will be visible to the Web Filter. Block or allow decisions can only be made for the entire domain, rather than for URLs and URL patterns within the domain.

When the Proxy Server is enabled with SSL Decryption, all HTTPS (encrypted) requests can be examined via a trusted Man-In-The-Middle proxy. When a user requests a secure website, such as a banking site, the encrypted request will be sent to the proxy server. The proxy server will then decrypt it in order to read the full URL.

Note: A few steps are required to enable HTTPS decryption once you’ve installed the proxy certificate:

  • Proxy Server must be selected (checked) on the Server Roles page, and configured on the Proxy Server page.
  • Decrypt SSL Traffic must be selected (checked) on the Proxy Server page.

Note also that the client must be configured to use the Rocket as an SSL proxy (either explicitly or through WCCP).

Installed Proxy Certificate

This table lists the expiration date for the current proxy certificate. If a proxy certificate is about to expire, click Recreate the certificate to extend the expiration date. Please note that the default Proxy certificate has a lifetime of 39 months after being initialized.

Important:

If you recreate the proxy certificate, you will need to redeploy this certificate to all user devices that use this Rocket proxy server. You can push it out through a GPO (Microsoft Exchange) or ZENworks (Novell) at the same time that you push out the proxy settings.

Download Links

Note: In most cases, the Help Link (below) is the best choice for users who need to install the proxy certificate themselves.

Any client connected to the proxy must download and trust the certificate so that it can trust the Rocket as a “root signing authority.” For devices that you cannot configure via GPO or ZENworks, users will need to manually install the certificate from the links below:

Proxy server certificate used when opting to decrypt SSL traffic – Download this certificate for HTTPS traffic if you have enabled the proxy server.

Proxy SSL certificate for Chromebook devices – Download this CRT-formatted SSL certificate for Google device proxy clients (Chromebooks and Android).

Copy the links in this section to share them with users who need to download the certificate.

Tip:

See Configuring a Rocket Appliance as a Proxy Server for more information.

Help Link

The Help Link goes to a page that automatically detects the device type and browser, and provides specific instructions to download and import the certificate.  Share this link with users who need to install the proxy certificate themselves, without assistance.

This SSL Certificate Self-Service Portal can be accessed by having users visit: http://<hostname or IP of Rocket>/lsaccess/proxycert

OS/Browser-specific installation instructions

First, download the Proxy Certificate from the link provided on the help page, or from

http://<hostname or IP of Rocket>/lsaccess/proxycert

Install Proxy Certificate with Windows Firefox

  1. Select Options
  2. Select the Advanced tab
  3. Select the Certificates tab
  4. Click View Certificates
  5. Select the Authorities tab
  6. Click Import
  7. Browse to the location that you downloaded the ls-rocket.der certificate to in the first step, then click Open
  8. In the Downloading Certificate dialog box, select the Trust this CA to identify web sites check box
  9. Click OK three times
  10. Restart Firefox

Install Proxy Certificate with OS X Firefox

  1. Select Preferences
  2. Select Advanced
  3. Select Certificates
  4. Click the View Certificates button
  5. Select Authorities
  6. Click the Import button
  7. Browse to the location that you downloaded the certificate to in the first step
  8. Select the ls-rocket.der file
  9. Verify that the checkbox for “Trust this CA to identify websites” is selected and click OK

Install Proxy Certificate with Windows Chrome

  1. Go to chrome://settings/
  2. Scroll down and select Show advanced settings…
  3. Under the HTTPS/SSL section, select Manage certificates
  4. Select Trusted Root Certification Authorities
  5. Click Import and Next
  6. Browse to the location that you downloaded the certificate to in the first step
  7. Select the ls-rocket.der file
  8. Verify that the Certificate Store is set to Trusted Root Certification Authorities, click Next, and then click Finish
  9. Accept the Security Warning
  10. Restart the browser

Install Proxy Certificate with Windows Internet Explorer

  1. Select Internet Options
  2. Select the Content tab
  3. Click Certificates
  4. Select Trusted Root Certification Authorities
  5. Click Import and Next
  6. Browse to the location that you downloaded the certificate to in the first step (you will need to have “All Files (*.*)” selected for the file type)
  7. Select the ls-rocket.der file and click Open
  8. Verify that the Certificate Store is set to Trusted Root Certification Authorities, click Next, and then click Finish
  9. Accept the Security Warning
  10. Restart the browser

Install Proxy Certificate with Windows

  1. Click Start, click Start Search, type mmc, and then press ENTER
  2. On the File menu, click Add/Remove Snap-in
  3. Under Available snap-ins, click Certificates, and then click Add
  4. Under This snap-in will always manage certificates for, click Computer account, and then click Next
  5. Click Local computer, click Finish, and then click OK
  6. In the console tree, double-click Certificates
  7. Right-click the Trusted Root Certification Authorities store
  8. Click All Tasks and then select Import and click Next
  9. Browse to the location that you downloaded the certificate to in the first step (you will need to have “All Files (*.*)” selected for the file type)
  10. Select the ls-rocket.der file and click Open
  11. Verify that the Certificate Store is set to Trusted Root Certification Authorities, click Next, and then click Finish

Install Proxy Certificate with OS X

  1. Open Keychain Access
  2. Select File
  3. Click Import Items
  4. Browse to the location that you downloaded the certificate to in the first step
  5. Select the ls-rocket.der file
  6. Select System for the Destination Keychain option
  7. Click the Open button
  8. Click the Always Trust button

Install Proxy Certificate with iOS

  1. Tap the Install button
  2. Tap Done

Install Proxy Certificate with Chrome OS

  1. Select Settings
  2. Select Show Advanced Settings
  3. Under HTTPS/SSL, select Manage Certificates
  4. Select the Authorities tab
  5. Select Import
  6. Browse to ls-rocket-chrome.crt and click open
  7. Select the checkbox labeled ‘Trust this certificate for identifying websites.’
  8. Click Ok, then click Done

Appliance

SSL Certificate

SSL (Secure Sockets Layer) encryption protects sensitive information such as login IDs and passwords from being intercepted and misused. On the Rocket, the console SSL certificate is used to establish trust for the Management and Access Pages. When configured as a proxy server, using SSL decryption, the Proxy certificate is required for the client to trust the Rocket to establish the SSL session to the destination host. This is used for selective blocking or unblocking within domains such as google.com and youtube.com, or filtering and reporting on the Full URL Details within a secure connection.

Note:

A detailed technical discussion of SSL is outside the scope of this document. For technical information on SSL and related security topics, refer to the Wikipedia article on Transport Layer Security.

The SSL Certificate page consists of two sections:

  • Console Certificate
  • Proxy Certificate

Console Certificate

The Console Certificate provides trust for encryption for administrator usernames and passwords when logging into the Rocket administration dashboard. trusted SSL connection also provides encryption for usernames and passwords for end users on your network when they sign into the Secure Access Page.

The Rocket includes a self-signed console certificate that is valid for 39 months. If you prefer to use an SSL certificate issued by a trusted certificate authority, you can install it in place of the self-signed certificate. You can also generate or install your own self-signed SSL certificate.

Important: The Host Name on the Network Interfaces page must match the host name in the proxy certificate.

Installed Console Certificate

This table lists details about the current console certificate. Please note the default Console certificate has a lifetime of 39 months after being initialized.

Download Links

For security reasons, some browsers and devices will warn users when visiting an HTTPS site that is using a self-signed or untrusted certificate. These users will need to download, import, and trust the site certificate using the generated links in this section.

Web console and access page certificate – Download this certificate for secure access to the Rocket web console and Access Page.

Copy the link in this section to share it with users who need to download the certificate.

Replace

You can create a new certificate or import a certificate file by clicking the Create Self-Signed Certificate, Create Certificate Signing Request, or Import Existing Certificate buttons.

Proxy Certificate

If the Rocket is not configured as a Proxy Server, when a user accesses a secure HTTPS site, only the domain name (subject) in the SSL certificate will be visible to the Web Filter. Block or allow decisions can only be made for the entire domain, rather than for URLs and URL patterns within the domain.

When the Proxy Server is enabled with SSL Decryption, all HTTPS (encrypted) requests can be examined via a trusted Man-In-The-Middle proxy. When a user requests a secure website, such as a banking site, the encrypted request will be sent to the proxy server. The proxy server will then decrypt it in order to read the full URL.

Note: A few steps are required to enable HTTPS decryption once you’ve installed the proxy certificate:

  • Proxy Server must be selected (checked) on the Server Roles page, and configured on the Proxy Server page.
  • Decrypt SSL Traffic must be selected (checked) on the Proxy Server page.

Note also that the client must be configured to use the Rocket as an SSL proxy (either explicitly or through WCCP).

Installed Proxy Certificate

This table lists the expiration date for the current proxy certificate. If a proxy certificate is about to expire, click Recreate the certificate to extend the expiration date. Please note that the default Proxy certificate has a lifetime of 39 months after being initialized.

Important:

If you recreate the proxy certificate, you will need to redeploy this certificate to all user devices that use this Rocket proxy server. You can push it out through a GPO (Microsoft Exchange) or ZENworks (Novell) at the same time that you push out the proxy settings.

Download Links

Note: In most cases, the Help Link (below) is the best choice for users who need to install the proxy certificate themselves.

Any client connected to the proxy must download and trust the certificate so that it can trust the Rocket as a “root signing authority.” For devices that you cannot configure via GPO or ZENworks, users will need to manually install the certificate from the links below:

Proxy server certificate used when opting to decrypt SSL traffic – Download this certificate for HTTPS traffic if you have enabled the proxy server.

Proxy SSL certificate for Chromebook devices – Download this CRT-formatted SSL certificate for Google device proxy clients (Chromebooks and Android).

Copy the links in this section to share them with users who need to download the certificate.

Tip:

See Configuring a Rocket Appliance as a Proxy Server for more information.

Help Link

The Help Link goes to a page that automatically detects the device type and browser, and provides specific instructions to download and import the certificate.  Share this link with users who need to install the proxy certificate themselves, without assistance.

This SSL Certificate Self-Service Portal can be accessed by having users visit: http://<hostname or IP of Rocket>/lsaccess/proxycert

OS/Browser-specific installation instructions

First, download the Proxy Certificate from the link provided on the help page, or from

http://<hostname or IP of Rocket>/lsaccess/proxycert

Install Proxy Certificate with Windows Firefox

  1. Select Options
  2. Select the Advanced tab
  3. Select the Certificates tab
  4. Click View Certificates
  5. Select the Authorities tab
  6. Click Import
  7. Browse to the location that you downloaded the ls-rocket.der certificate to in the first step, then click Open
  8. In the Downloading Certificate dialog box, select the Trust this CA to identify web sites check box
  9. Click OK three times
  10. Restart Firefox

Install Proxy Certificate with OS X Firefox

  1. Select Preferences
  2. Select Advanced
  3. Select Certificates
  4. Click the View Certificates button
  5. Select Authorities
  6. Click the Import button
  7. Browse to the location that you downloaded the certificate to in the first step
  8. Select the ls-rocket.der file
  9. Verify that the checkbox for “Trust this CA to identify websites” is selected and click OK

Install Proxy Certificate with Windows Chrome

  1. Go to chrome://settings/
  2. Scroll down and select Show advanced settings…
  3. Under the HTTPS/SSL section, select Manage certificates
  4. Select Trusted Root Certification Authorities
  5. Click Import and Next
  6. Browse to the location that you downloaded the certificate to in the first step
  7. Select the ls-rocket.der file
  8. Verify that the Certificate Store is set to Trusted Root Certification Authorities, click next and finish
  9. Accept the Security Warning
  10. Restart the browser

Install Proxy Certificate with Windows Internet Explorer

  1. Select Internet Options
  2. Select the Content tab
  3. Click Certificates
  4. Select Trusted Root Certification Authorities
  5. Click Import and Next
  6. Browse to the location that you downloaded the certificate to in the first step (you will need to have “All Files (*.*)” selected for the file type)
  7. Select the ls-rocket.der file and click Open
  8. Verify that the Certificate Store is set to Trusted Root Certification Authorities, click next and finish
  9. Accept the Security Warning
  10. Restart the browser

Install Proxy Certificate with Windows

  1. Click Start, click Start Search, type mmc, and then press ENTER
  2. On the File menu, click Add/Remove Snap-in
  3. Under Available snap-ins, click Certificates, and then click Add
  4. Under This snap-in will always manage certificates for, click Computer account, and then click Next
  5. Click Local computer, click Finish, and then click OK
  6. In the console tree, double-click Certificates
  7. Right-click the Trusted Root Certification Authorities store
  8. Click All Tasks and then select Import and click Next
  9. Browse to the location that you downloaded the certificate to in the first step (you will need to have “All Files (*.*)” selected for the file type)
  10. Select the ls-rocket.der file and click Open
  11. Verify that the Certificate Store is set to Trusted Root Certification Authorities, click next and finish

Install Proxy Certificate with OS X

  1. Open Keychain Access
  2. Select File
  3. Click Import Items
  4. Browse to the location that you downloaded the certificate to in the first step
  5. Select the ls-rocket.der file
  6. Select System for the Destination Keychain option
  7. Click the Open button
  8. Click the Always Trust button

Install Proxy Certificate with iOS

  1. Tap the Install button
  2. Tap Done

Install Proxy Certificate with Chrome OS

  1. Select Settings
  2. Select Show Advanced Settings
  3. Under HTTPS/SSL, select Manage Certificates
  4. Select the Authorities tab
  5. Select Import
  6. Browse to ls-rocket-chrome.crt and click open
  7. Select the checkbox labeled ‘Trust this certificate for identifying websites.’
  8. Click Ok, then click Done

Create a Certificate Signing Request

If you want to add the Lightspeed Systems Rocket appliance to your existing SSL certificate, click Administration from the dashboard, click SSL Certificate, and then click Create Certificate Signing Request to use this wizard to generate a certificate signing request to submit to your certificate authority.

  • Fully Qualified Domain Name – Enter the complete domain name for the Lightspeed Systems Rocket appliance, for example web_filter.example.org.
  • Country – Select your country from the dropdown list.
  • State or Province – Select your state or province from the dropdown list.
  • City – Enter your city in this field.
  • Organization – Enter your school, district name, or other organization information here.
  • Department (optional) – This field is optional. Enter your department here, or leave the field blank.
  • Email – Enter the administrator’s email address here.

Click Next >> to generate the request, and then submit the text in the Certificate Signing Request box to the certificate authority that created your SSL certificate (for example godaddy.com or thawte.com).

After the certificate authority has processed your request, you will receive a Certificate Key and, in cases where the certificate authority is not the root certificate, a Certificate Chain. Paste the certificate key and certificate chain into their respective boxes on the Complete Certificate Request form. To complete the signing request, click Finish.

Note:

The Lightspeed Systems Web Filter will return to the Certificate Signing Request page until you complete the request with the keys returned by your certificate authority.

Create Self-Signed Certificate

The Lightspeed Systems Web Filter ships with a self-signed certificate already installed. If you want to replace or update the built-in certificate with your own information, click Administration from the dashboard, click SSL Certificate, and then click Create Self-Signed Certificate to use the wizard on this page to create and apply your own self-signed certificate.

Note:

A self-signed certificate provides the necessary encryption for secure administration. Because the certificate is based only on the information you provide in this form, rather than from a recognized certificate authority, it is not intended for general public use.
The information you enter here will be visible to users who view your certificate information.

  • Fully Qualified Domain Name – Enter the complete domain name for the Lightspeed Systems Web Filter appliance, for example web_filter.example.org
  • Country – Select your country from the dropdown list.
  • State or Province – Select your state or province from the dropdown list.
  • City – Enter your city in this field.
  • Organization – Enter your school, district name, or other organization information here.
  • Department (optional) – This field is optional. Enter your department here, or leave the field blank.
  • Email – Enter the administrator’s email address here.

When you have finished entering information into the form, verify that it is correct, and then click Create. The Lightspeed Systems Web Filter will generate and apply the certificate. Edit the web bookmark or shortcut to your Lightspeed Systems Web Filter appliance, and change http: to https:, and then use the updated shortcut to connect to the console.

Import Existing Certificate

If you already have a certificate issued by a Certificate Authority for your domain, you can enter the certificate keys here by clicking Administration from the dashboard, clicking SSL Certificate, and then clicking Import Existing Certificate.

Paste the Private Key, Certificate Key, and (optionally) the Certificate Chain in their respective boxes, and then click Save.

Note:

When you import an SSL certificate to the Rocket, its private key must not require a password for the web service to launch. Using a certificate that requires a password will prevent the web server from restarting and will leave the Rocket in a state in which it cannot be managed.

How to Correctly Split and Import an Encrypted Certificate

Note: This only works with a PFX file

The best way to split and import an encrypted certificate is through the use of OpenSSL.

For Windows, you can download OpenSSL here: https://slproweb.com/products/Win32OpenSSL.html

OSX/Linux have OpenSSL built in. Simply type “locate openssl” or “openssl version” to confirm.

Windows Method

1. Download and install slproweb’s win32 release: Win32 OpenSSL v1.1.0e Light

2. Open CMD

3. CD into C:\OpenSSL-Win32\bin
openssl

4. Copy your PFX into C:\OpenSSL-Win32\bin\

5. Follow the next steps in extracting your keys needed to import to your Rocket. You will be prompted for a pass phrase which will be removed from the certificate.

  • a. Extract unencrypted private key: openssl pkcs12 -in name.pfx -nocerts -nodes -out name.unencrypted.priv.key
  • b. Extract Certificate
  • c. Extract only the certificate: openssl pkcs12 -in name.pfx -nokeys -clcerts -out name.pem
  • d. Extract Certificate Authority Chain
  • e. Extract CA chain: openssl pkcs12 -in name.pfx -nokeys -cacerts -out CAchain.pem. If there are multiple certificates in the chain, they will all be in the same output file.

Web Filter 2 Installation

1. Copy everything from the contents of the file including the =========BEGIN CERTIFICATE========= to the =========END CERTIFICATE=========

2. Open Web Filter 2 and navigate over to Administration > SSL Certificate > Import Certificate 

3. Right-click in the respective field for each item you copied and paste it in that field:

  • [Private key] will require the name.unencrypted.priv.key
  • [Certificate key] name.pem
  • [Intermediate key/Certificate Chain] CAchain.pem

WARNING:

Make sure there are no extra blank lines at the end of each certificate. They should look similar to the following:

=========END CERTIFICATE=========

=========BEGIN CERTIFICATE========

NOTE:

Some certificates include extra CN information. This can be included in each respective field/PEM file.

  • Ex.
    Bag Attributes
    Microsoft Local Key set: <No Values>
    localKeyID: 01 00 00 00
    friendlyName: le-a1f16e7d-e433-4590-848b-0fedfd6f8bcc
    Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
    Key Attributes
    X509v3 Key Usage: 10

If the intermediate/Certificate chain is blank, you will need to acquire this from your SSL company.
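A pre-flight check for the three fields before pasting them into the import form, given here as an added example and not Lightspeed Systems code. It assumes the standard PEM armor that OpenSSL writes (five hyphens around BEGIN/END); the function names and sample data are hypothetical, and the samples are constructed placeholders rather than real keys.

```python
import base64
import re

# PEM armor as OpenSSL writes it: five hyphens on each side of the label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}
ENCRYPTED_LABEL = "ENCRYPTED PRIVATE KEY"  # PKCS#8 key still under a pass phrase


def parse_pem(text):
    """Return [(label, headers, der_bytes)] for each armored block in text.

    Text outside the armor, such as Bag Attributes, is ignored.
    Raises ValueError if a body is not valid base64.
    """
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        headers, b64 = [], []
        for line in match.group(2).splitlines():
            line = line.strip()
            if not line:
                continue
            # Base64 never contains ':', so such a line is an RFC 1421 header.
            (headers if ":" in line else b64).append(line)
        blocks.append((match.group(1), headers,
                       base64.b64decode("".join(b64), validate=True)))
    return blocks


def check_field(text, kind):
    """Check one pasted field; kind is 'private_key', 'certificate' or 'chain'.

    Returns a list of problems; an empty list means the field looks importable.
    """
    problems = []
    if text[len(text.rstrip()):] not in ("", "\n", "\r\n"):
        problems.append("extra blank lines after the last END line")
    try:
        blocks = parse_pem(text)
    except ValueError as exc:
        return problems + [f"body is not valid base64: {exc}"]
    if not blocks:
        return problems + ["no PEM block found"]
    if kind != "chain" and len(blocks) != 1:
        problems.append(f"expected one PEM block, found {len(blocks)}")
    for label, headers, der in blocks:
        legacy_enc = any(h.replace(" ", "").upper() == "PROC-TYPE:4,ENCRYPTED"
                         for h in headers)
        encrypted = legacy_enc or label == ENCRYPTED_LABEL
        if kind == "private_key":
            if encrypted:
                problems.append("private key is pass-phrase protected")
            elif label not in KEY_LABELS:
                problems.append(f"expected a private key, found {label}")
        elif label != "CERTIFICATE":
            problems.append(f"expected CERTIFICATE, found {label}")
        if not encrypted and not der.startswith(b"\x30"):
            problems.append(f"{label} body is not a DER SEQUENCE")
    return problems


def armor(label, der, headers=""):
    """Build a PEM block for the constructed samples below."""
    body = base64.b64encode(der).decode("ascii")
    return f"-----BEGIN {label}-----\n{headers}{body}\n-----END {label}-----\n"


# Constructed samples: the payload is a 5-byte DER placeholder, not a real key
# or certificate, so only the structure of each field is exercised.
PLACEHOLDER = b"\x30\x03\x02\x01\x00"
GOOD_KEY = armor("PRIVATE KEY", PLACEHOLDER)
PKCS8_ENCRYPTED_KEY = armor(ENCRYPTED_LABEL, PLACEHOLDER)
LEGACY_ENCRYPTED_KEY = armor(
    "RSA PRIVATE KEY", PLACEHOLDER,
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n")
CERT_WITH_BAG = ("Bag Attributes\n    localKeyID: 01 00 00 00\n"
                 + armor("CERTIFICATE", PLACEHOLDER))
CERT_TRAILING_BLANKS = armor("CERTIFICATE", PLACEHOLDER) + "\n\n"
CHAIN = armor("CERTIFICATE", PLACEHOLDER) * 2

if __name__ == "__main__":
    for name, text, kind in [
            ("unencrypted key", GOOD_KEY, "private_key"),
            ("PKCS#8 encrypted key", PKCS8_ENCRYPTED_KEY, "private_key"),
            ("legacy encrypted key", LEGACY_ENCRYPTED_KEY, "private_key"),
            ("certificate with Bag Attributes", CERT_WITH_BAG, "certificate"),
            ("certificate with trailing blanks", CERT_TRAILING_BLANKS, "certificate"),
            ("key pasted into certificate field", GOOD_KEY, "certificate"),
            ("two-certificate chain", CHAIN, "chain")]:
        print(f"{name}: {check_field(text, kind) or 'ok'}")
```

The check is structural only: it does not prove that the private key belongs to the certificate, and the extracted key file is unencrypted, so store it with restricted permissions and delete it after the import.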

Verifying a Certificate

To verify that the certificate creation or import procedure succeeded, substitute “https” for “http” in the URL for your Lightspeed Systems Rocket appliance. This forces an SSL connection to the appliance.

  • If the certificate is a Self-Signed Certificate, it should give a certificate error but allow access via HTTPS.
  • If it is an officially signed certificate and the certificate matches the host that the client is connecting to, it should allow the HTTPS connection without a certificate error.

The certificate takes effect as soon as you apply it; no appliance restart is needed.

If you receive an error message after applying a certificate, click the back button on your web browser. In most cases, the certificate will be saved and applied correctly.

If you still experience errors, verify with your Certificate Authority that the information in the certificate is correct.

General

General

Use the General page to configure the basic functions of the Web Filter module. Click Save to save any changes you make.

Inline Filter

Decode SSL Certificates – Through various methods, including (among others) decoding of SSL Certificates and SNI extension to TLS, the Lightspeed Systems Web Filter can determine the site that a user is attempting to visit through SSL. The Lightspeed Systems Web Filter looks up the host in the database, and applies the appropriate policies.

Notes:

Because of the nature of SSL traffic, the Lightspeed Systems Rocket does not display the Access Page when blocking an HTTPS session.

A detailed technical discussion of SSL is outside the scope of this document. For technical information on SSL and related security topics, refer to the Wikipedia article on Transport Layer Security.

Bypass on failure – This setting controls how the Lightspeed Systems Web Filter should handle traffic in the event of hardware or software failure, or power loss. Select (check) this check box to allow unfiltered traffic to pass through the network interfaces. Unselect (uncheck) to block all traffic and disable all Internet access.

Block P2P networks – Peer to Peer (P2P) protocols such as BitTorrent and Skype can use up large amounts of bandwidth. They can also be a source of unwanted content such as viruses, trojans, inappropriate or infringing downloads. Select (check) this check box to block all unidentified UDP traffic. Enabling this option will block Skype, UltraSurf type traffic, and file-sharing networks such as BitTorrent.

Warning: Possible overblocking with the Block P2P networks option.

Enabling the Block P2P networks option could cause overblocking. Therefore, to prevent this, Lightspeed Systems recommends that you use P2P exclusions to allow specific traffic.

Block proxied requests – Users often attempt to bypass content filters by connecting to a proxy server, which disguises or encrypts traffic to escape detection. The Lightspeed Systems Web Filter uses advanced proxy detection and traffic analysis to block known and unknown proxy servers. Select (check) this check box to block proxy server connections.

P2P Exclusions

If you enabled the Block P2P networks option above you can use this table to exclude specified external IP addresses of peer-to-peer (P2P) sites.

Perform the following to add a new P2P exclusion list.

  • 1. Click Add P2P Exclusion.
  • 2. Enter the external IP address range, or check (select) All External IPv4 Addresses, or check (select) All External IPv6 Addresses, or check (select) All External IPv4 Addresses and check (select) All External IPv6 Addresses.
  • 3. Enter the port number or check (select) All Ports.
  • 4. Optional. Enter a meaningful description in the Comment field.
  • 5. Click Save.

Behavior

Disable Google encrypted search – Select this option to disallow access to Google’s encrypted search page, and redirect users to non-encrypted searches. Please note this option also applies to compatible Mobile Filter clients.
Enforce Google Safe Search – Select this option to redirect www.google.com requests to forcesafesearch.google.com. Please note although traffic will still be HTTPS, Google SafeSearch will be enforced.

Enforce YouTube Restricted Mode – Select this option to redirect www.youtube.com requests to forcesafetymode.youtube.com. Please note that traffic will still be HTTPS but YouTube safety mode will be enforced.

Important: While this is enforced within any browser accessing YouTube, the iOS YouTube app connects to Google through a method that does not provide unfiltered search results. To block the iOS YouTube app, add the URL pattern *googleapis.com/youtube/v1/search* to your Local-Block list.

Secure access page – Check (select) this option to force HTTPS when redirecting web requests to the access page.
YouTube for Schools Code – If your school is a member of YouTube’s EDU portal, enter your YouTube EDU code here.

YouTube EDU Codes

Please refer to Google’s YouTube EDU help page for more information.

Blocked Website Reviewers

As described in Rule Sets you can allow users to submit blocked sites for administrative review. To enable this option, you need to specify one or more destination email addresses for the review request messages. This should be the email address of a user with sufficient access to visit blocked web sites to determine the validity of the review request.

Enter the email addresses for your content reviewers in this field.

Retention

Use this page to configure the data retention period for the Reports module.

Adjust the slider to change the reporting period from 7 days (minimum) to 14 days (default) to 90 days (maximum), according to your school district’s data retention procedures.

Important:

At the end of the retention period, the Lightspeed Systems Web Filter purges the oldest data to make room for newer data. The system also runs automated backups daily and weekly. For long term data retention, you can copy these data files from the Rocket appliances’ shared network directory.

Proxy Server

The Proxy Server page is used to configure settings for the Proxy Server module. Configure decryption, authentication, and exclusion settings and then click Save to save your changes.

Note:

The Lightspeed Systems Proxy Server module automatically supports X-Forwarded-For headers. Please note that the X-Forwarded-For header will be added to HTTPS traffic ONLY if you have the Decrypt SSL traffic proxy option (described below) enabled.

Note:

See Configuring a Rocket Appliance as a Proxy Server for more information.

General

The General table is used to configure basic behavior applying to the proxy role, including decrypting SSL traffic, setting the proxy port, and configuring Web Cache Communication Protocol (WCCP).

Proxy Server General page

Decrypt SSL traffic – This setting controls how the Web Filter will filter HTTPS requests by decrypting traffic between the client and server in order to examine the full URL. Select (check) this check box to decrypt SSL traffic. Unselect (uncheck) to only examine the FQHN (fully qualified hostname) and not the full URL. Please note this option requires that you have the Proxy Server SSL Certificate installed. See SSL Certificate for more information.

Proxy Port – Enter the proxy port for the Proxy Server.

Enable WCCP – Check (select) this option to globally enable WCCP on the Rocket. In order to enable WCCP a Router IP (below) must first be supplied.

WCCP Router IP Address – To enable WCCP above enter the router IP address for the WCCP router. See the Configuring WCCP page for more information.

Security

The Security table is used to configure access and security settings for clients connecting to the proxy server.

Proxy Server Security Table

Restrict access – Check (select) this option to restrict external access to the Rocket Web Filter proxy server to only iOS and Chrome OS devices.

Require authentication – Check (select) this option to force authentication on all internal and external clients using the proxy server. Please note that the Transparent authentication source on the Mobile Devices page will be used to authenticate proxy users. This option will be disabled if WCCP is enabled above.

PAC Files

Proxy auto-config (PAC) files can be hosted on the Rocket. Users can enter the PAC file URL in their browsers to install it.

PAC Files Table

Note:

See the Wikipedia and FindProxyForURL.com articles for information about PAC file formats.

To view or edit an existing PAC file click its name. To upload a new PAC file follow the steps below.

    • 1. From the dashboard click Web Filter.
    • 2. Click Proxy Server.
    • 3. Click Upload PAC File. The following will be displayed.

Upload New PAC File

  • 4. Click Choose File.
  • 5. Select the PAC file and then click Choose.
  • 6. Optional: Enter a description.
  • 7. Click Save.

To delete a PAC file click the X in its row.

Google Apps Domains

You can create Google Apps Domain lists to limit access to Google Apps tied to specific domains. For example, if you set the restriction to yourschool.edu then users would only be able to use Google apps tied to yourname@yourschool.edu Google content, not yourname@gmail.com content.

Proxy Server Google Apps Domains

Notes:

  • You must enable the proxy option “Decrypt SSL traffic” to use this feature.
  • You cannot have google.com defined in the SSL Decryption Exclusions.
  • This feature ONLY applies to proxy clients.

Click a Google Apps Domain list to view and edit it and click the X in its row to delete it.

Tip:

Please refer to the Google Apps Administrator article “Block access to consumer accounts” for more information.

Follow the steps below to create a new Google Apps Domains list.

  • 1. From the dashboard click Web Filter.
  • 2. Click Proxy Server.
  • 3. Click Add Google Apps Domain.
  • 4. Enter the domain.
  • 5. Optional: Enter a comment.
  • 6. Click Save.

SSL Decryption Exclusions

The SSL Decryption Exclusions table is used to configure domains that will be excluded from SSL decryption by the Proxy Server.

SSL Decryption Exclusion

Follow the steps below to configure a domain to be excluded from SSL decryption by the Proxy Server.

  • 1. From the dashboard click Web Filter.
  • 2. From there, click Proxy Server under Module Settings.
  • 3. After that, click Add SSL Decryption Exclusion (Note: you must have Decrypt SSL Traffic checked and saved).
  • 4. Enter the domain name.
  • 5. Optional: Enter a meaningful description.
  • 6. Click Save.

Important: If you are using GAFE services, a current list of SSL exclusions as recommended by Google can be found in this help article.

Allowed Destination Ports

The Allowed Destination Ports table is used to configure destination ports to be used by the Proxy Server.

Follow the steps below to add an allowed destination port.

  • 1. From the main dashboard, click Web Filter.
  • 2. From there, click Proxy Server on the left nav.
  • 3. Then click Add Allowed Destination Port.
  • 4. Enter the destination port number.
  • 5. If the destination port is used for SSL check (select) Ssl.
  • 6. Optional: Enter a meaningful description.
  • 7. Click Save.

Inspectors

Normally, when an allowed URL is requested the Web Filter does not log data for further-allowed requests from the same domain for the next 5 minutes. With Inspectors, you can report fully-allowed URLs in detail. Inspectors can be applied to IP addresses, computer names, or user names.

You can have up to 5 inspectors per tier and up to 15 inspectors per Lightspeed Systems Rocket Appliance.

Creating an Inspector

    • 1. From the dashboard click Web Filter and then click Inspectors.
    • 2. Click the New Inspector button. A screen similar to the following will be displayed:

new-inspector

    • 3. Select the inspector type from the dropdown, which can be IP address, computer name, or user name.
    • 4. If you selected IP Address for the inspector type enter the IP address you want to inspect and proceed to Step 5. Otherwise, perform the following steps to configure the additional options for user and computer names.

new-user-inspector

    • – Select the authentication source from the dropdown.
    • – Enter the user or computer name in the search box and click Search.
    • – Select the user or computer name.
    • – Enter a meaningful name in the Name box.
  • 5. Enter a useful description in the Description box.
  • 6. Click Save.

When utilizing the mobile filter with the inspector a username MUST be provided. The Lightspeed Web Filter will be unable to retrieve additional information from mobile clients based on IP address or computer name.

Inspectors will not apply to IP addresses in the internal ignore list as the Lightspeed Web Filter records no data for those requests.

Editing and Deleting Inspectors

To edit an inspector’s description, follow the steps below:

    • 1. Click the name of the inspector on the Inspectors page. The following form will be displayed.

edit-inspector

  • 2. Enter a useful description.
  • 3. Click Save.

To delete an inspector, click the X in the inspector’s row and click OK when prompted.

Mobile Devices

The Mobile Devices page is where you configure how the Web Filter module manages mobile device access. To get filterable IP addresses for devices running Mobile Filter v5.x navigate to mobiledevices.lightspeedsystems.com. To manage devices running Mobile Filter v6.x and later navigate to mobile.lsfilter.com.

In addition, you can also force registration of mobile devices. Click Save to save any changes you make.

Mobile Filter

This table sets basic Web Filter behavior for mobile devices.

Force Registration – This setting controls whether all mobile devices must be registered. Select (check) this check box to force all mobile devices to be registered. Unselect (uncheck) to use an authentication source for all mobile devices.

Note:

If you do not force registration, then an authentication source is required.

Bypass on failure – This setting controls how the Lightspeed Systems Web Filter server should handle mobile traffic in the event that mobile devices are unable to communicate with your management server.

  • Select (check) to allow mobile devices to have unfiltered access if communication with your management server is lost.
  • Unselect (uncheck) to block unfiltered access if communication with your management server is lost.

Transparent authentication – Select the transparent authentication source from the dropdown list. You can use this setting for Google authentication. In addition, you can use this for proxy and RADIUS clients.

Notes:

Google Authentication: See Setting Up a Google Authentication Source for information about configuring Google authentication.

Proxy Clients: See Configuring a Rocket as a Proxy Server for information about configuring a Rocket appliance as a proxy server.

RADIUS Clients: See the Authentication page for information about setting the RADIUS shared secret and see Configuring a RADIUS Accounting Server for steps to configure a RADIUS accounting server.

Devices

This field displays the number of known mobile devices on your network. Click Remove All Devices to remove all mobile devices from your network. (Click Mobile Devices report to navigate to the Mobile Devices Report page.)

School ID

The School ID to be used for filtering.

Settings for v 6.x

For devices running Mobile Filter v6.x and later, navigate to mobile.lsfilter.com to uninstall passwords, configure MAC address registration, and so forth.

Tip:

See Using the Device Registration Portal to Manage Devices for more information.

Settings for v 5.x

Mobile Filter Addresses

This section displays the IP ranges that are registered for auto-configuration for devices running Mobile Filter v5.x. These IP ranges are configured when you set up Mobile Filtering at http://mobiledevices.lightspeedsystems.com/

v5 Mobile Filter Table

Tip:

Click Refresh this List to refresh the list of registered IP ranges.

Authentication

You can require users to web authenticate before they are allowed to browse the Web. The authentication process allows Internet access for a specified time period. When the time period elapses, users must log in again before continuing.

The Lightspeed Systems Web Filter uses various authentication methods. Once a user logs in, the Web Filter uses the Rule Sets and Assignments to determine what types of content to allow or block. If a user is not associated with a specific rule set, the Web Filter uses the Default web filter rule set.

Captive Portal

You can use a captive portal to force HTTP clients on your network to authenticate before using the Internet. Use the Captive Portal table to restrict Internet access to the portal until authentication requirements are satisfied.
Captive Portal Table

    • Captive portal – Check (select) this option to force all users to authenticate before using the Internet.
      • Exclude users reported by a User Agent, RADIUS, proxy or mobile filter – Check (select) this sub option to exclude users using the Lightspeed Systems User Agent, users authenticated by a RADIUS server, Proxy Servers users, or Lightspeed Systems Mobile Filter users.

Tip

You can create exemptions to Captive Portal settings in the Exemptions table below.

  • Capture discovery URLs – Check (select) this option to redirect users sending discovery URLs to an access page.

Access Page


  • Authentication – Check (select) this option to let users who have been blocked authenticate from an access page.

Lifetime

Use this table to configure authentication lifetimes for users, user groups, and user OUs.

Tips on authentication lifetimes

Authentication lifetimes configured for user names should be placed at the top so they will be evaluated first.

You can change the evaluation order of a lifetime by sliding it up or down. To delete a lifetime click the X in its row.


Adding an authentication lifetime

    • 1. To add an authentication lifetime click Add User. The following pop-up window will be displayed:

add-lifetime-popup

  • 2. Enter the following information:
    • Type – Select the authentication type for the user from the dropdown list, which can be User Group, User Name, or User OU
    • Authentication Source – Select the authentication source from the dropdown list
    • Use the search box to locate and select the user, user OU, or user group
    • Name – Enter the User Name, User OU, or User Group
    • Description – Enter a meaningful description
    • Authentication Lifetime – Enter the authentication expiration period in minutes, up to a maximum value of 7200 minutes (five days)
  • 3. Click Save to save your changes or Cancel to discard them
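
The ordering tip above, worked through as an added example (not Lightspeed Systems code). It assumes the lifetime table is evaluated top-down and the first matching row wins; the user, group and OU names are constructed sample data.

```python
from dataclasses import dataclass

MAX_LIFETIME_MINUTES = 7200  # maximum stated in the manual (five days)


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset
    ou: str


@dataclass(frozen=True)
class Lifetime:
    kind: str      # "User Name", "User Group" or "User OU" (the dropdown types)
    name: str
    minutes: int


def matches(rule, user):
    """True when a lifetime row applies to this user."""
    if rule.kind == "User Name":
        return rule.name == user.name
    if rule.kind == "User Group":
        return rule.name in user.groups
    if rule.kind == "User OU":
        return rule.name == user.ou
    raise ValueError(f"unknown lifetime type: {rule.kind!r}")


def effective_lifetime(user, table):
    """Assumed semantics: rows are checked top-down and the first match wins."""
    for rule in table:
        if matches(rule, user):
            return rule
    return None


def audit_lifetimes(table, users):
    """Report out-of-range lifetimes and user-name rows that never take effect."""
    findings = []
    for rule in table:
        if not 1 <= rule.minutes <= MAX_LIFETIME_MINUTES:
            findings.append(("out-of-range", rule.name, rule.minutes))
    for user in users:
        winner = effective_lifetime(user, table)
        for rule in table:
            is_user_row = rule.kind == "User Name" and rule.name == user.name
            if is_user_row and rule is not winner:
                # A broader row higher in the table matched this user first.
                findings.append(("shadowed", rule.name, winner.name))
    return findings


# Constructed sample directory and lifetime tables.
ALICE = User("alice", frozenset({"Staff"}), "OU=Teachers")
BOB = User("bob", frozenset({"Students"}), "OU=Grade9")

BAD_ORDER = [
    Lifetime("User Group", "Staff", 7200),
    Lifetime("User Name", "alice", 30),      # never reached: Staff matches first
    Lifetime("User OU", "OU=Grade9", 480),
]
GOOD_ORDER = [BAD_ORDER[1], BAD_ORDER[0], BAD_ORDER[2]]

if __name__ == "__main__":
    for label, table in (("bad order", BAD_ORDER), ("good order", GOOD_ORDER)):
        rule = effective_lifetime(ALICE, table)
        print(label, "-> alice gets", rule.minutes, "minutes;",
              "findings:", audit_lifetimes(table, [ALICE, BOB]))
```

With the group row on top, the 30-minute lifetime intended for one account is silently replaced by the group's five-day lifetime, which is the case the tip guards against.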

Source Exemptions

Use these tables to enter IP addresses that are exempt from authentication.

Note:

Please note authentication exemptions do not apply to captive portal discovery URLs. Therefore, if the Capture discovery URLs option is enabled clients will be redirected to an authentication page if and when they try to hit one of the discovery URLs, even if the client’s IP is in the Exemptions list.

Tips for Exemptions

Source Exemptions are only applied to the “Require users to authenticate before web browsing” option in the Access table above and NOT the “Allow Users to authenticate from the access page when blocked” option.

To delete an exemption, move the mouse cursor over the right side of the exemptions list until an X appears. Click the X to remove the IP address or range from the list.


Adding an Exemption

    • 1. Click Add Exemption. The following pop-up window will be displayed:

add-exemption-popup

  • 2. Enter the following information:
    • IP Range/Mask – You can allow specific IP addresses or ranges to access the Internet without authenticating. Add the starting IP and the ending IP addresses for a range, or add the same address as the start and end address for a single IP. You can enter as many IP addresses as you need. Enter IP addresses in one of the following formats:
      • 192.168.1.0 – single IP address
      • 192.168.1.0-192.168.1.254 – range of IP addresses
      • 192.168.1.0/24 – CIDR notation for same range as above
    • Comment – Enter any comments about this exemption.
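
A review script for a source exemption list, as an added example (not part of the product): it parses the three entry formats listed above and flags malformed, overlapping and very broad rows. The sample list and the 256-address review threshold are assumptions chosen for illustration.

```python
from ipaddress import IPv4Address, IPv4Network


def parse_exemption(entry):
    """Return the (first, last) addresses covered by one exemption entry."""
    text = entry.strip()
    if "/" in text:                                   # CIDR notation
        net = IPv4Network(text, strict=False)
        return net.network_address, net.broadcast_address
    if "-" in text:                                   # start-end range
        start_s, end_s = text.split("-", 1)
        start, end = IPv4Address(start_s.strip()), IPv4Address(end_s.strip())
        if start > end:
            raise ValueError(f"range start is after range end: {entry!r}")
        return start, end
    addr = IPv4Address(text)                          # single address
    return addr, addr


def address_count(span):
    """Number of addresses between first and last, inclusive."""
    first, last = span
    return int(last) - int(first) + 1


def is_exempt(client_ip, entries):
    """True when client_ip falls inside any well-formed exemption entry."""
    ip = IPv4Address(client_ip)
    for entry in entries:
        try:
            first, last = parse_exemption(entry)
        except ValueError:
            continue  # a malformed row exempts nobody
        if first <= ip <= last:
            return True
    return False


def audit_exemptions(entries, max_addresses=256):
    """Flag malformed, overly broad and overlapping exemption rows."""
    findings, seen = [], []
    for entry in entries:
        try:
            span = parse_exemption(entry)
        except ValueError as exc:
            findings.append(("invalid", entry, str(exc)))
            continue
        count = address_count(span)
        if count > max_addresses:  # assumed review threshold, not a product limit
            findings.append(("broad", entry, f"{count} addresses skip authentication"))
        for other_entry, other in seen:
            if span[0] <= other[1] and other[0] <= span[1]:
                findings.append(("overlap", entry, other_entry))
        seen.append((entry, span))
    return findings


# Constructed sample list: the manual's three format examples plus two
# rows a reviewer would want to catch.
SAMPLE_EXEMPTIONS = [
    "192.168.1.0",
    "192.168.1.0-192.168.1.254",
    "192.168.1.0/24",
    "10.0.0.0/8",
    "192.168.5.20-192.168.5.10",
]

if __name__ == "__main__":
    for kind, entry, detail in audit_exemptions(SAMPLE_EXEMPTIONS):
        print(f"{kind:8} {entry:28} {detail}")
    print("192.168.1.255 exempt via range:",
          is_exempt("192.168.1.255", ["192.168.1.0-192.168.1.254"]))
    print("192.168.1.255 exempt via /24:  ",
          is_exempt("192.168.1.255", ["192.168.1.0/24"]))
```

The output also shows that the /24 entry covers one more address (192.168.1.255) than the explicit range ending in .254.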

Destination Exemptions

Use the Destination Exemptions table to configure external IP addresses or domains where authentication is not required.


Follow the steps below to configure a domain to be excluded from authentication.

  • 1. From the dashboard click Web Filter.
  • 2. Click Authentication.
  • 3. Click Add Exemption under Domain Exemptions. The following will be displayed.

AddExemptionPopup

  • 4. Enter the domain or IP address you want to exclude from authentication.
  • 5. Optional. Enter a meaningful description.
  • 6. Check (select) Proxy Auth Exemption if you want this domain exempted from authentication on the Proxy Server module.
  • 7. Check (select) Web Auth Exemption if you want this domain exempted from authentication on the Web Filter module.
  • 8. Click Save.

RADIUS

The Rocket appliance supports RADIUS accounting for user identification, which allows the Rocket to act as an accounting server for an existing RADIUS implementation. You can use the Rocket’s accounting server to pass authentication from wireless access points.

Note:

Only user names and IP addresses are passed to the Rocket accounting server.

Use the RADIUS table to configure the onboard RADIUS accounting server.


Shared secret – Enter the RADIUS shared secret to be used for the Rocket RADIUS accounting server. It must be the same shared secret that you configured on your wireless access point.

Click Save to save any changes you make.

Notes:

See the Mobile Devices page to configure the authentication source for the accounting server and see Configuring a RADIUS Accounting Server for steps to configure a RADIUS accounting server.

For servers or computers that do not have users logged in, you need to create either an Authentication Exemption or an Internal Ignore List entry. For an external web server, you need to create an External Ignore List entry.

Administration

Web Filter Administration

Web Filter Essentials. 

Module Settings

From the Settings menu, you can configure some key elements of your Web Filter:

  • Authentication – which users must provide login credentials before browsing the web, and how
  • General – how to configure:
    • The inline filter
    • Basic behavior for all Web Filter module modes
    • Blocked website reviewers
  • Inspectors – using inspectors to report complete data about a user, computer, or IP address
  • Mobile Devices – how to handle mobile device access
  • Proxy Server – configuring settings for the Proxy Server module
  • Retention – setting the data retention period for the Reports module

Content Database

The Content Database is the core of the Web Filter module. The Web Filter module uses a database consisting of millions of domains, IPs, and URLs combined, sorted into categories appropriate for education.

About our Database

Our database is education specific. This means that in almost all cases any website that is necessary for the classroom is already categorized properly for education, so there is no need to allow unknown or unverified websites for day-to-day classwork.

And our database is dynamic. We use a variety of methods for categorization including:

  • Internet crawlers that are constantly scanning new and existing websites for malware and inappropriate content
  • Human review team that not only verifies change requests from users but also validates the crawlers
  • And our education community worldwide. Feedback from classrooms all over the world is sent back to our database team and processed. These changes are shared with all customers, so we are working together to create the most complete and accurate database for schools

With our dynamic database, we can update all of the Rocket Web Filters worldwide within minutes if necessary. This takes the burden of real-time scanning off of your individual Rocket and moves it out to the cloud where our resources and shared customer base can all help each other.

Categorized Sites

Use the Categorized Sites page to search the Content Database for a URL. The search results will show how the URL is currently categorized.

From the search results, you can add a domain to your Local-Allow and Local-Block lists, create redirection rules for built-in or local categories, or add a domain to one of the default categories.

To update the category for a domain:

  • 1. Search for the domain, URL, or IP address on the Categorized Sites page.


  • 2. In the search results, click to edit the domain you want to recategorize.


  • 3. Click to open the Category dropdown list, and select a local category or an existing default category, then click Save.

Note:

These exceptions are stored locally on your Rocket, and are not sent to Lightspeed Systems. To request a review of a site by Lightspeed staff, please submit the request via the Database form.

Tip:

Open the Rule Sets page and click Default to see the complete list of content categories and the default Allow and Block actions.

How Web Filter Handles Unknown URLs

All Rocket appliances ship with a base categorization database of the most commonly used sites. When a site is unknown to a customer’s on-premise Rocket, a request is sent to our Dynamic Database (DDB) servers for categorization. This process works much like a DNS lookup: our master databases respond to the on-premise Rocket with the proper categorization for the site and a Time To Live (TTL). (This is designed for maximum efficiency and speed.)

The TTL tells the on-premise Rocket how long to store the looked-up entry in its local database. The TTL varies by category, but most are set for two weeks. This allows your Rocket to maintain only the categorizations for sites that your end users are visiting. If a site changes categories before the TTL expires, our emergency update process alerts the Rocket appliance to recheck the categorization before the TTL expires. This is useful if a website is compromised by malware: when this is discovered, we can signal all the Rocket appliances to update their categorization within minutes to ensure that customers are protected.

Since the internet is very dynamic and sites are added every day, there are cases where a customer Rocket will request a site that is not in our master database. In that case the site is returned as unknown with a short TTL. Our DDB sends this information to our categorization engine with top priority, and most sites are fully categorized within a few hours. When the TTL expires, the new categorization is pushed to your on-premise Rocket.
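
The lookup and TTL behaviour described above, modelled as an added example (not Lightspeed Systems code). The class names, category labels, the one-hour short TTL and the re-query on expiry are assumptions made for illustration; the model shows the window in which a recategorized site is still answered from the local entry, and how the emergency recheck closes it.

```python
from dataclasses import dataclass

DAY = 24 * 3600
DEFAULT_TTL = 14 * DAY   # "most are set for two weeks" (from the manual)
UNKNOWN_TTL = 1 * 3600   # assumed value; the manual only says "short"


@dataclass
class CachedEntry:
    category: str
    expires_at: int


class MasterDatabase:
    """Stand-in for the vendor's DDB servers (hypothetical interface)."""

    def __init__(self, categories):
        self.categories = dict(categories)
        self.queries = 0

    def lookup(self, domain):
        self.queries += 1
        category = self.categories.get(domain)
        if category is None:
            return "unknown", UNKNOWN_TTL
        return category, DEFAULT_TTL


class LocalRocketCache:
    """Model of the on-premise lookup: answer locally until the TTL lapses."""

    def __init__(self, master):
        self.master = master
        self.entries = {}

    def categorize(self, domain, now):
        entry = self.entries.get(domain)
        if entry is None or now >= entry.expires_at:
            category, ttl = self.master.lookup(domain)
            entry = CachedEntry(category, now + ttl)
            self.entries[domain] = entry
        return entry.category

    def emergency_recheck(self, domain):
        """Model of the emergency update: force a fresh lookup before expiry."""
        self.entries.pop(domain, None)


def run_scenario():
    """Replay a constructed timeline; return the answers and upstream query count."""
    # Domains and category labels below are constructed sample values.
    master = MasterDatabase({"courseware.example": "education"})
    rocket = LocalRocketCache(master)
    timeline = []

    # Day 0: first visit, cached for two weeks.
    timeline.append(("day 0", rocket.categorize("courseware.example", 0)))

    # Day 1: the site is compromised and recategorized upstream.
    master.categories["courseware.example"] = "malware"
    timeline.append(("day 1, before signal",
                     rocket.categorize("courseware.example", 1 * DAY)))

    # The emergency update arrives: the stale entry is dropped and re-fetched.
    rocket.emergency_recheck("courseware.example")
    timeline.append(("day 1, after signal",
                     rocket.categorize("courseware.example", 1 * DAY)))

    # A brand-new site is unknown upstream and gets the short TTL.
    t0 = 2 * DAY
    timeline.append(("new site", rocket.categorize("newsite.example", t0)))
    master.categories["newsite.example"] = "forums"   # categorized hours later
    timeline.append(("new site, TTL running",
                     rocket.categorize("newsite.example", t0 + UNKNOWN_TTL - 1)))
    timeline.append(("new site, TTL expired",
                     rocket.categorize("newsite.example", t0 + UNKNOWN_TTL)))
    return timeline, master.queries


if __name__ == "__main__":
    steps, queries = run_scenario()
    for label, category in steps:
        print(f"{label:24} -> {category}")
    print("upstream queries:", queries)
```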

Categories

See details on our categories here.

Many customers can use Lightspeed Systems default blocked and allowed categories without modification. However, you can override the default categories by adding Domains, IPs, or URLs to the Local-allow and Local-block categories. You can also create your own local categories containing Domains, IPs, or URLs that should be handled differently.

Local Categories

The simplest way to manage local categories is to use the Reviews report to categorize the sites your users are attempting to access. You can also edit the local categories by clicking the category name, and then adding sites manually.

  • Local-allow – The local-allow category allows you to unblock sites that would ordinarily be blocked by the Lightspeed Systems database
  • Local-block – The local-block category allows you to block sites that are normally allowed by the Lightspeed Systems database

Add Local Category

Click the Add Local Category button to add a new Local Category.

  • Name – Enter a meaningful name for your local category in this field
  • Description – Briefly describe the category here, for example “search engines”
  • Redirect URL – When a user requests a site within a blocked category, the URL you enter here will be displayed instead of the requested page. Enter the destination URL for sites in this category. For example, you can redirect requests for Google.com, Yahoo.com, and other search engines to a child-safe site such as RefSeek. Leave this field blank if you do not want Lightspeed Systems Web Filter to redirect URLs in this category
  • Set default behavior to block – Select (check) this check box to block all sites in this list. Instead of opening the requested page, the Web Filter will display the Access Page

Categories with Local Changes

You have the option to use one of the standard Lightspeed categories instead of adding a domain to a local category. There are a couple of reasons to use this option:

  • Reports — recategorized domains will be associated with meaningful category names, without requiring you to duplicate the list of default filter categories.
  • Block Page — users will see a meaningful category name when accessing a blocked page, again without requiring you to duplicate the list of default filter categories.

Domains are added to local and standard categories from the Categorized Sites page.

Redirected Categories

You can redirect any of the predefined blocked content categories to a URL of your choice. For example, you can redirect all sites in the category kids_and_teens.chat to a single chat site such as Kidzworld. Note that local categories with redirect URLs will also appear in this list.

Add Redirected Category

Click the Add Redirected Category button to add a redirected category.


  • Category – Select a content category from the dropdown list.
  • Redirect URL – Enter the destination URL for sites in this category.

Locked Categories

Locked categories are content categories that should always be blocked, even to users with rule sets or advanced rule sets that would otherwise allow access.

Add Locked Category

Click the Add Locked Category button to add a new Locked Category.


  • Category – Select a content category from the dropdown list.

Categorized sites

The Categorized Sites page is where you search the Lightspeed Systems Content Database for web sites, IP addresses, and URLs, to determine their category and blocking status.

Note:

Use the wildcard character ( * ) to find subdomains. For example, to find subdomains of “cnn.com,” search for “*.cnn.com.”

Adding a site to a local category

    • 1. Click the site name in the list to add the site to a local category.


  • 2. Enter the following information:
    • Category – From the dropdown list select the local category.
    • Apply to selected URLs – Check (select) subdomains you want to add to the local category.
    • Comment – Optional. Enter a comment for this local category.
  • 3. Click Save to save your changes.

Tip:

Search for URLs at http://archive.lightspeedsystems.com to see detailed information about a web site’s classification.

Guaranteed Categories

The Guaranteed Categories feature regulates the flow of traffic, both outbound and inbound, for various content categories. This means, for example, that important traffic, such as online courseware, will not have to share bandwidth with less important traffic such as general web surfing and streaming media.

With guaranteed categories enabled, the Lightspeed Systems Rocket begins to prioritize traffic by category when overall traffic reaches a specified percentage of the throughput.

Enable Guaranteed Categories

This is a simple on-off switch. Click to turn guaranteed categories on or off:

Guaranteed Categories On:

Guaranteed Categories Enabled

Guaranteed Categories Off:

Guaranteed Categories Disabled

Set Threshold

This is the percentage of the minimum bandwidth for your site at which to begin prioritizing traffic. Slide the pointer to reduce or increase the bandwidth allocation for non-excluded categories. Click Apply to save your change.

Select Guaranteed Categories

This area shows a list of the current guaranteed categories.

Add Category

To add a content category to the guaranteed category list, click Add Category, choose a category from the dropdown list, and then click Save.

Note:

Traffic to any category not in the excluded list will be blocked when the guaranteed category threshold is reached.


Delete a Category

To remove a category from the Exclusions list, move the mouse cursor over the right side of the exclusions list until an X appears. Click the X to remove the category from the list.

Note:

Guaranteed Categories (formerly known as “Bandwidth Management”) in the Rocket is simplified to provide what districts have told us they need. We asked customers what they needed from guaranteed categories, and they said they wanted to ensure that usage of certain critical websites (such as an online state testing site) not be impacted by the use of media-rich Web 2.0 sites. The Guaranteed Categories feature in our Web Filter does just that, as it allows users to easily set a threshold to begin blocking all non-critical categories. For more information on using Guaranteed Categories for online testing, view Rob’s Blog post.

User Agents

PC User Agent

A critical factor for the efficient administration of any network is the ability to quickly and reliably identify client workstations, whether reviewing their network activity in real-time reports or conducting statistical reviews. Difficulties in resolving the assigned names of a variety of workstations and operating systems often leave many network reports lacking clear and simple identification for many devices and complicate the assignment of traffic control policies.

Fully understanding this issue, Lightspeed Systems developed the User Agent (UA) to resolve these user identification issues.

  • Directory support for Active Directory, Novell, and OpenLDAP (configuration required) user resolution.
  • Reports computer name, user name, groups and OU (as applicable). When clients are not part of a directory, simple machine name and simple user name are reported.
  • Server-side LTDP interrogation in case reporting fails.
  • Reporting occurs at Startup, Logon, Logoff, and Heartbeat (every 30 minutes).
  • Designed to run on machines having a minimum of 256 MB RAM.
  • The agent runs transparently on the client workstation and is not visible to the user.

Recommended: Set the User Agent Service recovery options to “Restart the Service”
To ensure the User Agent Service is always running, and to help facilitate error recording in the event of a service crash, please set the User Agent Service recovery options to “Restart the Service” as shown below.

ua-restart-service

This behavior can be set with a Group Policy Object (GPO) to avoid manually editing the preferences on each workstation. See the Microsoft Windows Server help page “Configure a Service Item” for information about configuring a GPO.

Install

Prerequisites

Ensure your system satisfies the Hardware and Software Requirements.

Before beginning this procedure, you will need to obtain the following components from Agents and Downloads:

  • MSI Transform Utility – The MSI Transform Utility is used to create an installation “modification” package that assigns/configures a desired server address during the MSI installation. The identified server will receive the user name information to be used for Lightspeed Rocket identification and reporting purposes. Click to download MSITransform.exe.
  • User Agent(x86 or x64).msi – This component is the basic installation package for the User Agent and can be used with the MSI Transform Utility created files or can be installed as is and manually configured with the Lightspeed Rocket information afterward. Both x86 and x64 version are available.

Note:

Special consideration needs to be taken if the User Agent is going to be included in your base image. Before shutting down the master machine for the last time you will need to stop the User Agent service and delete the “HKEY_LOCAL_MACHINE\SOFTWARE\Lightspeed Systems\User Agent\Machine UUID” registry key. This will ensure that a unique UUID is created after deploying your image. Please contact support if you need any assistance.

Note:

In a multi-Rocket environment, the user agents should point to the parent server.

ActiveDirectory Install

You can use Group Policy Objects (GPOs) to assign and install software to computers in a domain, and it can be useful to deploy this software based on group membership or OUs. This section describes how to have your User Agent software deployed across multiple OUs.

Agents interact with the server using a special TCP protocol that runs on port 1306. This port needs to be accessible through firewalls and any other devices that might be in between the agents and the server. Reports are sent to the server over this protocol to keep it up to date and accurately reflect who is logged on to each IP address.

Instructions

  • 1. Create a network share folder to hold the deployment MSI and MST files. Set the security on this folder to allow AD users and computers (“Everyone” group) to have ‘read and execute’ privileges. Build, copy or move the required MSI and MST files into this location.
  • 2. Login to your network’s Active Directory server as a domain administrator, and then launch the Active Directory Users and Computers snap-in.
  • 3. Although you can apply group policies to an entire domain and multiple OUs, it is highly recommended that, when planning the installation of the User Agent software, you apply the group policy ONLY to the lowest common workstation OU, not at the domain level.
  • 4. From the Active Directory ‘Users and Computers’ snap-in, locate the OU that you want to have the GPO linked to. Right-click that OU, click Properties, and then click on the Group Policy tab.
  • 5. Click the New button to create a new GPO for installing the User Agent MSI package. Enter a descriptive name for this new Group Policy, such as “Deployment of User Agent” and click Enter.
  • 6. Select the new GPO name that you just created and click Edit. This starts the Group Policy Editor.
  • 7. Expand the Software node of the Computer Configuration set, then right-click ‘Software Installation’. Select the ‘New -> Package’ option to open the browse dialog for selecting the User Agent MSI.
  • 8. Navigate to the network location that contains the User Agent installer files. Click on the ‘User Agent(x86 or x64).msi’ file, and then click Open.
      If the installer files reside on a local hard drive, do not use a local path provided by the browser – instead, use a UNC path (such as \\servername\sharename\path\filename.msi) for the local PC to universally indicate the location of the installation files.
  • 9. If you allow the Group Policy to be created with the file location specified as ‘local’, client computers that attempt to install the package will look in their LOCAL hard drive folders, and will not find the installation files and the installation will fail.
  • 10. In the Deploy Software options dialog, click and select the Advanced option, which will allow you to specify modifications (MST files) for the software installation then click Enter to move to the installation properties dialog.
  • 11. Click on the Deployment tab and make sure that the ‘Uninstall this application when it falls out of the scope of management’ option is NOT ENABLED.
  • 12. Click on the Modifications tab, then click the Add button to browse for the associated MST file. This file should have been labeled “UserAgentServerID.mst” and should be in the common file share where the “User Agent(x86 or x64).msi” file is located. Select this file and click the Open button to add it to the modifications list.
    Click the OK button when all properties are complete. This will save and assign the GPO to the selected OU. Click on the Software Installation node to refresh and display the completed/assigned policy.

Changes to a GPO are not immediately imposed upon the target computers, but are applied in accordance with the currently valid group-policy refresh interval. You can use the Secedit.exe command-line tool to impose GPO settings upon a target workstation immediately.

You should verify your Lightspeed Rocket settings for name resolution services.

ZENworks Install

Follow the PC User Agent Install steps above before proceeding.

  • 1. Login to the ZENworks ConsoleOne as an Administrator.
  • 2. Create a New Application in the appropriate OU
  • 3. Right-click on the desired OU and select ‘New Application Object’
  • 4. Select the option ‘An application that has an MSI file’ and click Next.
  • 5. Navigate to or enter the UNC path to the User Agent(x86 or x64).msi file in the file share location. Click Next.
  • 6. Provide a name for the deployment object, such as “Deploy Lightspeed User Agent”, then click Next.
  • 7. No Rules should need to be added, so click Next.
  • 8. No additional user assignments should be needed, so click Next.
  • 9. When the Summary dialog is displayed verify the settings, then click Finish.
  • 10. Configure the User Agent to report to the local Lightspeed Rocket.
  • 11. Right-click on the new Application Object (‘Deploy Lightspeed User Agent’) and select the Properties option.
  • 12. Click on the MSI tab, select the Transform option and click Add.
  • 13. Browse to your .MST file (created as a pre-requisite), select it and click OK.
  • 14. Click OK to complete the configuration task and prepare the object for deployment.
  • 15. Assign the deployment application object with deployment rights. The ‘Run Once’ option will force it to all machines.

Manual Install

Ensure you’ve followed the PC User Agent Installation instructions above before proceeding.

  • 1. Working at the target workstation as a Local Administrator, prepare a local copy of the User Agent(x86 or x64).msi file by either downloading it from Agents and Downloads or by accessing it from a network share or removable media.
  • 2. Launch the User Agent(x86 or x64).msi program from a command prompt set to the source location of the MSI file, using the command: MSIEXEC /I User Agent(x86 or x64).msi ID_SERVER=192.168.2.23, where the ID_SERVER value is the IP Address or network FQHN of the Rocket Web Filter. The User Agent software will be installed into the c:\Program Files\Lightspeed Systems\UserAgent directory and the Identification Server (Lightspeed Rocket) will be properly set in the registry.
    • Examples:
    • MSIEXEC /I UserAgentx86.msi ID_SERVER=192.168.2.23
    • MSIEXEC /I UserAgentx64.msi ID_SERVER=192.168.2.23
  • 3. If you wish to verify the registry setting applied properly:
    • Launch the registry editor – ‘Regedit.exe’ – from the Explorer window or from a command prompt.
      Navigate to the registry key
      ‘HKEY_LOCAL_MACHINE>Software>Lightspeed Systems>User Agent>Identification Server’
      and verify that your target server (Rocket Web Filter) has been properly registered. Modify the key value if necessary, then close the registry editor.
  • 4. When the installation is complete, you may need to reboot the workstation to activate the User Agent (or go to the services.msc and cycle the “User Agent Service”).

Upgrades

The PC User Agent can be installed directly over an existing version, exactly as if it were a brand new install.

Uninstall

Follow either of the processes below to remove the User Agent.

Option 1: GUI

  • 1. Open Add or Remove Programs.
  • 2. Click Remove next to Lightspeed Systems User Agent.
  • 3. Select Yes to confirm removal.
  • 4. Click Yes to complete the uninstall.

Option 2: Command Line

Run MSIEXEC /uninstall UserAgent(x86 or x64).msi with /passive or /quiet.
This requires the UserAgent(x86 or x64).msi file to be in the same directory.

OpenLDAP Configuration

The User Agent supports native OpenLDAP user resolution. Using the WinLDAP implementation, the User Agent queries an LDAP server to obtain the base search path, the user’s DN and the user’s groups. Note: Unlike AD and Novell environments, an OpenLDAP environment requires UA registry configuration.

In order to communicate with the OpenLDAP server, configure the following under HKLM\Software\Lightspeed Systems\UserAgent:

  • Set “Network Type” to “LDAP”
  • Add “LDAP Server” (REG_SZ), then set it to either the IP address or the FQDN
  • Optional registry values may be required for some OpenLDAP environments. (Please contact support should the current implementation not work properly in your environment.)
    • LDAP Base Search Path (REG_SZ) – optional, the base path of the LDAP directory (default: dynamically obtained)
    • LDAP Group Class (REG_SZ) – optional, objectclass for a group (default: posixGroup)
    • LDAP User Attribute (REG_SZ) – optional, the LDAP attribute that defines a user in the directory (default: uid)
    • LDAP Member Attribute (REG_SZ) – optional, the LDAP attribute that defines a member of a group (default: memberUid)
    • LDAP Bind User DN (REG_SZ) – optional, a full DN of a user that has access to the LDAP directory (no default)
    • LDAP Bind User Password (REG_SZ) – optional, the password for the user above (no default)

Mac User Agent

A critical factor for the efficient administration of any network is the ability to quickly and reliably identify client workstations, whether reviewing their network activity in real-time reports or conducting statistical reviews. Difficulties in resolving the assigned names of a variety of workstations and operating systems often leave many network reports lacking clear and simple identification for many devices and complicate the assignment of traffic control policies.

Note:

Nested Groups are not supported by the Mac User Agent.

Fully understanding this issue, Lightspeed Systems developed the Mac User Agent (MUA) to resolve these user identification issues.

  • Reports computer name, user name, groups, and user OU (as applicable) when bound to Active Directory, Open Directory, or Novell eDirectory (Release v3.1.2 and later) services. When no services are bound, simple machine name and simple user name are reported.
  • Computer OU and computer DN are not supported.
  • Server-side LTDP interrogation in case reporting fails.
  • Set “Preferred Directory Service” upon installation.
  • Information reported or sent in reply to LTDP interrogation is determined by the Mac UA installation setting “Preferred Directory Service”, i.e. Active Directory, Open Directory, Novell (eDirectory), or None. For OD or Novell resolution the preferred Open Directory setting must be enabled. If None is set, a check occurs to see if an AD server is bound and active in Directory Services; if so, the MUA will default to AD info.
  • Reporting occurs at Startup, Logon, Logoff, and Heartbeat (every 30 minutes from MUA Startup).
  • The Mac Identification module runs transparently on the client workstation and is not visible to the user.

Install

Prerequisites

Verify that you meet the Hardware and Software requirements.

Note:

In a multi-Rocket environment, the user agents should point to the parent server.

The steps for local and remote installations are listed below. Please note the following bindings are supported.

  • Native binding to AD or AOD
  • No nested groups for AD

Ensure you’ve followed the Mac User Agent Install article before proceeding. Please note admin access is required for installation on the client workstations and a reboot will be required at the end of the installer routine.

Local Install – Version 4.x (for Yosemite only)

    • 1. Download the installer from Lightspeed Systems
      • Downloads are located at Agents and Downloads
    • 2. From your Mac workstation open and mount the UserAgent.dmg file.
    • 3. Run the Lightspeed Systems UserAgent.pkg file to start the installer and click Continue on the warning.
    • 4. On the Introduction page click Continue.
    • 5. On the Installation Type page click Install to proceed with the installation. Please note you will be prompted to enter the admin password in order to install.
    • 7. Open a Terminal window and send the following command to set the server:
      sudo defaults write useragent IdentServer -string "192.168.0.200"
    • 8. Once complete click Close, reboot and ‘You’re Done!’

Mac User Agent Installer Log File

The Mac User Agent version 4.x installer writes to the file /private/var/log/system.log with ‘useragent’ before each line. You can use this file to help you understand installation issues or to help Lightspeed Systems Support help you in solving any installation issues.

Local Install – Version 3.x (for older Mac OSX versions)

    • 1. Download the installer from Lightspeed Systems
      • Downloads are located at Agents and Downloads
    • 2. From your Mac workstation open and mount the LightspeedUserAgent.dmg file.
    • 3. Run the Lightspeed Systems UserAgent.pkg file to start the installer and click Continue on the warning.
    • 4. On the Introduction page click Continue.
    • 5. On the Installation Type page click Install to proceed with the installation. Please note you will be prompted to enter the admin password in order to install.
    • 6. On the Setup page define the hostname or IP of your Rocket Server, select your Preferred Directory Service and click Continue.
    • 8. Once complete click Close, reboot and ‘You’re Done!’

Mac User Agent Installer Log File

The Mac User Agent version 3.x installer writes exclusively to the /Library/Logs/Lightspeed Systems/UserAgent.log file.  You can use this file to help you understand installation issues or to help Lightspeed Systems Support help you in solving any installation issues.

Remote Install

    • 1. Download the installer from Lightspeed Systems
      • Downloads are located at Agents and Downloads
      • Inside the install .dmg is the .pkg file needed to deploy to clients via Apple Remote Desktop (ARD) or another remote desktop application.

Tip:

You can use the free Packages application or Apple’s built-in pkgbuild and productbuild utilities to create .pkg files.

    • 3. Deploy the User Agent package using Apple Remote Desktop or another remote desktop application. Refer to the documentation for your deployment tool on how to remotely install the agent.

Please note once the User Agent is installed, you will need to run the following script to configure the Identification Server. Be sure to replace the IP address below with the IP address or the FQDN of your Rocket appliance. Also please note the command requires admin access.

sudo defaults write useragent IdentServer -string "192.168.0.200"
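
When this command is pushed to many Macs, a value copied with typographic quotes, a space, or a mistyped octet is either rejected by the shell or stored verbatim, leaving the agent pointed at no reachable Identification Server. The script below is an added example, not Lightspeed Systems code: it validates the IP address or FQDN, runs the same defaults write as above, and reads the key back. The script name and function names are hypothetical.

```shell
#!/bin/sh
# Added example (not vendor code): validate an IdentServer value, write it with
# the page's "defaults write" command, then read it back to confirm.
# Hypothetical usage: sudo sh set_identserver.sh <ip-or-fqdn>

LC_ALL=C; export LC_ALL   # byte-wise matching: multi-byte quotes never fit a range

# True only for a dotted-quad IPv4 address with every octet in 0-255.
# Called after the character check below, so the unquoted split cannot glob.
is_ipv4() {
    ip_old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$ip_old_ifs
    [ "$#" -eq 4 ] || return 1
    for ip_octet in "$@"; do
        [ "${#ip_octet}" -le 3 ] && [ "$ip_octet" -le 255 ] || return 1
    done
}

# True for an RFC 1123 host name: labels of 1-63 letters, digits or hyphens,
# with no label starting or ending in a hyphen.
is_hostname() {
    hn_old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$hn_old_ifs
    for hn_label in "$@"; do
        [ "${#hn_label}" -le 63 ] || return 1
        case $hn_label in -*|*-) return 1 ;; esac
    done
}

# Accept only a clean IPv4 address or host name; reject everything else.
valid_ident_server() {
    vs_value=$1
    [ -n "$vs_value" ] && [ "${#vs_value}" -le 253 ] || return 1
    case $vs_value in
        *[!A-Za-z0-9.-]*) return 1 ;;   # curly quotes, spaces, shell metacharacters
        .*|*.|*..*)       return 1 ;;   # empty label or octet
    esac
    case $vs_value in
        *[!0-9.]*) is_hostname "$vs_value" ;;   # contains a letter or hyphen
        *)         is_ipv4 "$vs_value" ;;       # digits and dots only
    esac
}

# Return codes: 2 invalid value, 3 not root, 4 write failed, 5 read-back mismatch.
set_ident_server() {
    valid_ident_server "$1" || { echo "refusing IdentServer value: $1" >&2; return 2; }
    [ "$(id -u)" -eq 0 ] || { echo "run with sudo or as root" >&2; return 3; }
    defaults write useragent IdentServer -string "$1" || return 4
    [ "$(defaults read useragent IdentServer)" = "$1" ] || return 5
    echo "IdentServer set to $1"
}

if [ "$#" -gt 0 ]; then
    set_ident_server "$1"
else
    echo "usage: sudo sh set_identserver.sh <ip-or-fqdn>" >&2
fi
```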

Upgrade

The Mac User Agent can be installed directly over top of an existing version, no different than if it were a brand new install. Thus please follow Mac User Agent Install for new installs and upgrades.

Mac User Agent Installer Log File

The Mac User Agent installer writes to the file /private/var/log/system.log with ‘useragent’ before each line. You can use this file to help you understand installation issues or to help Lightspeed Systems Support help you in solving any installation issues.

Uninstall

You must have the LightspeedUserAgent.dmg file in order to perform an uninstall.

  • 1. From your Mac workstation open and mount the LightspeedUserAgent.dmg file.
  • 2. Run the uninstall file to start the uninstall process.
  • 3. You will be prompted for the ‘admin’ password before uninstall commences.

Linux User Agent

The Linux User Agent allows user resolution for many flavors of Linux. A current list is available on the Downloads page. Upon installation and configuration, the User Agent will send the user login name, IP address, and host name of the machine to the defined Identification Server. This information will then display in Web Filter reports.

The login is captured at a shell login, and when someone either manually or automatically signs into GNOME Display Manager X Windows. Sign out happens within a minute of the user logging off. If someone signs back in before sign out is detected, the new user’s login overwrites the older login name immediately.

Install

Prerequisites

Ensure your system satisfies the Hardware and Software Requirements

Download the latest package for your system architecture at Agents and Downloads

Install the “dialog” package for your system. SuSE comes with it; Ubuntu and Fedora Core don’t. This will allow you to run the menu-based configuration tool as a full-screen console.

Note: In a multi Rocket environment the user agents should point to the parent server.

Installation

  • 1. Double click the downloaded file and let your package manager install it.
  • 2. Options and menu screen may vary depending on Linux distribution.
  • 3. After installation is complete, open a terminal window.
  • 4. Gain root privileges either through sudo su or just su.
  • 5. Type in /bin/setupua.sh which will allow you to configure:
    • Hostname/IP address of the Identification Server
    • Default network interface from which the local IP address will be read (such as eth0)
    • Optional advanced-user settings to subscribe other services to the Lightspeed Systems User Agent PAM module
    • In most cases, the preselected services will work best.

Uninstall

To uninstall the Linux User Agent, with root permissions at a terminal, select and run the executable appropriate for your Linux distribution.

RPM (.rpm) uninstall: rpm -e linuxua
Debian (.deb) uninstall: dpkg -r linuxua

MSI Transform

When mass deploying the User Agent via Active Directory’s Group Policy Object (GPO) or Novell’s ZENworks, a transform (MST) file is needed. This file will preset the update server for each agent. Without it any form of mass deployment would be pointless as the Agents would not report anywhere, and would require a manual registry change on each machine.

Building a User Agent .MST file
Download the latest UserAgent MSI and MsiTransform.exe.

Open a command prompt and navigate to the folder containing the downloaded files.
Execute the utility using the following command format:

  • MsiTransform.exe -i UserAgentx64.msi -s 10.1.1.2

Where:

  • -i, --input <original .MSI package, for example, UserAgent.msi (in working directory) or c:\TempSoftwareStore\UserAgent.msi (in alternate storage location)>
  • -s, --server <IP Address or network host name for the ‘Identification’ server>
  • -d, --debug <Debug mode>
  • -?, -h, --help <Show help and exit>

The output file will be written to the directory from which the utility was executed and will be named “UserAgentIDServer.mst”. Use this file to build the AD-GPO or the ZENworks distribution process for installing the TTC User Identification Agent on your network.

Domain Controller Agent

The Active Directory Domain Controller Agent (DCUA) can be installed on Microsoft Active Directory Domain Controllers to supply the Rocket Web Filter with user information when a user logs into the network.

In order for the Domain Controller User Agent (DCUA) to be able to “see” logons and logoffs, the security policy for the domain must be configured to audit those events.

2008 Server Configuration

    • 1. From the Administrative Tools menu, choose Group Policy Management.
    • 2. Expand the Domains folder under the Forest to be configured.
    • 3. Expand the Group Policy Objects folder under the domain to be configured.
    • 4. Right-click Default Domain Controllers Policy and select Edit.
    • 5. Open the Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy folder.
    • 6. Double-click Audit account logon events.
    • 7. Check the Success box and click OK.
    • 8. Double-click Audit logon events.
    • 9. Check the Success box and click OK.
    • 10. Double-click Audit logon events.

2003 Server Configuration

    • 1. From the Administrative Tools menu, choose Domain Security Policy.
    • 2. Open the Security Settings → Local Policies → Audit Policy folder.
    • 3. Double-click Audit account logon events.
    • 4. Check the Success box and then click OK.
    • 5. Double-click Audit logon events.
    • 6. Check the Success box and then click OK.

Chrome Extension User Agent

The User Agent extension for Chrome provides seamless single sign-on capabilities for ChromeOS devices when they are used on a network that is both

  • filtered by a Rocket Web Filter running version 2.10.0 or greater, and
  • set up with a Google domain as an authentication source

When both are true, this User Agent extension transparently authenticates users within your tier address space to your tier’s Google Authentication source. Please note users must be valid members of your Google Auth domain.

Note:

The Chrome Extension User Agent requires a Web Filter license from Lightspeed Systems.

Current Limits

Devices with multiple interfaces and/or IPv6 and IPv4 enabled will be authenticated using only the IP address that hits the Rocket API. The other addresses will still be considered unknown.

Thin Client Agent

Overview

Thin Client User Agent provides filtering for Terminal/Citrix/NComputer Servers. The client is required so each individual user on the system can get the appropriate policy and reporting for their session. It requires you to point it to a Lightspeed Systems Rocket server 1.3.10 and higher.

You will need a browser that supports Server Name Indication (SNI) for the local SSL decoder to successfully decode any https domains when using the Mobile Filter/Thin Client User Agent. See Selectively accessing Google Services for a list of browsers with SNI support.

Note:

You cannot use Web Zones in conjunction with Thin Client User Agent servers.

How it works

Once installed the Thin Client User Agent is able to distinguish between different user sessions so that each user on the system is able to get their correct policy from the Lightspeed Systems Rocket server as well as send the correct reporting information. It sends off each request to the Lightspeed Systems Rocket server for review to see if it should be allowed or not based on the policy being enforced on the server.

Install

Ensure your system satisfies the Hardware and Software Requirements

Pre-Install Configuration for using TCUA with Lightspeed Systems Rocket server

Thin Client User Agent Server Configuration Options
In the Administration –> Tiered Administration –> Internal Ignore List section, be sure to add the static IP address of the server on which the Thin Client User Agent will be installed, to enable proper filtering and reporting. Otherwise, the server will authenticate at the bridge.

Thin Client User Agent Properties

Under Web Filter–>Mobile in the Settings section

The authentication source under the “Force registration” option is the source that the Thin Client User Agent will use.

Note:

If you do not force registration, then an authentication source is required.

Check the “Bypass on failure” option if you would like traffic to continue unfiltered if the Rocket server is unreachable.

All other policy options should work as they normally would.

Installation

Once the pre-install configuration has been completed you may proceed to install the Thin Client User Agent.

  • 1. Download the ThinClientUserAgentx86/x64 from Agents and Downloads
  • 2. Run the MSI, follow the prompts, and agree to the terms and license.
  • 3. Configure your http://mobile.lsfilter.com account.
  • 4. Launch a web browser–you should now see that the Thin Client User Agent is operational.

Upgrade

Thin Client User Agent has an auto updater, so no manual upgrade should be required. Customers should contact support for help in using the TCUA auto updater.

Uninstall

Either of these processes will remove the Thin Client User Agent.

Option 1: GUI

1. Open Add or Remove Programs
2. Click Remove next to Thin Client User Agent
3. Select Yes to confirm removal.

Option 2: Command Line

Run MSIEXEC /uninstall ThinClientUserAgent(x86 or x64).msi with /passive or /quiet
Requires the ThinClientUserAgent(x86 or x64).msi to be in the same directory.

Note:

Because Thin Client users don’t have distinct IPs, the Thin Client User Agent is not compatible with fixed or open Web Zones managed through the Rocket Web Filter. The TCUA can be used with Launch Web Zones.

Archived Release Notes

Click here for a PDF archive of the Thin Client User Agent release notes.

Mobile Filters

Mobile Filter for Windows

Prerequisites

Hardware and Software

Ensure your environment meets the Hardware and Software requirements.

SNI Requirement

You will need a browser that supports Server Name Indication (SNI) for the local SSL decoder to successfully decode any https domains when using the Mobile Filter/Thin Client User Agent. See Selectively accessing Google Services for a list of browsers with SNI support.

Antivirus File Exclusions

PC Mobile Filter creates many files that need to be excluded from antivirus software scans. These files and their locations are listed in the sections below.

Windows Mobile Filter 5.0.x exclusions

    • C:\Program Files\Lightspeed Systems\Mobile Filter (Folder Exclusion)
    • C:\Program Files\Lightspeed Systems\Mobile Filter\LSMFSVC.exe (filtering service)
    • C:\Program Files\Lightspeed Systems\Mobile Filter\LSMFDRV.sys (drivers)
    • C:\Program Files\Lightspeed Systems\Mobile Filter\LSMFTdi.sys (drivers)
    • C:\ProgramData\Lightspeed Systems (Folder Exclusion)
    • C:\ProgramData\Lightspeed Systems\lsmobilefilter.config (configuration file Windows Vista+)
    • C:\ProgramData\Lightspeed Systems\LSMFSVCXXXX.log (log file Windows Vista+)
    • C:\Documents and Settings\All Users\Application Data\Lightspeed Systems\lsmobilefilter.config (config XP only)
    • C:\Documents and Settings\All Users\Application Data\Lightspeed Systems\LSMFSVCXXXX.log (log file XP only)
    • C:\Windows\System32\drivers\LSMFDRV.sys (actual driver files)
    • C:\Windows\System32\drivers\LSMFTdi.sys (actual driver files)

Windows Mobile Filter 6.0.x exclusions

    • C:\Program Files\Lightspeed Systems\Mobile Filter (Folder Exclusion)
    • C:\Program Files\Lightspeed Systems\Mobile Filter\LSMFSvc.exe
    • C:\Program Files\Lightspeed Systems\Mobile Filter\LSMFSvc.log
    • C:\Program Files\Lightspeed Systems\Mobile Filter\Wfp\LSMFWfp.sys
    • C:\Program Files\Lightspeed Systems\Mobile Filter\Wfp\LSMFWfp.inf
    • C:\Program Files\Lightspeed Systems\Mobile Filter\Wfp\LSMFWfp.Cat
    • C:\ProgramData\Lightspeed Systems (Folder Exclusion)
    • C:\ProgramData\Lightspeed Systems\lsmobilefilter.config
    • C:\Windows\System32\drivers\LSMFWfp.sys (actual driver files)

 

Install, Uninstall, Upgrade

Install

Pre-Install Configuration

Define the Mobile Filter Properties on the server to ensure that it operates properly. This includes setting up a Fully Qualified Domain Name (FQDN) for your security server and forwarding port 80 (http traffic) through the firewall to your security server.

Note:

You must be an administrator to run the 32-bit and 64-bit versions of Lightspeed Systems Windows Mobile Filter 6.x.

Mobile Filter Properties

  • Open the console for the Rocket.
  • On the Web Filter navigate to Web Filter > Mobile Devices.
  • Define your settings. For Web Filter, refer to the Mobile Devices help page for more information.

Network DNS and Firewall Settings

The Mobile Filter must be able to contact your security server from both inside and outside of the network.

The hostname on the Rocket Web Filter (Administration > Network Interfaces > Host) needs to match the FQDN on both the internal and external DNS record.

Access/Block Page Configuration

Navigate to Administration > Network Interfaces, enter the host name of the appliance in the Hostname field, and click Save.

Installation

Once the pre-install configuration has been completed you may proceed to install the Mobile Filter. Follow the below instructions based on your intended application.

Note:

This page describes the installation steps for PC Mobile v6.x. Please see Install, Uninstall, and Upgrade PC Mobile Filter v4.x and v5.x for v4.x and v5.x installation steps.

Installing on each machine

This installation provides desktop content filtering for machines that may leave the network. If you have deployed laptops to students or teachers, you want to make sure that when a machine leaves the network, the same content filtering policy that applies inside the network is applied outside as well. The Mobile Filter will disable itself when internal to your network, thus utilizing your inline filtering server for blocking and reporting.

Installing v6.x and later

Follow the steps below to install and activate PC Mobile Filter 6.x and later.

Upgrading from Mobile Filter 5.x

If you are upgrading from PC Mobile Filter 5.x to PC Mobile Filter 6.x you must uninstall Mobile Filter 5.x before you begin. See the “PC Mobile Filter Uninstall” section below for more information.

v6.x and later prerequisites

Please refer to the Using the mobile.lsfilter.com Website to Manage Devices page for information about registering your customer account on mobile.lsfilter.com, signing in, configuring your organization information, and adding and managing devices.

v6.x and later installation

Download PC Mobile Filter 6.x from the Mobile Filter Downloads page.

As long as the prerequisites are set up on the mobile.lsfilter.com page, you can install or deploy the PC Mobile Filter agent on the PCs without any parameters. While it is not recommended, if the mobile.lsfilter.com page is not preconfigured, the agent can still be installed using the SERVERS= switch.

Remote Install

MSI Transform Utility: Installation of the product may be customized using the MsiTransform utility to facilitate unattended installation, for example using a Group Policy Object (GPO). The appropriate server names are supplied to MsiTransform, which uses them to create an MSI database modified with the server names and a Windows Installer Transform file (.mst).

Click to select the MSITransform.exe version to download.

Examples:

  • MSITransform MobileFilter.msi /s <HOSTNAME OF ROCKET>
  • MSITransform MobileFilter.msi /s <EXTERNAL IP OF ROCKET>

To install the product using the transform file, include TRANSFORMS= on the msiexec command-line.
Example:

  • msiexec /i MobileFilter.msi TRANSFORMS=MobileFilter.mst

Manual Upgrade

Manual Upgrade from 6.0.3 to 6.0.4

To install LSMF 6.0.4 on a machine with an existing 6.0.3 installation using the command line:

  • 1. Download the win8_32update604.zip (and/or the x64 version). You can find it at Agents and Downloads.
  • 2. Open up a command prompt (CMD) and change to the directory where you downloaded the above file. (should be on a local machine, not a network location.)
  • 3. Use ‘Run as Administrator’ option to start the command prompt (CMD).
  • 4. Unzip the file into an empty directory. Files should be Update.exe and the MSI file.
  • 5. Type in the following command:
    • Update.exe -update

Important

When updating from 6.0.3 to 6.0.4, the machine will reboot immediately, without delay, once it is updated.

Uninstall

Before You Begin

Uninstalls require Internet access to api.lsfilter.com. This is required for the built-in safeguard to prevent unauthorized persons from uninstalling the software. In addition, devices must have their MAC address registered to mobile.lsfilter.com. This is so that we can tie them to an organization to verify the password.

Process

  • 1. Open Add or Remove Programs
  • 2. Click Remove next to Lightspeed Mobile Filter
  • 3. Select Yes to confirm removal.
  • 4. Enter removal password.

Unattended Removal

The MsiTransform utility can also be used to allow an unattended removal of the PC Mobile Filter. The command line for the creation of the transform file would be:

  • msiexec /x MobileFilter.msi PASSWORD=theconfiguredpassword /qn

(The password can be changed via the mobile.lsfilter.com website.) Removal of the product at a future date using GPO would happen without a dialog box asking for a removal password. Lightspeed support must supply the password and will have to be consulted in order to set up an unattended removal. The password is specific and can’t be arbitrary.

Click to select the MSITransform.exe version to download.

Deploying an Image on Windows Mobile Filter Clients

The best practice for deploying Windows Mobile Filter on images to client PCs is to create the image and then install from Microsoft System Center 2012 R2 Configuration Manager with either Group Policy Objects (GPOs) or a third-party utility.

If you cannot deploy Windows Mobile Filter after creating the image for client PCs, you will need to create the image from a working Mobile Filter client. The configuration files used to identify whether the machine has been renamed are only created after the Mobile Filter has been configured. These files allow the Mobile Filter to detect that it has been imaged onto another machine and that the machine has been renamed, so that it recreates the Unique Device Identifier (UUID). Please note if the UUID is not regenerated it will create a load on your Policy Server, which will not be able to filter properly.

Note:

Renaming the client PC will regenerate the UUID, as will removing and re-installing the Mobile Filter.

 

Mobile Filter for Linux

Install, Uninstall, and Upgrade

Hardware and Software

Ensure your environment meets the Hardware and Software requirements.

Pre-Install Configuration

Before you begin installation of the Linux Mobile Filter, review this information and complete these pre-install configurations.

Define the Mobile Filter Properties on the server to ensure that it operates properly. This includes setting up a Fully Qualified Domain Name (FQDN) for your security server and forwarding port 80 (http traffic) through the Firewall to your security server.

Mobile Filter Properties

    • Open the console for Rocket
    • On Web Filter navigate to Web Filter > Mobile
    • Define your settings. For Web Filter, refer to the Mobile help page.

Network DNS and Firewall settings

The Mobile Filter must be able to contact your security server from both inside and outside of the network. The following article explains this process in detail: Enabling port 80 access to the Management NIC

The hostname on the Rocket (Administration > Network Interfaces > Host) needs to match the FQDN on both the internal and external DNS record.

Access/Block Page Configuration

Navigate to Administration > Network Interfaces, enter the host name of the appliance in the Hostname field, and click Save.

Rocket Access Page Configuration

In the Management Console, navigate to Properties > Content Filter > Properties > Advanced Tab. In both Default URL fields, modify each to replace (local) with the FQDN of your server, leaving the remaining portion of the path.

Local Install

1. Download the linuxmf-1.00-1.deb package.
2. Run the Debian package. Your software management installer should come up.
3. Choose “install” in the software management interface.
4. Enter your administrator password for the workstation.
5. Reboot to finalize the installation.

Uninstall

1. Open your package management software.
2. Select the linux-mobile-filter package and mark it for removal.
3. Apply the changes and the Linux Mobile Filter should be removed.

Upgrade

Automatic Upgrades
v1.00.01
Linux Mobile Filter has an auto updater, so no manual upgrade should be required.

Version 1.00.01 is a controlled release. All the new package installs will be v1.00.01, but automatic upgrades of existing Linux Mobile Filter clients will be controlled by the administrators via the Mobile Filter update servers.

Browser Replacement for Android

Install

Hardware and Software

Ensure your environment meets the Hardware and Software requirements.

One at a Time

To install the Android Mobile Browser on a single device, simply download the Lightspeed Mobile Filter Browser from Google Play and send it to your Android device.

Security

The Android Mobile Browser provides application restrictions as there are none built into the core OS. This is configured from a password protected settings panel from within the application; the password for this panel is configured on first launch. From the settings panel you can select applications you wish to restrict. The restrict function works as a redirect: when a restricted app is launched, the user is forced back into the Mobile Browser.

Here are the recommended applications to block to ensure the filtering is not circumvented.

  • com.android.browser
  • com.google.android.finsky (market)
  • com.android.settings
  • com.android.packageinstaller

Registration and Enabling Filtering

The initial launch of the Mobile Browser on each device MUST be done while connected to the local wireless network (NOT Edge, 3G or 4G). This will force device registration and enable filtering to your Rocket appliance. Skipping this step will cause the Mobile Browser to not function.

Upgrade and Uninstall

Upgrade

Android – upgrade via the Android Market

Uninstall

Removing the Mobile Browser application using standard removal procedures for your device will complete the uninstall. No additional steps should be required.

Note:

Customers using iOS should use the Global Proxy option.

Using the Browser

Once the Mobile Browser has been installed and other browsers restricted, web-browsing using the Mobile Browser will be filtered based on policy.

Authentication

There are two ways to filter your devices using the Mobile Browser. If authentication is not required or desired the device will be filtered by the policy applied to the base IP range under Policies > Policy Assignments. If authentication is desired, the Enable Mobile (iPhone/iPod) Authentication check box must be checked under Properties > Content Guide. This will enforce authentication using the user’s network credentials. They will remain authenticated for one hour.

Navigation

The Android Mobile Browser works very similarly to the native Android browser. Upon launch the homepage (Google by default) will load; you can navigate elsewhere by touching the URL bar at the top to display the onscreen keyboard. Additional controls are found by clicking the icon in the uppermost right-hand corner. Here you can reload, move forward and back, create new tabs, remove tabs, control bookmarks and enter the settings panel, provided you have the password defined on initial launch.

Mobile Filter for Mac

Install, Uninstall, and Upgrade

Once the pre-install configuration has been completed you may proceed to install the v6 Mac Mobile Filter. Follow the below instructions based on your intended application. Two types of installs are available: Local Install or Remote Install.

Prerequisites

Please refer to the Using the mobile.lsfilter.com Website to Manage Devices page for information about registering your customer account on mobile.lsfilter.com, signing in, configuring your organization information, and adding and managing devices. You must follow these steps before you can perform a local or remote v6 installation.

Note:

Mac Mobile Filter is only supported on Intel-based Macs and not early Power PC (PPC) Macs. If you are unsure what type of Mac you have select About This Mac from the Apple menu.

Local Install

  • 1. Download the MobileFilter.dmg file from Agents and Browsers.
  • 2. From your Mac workstation open and mount the MobileFilter.dmg file.
  • 3. Run the “Mobile Guide.pkg” file to start the installer and click continue on the warning.
    • Introduction – Click Continue.
    • Destination Select – Choose your installation volume and click Continue.
    • Installation Type – Click Install to proceed with the installation. You will be prompted to enter the admin password in order to install.
    • Installation – Shows the Guide installation progress
    • Summary – Click Close and then reboot to finalize the installation.

Remote Install

Ensure you’ve followed the Mac Mobile Filter Pre-Configuration steps before proceeding.

  • 1. Download the installer from Lightspeed Systems at Agents and Browsers.
  • 2. Inside the “install.dmg” file is the .pkg file needed to deploy to clients via Apple Remote Desktop (ARD) or another remote desktop application.
  • 3. Deploy the Mobile Filter Agent package using your remote desktop application.

When this process is complete the Mobile Filter Agent has been installed on all selected machines.

Optional: Deploy XML Configuration File

You can also deploy an XML configuration file during the remote install process. This can prevent possible device ID conflicts within Mobile Filter. Copy the text below and save it as “mobilefilter.xml”.

    <MobileFilter>
      <ServerName></ServerName>
      <BlockOnFailure>false</BlockOnFailure>
      <BalancedMode>false</BalancedMode>
      <VerboseLogging>false</VerboseLogging>
      <OEMMode>false</OEMMode>
      <FilteringDisabled>false</FilteringDisabled>
    </MobileFilter>

Make sure to push this XML file to the user’s “/Library/lssys/” folder.
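
A pre-deployment check for this file, as an added example that is not part of the product: it confirms that each element from the listing appears exactly once, that the five flags are literally true or false, and that no list bullets or typographic quotes were carried over when the text was copied from a rendered page. The function names and sample files are constructed here, and the reading of FilteringDisabled is inferred from the element name alone.

```shell
#!/bin/sh
# Added example (not vendor code): check mobilefilter.xml before pushing it.
# Line-oriented on purpose: it relies on the flat, one-element-per-line layout
# shown above and is not a general XML parser.

MF_FLAGS="BlockOnFailure BalancedMode VerboseLogging OEMMode FilteringDisabled"

# Print the content of element $1 in file $2; fail unless it occurs exactly once.
mf_value() {
    mf_hits=$(grep -c "<$1>.*</$1>" "$2" || true)
    [ "$mf_hits" = 1 ] || return 1
    sed -n "s:.*<$1>\(.*\)</$1>.*:\1:p" "$2"
}

# Print one finding per line; return 0 if the file can be pushed, 1 if not.
check_mobilefilter_xml() {
    mf_file=$1; mf_bad=0
    [ -r "$mf_file" ] || { echo "ERROR cannot read $mf_file"; return 1; }

    # Bullets or typographic quotes copied along with the text break the XML.
    if LC_ALL=C grep -q '[^[:print:][:space:]]' "$mf_file"; then
        echo "ERROR non-ASCII bytes found (copied bullets or curly quotes?)"
        mf_bad=1
    fi

    for mf_tag in '<MobileFilter>' '</MobileFilter>'; do
        [ "$(grep -c "$mf_tag" "$mf_file" || true)" = 1 ] ||
            { echo "ERROR expected exactly one $mf_tag"; mf_bad=1; }
    done

    # The page ships ServerName empty, so an empty value is only noted.
    if mf_server=$(mf_value ServerName "$mf_file"); then
        [ -n "$mf_server" ] || echo "NOTE ServerName is empty"
    else
        echo "ERROR ServerName missing or repeated"; mf_bad=1
    fi

    for mf_flag in $MF_FLAGS; do
        if mf_val=$(mf_value "$mf_flag" "$mf_file"); then
            case $mf_val in
                true|false) ;;
                *) echo "ERROR $mf_flag must be true or false, got '$mf_val'"; mf_bad=1 ;;
            esac
        else
            echo "ERROR $mf_flag missing or repeated"; mf_bad=1
        fi
    done

    # Assumption from the element name only: true turns filtering off.
    [ "$(mf_value FilteringDisabled "$mf_file")" != true ] ||
        echo "WARN FilteringDisabled is true"

    return "$mf_bad"
}

# Constructed sample: the template from this page.
write_template() {
    cat > "$1" <<'EOF'
<MobileFilter>
<ServerName></ServerName>
<BlockOnFailure>false</BlockOnFailure>
<BalancedMode>false</BalancedMode>
<VerboseLogging>false</VerboseLogging>
<OEMMode>false</OEMMode>
<FilteringDisabled>false</FilteringDisabled>
</MobileFilter>
EOF
}

# Constructed sample: the same text with a list bullet copied onto each line.
write_pasted() {
    write_template "$1.src" && sed 's/^/• /' "$1.src" > "$1" && rm -f "$1.src"
}

mf_demo() {
    mf_dir=$(mktemp -d "${TMPDIR:-/tmp}/mfcheck.XXXXXX") || return 0
    write_template "$mf_dir/mobilefilter.xml"
    write_pasted "$mf_dir/pasted.xml"
    for mf_sample in mobilefilter.xml pasted.xml; do
        echo "== $mf_sample"
        check_mobilefilter_xml "$mf_dir/$mf_sample" || echo "== do not deploy"
    done
    rm -rf "$mf_dir"
}

# With a path argument, check that file; without one, run the constructed demo.
if [ "$#" -gt 0 ]; then check_mobilefilter_xml "$1"; else mf_demo; fi
```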

Uninstall

You must have the “MobileFilter.dmg” file in order to perform an uninstall. It may be acquired on the Agents and Downloads page. Versioning doesn’t matter as long as the uninstaller is the same version or newer than what is currently installed.

  • 1. From your Mac workstation open and mount the “MobileFilter.dmg” file.
  • 2. Run the Uninstall file to start the uninstaller and click open on the warning.
  • 3. Select Continue to uninstall.
  • 4. Select Remove.
  • 5. Provide admin credentials and click OK. You will not be prompted for a removal password.
  • 6. Upon completion you must reboot, select Reboot Now to restart.

Upgrade

To upgrade the app manually, follow these steps:

  • 1. Obtain the new version of the  Mac Mobile Filter
  • 2. Install the new version over the existing version
  • 3. Install the new version by either double clicking on the file downloaded in Step 1 or by right clicking on it, then selecting Open
  • 4. Double click on MobileFilter.pkg
  • 5. Follow the prompts to install the Mobile Filter app
  • 6. A reboot is required if you install over an existing version of the Mobile Filter.

Chrome Extension Mobile Filter

Note: Web Filter 2 no longer supports the Chrome Extension Mobile Filter. Please upgrade to Web Filter 3 Longhorn to use this extension.

The Mobile Filter extension for Chrome provides content filtering for ChromeOS, allowing school administrators to ensure safe, monitored access on school-distributed Chromebooks. Operating as a Chrome extension, it offers policy-based filtering and off-network activity reporting–all without the need for a proxy. In addition, it provides seamless single sign-on capabilities for ChromeOS devices when they are used off the school network.

Note:

Chrome v37 or higher is required. Please note ChromeOS normally updates to the latest version automatically.

For transparent authentication to work correctly, your Lightspeed Web Filter must be running version 2.9.0 or newer.

When using the Chrome extension you need to consider the following:

    • Register your Google Apps for Education (GAFE) domain with Lightspeed Systems on the mobile.lsfilter.com website so that the extension knows where to find its policy server.

Note:

See the Google Chrome Support article “Manage apps and extensions” for information about how to send extensions to devices via the GAFE console.

  • Disable incognito mode (private browsing).
  • Force the Chromebooks to a single domain.

Note:

  • If a user logs in to an email domain that is not registered, the device will not be filtered.
  • Developer Tools must be disabled through the GAFE console. This can be accomplished by navigating to Device Management –> Chrome –> User Settings and setting the drop down menu for developer tools to “Never allow use of built-in developer tools”.

Server Roles

Managing Server Roles

You can manage child servers from the child server’s Dashboard or from their parent server. The options will vary depending on whether you are logged into the child or parent server.

Note:

Due to latency issues all servers in a parent/child configuration need to be located on a common network with fast and reliable transmission rates.

Managing Server Roles from the Parent Server

If you are logged into the parent server you can manage child servers by clicking Manage All Servers on the Dashboard or by clicking Administration and then Server Roles. The following page will be displayed.

Server Roles on Parent Appliance

  • IP Address – The IP address and optional text describing the child server. Click the IP address to go to the child server’s Dashboard or click Edit Properties to edit the child server’s properties.
  • Role – The role of the child server.
  • Status – The synchronization status of the child server.
  • Manually Sync – Click this link to perform a manual sync on this child server.
  • Remove as child server – Click this link to remove this child server from this parent server. If you are removing an Advanced Reporting child server the following confirmation popup window will be displayed.

remove-advanced-reporting-server

Make sure you have backed up your Management and Web Filter reporting data before you click OK because it will not be migrated to the parent server.

Tip:

You can also modify the active policy server in use by a child server. In addition, if you remove the localhost you can only re-add the child as the policy server by specifying its own IP.

If you click the Edit Properties link the following page will be displayed.

child-server-properties-on-parent

To add a policy server for the child server:

  • 1. Click the Add Policy Server button. The following will be displayed.

add-child-policy-server

  • 2. From the Policy Server dropdown list select the policy server for the child server.
  • 3. Click Save.

Managing Server Roles from a Child Server

To manage server roles from a child server, click Administration and then click Server Roles. The following page will be displayed:
server-roles-on-child

  • Server Role – The child server’s server role (Web Filter, Spam Filter, Email Archive, Proxy Server, or Advanced Reporting).
  • Short Description – The user-configured short description for this child server.
  • Parent IP Address – The IP address of this child server’s parent server.
  • Last Sync – When this child server was last synchronized.

Click the Sync Now button to synchronize the child server with its parent server or click here to reconfigure the Child Server to bring up the Converting to a Child Server wizard.

Configuring Server Roles

To configure what role a Rocket appliance will perform follow the steps below.

  • 1. From the Dashboard click Administration.
  • 2. Under Server click Server Roles.
  • 3. Scroll down to Roles.

rocket-server-roles-1

  • 4. Select (check) the role or roles that this appliance will perform, which can be Web Filter, Spam Filter, Email Archive, Proxy Server, Advanced Reporting, Parent Server, or Policy Server.

Note:

Unsupported and conflicting server roles on your appliance will not be available.

  • 5. Click Save.

Configuring Rocket as a Proxy Server

Without a proxy server, if a user accesses a secure HTTPS site only the domain name (subject) in the SSL certificate will be visible to the Web Filter. Block or allow decisions can only be made based on this domain rather than the full URL. Thus, URL patterns for HTTPS sites may not operate correctly.

If you configure a Rocket appliance as a trusted man in the middle (TMITM / MITM) proxy server then all HTTPS requests can be examined just like HTTP requests. When a user requests a secure website, such as a banking site, the encrypted request will be sent to the proxy server. The proxy server will then decrypt it in order to read the full URL.

(Learn more about this in our whitepaper, SSL Explained.)

Proxy Authentication

Learn more about authentication with the proxy here.

If it is determined to be an allowed request, the proxy server will then carry out the request on the client’s behalf over SSL as expected. If the site is a blocked site, then the request will be denied and the user will see a block page.

Mobile devices may also be configured to use the proxy server. It is not recommended that you use the proxy server in conjunction with the Lightspeed Systems Mobile Filter on laptops. Make sure you configure mobile devices with a proxy server hostname that will resolve both on the inside and outside of your network.

The proxy server listens on TCP port 8080 on Rocket appliances where the Proxy Server role is enabled.

The following diagram shows a Rocket appliance that has been configured as a proxy server.

Proxy Server Network Diagram

To configure a Rocket appliance as a proxy server, follow the steps below.

NOTE: T-Mobile 4G and LTE Devices Are Not Supported

T-Mobile’s caching server implementation is not compatible with the proxy module in the Lightspeed Systems Rocket. T-Mobile redirects lookup requests to their caching servers in most instances using a 301 redirect. Basically, this allows users to retrieve cached versions of web pages that would normally be blocked by the Rocket appliance. T-Mobile is aware of the issue but as of this time has not taken any steps to resolve it. Refer to the “How to make internet settings in T-Mobile U8150-A?” and “Proxy servers disrupting service” discussions on the T-Mobile Support forum for more information.

  • 1. Configure your network
    • – In an Active Directory environment, use Group Policy Objects (GPOs) to enforce the use of the proxy server
    • – In a Novell environment, use ZENworks to enforce the use of the proxy server
  • 2. Configure your Rocket or Bottle Rocket appliance as a proxy server
    • – Connect the Management port on the Rocket appliance to a port on your LAN switch
    • – Log into this appliance
    • – Click Administration and then click Server Roles
    • – Check (select) Proxy Server
    • – Click Save
  • 3. RECOMMENDED: Install the SSL certificate from the Rocket appliance since some SSL sites will not work if the certificate is not installed as a trusted root authority.
    • Download the SSL certificate from the Rocket appliance by browsing to http://(fqdn)/lsaccess/proxycert, where (fqdn) is the fully qualified domain name of the proxy. You must use the FQDN of the proxy to access the URL and download the certificate.
    • Install the SSL certificate on any of your proxy clients. You can push it out through a GPO (Microsoft Exchange) or ZENworks (Novell) at the same time that you push out the proxy settings.

Note:

For iOS devices running iOS 6.0 and above, you can use Lightspeed Systems Mobile Manager to push a forward proxy configuration that requires no user intervention to use the Rocket appliance proxy server. This is an alternative Web Filter solution that does not require Lightspeed Systems Mobile Browser app. See the Mobile Manager Global Proxy page in the Mobile Manager documentation for more information.

Configuring Rocket as an Advanced Reporting Server

Follow the steps below to configure a 1600R3-AR Rocket appliance as an Advanced Reporting server.

Setting Up an Advanced Reporting Server

  • 1. Log into the 1600R3-AR Rocket appliance.
  • 2. Follow the steps below to convert the Rocket appliance into a child server.

Note:

See Converting to a Child Server for more information about converting a Rocket appliance into a child server.

    • a. Click Administration.
    • b. Under Server click Server Roles.
    • c. Click Convert to Child Server as shown below.

Convert Child Server

    • This will launch the Convert to Child Server wizard as shown below.

child-server-config-start

    • d. Click Let’s get started to launch the wizard. The following wizard window will be displayed.

child-server-config-server-settings

    • e. Enter the parent server’s IP address, the admin user name, and the admin password.
    • f. From the dropdown list select Advanced Reporting.
    • g. (Optional). Enter optional useful text about the advanced reporting server.
    • h. Click Next. The following confirmation popup window will be displayed.

advanced-reporting-confirmation

    • Make sure you have backed up your Management and Web Filter reporting data before you click OK because it will not be migrated to the Advanced Reporting child server.

Note:

It will take several minutes for the child and parent servers to be configured.

child-server-config-generating

    • i. When the configuration process is complete click Done.

child-server-config-complete

    • The following popup window will be displayed:

restart-child_server

    • j. Click OK to restart the child server.
  • 3. Log into the parent server.
  • 4. Click Administration.
  • 5. Check (select) Record all URLs to record and display all URLs on reports or uncheck (deselect) it to aggregate URLs.
  • 6. Click Update to save your changes.

In environments with newly-installed Advanced Reporting appliances a checkbox is displayed to allow you to search for reporting data on either the new appliance or the parent appliance. This checkbox will only appear on the parent while data is still on the parent appliance itself. Once the data retention period of data on the parent has expired the checkbox will no longer display.

rocket-reports-advanced-reporting-checkbox-rel2.9

Rechilding an Advanced Reporting Appliance

When rechilding an Advanced Reporting appliance a checkbox is displayed to allow retaining statistics data during the rechild process. This can help prevent the loss of important data.
rocket-advanced-reporting-keep-data-rel2.9

Important:

When performing a rechild of the Advanced Reporting Appliance you should always have a current backup available.

Removing an Advanced Reporting Child Server

Follow the steps below to remove an Advanced Reporting child server.

Note:

If you remove an Advanced Reporting child server, all of its Management and Web Filter data will be lost. Therefore, make sure you back it up before you begin this procedure.

  • 1. Log into the parent server.
  • 2. From the dashboard click Administration.
  • 3. Click Server Roles.

Parent Server Roles

  • 4. Under Child Servers click Remove as child server in the Advanced Reporting server’s row. The following popup window will be displayed.

remove-advanced-reporting-server

  • 5. Click OK to confirm.

Converting to a Child Server

To configure an appliance as a child server, follow the steps below.

Warnings!

  • You cannot convert a child server back to a standalone server without a complete re-installation.
  • Due to latency issues all servers in a parent/child configuration need to be located on a common network with fast and reliable transmission rates.

  • 1. Log into the appliance you want to make the child server.
  • 2. Click Administration.
  • 3. Under Server click Server Roles.
  • 4. Click Convert to Child Server as shown below.

child-server-convert

This will launch the Convert to Child Server wizard as shown below.

child-server-config-start

  • 5. Click Let’s get started to launch the wizard.

Tip:

If you have changed your mind and want to exit the wizard, click ‘I changed my mind, let’s cancel this process.’

The following wizard window will be displayed.

child-server-config-server-settings

  • 6. Enter the following information for the parent and child servers:
    • Parent IP Address. Enter the IP address of the parent server.
    • Admin Username. Enter the admin username of the parent server.
    • Admin Password. Enter the admin password of the parent server.
    • Select roles for this server. Select (check) Web Filter, Spam Filter, Email Archive, Proxy Server, or Reporting Server roles for the child server. The wizard will indicate what server roles are supported.
    • Name or short description of this server (Optional). Enter optional useful text about the child server.

Note:

Please note that the administrator credentials must have access to the root tier. In addition, a sub-tier administrator will not have permissions to convert a server from standalone to a child.

  • 7. Click Next. If you are configuring an Advanced Reporting child server the following confirmation popup will be displayed.

advanced-reporting-confirmation

Make sure you have backed up your Management and Web Filter reporting data before you click OK because it will not be migrated to the Advanced Reporting child server.

Note:

It will take several minutes for the child and parent servers to be configured.

child-server-config-generating

  • 8. When the configuration process is complete click Done.

The following popup window will be displayed:

restart-child_server

  • 9. Click OK to restart the child server.

Notes:

The child server must be restarted or the changes will not take effect.
The child server will be offline as it restarts.

Configuring WCCP

Cisco’s Web Cache Communication Protocol (WCCP) can be used to redirect traffic in real time. In addition, WCCP is scalable and supports load balancing, service assurance (fail safe), and fault tolerance. The Lightspeed Systems Rocket supports WCCP version 1 (WCCPv1) and WCCP version 2 (WCCPv2).

Note:

When setting up WCCP with a Cisco ASA device both the source traffic and the Rocket will need to be behind the same interface of the ASA. Due to limitations of the ASA, it cannot route traffic for redirection between interfaces.

To configure WCCP you must first configure it on the Rocket Web Filter and then configure your network devices, such as Cisco ASAs. These steps are described below.

Currently, only devices that can utilize a GRE tunnel for WCCP redirection are supported, including Cisco ASA appliances. This also means that Cisco PIX appliances and Policy Based Routing redirects that rely on Layer 2 are not supported at this time.

Note: The Rocket only supports redirecting HTTP and HTTPS. To redirect HTTPS without certificate errors clients will need to install the proxy certificate from the Rocket.

Step 1: Configure WCCP on the Rocket

To enable WCCP on any tier you must first define the WCCP Router IP on the Root tier. This is universal to all tiers, and only one router can be defined. Once this is defined you can enable WCCP on the root tier and sub-tiers. Currently, the Rocket has a limit of 50 tiers with WCCP enabled. IP range filtering based on tiers will work based on tier address spaces just as filtering does now.

Notes:

For the initial release WCCP will not be supported with Require Proxy Authentication. Only one or the other may be enabled.

When WCCP is enabled it will not honor Require Authentication or Restrict Access. This is due to how it intercepts traffic; it is a design limitation of the proxy that we cannot change. Require Authentication and Restrict Access will still work for non-WCCP ports.

  • 1. Log into the Rocket.
  • 2. Click Web Filter.
  • 3. Click Proxy Server.

Proxy Server Page

  • 4. Select (check) Enable WCCP.
  • 5. In the WCCP Router IP Address window enter the IP address of the WCCP router.
  • 6. Click Save.
  • 7. If you want to enable WCCP on tiers and sub tiers click Administration and perform steps a through c for each tier and sub tier.
    • a. Select the tier under Favorite Tiers.
    • b. Select (check) Enable WCCP.
    • c. Click Update.

Step 2: Configure Redirection on the WCCP Router

Since command structures change greatly from version to version this section only provides basic guidelines. Lightspeed Systems therefore recommends customers utilize documentation from their router manufacturer to enable WCCP redirection. Please note the network you will be redirecting traffic from will need to be behind the same physical interface as the WCCP server.

Tip: See Cisco’s Configuring Web Cache Services Using WCCP page for steps to configure WCCP on a Cisco ASA.

In order to redirect HTTPS from a Cisco ASA you must have HTTPS defined as service group 70. Failure to do this will result in HTTPS traffic either not redirecting or failing to get past the Rocket. For example, if you have named your Cisco interface “inside” you would enter the following in a Cisco ASA with firmware versions 7.2/8.2 (the syntax for firmware versions 8.3+ would be different):

hostname(config)# wccp 70
hostname(config)# wccp interface inside 70 redirect in

In some scenarios as seen with older versions of ASA firmware, it is possible that after a change on the proxy the router will stop redirecting traffic to the Rocket. This is an issue with the Cisco firmware beyond our control. Should this happen the easiest way to address this issue is to reload the router.

Sample Cisco ASA Configuration

This section provides an example of configuring a Cisco ASA.

Note:

This section is only a general guideline to aid you with enabling WCCP. Should you encounter any issues with firewall configuration we recommend contacting a network consultant for configuration assistance.

This section makes some assumptions with the examples.

  • The VLAN defining the internal network here is called “inside”.
  • The Rocket IP address for redirection is 192.168.1.15.

This section only covers terminal level configuration of the ASA. It does not cover configuration utilizing the Cisco Adaptive Security Device Manager (ASDM) web utility.

Step 1

First, we’ll start by defining what our WCCP server IP is by entering:

ciscoasa# conf t
ciscoasa(config)# access-list wccp-servers extended permit ip host 192.168.1.15 any

Here we have created an access list called “wccp-servers”. We are telling our router that our WCCP Server IP is 192.168.1.15 and that any traffic coming from it should be permitted.

Step 2

Next, we’ll make some ACLs to define what IP range gets redirected.

ciscoasa(config)# access-list wccp-traffic-http extended deny ip host 192.168.1.15 any
ciscoasa(config)# access-list wccp-traffic-http extended permit tcp 192.168.1.0 255.255.255.0 any eq www

Here we have created an access list called “wccp-traffic-http”. This tells our router two things in this ACL.

  • First, any traffic that matches this ACL for our WCCP Server IP needs to be denied.
  • Second, any traffic that falls into the 192.168.1.0/255.255.255.0 subnet will be redirected by this rule.

The reason we deny traffic here for the WCCP server is to prevent an infinite redirect loop.

Step 3

Next, we’ll want to define what gets redirected. In this case we’re defining the redirect list and what it’s being redirected to as well as which interface this applies to.

ciscoasa(config)# wccp web-cache redirect-list wccp-traffic-http group-list wccp-servers
ciscoasa(config)# wccp interface inside web-cache redirect in

To break down our first rule, we’re telling the router this is a web-cache rule. This will redirect all port 80 traffic. In addition, we are telling the router that anything matching the ACL wccp-traffic-http will be redirected in the redirect-list. And we are also telling the router that our group-list (what we’re redirecting traffic to) is wccp-servers.

In the second rule we’re telling what interface to redirect. In this scenario we’re not specifying a specific interface but the name of the VLAN / VLANS that defines our internal network.

Step 4

Now it’s time to define the SSL redirect. (Redirection of SSL Traffic requires that the client install the proxy certificate from the Rocket. This can be downloaded by following the link on the Administration -> SSL Certificate page from the Rocket.)

ciscoasa(config)# access-list wccp-traffic-https extended deny ip host 192.168.1.15 any
ciscoasa(config)# access-list wccp-traffic-https extended permit tcp 192.168.1.0 255.255.255.0 any eq https

Here we are doing something similar to the HTTP redirect with a noted difference. A new ACL is defined, “wccp-traffic-https”, and at the end of the second ACL instead of www we are defining it as HTTPS.

Step 5

In order to redirect HTTPS traffic to the Rocket we need to define it as service group 70. Because 70 is not a standard service like web-cache we’ll need to define what it is to the router.

ciscoasa(config)# wccp 70 redirect-list wccp-traffic-https group-list wccp-servers
ciscoasa(config)# wccp interface inside 70 redirect in

Just like Step 3 above we’re defining what’s being redirected and what interface to redirect from.
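The redirect lists from Steps 2 and 4 are evaluated top-down, with the first matching entry deciding, which is why the deny entry for the Rocket has to come first. The following Python script is an added example, not part of the original manual or of any Cisco or Lightspeed tool; it models only the ACL syntax used on this page (the helper names and the client address 192.168.1.50 are assumptions) and shows what happens to the Rocket's own traffic when the deny entry is missing.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The redirect-list entries exactly as entered in Steps 2 and 4 of this page.
PAGE_ACLS = """\
access-list wccp-traffic-http extended deny ip host 192.168.1.15 any
access-list wccp-traffic-http extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list wccp-traffic-https extended deny ip host 192.168.1.15 any
access-list wccp-traffic-https extended permit tcp 192.168.1.0 255.255.255.0 any eq https
"""

NAMED_PORTS = {"www": 80, "https": 443}


@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" = redirect, "deny" = do not redirect
    proto: str                    # "ip" matches every protocol, "tcp" only TCP
    src: ipaddress.IPv4Network    # source network the entry applies to
    dport: Optional[int]          # None = any destination port


def parse_ace(line):
    """Parse the subset of ASA extended-ACL syntax that appears on this page."""
    tok = line.split()
    if len(tok) < 8 or tok[0] != "access-list" or tok[2] != "extended":
        raise ValueError(f"unsupported line: {line!r}")
    name, action, proto = tok[1], tok[3], tok[4]
    if tok[5] == "host":
        src = ipaddress.ip_network(tok[6] + "/32")
    else:                         # "<network> <netmask>" form
        src = ipaddress.ip_network(f"{tok[5]}/{tok[6]}")
    rest = tok[7:]
    if rest[0] != "any":
        raise ValueError(f"only destination 'any' is modelled: {line!r}")
    dport = None
    if len(rest) == 3 and rest[1] == "eq":
        dport = NAMED_PORTS.get(rest[2]) or int(rest[2])
    elif len(rest) != 1:
        raise ValueError(f"unsupported port clause: {line!r}")
    return name, Ace(action, proto, src, dport)


def load_acls(config):
    """Return {acl_name: [Ace, ...]} keeping the order the entries were typed in."""
    acls = {}
    for line in config.splitlines():
        if line.strip():
            name, ace = parse_ace(line)
            acls.setdefault(name, []).append(ace)
    return acls


def redirect_decision(aces, src_ip, proto, dport):
    """First matching entry wins; no match falls through to the implicit deny."""
    src = ipaddress.ip_address(src_ip)
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if src not in ace.src:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


def loop_check(aces, rocket_ip="192.168.1.15", dport=80):
    """True if the Rocket's own outbound fetch would be redirected back to it."""
    return redirect_decision(aces, rocket_ip, "tcp", dport) == "permit"


if __name__ == "__main__":
    acls = load_acls(PAGE_ACLS)
    http = acls["wccp-traffic-http"]
    # 192.168.1.50 is a constructed client address inside the page's subnet.
    print("client  tcp/80 :", redirect_decision(http, "192.168.1.50", "tcp", 80))
    print("client  tcp/443:", redirect_decision(http, "192.168.1.50", "tcp", 443))
    print("Rocket  tcp/80 :", redirect_decision(http, "192.168.1.15", "tcp", 80))
    print("loop as written          :", loop_check(http))
    print("loop without deny entry  :", loop_check(http[1:]))
```

Because the Rocket (192.168.1.15) sits inside 192.168.1.0/24, the permit entry alone would match the requests it makes on behalf of clients; the same check applies to any additional subnet you add to a redirect list.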

Step 6

Once this is all done we’re ready to save the changes:

ciscoasa(config)# write mem

After this is complete and the Rocket has been configured via the web interface, you can run the following on the ASA to determine it was successful.

show wccp

This should give the following output:

Global WCCP information:
    Router information:
        Router Identifier:                   192.168.1.1
        Protocol Version:                    2.0

    Service Identifier: web-cache
        Number of Cache Engines:             1
        Number of routers:                   1
        Total Packets Redirected:            19315
        Redirect access-list:                wccp-traffic
        Total Connections Denied Redirect:   0
        Total Packets Unassigned:            0
        Group access-list:                   wccp-servers
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0

    Service Identifier: 70
        Number of Cache Engines:             1
        Number of routers:                   1
        Total Packets Redirected:            8865
        Redirect access-list:                wccp-traffic-https
        Total Connections Denied Redirect:   4
        Total Packets Unassigned:            2
        Group access-list:                   wccp-servers
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0
ciscoasa#

Here we can see the inside interface’s IP address (192.168.1.1), the protocol version of the redirect (2.0), and the service identifiers being redirected: web-cache (HTTP) and 70 (HTTPS). Under each section you should see “Number of Cache Engines” and “Number of routers” set to 1. In this example we also see the total number of packets redirected for HTTP and HTTPS.
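The checks described above can be run automatically against saved “show wccp” output. This Python script is an added example, not part of the original manual or of any Lightspeed or Cisco tool; the function names are hypothetical, the embedded sample is the output shown on this page, and treating a service group with no registered cache engine as unfiltered relies on standard WCCP behaviour (the router forwards traffic normally when no engine is registered).

```python
# Output of "show wccp" as shown on this page, embedded so the check runs offline.
SAMPLE_SHOW_WCCP = """\
Global WCCP information:
    Router information:
        Router Identifier:                   192.168.1.1
        Protocol Version:                    2.0

    Service Identifier: web-cache
        Number of Cache Engines:             1
        Number of routers:                   1
        Total Packets Redirected:            19315
        Redirect access-list:                wccp-traffic
        Total Connections Denied Redirect:   0
        Total Packets Unassigned:            0
        Group access-list:                   wccp-servers
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0

    Service Identifier: 70
        Number of Cache Engines:             1
        Number of routers:                   1
        Total Packets Redirected:            8865
        Redirect access-list:                wccp-traffic-https
        Total Connections Denied Redirect:   4
        Total Packets Unassigned:            2
        Group access-list:                   wccp-servers
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0
ciscoasa#
"""

# Counters that should stay at zero when the Rocket is accepted by the router:
# a non-zero value means its registration messages are being rejected.
MUST_BE_ZERO = ("Total Messages Denied to Group", "Total Authentication failures")


def parse_show_wccp(text):
    """Split the output into router-level fields and one dict per service group."""
    router, services = {}, {}
    current = router
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        key, value = key.strip(), value.strip()
        if not sep or not value:          # section headers, blank lines, prompt
            continue
        if key == "Service Identifier":
            current = services.setdefault(value, {})
        else:
            current[key] = int(value) if value.isdigit() else value
    return router, services


def wccp_findings(services, required=("web-cache", "70")):
    """Return human-readable problems; an empty list means both groups look healthy.

    "web-cache" (HTTP) and "70" (HTTPS) are the two service groups this page uses.
    """
    findings = []
    for sid in required:
        svc = services.get(sid)
        if svc is None:
            findings.append(f"{sid}: service group missing from output")
            continue
        if svc.get("Number of Cache Engines", 0) < 1:
            findings.append(f"{sid}: no cache engine registered, traffic is not "
                            "being redirected to the Rocket")
        for counter in MUST_BE_ZERO:
            if svc.get(counter, 0):
                findings.append(f"{sid}: {counter} = {svc[counter]}")
    return findings


if __name__ == "__main__":
    router, services = parse_show_wccp(SAMPLE_SHOW_WCCP)
    print("router:", router)
    print("findings on the page's output:", wccp_findings(services))
    # Constructed failure case: the Rocket has dropped out of service group 70.
    services["70"]["Number of Cache Engines"] = 0
    print("findings after HTTPS engine loss:", wccp_findings(services))
```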

Note: During initial testing Lightspeed Systems observed an issue where changing settings on the proxy sometimes required a reload of the ASA. This is due to a limitation of the ASA and not the Rocket. If you see a scenario where changing Proxy settings causes the ASA to stop passing traffic you will need to run the following to reboot the ASA (WARNING: WHEN RUNNING THIS COMMAND THIS WILL REBOOT THE ROUTER AND STOP ALL TRAFFIC FROM PASSING THE ROUTER UNTIL THE REBOOT COMPLETES):

reload noconfirm

To troubleshoot the ASA to determine if it’s communicating with the Rocket you can run the following commands from a telnet or console session of the ASA:

debug wccp packets
debug wccp events

You should see output similar to the following:

WCCP-PKT:S00: Received valid Here_I_Am packet from 192.168.1.15 w/rcv_id 000000FD
WCCP-PKT:S00: Sending I_See_You packet to 192.168.1.15 w/ rcv_id 000000FE
WCCP-PKT:D70: Received valid Here_I_Am packet from 192.168.1.15 w/rcv_id 000000FE
WCCP-PKT:D70: Sending I_See_You packet to 192.168.1.15 w/ rcv_id 000000FF
WCCP-PKT:S00: Received valid Here_I_Am packet from 192.168.1.15 w/rcv_id 000000FE
WCCP-PKT:S00: Sending I_See_You packet to 192.168.1.15 w/ rcv_id 000000FF

This shows the WCCP server and Router communicating with each other.

Troubleshooting

You can also verify that the WCCP router is configured properly with the following commands:

ciscoasa(config)# show wccp interfaces
WCCP interface configuration:
    Vlan1
        Output services: 0
        Input services: -6
        Mcast services: 0
        Exclude In: FALSE

This will tell you the specific interface that has been designated for redirection. In this case, Vlan1 (inside) is our redirection interface.

You can also verify that the proper service redirects are occurring.

ciscoasa(config)# show wccp 70 view
WCCP Routers Informed of:
    192.168.1.1
WCCP Cache Engines Visible:
    192.168.1.15
WCCP Cache Engines NOT Visible:
    -none-

Here we see that for service 70 (HTTPS) our Router is 192.168.1.1. We also see that our cache engine, 192.168.1.15, is visible and communicating with us.

ciscoasa(config)# show wccp web-cache view
WCCP Routers Informed of:
    192.168.1.1
WCCP Cache Engines Visible:
    192.168.1.15
WCCP Cache Engines NOT Visible:
    -none-

Here we see that for service web-cache(HTTP) our Router is 192.168.1.1. We also see that our cache engine, 192.168.1.15, is visible and communicating with us.

WCCP Configuration for Fortinet

Sample Fortinet Configuration

In the below example, the Lightspeed Systems Rocket’s Management IP is 10.10.10.10.

Fortinet Config File:

fortinet1

The above configuration allows the Fortinet to send traffic to a Lightspeed Systems Rocket Appliance. The Service ID 70 and 0 are used by the Lightspeed Systems Rocket, so please do not use any different numbers here. With this set in place, we now need to create the Firewall Policies using the GUI Interface.

Important: Please make a note of the Rule ID Number you are creating in the firewall. Once you are done making the policy through the GUI, you will need to run a command from the command line utility.

forti2

Note: You must turn off NAT for this firewall rule to work.

The last step must be done from the command line utility of the Fortinet device:

config firewall policy
edit <rule ID number you created above>
set wccp enable
end

Setting up Forward Proxy over GAFE

Forward Proxy for GAFE is set up through the Google Admin console.

1. Log into admin.google.com and navigate to Device Management. Click on Chrome Management on the left-hand navigation bar. Click on User Settings. Make sure that you have the correct organization chosen on the left-hand menu and scroll down to Network. Click the dropdown menu under Proxy Settings – Proxy Mode and select Always use the proxy specified below. The following box will display. Enter your server hostname followed by “:” and your port number into the Proxy Server URL field. (Ex: Our hostname is southernacademy.lightspeedsystems.com and our port is 8093, so we entered “southernacademy.lightspeed.com:8093”.) Click Save.

Note: Prior to setting this up, make sure that your firewall allows connections to your Rocket over the appropriate port (the default port is 8080).

Pushing SSL Certificates to Chromebooks through GAFE

You will need to push SSL certificates to your Chrome devices in order for the forward proxy to work. You can do this manually on each device by downloading the SSL certificate from the Rocket and installing it on the device. Alternatively, you can push all of the certificates at once through the Google Admin Console.

1. Open your Web Filter and navigate to Settings -> SSL Certificate

2. Scroll down to Installed Proxy Certificate and download the Proxy SSL certificate for Chromebook devices. 

3. Login to admin.google.com and click on Device Management. 

4. Click on Network on the left-hand navigational menu.

5. Scroll down and click on Certificates. 

6. Navigate to the correct organization on the left-hand navigation menu and click Add Certificate. 

7. Navigate to the folder into which you downloaded the Chrome SSL certificate (ls-rocket-chrome) and open it.

8. Once the certificate uploads, check the box next to Use this certificate as an HTTPS certificate authority and click Save.

Database

Database Categories

Here are the default categories in our database and their descriptions.

Normally Blocked Categories

  • access-denied – Sites that present a login page and we have no way to determine site contents without credentials.
  • extremism – Sites that encourage or promote violence to further a set of beliefs or an agenda, or attempt to convert others to the view that violence is appropriate to further a set of beliefs or an agenda.
  • adult – Adult products, services, situations and humor. Sites that sell lingerie, sex toys, adult videos. Sites that contain nudity that is neither pornographic nor art. These sites have non-existent or ineffective user controls to prevent children from accessing adult materials i.e. Pinterest.com.
  • art – Adult art. Art that contains nudity or adult activity and situations.
  • bodyart – Body art, tattoos, body piercings, body modification, scarification, body painting.
  • games – Adult games. Sex games, games containing adult language, situations or humor whether online or board games.
  • language – Strong language, profanity.
  • alcohol – Production, promotion and sale of alcoholic beverages. Includes bars that also sell food but NOT restaurants that also sell liquor. Sites that promote or encourage alcohol consumption. Wine tasting, beer festivals etc.
  • drugs – Sites promoting illicit and illegal drug use.
  • gambling – Gambling, casinos, betting, lottery and play-for-cash/sweepstakes.
  • offensive – Websites considered to be offensive to both adults and children. Gratuitous images of corpses, self-mutilation, scat.
  • parked – Pay per click hosting web sites that park expired domains; these are sites with no real content, just links to sites for selling stuff.
  • porn – Pornography related sites.
  • illicit – Websites containing potentially illegal pornographic material. Porn sites involving children, “teen model”, sites showing young children dressed and posed in sexually suggestive manner. Rape and snuff porn sites.
  • security – The root security category contains sites that do not clearly fall into one of the subcategories or may fall into multiple categories. This category may also contain sites that are not in themselves bad but contain information that poses a potential security risk.
  • proxy – Sites that specifically host or distribute anonymous proxies or sites that operate in such a way that allows the content filter to be bypassed. This is one of the largest security categories. Most sites in this category are manually imported by our research team. Forum and blog sites that contain information on how to find, set up or use anonymous proxies are also in this category.
  • malware – Combines the Security.virus, Security.spyware and Security.phishing categories on Lightspeed Rockets.
  • shorteners – Sites that provide URL shortening services.
  • translators – Language translation sites that allow full URL (webpage) translation and DO NOT honor filter restrictions.
  • violence – Sites promoting violence and anarchy.

Normally Unblocked Categories

  • ads-Ad servers and advertising companies, marketing agencies, graphic design agencies,
  • audio-video-Sources of streaming audio/video as well as downloadable audio/video files. MP3/4, AVI etc.
  • automobile-Automobiles and motorcycles, boats, private aircraft. Enthusiasts, car shows, part suppliers, manufacturers, repair shops and resources.
  • business-Business related sites. Chambers of Commerce, Business groups, services.
  • construction-Resources for home and property improvement. Construction, building, plumbing, electrical, landscapers, gardeners, plumbers, home improvement stores and supplies. Do it Yourself sites.
  • finance-Banking, stock markets, insurance, and financial news
  • jobs-Employment search, offerings and support. Job training and seminars. NOT vocational or trade schools. Resume services, recruiters, HR services.
  • manufacturing-Manufacturing, industrial, and shipping companies, Agriculture, companies involved in the production or movement of products and services. Includes public utilities like power and gas companies, telephone companies.
  • real_estate-Real estate, homes, offices, appraisers, mortgage and title companies, Realtors and property management.
  • computers-Computers & Internet, Hardware and software companies, programming and tech sites, consulting companies, web designers, webhosting companies, domain registration. IT infrastructure or Cloud based services. Mobile apps.
  • consumer_electronics-Sites that manufacture or promote consumer electronics (cell phones, stereos, car audio, mp3 players, DVD players, camcorders, digital cameras, GPS units etc.)
  • filehosting-Sites that host file or photo uploads/downloads, freeware, shareware, offsite hosting companies, examples: Picasa, downloads.com, majorgeeks.com
  • storage-Sites that provide secure, online cloud storage
  • directory-Directories and portals about specialized topics. Bookmark management sites.
  • education-Education and reference sites. Schools, colleges, vocational and trade schools that award a degree or certificate. Tools and resources used in education. Note** Lightspeed policy is that a website that is used and requested by Teachers or Staff and DOES NOT contain adult material will be moved into the education category to provide easy access for schools.
  • arts-Art, art history, architecture, graphic design and illustration. Ballet, theater, art galleries and shows, artists
  • games-Educational games for kids
  • history-History. Historical sites, museums, reenactments, events, archeology.
  • literature-Literature, libraries, writers, publishers, bookstores, book and author sites, reviews, writing tools
  • media-sites that contain media or streaming media with educational value, discovery channel, national geographic channel, teacher tube etc. Sites will be recommended by schools and manually categorized.
  • music-Music education, history, instruments, marching bands, and museums, sheet music, symphonies, orchestras, opera
  • science-Science and technology, astronomy, geology, physics.
  • sex-High school level sex education websites
  • social_science-Social sciences
  • entertainment-Movies, television, radio, and celebrities, Entertainment venues, Ticket Agencies
  • radio_and_tv-Radio and TV stations
  • expired-Domains whose registration has expired
  • family-Family life, cooking, gardening, beauty salons, wedding photographers, funeral homes, party rentals and supplies.
  • food-Restaurants, grocery stores, recipes, cooking supplies. Food related events, bake offs, competitions.
  • health-Health care, fitness clubs, pharmaceuticals, herbal remedies, nursing homes, nutrition, medical, dental.
  • religion-Religion & Spirituality. Churches, synagogues, temples, mosques.
  • forums-Unmoderated personal expression. A moderated forum that limits to a specific topic will be categorized according to the topic, i.e. An automobile forum would be in the Automobile category.
  • blogs-Weblogs that cover a variety of topics. A site that uses a blog platform like WordPress to host a site on a single topic or for a business or organization will be categorized in the appropriate category based on content. Photo sharing sites.
  • dating-Dating websites like friendfinder, eHarmony, match.com, sexmatch.com, swingermatch.com, SHOULD BE BLOCKED FOR CHILDREN. Contains adult material like nudity, sexual content, fetishes.
  • im-Instant messaging services
  • mail-Hosted E-mail services such as Gmail, Hotmail, yahoo mail
  • newsgroups-Newsgroups, UseNet and subscription newsletters without a print circulation
  • p2p-Peer to peer and file sharing sites
  • personals-Personal web pages and personal ads
  • social_networking-Social networking and related websites such as Myspace, Facebook, and Orkut. Sites that provide hosting resources for social networks, themes, wallpapers, avatars etc.
  • games-Games, anime, cartoons, wallpapers and screen savers, ringtones, online greeting cards, mobile games.
  • general-General interest – Sites that contain Insufficient tokens, have obfuscated scripts, etc. and are not easily categorized automatically.
  • government-Federal, state, local and international government
  • ham-Legitimate sources of email, mail servers and subscription based email. Example school district and business mail servers.
  • hobby-Hobbies, crafts, collecting
  • humor-Humor, puzzles, and brain-teasers
  • kids_and_teens-Kid safe web sites
  • chat-Monitored chat websites suitable for kids
  • law-Law firms, courts, and legal matters. Lawyers, paralegals, stenographers. Legal forms, publications and resources.
  • microsoft-Microsoft and related sites
  • music-Bands and artists, concerts, DJs, lyrics, songwriting, and record labels
  • news-News and magazines with print circulation, TV News websites
  • photography-Photography sites that DO NOT contain adult material, photography equipment, stock photos, photographers, photo exhibits
  • Plagiarism-Web sites that sell term papers, research papers, and other ways to help students cheat
  • search-Major search engines
  • nettools-Sites that contain administrative tools that may be used to bypass network security or content filter. Examples include VPN products, remote access products like logmein.com, teamviewer.com and forum sites or blogs with tutorials or products to bypass workstation security and reset admin passwords.
  • shopping-Shopping sites for online shopping, does NOT include sites that sell adult products, sex toys, lingerie, enhancement products etc.
  • auctions-Auctions, classifieds, pennysaver, camera ads
  • office_supplies-Major office supply websites
  • spam-Shopping websites that use spam email for marketing
  • society-Culture, issues, ethnicity, people, social clubs, girl/boy scouts.
  • crime-Crime and the justice system. Sites that encourage criminal activity.
  • politics-Politics, political activism, political issues, candidates, propositions and measures on the ballot, campaign websites.
  • spam-Sources of spam mail that does not involve porn, gambling, or drugs
  • sports-Sports sites. Teams and athletes. Fishing, boxing, wrestling, Competitive shooting, archery, bicycling.
  • fantasy-Fantasy football, baseball, soccer, etc.
  • martial_arts-Martial arts, competitions, schools, organizations.
  • youth-High schools sports teams and youth sports leagues
  • travel-Hotels, resorts, cruises, transportation and vacation offerings
  • weapons-Web sites about guns, swords, knives, and other weapons
  • world-Foreign language websites that have not been positively identified into a specific category, either through manual review or by automatic categorization.
  • cn-World websites – Chinese
  • de-World websites – German
  • es-World websites – Spanish
  • fr-World websites – French
  • it-World websites – Italian
  • jp-World websites – Japanese
  • kr-World websites – Korean
  • nl-World websites – Netherlands
  • pl-World websites – Polish
  • pt-World websites – Portuguese
  • ru-World websites – Russian

Policies

Policy Management

The Policy Management page has links to Assignments, Rule Sets, Schedules, and the Calendar.

The Lightspeed Systems Web Filter module uses Rule Sets (policies) and Assignments to filter traffic based on content category and user.

From this page, you can manage:

  • Rule Sets – View the default Rule Sets, or create your own custom rules.
  • Policy Assignments – Apply built-in or custom Rule Sets to computer names, MAC addresses, computer Organization Units (OUs), IP addresses, IP ranges, user groups, user names, or user OUs.
  • Schedules – Apply Rule Sets by day of the week and time range.
  • Calendar – Apply Rules by unique and non-repeating days.

Here’s a quick overview of the steps involved in creating and assigning policies:

  • 1. On the Rule Sets page, examine the built-in Rule Sets to see how categories are allowed or blocked.
  • 2. Create a new Rule Set based on one of the built-in policies: Default, Allow All, or Block All.
  • 3. Give the custom Rule Set a meaningful name and a brief description that will help you apply it to the appropriate users or groups.
  • 4. Modify and save the settings in your new Rule Set according to the requirements of the user or group that will be using it.
  • 5. On the Assignments page, create a new assignment, and then select the authentication source and users or groups. Select the Rule Set to assign, and then save.
  • 6. Administrators can apply changes to sub tiers by selecting the tier from the dropdown list.

Rule Sets

Rule Sets are lists of web site categories, keywords, and actions that control how users can access the Internet.

rule-sets

The Lightspeed Systems Web Filter module comes with three built-in rule sets.

Built-In Rule Sets

  • Default – CIPA-compliant filtered access to Internet content. Content categories such as Adult and Forums, and sites in the Security category are blocked, while most other categories are allowed. The Lightspeed Systems Web Filter module applies this Rule Set to anyone who is not assigned to any other Rule Set.
  • Allow All – Unfiltered access to all Internet content, including Adult, Forums, and Security category.
  • Block All – No Internet access. All categories are blocked.

You can create local exceptions to define different content for your users. For example, you may want to allow access to Webmail sites for teachers, but not students. You would create two different Content Filter Property Sets: One for teachers with Forums Webmail category allowed; and one for Students with Forums Webmail blocked. To simplify the process, you can use the three predefined Rule Sets as a starting point for your custom Rule Sets.

Creating a Rule Set

    • 1. From the Policy Management dashboard, click Rule Sets, and then click New Rule Set.
    • 2. In the New Rule Set form, enter a meaningful name and description.

new-rule-set

  • 3. Choose a rule set from the Copy Settings From dropdown list, and then click Save. This action populates your new rule set with allowed and blocked categories from the rule set you selected.
  • 4. On your new Rule Sets form, review and select options to apply for this Rule Set.
  • 5. Click Save.

Important:

Rule Sets are not active until you assign them. Use the Assignments page to see a list of policy assignments, change policy assignments, or add new policy assignments.

Search Engines

  • Filter image search thumbnails (Google and Bing) – Remove image thumbnails from search results from blocked content categories.
  • Force safe search (Google, YouTube and Bing) – Restrict all Google, YouTube, and Bing searches to enable their “safe search” feature.
  • Block Google HTTPS search (fail-safe) – Restrict all secure connection HTTPS searches on Google. (This blocks *.google.com).
  • Disable Google auto-complete – Check (select) this option to prevent Google instant search.
  • Allow YouTube for Schools – Allow only YouTube pages within the YouTube for Schools portal. You must have a YouTube for Schools code to enable this feature. Enter your code on the General page.
  • Select blocked search keywords to filter – Use the selected Block Search Keywords lists to filter search results.

Image Searches on Google Drive

If you block Unknown URLs, Domains and IP Addresses under Category Options, thumbnails will not be displayed for image searches using the Research tool on Google Drive (formerly Google Docs). This is because the Web Filter module expects a source URL or domain to be appended at the end of the search string, which the Google Drive Research tool does not provide.

Non-HTTP Traffic

  • Filter non-HTTP traffic by IP address – The Content Filter is designed to filter HTTP traffic; therefore, it has the ability to distinguish HTTP traffic from everything else. With this option enabled, the Content Filter will block the non-HTTP sessions (e.g., HTTPS, FTP, SMTP, etc.) with a destination IP address in a category that is set to “Block”.
  • Block non-HTTP traffic to unknown IP addresses – Similar to the above feature, when this option is enabled, the Content Filter will block any non-HTTP sessions with a destination IP address that is not categorized in the content database.

URL Patterns

The Content Filter can allow or block requests that match the selected lists of URL Patterns. Select the URL pattern list to use, then choose to block or allow requests from each list.

Note

URL pattern policies take precedence over force safe search and blocked keyword options.

Lockouts

The Lightspeed Systems Web Filter module temporarily locks out users who persistently try to visit blocked web sites. This feature was designed to help prevent content filter abuse. Locked out users lose their Internet access until the lockout expires. When this abusive behavior is detected, the abuser’s Internet access is blocked (based on IP) for a configurable amount of time. An optional email can also be sent to notify a responsible party that the Lockout has occurred.

Use the Lockouts report to view and manage locked-out users.

suspended

Because the Lockout options are configured in each Rule Set, you can apply different settings to various user groups and times of day.

  • Block internet access for: 15 minutes – Temporarily block the user from continued web access for X number of minutes. (Maximum 60 minutes, default of 15)
    • Alert Only – To send a notification and alert, without suspending the user’s internet access, set the Block Internet Access to 0 (zero) minutes.
  • Tolerance – A Lockout will occur when a user attempts to access a Lockout category more than X times in X seconds. (Maximum 60 seconds, default of 5 times in 60 seconds)
  • Email Notifications – Email notifications will be sent to the provided email addresses whenever a lockout occurs. Separate multiple addresses by comma. The email identifies the IP address. If the locked out machine is running the User Agent, the email will also identify the logged-in user.
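
A model of how the Lockout options above interact (tolerance, time window, block duration, and the zero-minute alert-only mode), as an added example rather than Lightspeed's own code. The class and function names and the sample IP address are assumptions.

```python
from collections import defaultdict, deque


class LockoutTracker:
    """Model of the Rule Set lockout options; not the vendor's implementation."""

    def __init__(self, tolerance=5, window_s=60, block_minutes=15):
        # Limits and defaults taken from the manual: window at most 60 seconds,
        # block duration at most 60 minutes, 0 minutes meaning "alert only".
        if tolerance < 1:
            raise ValueError("tolerance must be at least 1")
        if not 1 <= window_s <= 60:
            raise ValueError("window must be 1-60 seconds")
        if not 0 <= block_minutes <= 60:
            raise ValueError("block duration must be 0-60 minutes")
        self.tolerance = tolerance
        self.window_s = window_s
        self.block_s = block_minutes * 60
        # Keyed on source IP because the manual says the block is based on IP:
        # clients that share one address also share one counter and one lockout.
        self._hits = defaultdict(deque)   # IP -> timestamps of recent blocked hits
        self._locked_until = {}           # IP -> second at which the lockout ends

    def is_locked(self, ip, now):
        return now < self._locked_until.get(ip, 0)

    def record_blocked_hit(self, ip, now):
        """Register one hit on a Lockout-enabled category and return the outcome:
        'counted', 'lockout', 'alert' (alert-only mode) or 'locked'."""
        if self.is_locked(ip, now):
            return "locked"
        hits = self._hits[ip]
        hits.append(now)
        # Drop hits that have aged out of the tolerance window.
        while now - hits[0] >= self.window_s:
            hits.popleft()
        # "More than X times in X seconds": the lockout fires on hit X + 1.
        if len(hits) <= self.tolerance:
            return "counted"
        hits.clear()
        if self.block_s == 0:
            return "alert"        # notification only, access is not suspended
        self._locked_until[ip] = now + self.block_s
        return "lockout"


def replay(tracker, events):
    """events: iterable of (second, source_ip); returns one outcome per event."""
    return [tracker.record_blocked_hit(ip, t) for t, ip in events]


# Constructed sample: seven blocked requests from one address within 30 seconds.
BURST = [(t, "10.1.4.23") for t in (0, 5, 10, 15, 20, 25, 30)]

if __name__ == "__main__":
    print(replay(LockoutTracker(), BURST))
    print(replay(LockoutTracker(block_minutes=0), BURST))
```

Replaying a day of blocked-request timestamps from the Lockouts report through a model like this is a quick way to see how a proposed tolerance would have behaved before changing the Rule Set.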

Access Page

The Access Page is the page that is presented to users when they attempt to visit a blocked site. You can configure override access and custom access pages for custom user lists or your entire organization.

access-page-table

  • Override duration – Use the slider to set the override duration, which can be from 15 to 120 minutes.
  • Require username and password to override – Select (check) this option to require users to enter their network login and password to unblock the requested web site.
  • Restrict username account to override access list – Check (select) this option and then select the list from dropdown list. If you use an override list, the required username entered must match an entry in the selected list in order to have access to perform the override. If you do not use an override list, the required username entered must match the current known user identity. This is to ensure the user performing the override is the same user who was redirected to the access page.
  • Allow users to submit blocked websites for review – This option allows users to click a link to submit the requested site to Lightspeed Systems staff for review and recategorization.
  • Require email address and review reason – You can also require users to submit their email address and review reason. If you enable this option users will be presented with a form they can complete.
  • Use custom access page – To enable a custom access page check (select) the checkbox and select the custom access page from the dropdown list.

See Override Users for more information about creating custom override users lists.

Category Options

You can set options for each content category, as well as for local categories.

  • Allow/Block – Use the toggle to allow access for each content category.
  • Overrides – Select (check) to apply this rule set’s Override settings so users can visit web sites that would otherwise be blocked.
  • Lockout – Select (check) to apply this rule set’s Lockout settings to temporarily block Internet access for users who persistently try to visit blocked web sites.
  • File Extensions – (Optional) Open the dropdown menu to select a Blocked File Extensions list to this content category.

See a full list of Lightspeed Systems categories and their descriptions on the Database Categories page.

Assignments

Assignments apply a Rule Set to a user, device, or group. Rule Sets are not active until you assign them.

Assignment Basics

  • On the Assignments page, you can see a list of policy assignments, change policy assignments, or add new policy assignments.
  • Rule Sets can be assigned to computer names, computer Organization Units (OUs), IP addresses, IP ranges, user groups, user names, or user OUs. You can browse for assignees using the authentication sources defined in Tiered Administration, or you can enter assignments manually.

policies_assignments

Assignment priorities

Users are evaluated by assignments in the numerical order listed on the Assignments page. The first assignment has the highest priority, the second is next, and so forth.

For example, if you have configured an assignment based on IP range as your first assignment, the Web Filter module will evaluate users on that assignment first. To change the order of the assignments, hover the cursor over an assignment’s row and drag it up or down.

Checking Assignments

To search the list of policy assignments and check the assignment for an IP, click the magnifying glass icon next to Assignments. The following will be displayed. You can search by Auth source or Username. Click the Search Options link to expand the list of search fields to search by IP Address, Computer Name, Computer OU, User OU, or User Group. Click Check Assignment to see your results.

search-web-filter-policy-assignments

Assigning a Rule Set

    • From the Policy Management page, click the Assignments tab, and then click New Assignment.

new-policy-assignment

    • From the Type dropdown list, select the authentication type, which can be User Name, Computer Name, MAC address, Computer OU, IP Address, IP Range, User Group, User Name, or User OU.

Important

Assignments to user OUs are not inherited down to users who are in lower-level OUs. The policy assignment only applies to the OU that the user account is in and does not cascade down.

If you selected IP Address or IP Range, enter the IP address or IP address range as appropriate. The following are valid IP ranges:

    192.168.1.0-192.168.1.254    Range of IP addresses
    192.168.1.0/24               CIDR notation
    192.168.1.0/255.255.255.0    Subnet notation

  • If you selected User Name, Computer Name, Computer OU, or User Group, perform the steps below:
    • Choose the authentication source from the Authentication Source dropdown list.
    • Use the search box to locate and select the user, computer name, computer OU, or user group.
    • Enter the assignee.
  • Enter a meaningful description.
  • Scroll to the bottom of the New Assignee form, and then use the Web Filter Rules dropdown list to select the Rule Set to assign.
  • Click Save to apply the Rule Set to your Assignee.

Assign Tier Policies

You can select a rule set or an advanced rule set to be applied if a user does not match any of your assignments by selecting from the dropdown list below Tier Policy.
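
The evaluation order, the three IP range notations, the non-inherited OU assignments and the Tier Policy fallback described above, modelled as an added example (not Lightspeed's code). The rule set names, OU strings, case-insensitive name matching and the "Default" fallback value are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass


def parse_ip_range(text):
    """Return (first, last) as integers for any of the three documented notations."""
    text = text.strip()
    if "-" in text:                       # 192.168.1.0-192.168.1.254
        first, last = (ipaddress.IPv4Address(p.strip()) for p in text.split("-", 1))
        if first > last:
            raise ValueError(f"range start is above range end: {text}")
        return int(first), int(last)
    # IPv4Network accepts both /24 and /255.255.255.0; a bare address becomes a /32.
    # strict=True rejects entries such as 192.168.1.7/24 that have host bits set.
    net = ipaddress.IPv4Network(text, strict=True)
    return int(net.network_address), int(net.broadcast_address)


@dataclass
class Assignment:
    kind: str        # "ip", "user_name", "user_group" or "user_ou"
    value: str
    rule_set: str


@dataclass
class Client:
    ip: str
    user_name: str = ""
    user_groups: tuple = ()
    user_ou: str = ""


def matches(assignment, client):
    value = assignment.value.lower()      # assumption: names compare case-insensitively
    if assignment.kind == "ip":
        first, last = parse_ip_range(assignment.value)
        return first <= int(ipaddress.IPv4Address(client.ip)) <= last
    if assignment.kind == "user_name":
        return value == client.user_name.lower()
    if assignment.kind == "user_group":
        return value in (g.lower() for g in client.user_groups)
    if assignment.kind == "user_ou":
        # Exact OU only: the manual states OU assignments do not cascade to child OUs.
        return value == client.user_ou.lower()
    raise ValueError(f"unknown assignment type: {assignment.kind}")


def all_matches(assignments, client):
    """1-based positions of every assignment the client would match."""
    return [i for i, a in enumerate(assignments, start=1) if matches(a, client)]


def resolve(assignments, client, tier_policy="Default"):
    """First match wins; with no match the Tier Policy applies."""
    hits = all_matches(assignments, client)
    if hits:
        return assignments[hits[0] - 1].rule_set, hits[0]
    return tier_policy, None


# Constructed sample list, in the order it would appear on the Assignments page.
ASSIGNMENTS = [
    Assignment("ip", "192.168.1.0-192.168.1.254", "Lab Kiosks"),
    Assignment("user_group", "Teachers", "Staff"),
    Assignment("user_ou", "OU=Students,DC=example,DC=edu", "Student"),
    Assignment("ip", "10.20.0.0/255.255.0.0", "Guest WiFi"),
]

if __name__ == "__main__":
    teacher_in_lab = Client(ip="192.168.1.50", user_name="jdoe", user_groups=("Teachers",))
    print(resolve(ASSIGNMENTS, teacher_in_lab), all_matches(ASSIGNMENTS, teacher_in_lab))
    child_ou = Client(ip="172.16.0.9", user_ou="OU=Grade9,OU=Students,DC=example,DC=edu")
    print(resolve(ASSIGNMENTS, child_ou))
```

Running `all_matches` for a representative client shows which lower-priority assignments are shadowed by an earlier one, which is the usual reason a user ends up with an unexpected Rule Set.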

Allowed Referrers

If users access an allowed website that incorporates content from blocked websites, the content from those websites will be blocked. Use the Allowed Referrers page to create lists of domains that can load content from websites that are normally blocked.

For example, many school sites utilize content from outside sites that are normally blocked. If you add www.myschooldomain.edu as an allowed referrer, outside content is allowed when it is referred from that domain. This, however, does not extend to the content itself should a user attempt to load it directly.

web-filter-allowed-referrers-page

Note:

This feature is only available for the inline Web Filter. It is not currently supported for mobile or proxy clients.

Click an Allowed Referrers list to view and edit it, click the X in its row to delete it, and click Add List to add a new Allowed Referrers list.

Note:

You cannot delete an Allowed Referrers list if it has been assigned to a rule set.

Add a New Allowed Referrers List

Follow the steps below to create a new Allowed Referrers list.

    • 1. From the dashboard click Web Filter.
    • 2. Click Allowed Referrers.
    • 3. Click Add New List. The following will be displayed.

add-allowed-referrers-list-form

    • 4. Enter a name for the list.
    • 5. Optional. Enter a description for the list.
    • 6. Enter the domains that will be allowed referrers (for example, www.domain.com). Each domain must be entered on a separate line. Wildcards are not supported, and entries must be an exact match. The following screenshot shows a valid completed Allowed Referrers list.

completed-allowed-referrers-list-form

Note:

HTTPS traffic is not affected by referrers.

  • 7. Click Save.

An Allowed Referrers list is not active until you assign it to a rule set.

Assign an Allowed Referrers List to a Rule Set

Follow the steps below to assign an Allowed Referrers list to a rule set.

    • 1. From the dashboard click Web Filter.
    • 2. Under Policies click Policy Management.
    • 3. Click Rule Sets.
    • 4. Click the rule set you want to use.
    • 5. Under Search Engines check (select) the Allowed Referrers lists you want to use.

rule-set-for-allowed-referrers-list

  • 8. Click Save to save your changes.

URL Patterns

Override Users

The Override Users page allows you to configure lists of users, user OUs, or user groups who can perform overrides when presented with an access page.

Override Users Page

To edit an override users list click its name.
To delete an unassigned override users list click the X in its row.

Configuring a New Override Users List

    • 1. From the dashboard click Web Filter.
    • 2. Under Policies click Override Users.
    • 3. Click New List. The following popup window will be displayed.

New Override Users Popup

    • 4. Enter a name for the new override users list.
    • 5. Enter a meaningful description.
    • 6. Click Save.
    • 7. Click the name of the override users list you just created. A screen similar to the following will be displayed:

Override Users List

    • 8. Click Add User. The following popup window will be displayed:

Add Override User Form

    • 9. From the Type dropdown list select the user type, which can be User Name, User Group, or User OU.
    • 10. Choose the authentication source from the Authentication Source dropdown list.

Note:

Because of the way Google authentication works, it can be used for personal overrides but not for the “teacher override”, where the override is performed for another user.

  • 11. Use the search box to locate and select the user, user OU, or user group.
  • 12. Enter a meaningful name.
  • 13. Enter a meaningful description.
  • 14. Click Save.

To delete a user name, user group, or user OU click the X in its row.

Note:

Override users lists are not active until you assign them to a rule set. Follow the steps below to assign an override users list to a rule set.

Assigning an Override Users List to a Rule Set

    • 1. From the dashboard click Web Filter.
    • 2. Under Policies click Policy Management.
    • 3. Click Rule Sets.
    • 4. Click the rule set you want to use.

Assign override users list

    • Check (select) Require username and password to override.
    • Check (select) Restrict username account to override access list.
  • 6. Select the override users list from the dropdown list.
  • 7. Click Save to save your changes.

Custom Access Pages

When a user attempts to visit a blocked web site, the Lightspeed Systems Web Filter displays the Access Page. The Access Page shows the site name and reason for blocking, and, depending on how you configure and assign your Rule Sets, invites the user to submit a site for review, or override the filter temporarily to visit the web site.

challenge_override

You can create customized Access Pages (block pages) with your own image and text from the Custom Access Pages form. You can also assign custom access pages to different schools or user levels (student, staff, administrators), by associating a custom access page with a Rule Set.

To create a new Custom Access Page

CustomAccess1

  • 1. To add a new Custom Access Page, click New Page. This action opens the Add Custom Access Page form.
  • 2. Give your new page a name, and a brief description.
  • 3. Click Save. This action opens the Edit form.
  • 4. Enter your school name, and upload an image file for your custom banner. Images should be in JPG or PNG format, and must be no larger than 660 x 120 pixels.
  • 5. When you have finished editing your page, click Save and view to see the results. Click the Back button in your web browser to return to the Edit form. Click Back again to return to the list of Custom Access Pages.

Note: You cannot assign a Custom Access Page until all required fields have been populated.

To edit an existing Custom Access Page:

  • 1. Click the name of the page to edit. This action opens the Edit form.
  • 2. When you have finished editing the page, click Save.

Note: Custom Access Pages do not take effect until you assign them to a Rule Set.

To assign a Custom Access Page to a Rule Set

  • 1. From the dashboard click Web Filter.
  • 2. Under Policies click Policy Management.
  • 3. Click Rule Sets.
  • 4. Click the rule set you want to use.
  • 5. Scroll down to Access Page.
  • 6. Check (select) Use custom access page.
  • 7. Select the custom access page from the dropdown list.
  • 8. Click Save to save your changes.

assign-custom-access-page

Blocked Search Keywords

The Blocked Search Keywords page is where you define words the Web Filter module should block when a user attempts to search for web sites to visit. If a user’s search text matches an entry in a blocked keyword list, the search query is blocked.

blockedsearch

Adding/Modifying a list

You can create and maintain your own lists of blocked search keywords, to block searches.

  • 1. Click New List. This action opens the Create Blocked Keywords List form.
  • 2. Give your new list a name, and a brief description.
  • 3. Add keywords, one per line. Please keep the following in mind:
    • One entry per line.
    • Press Enter between entries.
    • Wildcards are not supported.
    • Exact phrases are not supported. For example, keywords “one two three” would match a search for “one two three” as well as “two three one” and “five four three two one”. It is considered a match if all of the search keywords are present in some fashion.
  • 4. When you have finished editing the list, click Save. To discard your changes without saving, click Cancel.

Example Blocked Keyword List

We’ve prepared a list of blocked keywords that you can download and use in your web filter.

  • 1. Right-click the link below and choose Save As.

*** WARNING *** OFFENSIVE CONTENT ***

Keywords.txt

  • 2. Open the downloaded file in a plain text editor such as Notepad (Windows) or TextEdit (Mac)
  • 3. Select all the text in the file, and copy to the clipboard.
  • 4. On your Rocket, navigate to Web Filter / Policy Management / Blocked Search Keywords and click New List.

wf-block-keywords

  • 5. Give the list a name and a description.
  • 6. In the Search Keywords field, click the right mouse button and select Paste to add the keywords from the text file.
  • 7. Click Save.

Note: Blocked Search Keywords do not take effect until you assign them to a Rule Set.

BlockedSearch2

Adding a Blocked Keyword Search List to a Rule Set

  • 1. Click Policy Management.
  • 2. Click Rule Sets.
  • 3. Click the rule set you want to assign the block keywords list to. A screen similar to the following will be displayed.
  • 4. Under Select blocked keywords to filter check (select) the blocked keyword list (or lists) you want to add to this rule set.
  • 5. Click Save.

add-blocked-keyword-list

Blocked File Extensions

The Blocked File Extensions page is where you define File Extension lists to filter. A File Extension list contains extensions the Web module should block when a user attempts to download content matching the list.

The Lightspeed Systems Web Filter includes four predefined File Extension lists: Audio, Compressed, Executable, and Video. Each list contains file extensions for the most common file types in each category. You can add file extensions to each list, or you can create your own lists.

Here are some examples of when you should block file extensions:

    • For sites such as Microsoft Update, use the Executable Files list if you do not want users on your network to download and apply updates that have not yet been tested by your local IT administrators
    • For sites such as CNN.com, use the Video Files list if you want to allow access to news articles, but not streaming media because of excessive bandwidth usage

Editing a list

      • 1. Click the name of the list to edit. This action opens the Edit File Extensions List form.
      • 2. Add file extensions, one per line.
      • 3. When you have finished editing the list, click Save. To discard your changes without saving, click Cancel.

BlockedFileExtensions1

You can also create your own lists of blocked file extensions, to block file types not included in the four built-in lists, such as file types that sometimes contain executable code, including macro-enabled document templates (dotm), installer files (msi), script files (vbs, pl, py and others), Windows help files (hlp and chm), registry entries (reg), and so on.

To add a new category of blocked file types

      • 1. Click New List. This action opens the Create File Extensions List form.
      • 2. Give your new list a name, and a brief description.
      • 3. Add file extensions, one per line. (Do not include the “.” before the extension. One entry per line. Press [Enter] between entries.)
      • 4. When you have finished editing the list, click Save. To discard your changes without saving, click Cancel.

Assigning Blocked File Extensions

Blocked File Extensions do not take effect until you assign them to a Rule Set. Follow the steps below to assign a blocked file extensions list to a rule set.

      • 1. On the dashboard click Web Filter.
      • 2. Click Policy Management.
      • 3. Click Rule Sets.
      • 4. Click the name of the rule set you want to assign the blocked file extension list to.
      • 5. Scroll down to the category table you want to add the blocked file extensions to.
      • 6. Click the slider to enable the category.

select-blocked-file-extensions

      • 7. From the dropdown list on the right-hand side select the blocked file extension list.
      • 8. If appropriate, check (select) Override or Lockout or both.

save-blocked-file-extensions

      • 9. Click Save.

assigned-blocked-file-extensions-list

      • 10. Optional. Click Blocked File Extensions to verify that the blocked file extensions list has been assigned to the rule set.

See Rule Sets for more information about configuring rule sets.

Calendar

Use the Calendar page to create custom days that can be used for Schedules.

calendar-page-screenshot

Creating a new custom day:

  1. From the dashboard click Web Filter.
  2. Click Policy Management.
  3. Click the Calendar tab.
  4. Navigate to the day you want to configure as a custom day by using the right arrow to go one month forward, the left arrow to go one month back, and the Today button to go to today’s date.
  5. Click the date to make it a custom day. Please note the date’s color will change to red as confirmation. To clear it, click it again.
  6. Repeat Steps 4 and 5 as necessary.

Schedules

Schedules control access to resources by time. These rules allow you to choose specific times of day, and days of the week to apply Rule Sets. For example, you may want to apply the Default rule set during work/school hours, and then switch to a custom rule set for evenings and weekends. In addition, you can make schedules for unique and non-repeating days on the Calendar page.

schedule-page

Important:

As with Rule Sets, Schedules do not take effect until you assign them on the Assignments page.

Creating a new schedule

  • On the Policy Management page, click Schedules.
  • Click New Advanced Rule Set. This action opens the New Schedule form.
  • Enter a meaningful name in the Name field.
  • Enter a brief description in the Description field.
  • Select a base rule set from the Base Rule Set dropdown list. (Base rule sets are defined on the Rule Sets tab.)
  • Click Save. A screen similar to the following will be displayed:

add-new-rule-to-schedule

Adding a new rule to the schedule:

    • Click Add New Rule to select a Rule Set to apply. This action opens the New Rule form.

new-rule-form

    • Select a Rule Set to apply from the dropdown list.
    • Enter a meaningful description.
    • Choose the days to apply the rule or check (select) School out, which will create a custom day.
    • Click the All day radio button or the Specified time range radio button and then select the start and stop times.
    • Click Save to close the New Rule form. A screen similar to the following will be displayed.

schedule-with-one-rule

  • Repeat Step 2 to add more rules if needed.

Click the X in a rule set’s row to delete it from a schedule.

If you created a custom day with the School out option described above, click Manage Calendar Days, which will take you to the Calendar page so you can add custom days.

schedule-with-custom-day

Web Zones

General

Web Zones are like virtual rooms that teachers can use to temporarily override content filter rules. Web Zone Managers can activate a zone for five minutes to three hours. Any teacher authorized as a Web Zone administrator can specify web sites the students can or cannot access.

Note:

You can skip the following steps if your teachers will be using Launch to manage Web Zones for groups they own. Configuration is easy using Launch Admin Tools. Documentation for teachers is here.

Use the Web Zones pages to:

  • Appoint Web Zone Managers to create and manage Web Zones
  • Create Fixed Web Zones for specific IP addresses and ranges
  • Administer Open Web Zones created by Web Zone Managers

You can also learn about:

  • How a Web Zone Administrator creates and manages Web Zones from the Web Zone View portal
  • How students join Web Zones from the Join a Web Zone portal

Three types of Web Zones

    • Fixed zones are defined by static IPs
    • Open zones allow any user to request membership and likewise request dismissal
    • Zones created in Launch for pre-defined groups, which require configuration using Launch Admin Tools only

Note:

You cannot use Web Zones in conjunction with Thin Client User Agent servers.

Web Zone Managers

This page controls which users have permission to manage Web Zones. Permission can be given by user group, user name, or user OU (Organizational Unit), with the more user-specific entry taking priority. When you add a manager, you can control whether they “Can create Open Zones” and “Can edit allow-lists on Fixed Zones.” Added users are validated against the authentication method defined in Authentication Sources.

Adding a Web Zones Manager

    1. In the dashboard click Web Filter.
    2. Under Web Zones click Managers.
    3. Click New Manager.

edit-web-zone-manager

    4. From the Type dropdown list select User Group, User Name, or User OU.
    5. From the Authentication Source dropdown list select the authentication source.
    6. Use the search box to locate and select the user, user OU, or user group.
    7. Enter a meaningful User name.
    8. Check (select) the following permissions as needed:
      • Can create Open Zones: Accounts with this permission are allowed to create and save as many Open Zones as they wish by connecting to http://Server_Name/zones/. They will only be able to see and edit zones which they themselves have created. Users can then join active Open Zones by connecting to http://Server_Name/joinzone/
      • Can edit allow-lists on Fixed Zones: When an administrator logs into http://Server_Name/zones from a machine that is part of a Fixed Zone (the machine’s IP matches the defined range of the Fixed Zone) they will automatically be taken into the details page for that fixed zone. If this option is enabled they will then have the ability to edit the Allowed sites list. Otherwise they will be limited to editing the zone expiration time and the blocked list.
    9. Click Save.

To delete a Web Zones Manager: Move the mouse cursor over the right side of the Managers list until an X appears. Click the X to remove the Web Zone Manager from the list.

To update permissions for a Web Zones Manager: In the Managers list, click the name of the user, group, or OU to update, and then select (check) or unselect (uncheck) permissions.

edit-web-zone-manager

Click Save to apply your changes.

The Web Zones page is where you create and administer Fixed Web Zones, and administer Open Web Zones.

Fixed Zones are lists of IP addresses or ranges. Any computer with an IP address within the web zone automatically becomes part of the zone. Fixed Web Zones can only be created from the Lightspeed Systems Rocket Dashboard.

Open Zones are created on the fly by teachers in the Web Zone View portal. Students can request to join these web zones by navigating to a web page in their browser. Open Web Zones can only be created from the Web Zone View portal.

web-zones-page

Note: The Web Zone rules (allowed and blocked URLs) take effect when a Lightspeed Systems Rocket administrator or Web Zone Manager activates the zone.

Creating a Web Zone

The Web Zone View

The Web Zone View page is the management portal for Web Zone Managers. From this page, web zone managers can:

  • Create new Open web zones.
  • Activate or deactivate existing Open or Fixed web zones.
  • Edit the Allow and Block lists for Fixed and Open web zones.
  • Admit and dismiss users from Open web zones.

The Web Zone View page is hosted on the Lightspeed Systems Rocket Appliance. To reach the page, Web Zone managers navigate to http://Server_Name/zones, and then log in with their network credentials.

WebZoneView1

Creating a new open Web Zone

    1. Click Add Web Zone.

WebZoneView2

    2. Enter a meaningful name that students will be able to locate easily from the Join a Web Zone page, and then click Save.

An Open Web Zone is a list of allowed and blocked URLs, created as needed by a Web Zone Manager in the Web Zone View portal (http://Server_Name/zones/). Users can request to join open zones by connecting to http://Server_Name/joinzone/ and searching for active web zones.

Configuring the Web Zone

The next step is to configure the Web Zone Rules.

    • From the Web Zone Rules dashboard, click to select the Web Zone to configure, and then click the Rules button.
    • Enter URLs in the Allowed Sites and Blocked Sites lists, and then click Save Rules.

Note the option to Block all URLs (except for allow list).

Note: Sites in the porn and security categories will always be blocked, even if a Web Zone manager uses “*” to allow all available URLs.

WebZoneView3

Activating a Web Zone

  1. Click the green “start” icon to activate a Web Zone.

When a zone is active, you will see a countdown of the remaining time. To change the remaining time, click the timer to open a dropdown list.

Managing Web Zone Users

    1. Click Users to view and manage web zone memberships. You must approve requests to join and leave an Open Web Zone.

Creating and activating a Fixed Web Zone

A Fixed Web Zone is a list of IP addresses or ranges, and a list of allowed and blocked URLs. Only Lightspeed Systems Rocket administrators can create Fixed Web Zones. Any computer with an IP address within the range of a fixed web zone automatically becomes part of the zone.

Web Zone Managers can activate a fixed Web Zone when they log into the http://Server_Name/zones/ portal. Depending on the permissions you assign, a web zone manager may also be able to temporarily update the list of allowed or blocked URLs in an active fixed Web Zone.
new-fixed-web-zone-form

To create a Fixed Web Zone, navigate to the Web Zones page, and then click New Fixed Web Zone. Click Save to create the zone, edit the URL lists, and enter IP addresses and ranges.

Address Space

You must specify the IP addresses or ranges to which the Fixed Web Zone applies. You can add as many IP addresses or ranges as you need, but you cannot reuse addresses or ranges that are assigned to other fixed web zones.

Enter IP addresses in the following format, and then click Add:

192.168.1.0                  single IP address
192.168.1.0-192.168.1.254    range of IP addresses
192.168.1.0/24               CIDR notation for same range as above

You can enter as many addresses as you need.

Note: Fixed Web Zones take effect only when you activate them. When the activation time limit is reached, the exceptions created by the Web Zone are removed, and the user’s Rule Set will apply.
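An added example, not part of the Rocket software or this manual: a Python pre-check that parses the three address formats listed above and reports entries that would be shared by more than one Fixed Web Zone, which the appliance does not allow. The zone names, addresses and function names are constructed for illustration, and rejecting CIDR entries with host bits set is a choice made here.

```python
import ipaddress

# Constructed sample: planned Fixed Web Zones and their address-space entries.
PLANNED_ZONES = {
    "Lab A": ["192.168.1.0-192.168.1.254"],
    "Lab B": ["192.168.1.255", "192.168.2.0/24"],
    "Library": ["192.168.2.17"],
}


def parse_entry(entry):
    """Return the (first, last) IPv4 addresses covered by one entry.

    Accepts a single IP, a first-last range, or CIDR notation.
    Raises ValueError for anything else.
    """
    text = entry.strip()
    if "/" in text:
        # strict=True rejects host bits such as 192.168.1.5/24 (choice made here).
        net = ipaddress.IPv4Network(text, strict=True)
        return net[0], net[-1]
    if "-" in text:
        first_s, last_s = text.split("-", 1)
        first = ipaddress.IPv4Address(first_s.strip())
        last = ipaddress.IPv4Address(last_s.strip())
        if first > last:
            raise ValueError(f"range start is after range end: {entry!r}")
        return first, last
    addr = ipaddress.IPv4Address(text)
    return addr, addr


def find_conflicts(zones):
    """Return (zone_a, entry_a, zone_b, entry_b) for entries of different
    zones that share at least one address."""
    spans = []
    for zone, entries in zones.items():
        for entry in entries:
            first, last = parse_entry(entry)
            spans.append((first, last, zone, entry))
    spans.sort(key=lambda s: (s[0], s[1]))

    conflicts = []
    for i, (first, last, zone, entry) in enumerate(spans):
        for other_first, _other_last, other_zone, other_entry in spans[i + 1:]:
            if other_first > last:
                break  # sorted by start address: nothing later can overlap
            if other_zone != zone:
                conflicts.append((zone, entry, other_zone, other_entry))
    return conflicts


def zone_for(client_ip, zones):
    """Return the name of the zone whose address space holds client_ip, or None."""
    addr = ipaddress.IPv4Address(client_ip)
    for zone, entries in zones.items():
        for entry in entries:
            first, last = parse_entry(entry)
            if first <= addr <= last:
                return zone
    return None


if __name__ == "__main__":
    for zone_a, entry_a, zone_b, entry_b in find_conflicts(PLANNED_ZONES):
        print(f"{zone_a} ({entry_a}) overlaps {zone_b} ({entry_b})")
    # 192.168.1.0/24 runs through .255, one address past the .0-.254 range,
    # so widening Lab A to the CIDR form would collide with Lab B's .255.
    print(parse_entry("192.168.1.0/24"))
```

Run it against the planned zone list before entering addresses in the dashboard; an empty result means no two zones claim the same address.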

Joining a Web Zone

The Join Web Zone page is the student portal for Web Zone users.

From this page, students can:

  • Search for web zones to join
  • Request to join a web zone
  • Request to leave a web zone

The Join Web Zone page is hosted on the Lightspeed Systems Rocket Appliance. To reach the page, users navigate to http://Server_Name/joinzone, and then search for active Web Zones to join.

JoinWebZone1

A student selects a Web Zone to join, and is then prompted for first and last names, or network login name and password, depending on how the Web Zone is configured.

JoinWebZone2

The Web Zone manager can then approve or ignore the student’s request to join the zone.

When it’s time to leave a web zone, the student sends another request.

JoinWebZone4

Note: Students can only join one Web Zone at a time, and cannot leave a Web Zone until removed by the Web Zone manager (teacher), or the zone is deactivated.

Teacher Guide to Web Zones

Web Zones – Introduction

Web Zones are a powerful tool for balancing IT and educator administration.

Your Internet filtering software from Lightspeed Systems includes the ability to create customized web zones. These web zones are like virtual rooms that teachers create and manage. Students can request to join these web zones by navigating to a web page in their browser. Within these zones any teacher authorized as a web zone administrator can specify rules for what web sites the students can or cannot access. Teachers can even override existing content filter rules.

EXAMPLE: So, let’s say you were teaching a unit on how special effects are produced in movies. You may have five web sites that you would like your fifth graders to use for research, but two of them are blocked by the content filter. Instead of going to your IT staff for help, now you can take matters into your own hands and add the two sites to a web zone. Once a student has joined that web zone, the rules will now be applied to their browsing session.

Open Zones

Open zones are created on the fly. They are called open simply because authorized teachers can create them at any time from anywhere, and students can request access to these zones when the zone is active. This functionality differs from a fixed zone in that fixed zones apply to specific IPs or IP address ranges. If a teacher or student is within one of these IP ranges as set up by the IT staff, the users are automatically placed into that zone and do not have the option to leave.

Once IT has specified you as an authorized web zone administrator, you can manage your open zones by simply opening a web browser and navigating to a local network address provided by your IT staff. Log in using your regular network credentials. To create a new web zone, you’ll first give it a good descriptive name, like “Special Effects in Movies.”

Whenever an open web zone is created the zone is automatically activated as noted by the toggling Active/Inactive button at the top right. Just below, you’ll see we have a user management panel containing lists for pending user requests and joined users. Your students will have access to a web page where they can request to join an active web zone.

Right below the user management panel are the domain rules. From our example, we’d want to add under the Allowed List the two sites that are normally blocked by the content filter. Essentially you are expanding your students’ normal access rights to include these two additional sites. So you don’t have to enter all five sites you want them to use, only those that are normally blocked.

IMPORTANT: Do not include the protocol (http:// or https://) in your domain rules. For this and other rules on proper entry of Allowed & Blocked list entries, see the wiki article Allowed & Blocked list rules.

However, if you want to help your students stay on task, we can enter all five web sites and select the “block all domains except for allowed list” option (under the Block List). This restricts use of the Internet to only the five sites located in the Allowed box.

TIP: You’ll need to communicate the web zone name for students to join it. In addition, if you’ve limited their access to a few sites, you’ll need to provide these web addresses separately because the rules are not displayed for students to see. Perhaps you could include them in the assignment, in favorites/bookmarks, or on your whiteboard.

Joining a Web Zone

Your students will open a web browser and navigate to the “join request” page–your IT staff will provide the URL.

TIP: You may want to bookmark this “join request” page on each computer or have a shortcut on the desktop to assist your students.

From this page students will be asked for first and last name and the name of the web zone you wish for them to join. When the user begins to type in the name of the web zone, all matching and active web zones will be displayed to select from. Once a student has sent the join request, they will not be able to join another zone until the teacher takes action upon that request.

You’ll see here on the zone management page that a request type of “join request” requires your response. Once you allow that student to join the zone, they are admitted; and the browsing rules of the zone are applied to them.

Students wishing to leave the zone for any reason can submit a “leave request” from the page where they first requested to join the zone. The system knows that they are already joined to a zone and prompts them with the appropriate action. Again once the student submits the request to leave the zone, the teacher sees a request type of leave request and can release the student from the zone.

IMPORTANT: Users can be joined to just one web zone at a time. So be sure to accept their leave requests in a timely fashion. Note, you can select all requests at once.

Fixed Web Zones

If your administrator has set up a fixed web zone for a range of IP addresses (e.g., a computer lab), things go a little differently. For instance, students don’t have to request to join or leave a zone since they are accessing the Internet from within that fixed range of IPs. If you log in from within that IP range, you’ll immediately be placed into that zone. The teacher can still manage the domain rules and activate and deactivate the zone when needed.

Note: Proper Allowed & Blocked site entry
Please follow Allowed & Blocked list rules for proper entry of Allowed & Blocked list entries.

Using Web Zones in the Lightspeed Dashboard

Teachers: If you’re using the Lightspeed Dashboard and are SIS integrated, you can create and use Web Zones seamlessly from there!

Reports – Management

Reporting with the Rocket

Your Lightspeed Systems Rocket includes a link to a Reports Gallery. (The exact content of this page will vary depending on which software modules you have installed.)

reports-gallery

Navigating Reports

reports-gallery-options

  • To change the reporting period, open the dropdown menu below the report title to select a standard date range, or select Custom to specify start and end dates for the report.
  • On the Summary reports page, hover the mouse pointer over any segment of the pie chart for more information.
  • Click any column heading to sort it in ascending order, sort in descending order, or hide the column. For many columns you can select Summarize if you have an Advanced Reporting child server in your network. Selecting this option will create a summary report based on your selection.

Report Column Menu

  • Click the export button (export-button) to export any report as a CSV or PDF file.
  • Click the gear button (gear-button) to:
    • Create custom reports from Email, Management, and Web Filter reports and to save, update, or delete custom reports.
    • Save a report as a favorite (add to the left navigation bar) or remove from favorites (remove from the left navigation bar).
    • Create scheduled reports from custom, Email, Management, Summary, and Web filter reports.
  • Click the filter button (filter-button) on any custom, Email, Web Filter, or Management report to filter the list results.
  • Select Show tier data from the dropdown menu to display data for the root, all tiers, or specific user-configured tiers.

Saving and Deleting Report Favorites

To save a report as a favorite (save it to the left sidebar), click the gear button and select Save as favorite. To delete a favorite report (remove it from the left sidebar), click the gear button and select Remove from favorites.

Sort a Report

  • Click any column heading to sort in ascending order. Click again to sort in descending order.
  • Some report types, for example Activity Logs, open a dropdown menu when you click a column heading.
    • Summary – Create a Summary Report based on the selected column
    • Sort ASC – Sort the column in ascending order (A to Z)
    • Sort DESC – Sort the column in descending order (Z to A)

Select Date/Time Range

  • To change the reporting period, open the dropdown menu below the report title to select a standard date range, or select Custom range to specify start and end dates for the report.

Scheduling a Report

Scheduled reports are built-in or custom reports that are emailed to one or more users either daily, or once a week. Scheduled reports are listed under the Scheduled category for easy access.

Selecting Columns

  • Click the gear button [gear] to select columns to view in the current report.

Selecting Filters

Filters allow you to limit the report to include only the information you want to see.

There are two ways to filter reports:

  • Click the Data Options button in the upper right corner to open the Data Options sidebar, then select the items to filter.
  • Click an item in the report grid to include only the selected item (Quick Filter) or add the item to the Data Options pane (Add to filter).

Using Data Options to Filter a Report

  1. If the blue Data Options sidebar is not visible, click the Data Options button in the upper right corner.
  2. Select (check) the checkbox next to one or more items to filter. This action opens a text field or dropdown list below the selected item.
  3. In the text field, type the item to filter, then press [Enter].

Note: By default, the report filters on an exact match for the filtered term. To broaden the search, use the “*” wildcard to include any combination or number of characters. For example, if you search the Activity Log for gmail.com, you probably won’t get any results. If you add a wildcard to the search (*.gmail.com) you will see results for all subdomains of gmail.com, such as www.gmail.com and imap.gmail.com. For more information on using wildcards, please refer to URL Patterns.

Tip: You can add multiple terms to a filter. In the following example, the search filter will include the IP address 10.1.15.124, as well as an IP range using wildcards: 10.2.*.*.

Using Data Options to Filter a Report

Note: To remove an item, click the “x” on the right side of the item.

  4. Click the Apply button to generate a report with your filter options.
  5. Optional. Click Save to save your filtered report as a custom or scheduled report.

Viewing Reports for a Tier

  • Click to select Tiers from the dropdown menu to display data for the Root tier, All Tiers, or favorite (starred) tiers.

r3selectfilters4

Filtering from the Report Grid

Selecting Filters2

You can click directly in the report grid to add the selected data as a filter.

To select items directly from the report, follow these steps:

  • Generate the report.
  • Left-click to select an ite

Viewing Details for a Summary Report

  • On Summary reports, mouse over any segment of the pie chart for more information.

View Details for a Summary Report

Drill Down

Click any item in the first column of the grid and select Drill down to view a custom report filtered by your selection.

r3summaryURL

Exporting Reports

To export any custom, Email, Management, Summary, or Web Filter report as a CSV or PDF file, click the export button and select either Export to CSV or Export to PDF. A popup window similar to the following will be displayed:

exporting-reports

Filtering Reports

Filters allow you to customize the information presented to just what you want to see.

You can filter reports in one of the following ways:

  • Click the filter report button in the upper right-hand corner, which will display the filtering menu.
  • Click the filter by row values button (the gear button in a report row), which will display a pop-up populated with values in that row.

Using the Filter Report Button

If you clicked the filter report button (filter-button) a panel similar to the following will be displayed on the right side of the report’s page.

  • Click the slider (flip to the right) above a field to delete it.
  • Click the slider (flip to the left) above a hidden field to restore it.
  • Enter or select parameters to filter them.

(Note: If you enter a parameter by mistake simply click it to delete it.)

  • Click the Apply button to apply your filter settings.
  • Click the Reset button to clear all filtering parameters.
  • Optional. Click the gear button to save your filtered report as a custom or scheduled report.

Using the Filter by Row Values Button

If you clicked the filter by row value gear button (gear-button) a pop-up similar to the following will be displayed.

filter-by-row-options

To filter the report by a specific value, click its row in the pop-up. For example, if you clicked Device: Mobile Device as shown above the report would be filtered by that value.

Lockouts

What does this report tell me?

The Web Filter module temporarily locks out users who persistently try to visit blocked web sites. Locked out users lose their Internet access until the lockout expires. Use rule sets to configure lockout behavior.

Why should I use this report?

Use this report to audit excessive attempts to access blocked web sites.

lockouts-screenshot

How do I read it?

  • Gear Button – Click this button to filter the report by populated fields in this row. See Filtering Reports for more information.
  • IP Address – The IP address of the locked out machine.
  • User – The logged-in user’s network login name.
  • Computer – This column shows the computer name where the user logged in.
  • Category – The Content Database category assigned to the requested site at the time the user was locked out.
  • Time – This column shows the date and time the user triggered the lockout for too many blocked requests.
  • Expires – The date and time when the lockout will automatically expire.
  • Expire Now – Click the X to reset a user’s lockout and re-enable Internet access.

Note: If the User and Computer columns are blank, the computer at this IP address is not running the User Agent.

The following is the user view of a Lockout:

lockout

Mobile Devices Report

What Does this Report Tell Me?

The Mobile Devices report shows a list of mobile devices that access your network.

Why Should I Use this Report?

Use this report to track usage of mobile devices accessing your network.

mobile-devices

How Do I Read It?

  • Gear Button – Click this button to filter the report by populated fields in this row. See Filtering Reports for more information.
  • Device ID – The device ID (Host ID) of the mobile device.
  • User – The user who registered this mobile device.
  • Auth Source – The authentication source used to register this mobile device.
  • Last Checked In – The date when this mobile device last accessed your network.
  • First Checked In – The date when this mobile device first accessed your network.
  • Action – Click Delete Device to remove this mobile device from your network.

Override Sessions

What does this report tell me?

The Override Sessions report shows a list of users who have temporarily bypassed the content filter by supplying their login credentials on the access page.

Why should I use this report?

Depending on how you have configured rule sets, users can override the filter temporarily to visit blocked sites. Use this report to determine which users are accessing blocked content.

Overrides

How do I read it?

  • Gear Button – Click this button to filter the report by populated fields in this row. See Filtering Reports for more information.
  • IP Address – The IP address of the machine where the override was requested.
  • Username – The username of the logged in person when the override was requested.
  • Computer – The host name of the machine where the override was requested.
  • Time – The date and time when the override occurred.
  • Expires – The date and time when the override will automatically expire.
  • Expire Now – Click the X to reset a user’s override request and block the site.

Note: If the User and Computer columns are blank, the computer at this IP address is not running the User Agent.

Identification History

What does this report tell me?

The Identification History Report shows a historical list of user logins and logouts that the Lightspeed Systems Web Filter module recorded for the specified time interval.

Why should I use this report?

Use this report to track your Users’ logins as they move from computer to computer throughout your network.

identification-history

How do I read it?

  • Gear Button – Click this button to filter the report by populated fields in this row. See Filtering Reports for more information.
  • IP Address – The IP address of the computer where the user logged in. Additional details about this IP address (for example, other devices) will be displayed in the rows below.

The following columns are only populated if the computer is running the Lightspeed Systems User Agent service.

  • User – The logged-in user’s network login name.
  • User DN – The user’s Distinguished Name (DN). The DN uniquely identifies a user on your network.
  • User OU – The user’s Organizational Unit.
  • User Groups – The user’s Active Directory group memberships.
  • Computer – This column shows the computer name where the user logged in.
  • Computer DN – The computer’s Distinguished Name (DN). The DN uniquely identifies a computer on your network.
  • Computer OU – The computer’s Organizational Unit.
  • Action – The user action:
    • Login: The user was authenticated by the User Agent.
    • Logout: The user logged out of the Lightspeed Systems Web Filter module.
    • Authenticated: The user authenticated from the Access Page.
    • Interrogation: The policy server detected traffic from the user’s IP address, and requested user information from the User Agent.
    • Heartbeat: The User Agent sent a periodic notification to verify that the user is still logged in.
  • Auth Source – The directory service that authenticated the user.
  • Time – This column shows the date and time when the Lightspeed Systems Web Filter module discovered the User.
  • Expires – The date and time when the user’s current network login expires.

Note: If the User and Computer columns are blank, the computer at this IP address is not running the User Agent.

Authentication History

What does this report tell me?

The Authentication History report lists users who have logged into the Web Filter module to access web sites. This setting is controlled by the Authentication page in the Web Filter module settings.

Why should I use this report?

Use this report to see which users are logging into the Web Filter module to access the web. You can also manually expire (log out) user sessions.

authentication-history

How do I read it?

Note: A handset icon indicates that the computer is a mobile device.

  • Gear Button – Click this button to filter the report by populated fields in this row. See Filtering Reports for more information.
  • IP Address – The IP Address of the computer where the user logged in. Additional details about this IP address (for example, other devices) will be displayed in the rows below.
  • User – The logged-in user’s network login name.
  • Device – The name of the device.
  • Auth Source – The directory service that authenticated the user.
  • Auth Type – The method used to authenticate this user.
  • Time – This column shows the date and time when the Lightspeed Systems Web Filter module discovered the User.
  • Expires – When the authentication for the user will expire. If available, hover the mouse over the date and click the X to log the user out of the Web Filter module.

Note: If the User and Computer columns are blank, the computer at this IP address is not running the User Agent.

Blocked for Review

What does this report tell me?

The Blocked for Review Report displays a list of blocked web sites where the user requests that you review the URL or domain to make sure the site is correctly categorized.

Why should I use this report?

Depending on how you have configured rule sets, users can submit blocked sites for review by an administrator. Occasionally, the Lightspeed Systems Web Filter module may include a site in a category that is ordinarily blocked, for example, Adult or Security. Use this report to view content that your users believe to be over-blocked. The report has links to allow you to add the site to a local category such as “local-allow”.

blocked-for-review

How do I read it?

  • Gear Button – Click this button to filter the report by populated fields in this row. See Filtering Reports for more information.
  • IP Address – The IP Address of the user requesting the review.
  • URL – The URL of the blocked site. Click the URL to review the content in a new browser window.
  • Email – The email address of the user requesting the review.
  • Reason – Users can enter a brief message to explain why they feel a site should be recategorized.
  • Category – The Content Database category assigned to the site at the time it was blocked.
  • Recategorize – Click to open the Categorized Sites page, where you can add the site to a local category.
  • Time – The date and time when the review request originated.

Reports – Top Traffic

Top Traffic by Protocol

What does this report tell me?

The Top Traffic by Protocol Report summarizes web traffic by TCP/UDP port number.

Why should I use this report?

Use this report to audit your network traffic by TCP/UDP port number. Unusual traffic on common port numbers such as SMTP (25) and FTP (20 and 21), or on random unreserved port numbers can indicate malware, unauthorized servers, or access to proxies. Note that many client/server applications also use various unreserved ports for legitimate communication.

How do I read it?

top-traffic-by-protocol

The report shows a pie chart depicting TCP/UDP protocols followed by a tabular list of the top protocols sorted by total incoming and outgoing megabytes.

  • Protocol – This column shows the TCP/UDP port number that generated the traffic. For commonly-used protocols such as HTTP, HTTPS, and SMTP, the protocol name is listed next to the port number.
  • Sessions – The number of sessions opened between the Internal IP and the External IP. Session count helps to identify the type of traffic. For example, streaming media often opens a single session but transfers a large amount of data, whereas web browsing opens many sessions with relatively small amounts of data.
  • Incoming (MB) – This column shows the total inbound traffic in megabytes for each protocol.
  • Outgoing (MB) – This column shows the total outbound traffic in megabytes for each protocol.
  • Total (MB) – This column shows the sum of the incoming and outgoing traffic in megabytes for each protocol.

Top Traffic by User

What does this report tell me?

The Top Traffic by User Report summarizes web traffic by users.

Note:

The Top Traffic by User Report is only available with an Advanced Reporting Rocket Appliance.

Why should I use this report?

Use this report to audit your network traffic by user account. Unusual traffic by users can indicate unauthorized or inappropriate web activity.

How do I read it?

top-traffic-by-user

The report shows a pie chart depicting traffic by users followed by a tabular list of the top users sorted by total incoming and outgoing megabytes.

  • IP Address – This column shows the IP address of the user that generated the traffic.
  • User – The user’s login name.
  • Incoming (MB) – This column shows the total inbound traffic in megabytes for each user.
  • Outgoing (MB) – This column shows the total outbound traffic in megabytes for each user.
  • Total (MB) – This column shows the sum of the incoming and outgoing traffic in megabytes for each user.

Top Traffic by Internal IP

What does this report tell me?

The Top Traffic by Internal IP Report provides a summary of IP traffic for the users and computers on your network, along with the number of bytes transferred in and out.

Why should I use this report?

Use this report to audit the busiest Internet users on your network.

How do I read it?

top-traffic-by-internal-ip

The report shows a pie chart depicting internal IP addresses followed by a tabular list of IP addresses sorted by total incoming and outgoing megabytes.

  • IP Address – This column shows the IP address of the computer that visited the sites.
  • Sessions – Session count helps to identify the type of traffic. For example, streaming media often opens a single session but transfers a large amount of data, whereas web browsing opens many sessions with relatively small amounts of data.
  • Incoming (MB) – This column shows the total inbound traffic in megabytes for each IP address.
  • Outgoing (MB) – This column shows the total outbound traffic in megabytes for each IP address.
  • Total (MB) – This column shows the sum of the incoming and outgoing traffic in megabytes for each IP address.

Top Traffic by Domain

What does this report tell me?

The Top Traffic by Domain Report provides a list of external URLs/domains visited by users on your network and the number of times users visited each domain.

Why should I use this report?

Use this report to audit the Internet sites that your users visit most.

How do I read it?

top-traffic-by-domain

The report shows a pie chart depicting content domains followed by a tabular list of the top domains sorted by total incoming and outgoing megabytes.

  • Domain – This column shows the domain visited.
  • Requests – This column shows the number of times users attempted to visit sites in each domain.
  • Incoming (MB) – This column shows the total inbound traffic in megabytes for each domain.
  • Outgoing (MB) – This column shows the total outbound traffic in megabytes for each domain.
  • Total (MB) – This column shows the sum of the incoming and outgoing traffic in megabytes for each domain.

Top Traffic by External IP

What does this report tell me?

The Top Traffic by External IP Report provides a count of external URLs/domains visited by each user on your network, along with the number of bytes transferred in and out.

Why should I use this report?

Use this report to audit the busiest Internet users on your network.

How do I read it?

summary_traffic-by-external-ip

The report shows a pie chart depicting external IP addresses followed by a tabular list of IP addresses sorted by total incoming and outgoing megabytes.

  • IP Address – This column shows the IP address of the visited site.
  • Sessions – Session count helps to identify the type of traffic. For example, streaming media often opens a single session but transfers a large amount of data, whereas web browsing opens many sessions with relatively small amounts of data.
  • Incoming (MB) – This column shows the total inbound traffic in megabytes for each external IP address.
  • Outgoing (MB) – This column shows the total outbound traffic in megabytes for each external IP address.
  • Total (MB) – This column shows the sum of the incoming and outgoing traffic in megabytes for each external IP address.

Top Traffic by Category

What does this report tell me?

The Top Traffic by Category Report summarizes web site visits by content category.

Why should I use this report?

Use this report to discover the categories your users visit most often.

How do I read it?

top-traffic-by-category

The report shows a pie chart depicting content categories followed by a tabular list of the top categories sorted by total incoming and outgoing megabytes.

  • Category – This column shows the Content Filter Category.
  • Requests – This column shows the number of times users attempted to visit sites in each category.
  • Incoming (MB) – This column shows the total inbound traffic in megabytes for each category visited.
  • Outgoing (MB) – This column shows the total outbound traffic in megabytes for each category visited.
  • Total (MB) – This column shows the sum of the incoming and outgoing traffic in megabytes for each category visited.

Reports – Top Categories

Top Blocked URLs

What does this report tell me?

The Top Blocked URLs Report displays a list of blocked web pages, the content filter category, and the number of attempts made to each blocked site.

Why should I use this report?

Use this report to audit the most popular blocked web sites, the content filter category, and the number of attempts made to each blocked site.

How do I read it?

top-blocked-urls

The report shows a pie chart depicting blocked URLs followed by a tabular list of the top blocked URLs sorted by number of attempts.

  • URL – This column shows the specific URL that was blocked. Click the URL to review the content in a new browser window.
  • Category – This column shows the Content Filter Category of the blocked URL.
  • Blocks – This column shows the number of times users attempted to reach the blocked content.

Top Search Queries

What does this report tell me?

The Top Search Queries Report displays a list of all Search Queries ranked by frequency.

Why should I use this report?

Use this report to audit what users are searching for on the Internet.

How do I read it?

top-search-queries

The report shows a pie chart depicting search queries followed by a tabular list of the top queries sorted by number of searches.

  • Search Query – This column shows the word or phrase of the Search Query. Click Search Query to view a list of Users who made the specified Search Query.
  • Searches – This column shows the number of times your users searched for the word or phrase in the Search Query.

Top Blocked Domains

What does this report tell me?

The Top Blocked Domains report displays a list of blocked domains, the content filter category, and the number of attempts made to each blocked site.

Why should I use this report?

Use this report to audit the most popular blocked domains and the users attempting to go to these sites.

How do I read it?

top-blocked-domains

The report shows a pie chart depicting blocked domains followed by a tabular list of the top blocked domains sorted by number of attempts.

  • Domain – This column shows the specific domain that was blocked.
  • Category – This column shows the Content Filter Category of the blocked URL.
  • Blocks – This column shows the number of times users attempted to reach the blocked content.

Top Blocked Categories

What does this report tell me?

The Top Blocked Categories Report summarizes the blocked content attempts by category.

Why should I use this report?

Use this report to discover the categories most often blocked by the Lightspeed Systems Web Filter module.

How do I read it?

top-blocked-categories

The report shows a pie chart depicting blocked content categories followed by a tabular list of the top blocked categories sorted by number of attempts.

  • Category – This column shows the Content Filter Category.
  • Blocks – This column shows the number of unsuccessful attempts to reach content for the listed category.

Reports – Top Traffic

Traffic by User & Internal IP

What does this report tell me?

The Traffic by User report displays web traffic by users.

Why should I use this report?

Use this report to audit your network traffic by user and internal IP address. Unusual traffic by users can indicate unauthorized or inappropriate web activity.

How do I read it?

trafficbyuser&intip

  • Gear Button – Click this button to filter the report by populated fields in this row. See Filtering Reports for more information.
  • User – The user’s login name.
  • IP Address – This column shows the IP address of the user that generated the traffic.
  • Incoming (MB) – This column shows the total inbound traffic in megabytes for each user.
  • Outgoing (MB) – This column shows the total outbound traffic in megabytes for each user.
  • Total (MB) – This column shows the sum of the incoming and outgoing traffic in megabytes for each user.

Traffic by Category

What does this report tell me?

The Traffic By Category Report summarizes traffic by Lightspeed Systems Content Database categories and acts as a complement to the Top Traffic by Category Report.

Why should I use this report?

Use this report to discover the categories your users visit most often.

How do I read it?

Traffic By Category Report

  • Gear Button – Click this button to filter the report by populated fields in this row. See Filtering Reports for more information.
  • Category – This column shows the Content Filter Category. If you click a category it will open up the Traffic By Domain Report filtered by category.
  • Requests – This column shows the number of times users attempted to visit sites in each category.
  • Incoming (MB) – This column shows the total inbound traffic in megabytes for each category visited.
  • Outgoing (MB) – This column shows the total outbound traffic in megabytes for each category visited.
  • Total (MB) – This column shows the sum of the incoming and outgoing traffic in megabytes for each category visited.

Traffic by Internal IP and Protocol

What does this report tell me?

The Traffic by Internal IP & Protocol Report shows all the IP addresses on the network that have generated Internet traffic along with web traffic by TCP/UDP port number.

Why should I use this report?

Use this report to see who is generating what sort of traffic on your network.

How do I read it?

web-filter_traffic-by-internal-ip-and-protocol

  • Gear Button – Click this button to filter the report by populated fields in this row. See Filtering Reports for more information.
  • IP Address – This column shows the IP address of the computer that visited the sites.
  • Protocol – This column shows the TCP/UDP port number that generated the traffic. For commonly-used protocols such as HTTP, HTTPS, and SMTP, the protocol name is listed next to the port number.
  • Sessions – The number of sessions opened between the Internal IP and the External IP. Session count helps to identify the type of traffic. For example, streaming media often opens a single session but transfers a large amount of data, whereas web browsing opens many sessions with relatively small amounts of data.
  • Incoming (MB) – This column shows the total inbound traffic in megabytes for each IP address and protocol.
  • Outgoing (MB) – This column shows the total outbound traffic in megabytes for each IP address and protocol.
  • Total (MB) – This column shows the sum of the incoming and outgoing traffic in megabytes for each IP address and protocol.

Traffic by User

What does this report tell me?

The Traffic by User report displays web traffic by users.

Why should I use this report?

Use this report to audit your network traffic by user. Unusual traffic by users can indicate unauthorized or inappropriate web activity.

How do I read it?

traffic-by-user-report

  • Gear Button – Click this button to filter the report by populated fields in this row. See Filtering Reports for more information.
  • IP Address – This column shows the IP address of the user that generated the traffic.
  • User – The user’s login name.
  • Incoming (MB) – This column shows the total inbound traffic in megabytes for each user.
  • Outgoing (MB) – This column shows the total outbound traffic in megabytes for each user.
  • Total (MB) – This column shows the sum of the incoming and outgoing traffic in megabytes for each user.

Traffic by Protocol

What does this report tell me?

The Traffic by Protocol Report summarizes web traffic by TCP/UDP port number.

Why should I use this report?

Use this report to audit your network traffic by TCP/UDP port number. Unusual traffic on common port numbers such as SMTP (25) and FTP (20 and 21), or on unreserved port numbers can indicate malware, unauthorized servers, or access to proxies. Note that many client/server applications also use various unreserved ports for legitimate communication.

How do I read it?

traffic-by-protocol

  • Gear Button – Click this button to filter the report by populated fields in this row. See Filtering Reports for more information.
  • Protocol – This column shows the TCP/UDP port number that generated the traffic. For commonly-used protocols such as HTTP, HTTPS, and SMTP, the protocol name is listed next to the port number.
  • Sessions – The number of sessions opened between the Internal IP and the External IP. Session count helps to identify the type of traffic. For example, streaming media often opens a single session but transfers a large amount of data, whereas web browsing opens many sessions with relatively small amounts of data.
  • Incoming (MB) – This column shows the total inbound traffic in megabytes for each protocol.
  • Outgoing (MB) – This column shows the total outbound traffic in megabytes for each protocol.
  • Total (MB) – This column shows the sum of the incoming and outgoing traffic in megabytes for each protocol.
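
The following is an added example, not part of the product or its documentation: one way to apply the port-auditing guidance above to a CSV export that carries the columns of the Traffic by Internal IP and Protocol report. The CSV layout, the "port number then name" form of the Protocol field, the addresses, and the policy values are all assumptions constructed for illustration.

```python
import csv
import io
import re
from typing import List, NamedTuple, Optional

# Constructed sample. Column names follow the report description in this
# manual; the layout of a real CSV export is an assumption.
SAMPLE_CSV = """IP Address,Protocol,Sessions,Incoming (MB),Outgoing (MB),Total (MB)
10.0.0.5,25 SMTP,40,1.2,35.0,36.2
10.0.0.21,443 HTTPS,950,120.5,14.1,134.6
10.0.0.37,25 SMTP,3100,0.9,210.4,211.3
10.0.0.37,80 HTTP,400,55.0,6.0,61.0
10.0.0.44,21 FTP,2,0.1,840.0,840.1
10.0.0.52,8443,6,310.0,295.0,605.0
10.0.0.60,53 DNS,1200,0.8,0.6,1.4
10.0.0.73,6667,1,0.0,0.2,0.2
"""

# Hypothetical site policy. Well-known service ports that only named hosts
# may use: SMTP from the mail relay only, no FTP from anywhere.
RESTRICTED = {25: {"10.0.0.5"}, 20: set(), 21: set()}
# Ports any workstation is expected to use. Legitimate client/server
# applications on unreserved ports belong here once they are confirmed.
EXPECTED_PORTS = {53, 80, 123, 443}
# Few sessions moving a lot of data looks like bulk transfer or streaming,
# not browsing (the Sessions column heuristic from the manual).
BULK_MB_PER_SESSION = 50.0


class Finding(NamedTuple):
    ip: str
    port: Optional[int]
    reason: str
    total_mb: float
    bulk: bool


def parse_port(field: str) -> Optional[int]:
    """Return the leading port number of a Protocol cell, or None."""
    match = re.match(r"\s*(\d{1,5})\b", field)
    if not match:
        return None
    port = int(match.group(1))
    return port if 0 < port <= 65535 else None


def audit(csv_text: str) -> List[Finding]:
    """Flag rows that break the port policy, largest volume first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ip = row["IP Address"].strip()
        port = parse_port(row["Protocol"])
        sessions = int(row["Sessions"])
        total = float(row["Total (MB)"])
        # Guard against zero sessions before computing volume per session.
        bulk = sessions > 0 and total / sessions >= BULK_MB_PER_SESSION
        if port is None:
            reason = "unparsed-protocol"      # never drop a row silently
        elif port in RESTRICTED:
            if ip in RESTRICTED[port]:
                continue                      # the authorized server
            reason = "unauthorized-service"   # e.g. a workstation sending SMTP
        elif port in EXPECTED_PORTS:
            continue
        else:
            reason = "unexpected-port"        # review, then allow or block
        findings.append(Finding(ip, port, reason, total, bulk))
    return sorted(findings, key=lambda f: f.total_mb, reverse=True)


if __name__ == "__main__":
    for f in audit(SAMPLE_CSV):
        shape = "bulk transfer" if f.bulk else "many small sessions"
        print(f"{f.ip:<12} port {f.port!s:<6} {f.reason:<21} "
              f"{f.total_mb:>8.1f} MB  ({shape})")
```

Findings are a triage list, not a verdict: confirm each host and port against known applications before adding the port to the expected set or blocking it.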

Traffic by Internal and External IP and Protocol

What does this report tell me?

The Traffic by Internal IP & External IP & Protocol Report shows all the IP addresses on the network that have generated Internet traffic along with web traffic by TCP/UDP port number.

Why should I use this report?

Use this report to see who is generating traffic on your network.

How do I read it?

traffic-by-internal-ip-external-ip-and-protocol

  • Gear Button – Click this button to filter the report by populated fields in this row. See Filtering Reports for more information.
  • Internal IP – This column shows the IP address of the computer where the user logged-in.
  • External IP – This is the destination IP address of the requested site.
  • Protocol – This column shows the TCP/UDP port number that generated the traffic. For commonly-used protocols such as HTTP, HTTPS, and SMTP, the protocol name is listed next to the port number.
  • Sessions – The number of sessions opened between the Internal IP and the External IP. Session count helps to identify the type of traffic. For example, streaming media often opens a single session but transfers a large amount of data, whereas web browsing opens many sessions with relatively small amounts of data.
  • Incoming (MB) – This column shows the total inbound traffic in megabytes for each combination of internal IP, external IP, and protocol.
  • Outgoing (MB) – This column shows the total outbound traffic in megabytes for each combination of internal IP, external IP, and protocol.
  • Total (MB) – This column shows the sum of the incoming and outgoing traffic in megabytes for each combination of internal IP, external IP, and protocol.

Traffic by Internal and External IP

What does this report tell me?

The Traffic by Internal & External IP Report shows all the IP Addresses on the network that have generated Internet traffic along with a quick summary of their network statistics.

Why should I use this report?

Use this report to see who is generating traffic on your network.

How do I read it?

traffic-by-internal-ip-and-external-ip

  • Gear Button – Click this button to filter the report by populated fields in this row. See Filtering Reports for more information.
  • Internal IP – This column shows the IP address of the computer where the user logged-in.
  • External IP – This is the destination IP address of the requested site.
  • Sessions – The number of sessions opened between the Internal IP and the External IP. Session count helps to identify the type of traffic. For example, streaming media often opens a single session but transfers a large amount of data, whereas web browsing opens many sessions with relatively small amounts of data.
  • Incoming (MB) – This column shows the total inbound traffic in megabytes for each pair of internal and external IP addresses.
  • Outgoing (MB) – This column shows the total outbound traffic in megabytes for each pair of internal and external IP addresses.
  • Total (MB) – This column shows the sum of the incoming and outgoing traffic in megabytes for each pair of internal and external IP addresses.

Traffic by Internal IP

What does this report tell me?

The Traffic by Internal IP Report shows all the IP Addresses on the network that have generated Internet traffic along with a quick summary of their network statistics.

Why should I use this report?

Use this report to see who is generating traffic on your network.

How do I read it?

traffic-by-internal-ip

  • Gear Button – Click this button to filter the report by populated fields in this row. See Filtering Reports for more information.
  • IP Address – This column shows the IP address of the computer that visited the sites.
  • Sessions – The number of sessions opened between the Internal IP and the External IP. Session count helps to identify the type of traffic. For example, streaming media often opens a single session but transfers a large amount of data, whereas web browsing opens many sessions with relatively small amounts of data.
  • Incoming (MB) – This column shows the total inbound traffic in megabytes for each IP address.
  • Outgoing (MB) – This column shows the total outbound traffic in megabytes for each IP address.
  • Total (MB) – This column shows the sum of the incoming and outgoing traffic in megabytes for each IP address.

Traffic by Domain

What does this report tell me?

The Traffic by Domain report provides a list of domains and the amount of incoming and outgoing Internet traffic generated by each computer on your network.

Why should I use this report?

Use this report as a quick audit for the external sources and destinations of Internet traffic for your network.

How do I read it?

traffic-by-domain

  • Gear Button – Click this button to filter the report by populated fields in this row. See Filtering Reports for more information.
  • Domain – This column shows the domain visited. Click the domain name to visit it.
  • Requests – This column shows the number of times users attempted to visit sites in each domain.
  • Incoming (MB) – This column shows the total inbound traffic in megabytes for each domain.
  • Outgoing (MB) – This column shows the total outbound traffic in megabytes for each domain.
  • Total (MB) – This column shows the sum of the incoming and outgoing traffic in megabytes for each domain.

Traffic by External IP

What does this report tell me?

The Traffic by External IP Report shows all the destination IP addresses on the network that have generated Internet traffic along with a quick summary of their network statistics.

Why should I use this report?

Use this report to see who is generating traffic on your network.

How do I read it?

web-filter_traffic-by-external-ip

  • Gear Button – Click this button to filter the report by populated fields in this row. See Filtering Reports for more information.
  • IP Address – This column shows the IP address of the visited site.
  • Sessions – The number of sessions opened between the computer or user and the External IP. Session count helps to identify the type of traffic. For example, streaming media often opens a single session but transfers a large amount of data, whereas web browsing opens many sessions with relatively small amounts of data.
  • Incoming (MB) – This column shows the total inbound traffic in megabytes for each external IP address.
  • Outgoing (MB) – This column shows the total outbound traffic in megabytes for each external IP address.
  • Total (MB) – This column shows the sum of the incoming and outgoing traffic in megabytes for each external IP address.

Suspicious Search Queries

What does this report tell me?

The Suspicious Search Queries Report provides a detailed list of Users and suspicious or inappropriate Search Queries.

Why should I use this report?

Use this report as a quick audit for potentially inappropriate Search Query activity.

How do I read it?

suspicious-search-queries

  • Gear Button – Click this button to filter the report by populated fields in this row. See Filtering Reports for more information.
  • IP Address – This column shows the IP address of the computer where the Search Query originated. Click IP address to view a set of detailed reports specific to that IP address.
  • User – This column shows the logged-in User name. Click User to view a set of detailed reports specific to that User.
  • Computer – This column shows the Computer name where the Search Query originated. Click Computer to view a set of detailed reports specific to that Computer.
  • Search Query – This column shows the suspicious word or phrase in the Search Query.
  • Domain – This column shows the search engine used to make the Search Query.
  • Category – The Content Database category assigned to the domain at the time of the query.
  • Time – This column shows the time the User made the suspicious Search Query.

Note: If the User and Computer columns are blank, the computer at this IP address is not running the User Agent.

Reports – Other

Search Queries

What does this report tell me?

The Search Queries Report provides a detailed list of Users and what they searched for on the Internet.

Why should I use this report?

Use this report to audit User search activity and discover potentially inappropriate Internet usage.

How do I read it?

search_queries

  • Gear Button – Click this button to filter the report by populated fields in this row. See Filtering Reports for more information.
  • Question Mark – A blue question mark indicates that the search query is suspicious.

Note: You can filter this report to show only suspicious search queries or no suspicious queries. See Suspicious Search Queries for more information.

  • IP Address – The IP Address of the computer where the user logged in.
  • User – The logged-in user’s network login name.
  • User OU – The logged-in user’s OU.
  • User Groups – The logged-in user’s groups.
  • Device – This column shows the device name where the user logged in.
  • Search Query – This column shows the word or phrase in the Search Query.
  • Domain – This column shows the search engine used to make the Search Query.
  • Category – The Content Database category assigned to the site at the time it was blocked.
  • Action – Shows whether the query was allowed or blocked.
  • Rule Set – The Rule Set assigned to the user.
  • Time – This column shows the date and time the User made the Search Query.

Note:
If the User and Computer columns are blank, the computer at this IP address is not running the User Agent.

Report Queue

If there are reports in the queue and you are on the Reports Gallery page, a button showing the number of reports in the queue will be added to the page, as shown below:

reports-multiple-reports-in-queue

To display the reports queue report, click the reports in the queue button. The following page will be displayed:

reports-queue-multiple

What does this report tell me?

This report displays which report is currently being generated and which reports are in the queue.

Why should I use this report?

Use this report to monitor the status of reports in the queue.

How do I read it?

The report shows a tabular list of the reports in the queue.

  • Report – This column shows the name of the report in the queue.
  • User – This column shows the user who started this report.
  • Status – This column shows the current status of the report.
  • Action – If this report is queued you can click Cancel Report to cancel it.
  • Created – This column shows the date and time when this report was created.
  • When a report is completed it will be deleted from the table.

If you click a link to leave the current page while a report is in the queue or being generated, a popup window will be displayed asking whether you want to leave the page.

reports-leave-page-popup

Custom Reports

You can create custom reports from Email, Management, Web Filter, and existing custom reports. Custom reports are automatically added to the Custom Reports section in the Reports Gallery for easy access.

custom-reports-section

Creating Custom Reports

To create a custom report, follow the steps below.

  • 1. Click the report you want to modify in the Reports Gallery.
  • 2. Click the filter button to display the filtering pane.
  • 3. Hide columns, display columns, and enter filtering parameters as needed.

Note

See Filtering Reports for more information.

  • 4. Click the Apply button.
  • 5. Click the gear button.
  • 6. Select Save as Custom Report.

Note

You can also save a custom report as a scheduled report. See Scheduled Reports for more information.

Updating Custom Reports

To update a custom report, follow the steps below:

  • 1. If you are not currently viewing the report, select it.
  • 2. Click the gear button.
  • 3. Select Update Custom Report. A popup window similar to the following will be displayed:

update-custom-reports

  • 4. If necessary, enter a new name in the Name field.
  • 5. Click Save.

Deleting Custom Reports

To delete a custom report follow the steps below:

  • 1. Click the gear button.
  • 2. Select Delete Custom Report. A confirmation popup window will be displayed.
  • 3. Click OK.

Scheduled Reports

You can schedule any report and have it emailed as a CSV or PDF file on a daily or weekly basis. Scheduled reports are automatically added to the Scheduled Reports section in the Reports Gallery for easy access.

scheduled-reports

Note:

Tier administrators can only view and delete reports for their tier.

Creating a Scheduled Report

Follow the steps below to create a scheduled report.

  • 1. Create a new or select an existing report in the Reports Gallery.
  • 2. Click the gear button.
  • 3. Select Save as Scheduled Report. A popup window similar to the following will be displayed.

save-scheduled-report

  • 4. Optional. Edit the name of the scheduled report in the Name field.
  • 5. Enter one or more email addresses in the Emails field. Multiple addresses must be separated by commas.
  • 6. Click the Daily Report or Weekly Report radio button. If you are creating a weekly report select the day of the week you want the report delivered from the dropdown list.

Note

Scheduled reports are limited to 10,000 rows. Therefore, you might want to consider a daily report instead of a weekly report if your report is lengthy. Or, you can use filtering to reduce the size of your report.

  • 7. Select CSV or PDF in the Export Format dropdown list.
  • 8. Click Save.

Your scheduled report will be added to the Scheduled Reports section of the Reports Gallery.

Viewing and Editing Scheduled Report Details

You can view and edit a scheduled report by clicking its name in the Reports Gallery. Click Save to save any changes you make.

view-edit_scheduled-reports

  • Name – The name of the report, which can be edited.
  • Emails – The destination email addresses for the report, which can be edited.

Note

Separate multiple email addresses with commas.

  • Sent – How often (daily or weekly) the report is sent.
  • for tier – The tier that this report covers.

Note

This field will not be displayed if the report covers all tiers.

  • Format – The file format of the report, which can be CSV or PDF.
  • Search Params – The search parameters for this report.

Deleting Scheduled Reports

To delete a scheduled report, follow the steps below:

  • 1. Click the report’s Delete Scheduled Report button. A confirmation popup window will be displayed.
  • 2. Click OK.

Summary Reports

If you have an Advanced Reporting child server in your network you can create summary report versions of custom, Email, Management, and Web Filter reports that consolidate activity in both graphical and tabular format. To create a summary report follow the steps below.

  • 1. Select the custom, Email, Management, or Web Filter report you want to summarize.
  • 2. Click the filter report button in the upper right-hand corner, which will open the filter report pane.
  • 3. In the filter pane scroll down to Summarize and then select the report column to summarize the report by from the dropdown list.

summarize-report-dropdown

  • 4. Click Apply.

The following is an example of the Web Activity report summarized by IP address.

summary-report-sample

Tip

You can save these reports as custom reports, schedule these reports, and export these reports. See Custom Reports, Scheduled Reports, and Exporting Reports for more information.

Spam Filter Rule Sets

Spam Filter Rule Sets are lists of actions that control how emails are filtered. The Rocket Spam Filter module comes with two built-in rule sets:

  • Allow Spam – Emails matching this rule set are allowed
  • Block Spam – Emails matching this rule set are blocked

Creating a Spam Filter Rule Set

  • 1. Open the Policies menu in the left sidebar, then click Rule Sets.
  • 2. Click the green “+” icon. This action opens the following page:

r3-00751

  • 3. Enter a meaningful name.
  • 4. Enter a brief description.
  • 5. Choose a Rule Set from the Copy Rule Set dropdown list.
  • 6. Click Save.

Note that Spam Filter Rule Sets are not active until you assign them. Use the Spam Filter Assignments page to see a list of policy assignments, change policy assignments, or add new policy assignments.

Deleting a Spam Filter Rule Set

To delete a Spam Filter rule set, mouse over the entry you wish to remove, then click the X on the right side of the row.

Editing a Rule Set

  • From the Spam Filter Policy Management page, click Rule Sets.
  • Click the name of the rule set you want to edit.
  • You can edit the parameters described in the sections below. (Click Save to save any changes you make.)

Filtering

Select (check) any of the following to set what filtering techniques this Spam Filter rule should follow.

  • Block email determined to be spam – Select (check) this field to block email determined to be spam.
  • Block email having adult subjects – Select (check) this field to block email with adult subjects.
  • Filter email using email patterns – Select (check) this field to filter email with email patterns. See Spam Filter Email Patterns for more information.

Spam Summary

Select (check) any of the following to configure nightly emails with a summary of emails received that day.

  • Send spam summary email – Select (check) this field to send nightly emails with a summary of emails received that day.
  • Include email that was not blocked – Select (check) this field to list email that was not blocked in the nightly spam summary emails.
  • Include email blocked by an adult subject – Select (check) this field to list email that was blocked for containing an adult subject in the nightly spam summary emails.
  • Include email blocked by an email pattern – Select (check) this field to list email blocked by an email pattern in the nightly spam summary emails. See Spam Filter Email Patterns for more information.
  • Include email blocked by a user rule – Select (check) this field to list email that was blocked by a user rule in the nightly spam summary emails. See Spam Filter Rules for more information.
  • Include email blocked by a DNS block list – Select (check) this field to list email that was blocked by a DNS block list in the nightly spam summary emails. See Spam Filter General for information about creating a DNS block list.
  • Include email blocked by virus detection – Select (check) this field to list email that was blocked due to virus detection in the nightly spam summary emails.

Category Options

You can set options for each content category, as well as for local categories.

  • Allow/Block – Select (check) to allow access for each content category.

Once you have created Rule Sets, you are ready to Assign them.

Support Tools

General

The Support Tools page provides information about your Rocket configuration that can help administrators and Lightspeed support staff diagnose and resolve issues with your Rocket appliance.

Click the Support Tools button in the top left area of the Rocket dashboard to open the Support Tools page. Note that this button is only visible to “root” level administrators and Lightspeed staff.

Connectivity

This page opens when you navigate to Support Tools and click Connectivity in the left sidebar.

In order for your Rocket appliance to function correctly, it must be able to connect to Lightspeed servers over the Internet. The Connectivity page reports on current connection status to these servers.

What’s on this page?

This page shows the results of the connectivity test between your Rocket appliance and the following Lightspeed servers:

  • Lightspeed Content Database — required for content filtering
  • Lightspeed Update Server — required for Rocket software maintenance
  • Licensing — required for product license verification

What does it tell me?

The Connectivity Test page can help you verify that your Rocket is able to connect to the Internet so it can filter web requests. If the Rocket is unable to connect with these servers, this indicates that one or more of the following issues is preventing communication:

  • Communication is being blocked by your firewall
  • The DNS server is configured incorrectly
  • The Rocket’s network interfaces are configured incorrectly

When should I use it?

If your Rocket is not filtering web traffic, use the Connectivity Test to verify that its connection to the Internet is not being blocked. Here are some examples of connection errors you may encounter:

  • 1. The firewall is blocking outbound communication on a port required by the Rocket (in this case, SSH port 1999):

blockedatfirewall

  • 2. DNS error. The DNS server the Rocket is using does not have any record for the domain name (ddb.lsfilter.com) the client is looking up.

dnserror

  • Connection refused. The requested host is not resolving to the correct IP address, or the request is being redirected to a different server, which is refusing the connection.
  • Connection timed out. The Rocket was unable to connect to the requested host because the host did not respond in time to acknowledge the request.

refused

If the Connectivity Test results indicate that the Rocket is communicating with the Lightspeed servers but is still not filtering web traffic, please follow the steps in this Knowledgebase article to resolve the issue.

Dashboard

What’s on this page?

The Dashboard page shows the general health and configuration of your Rocket hardware and software. The information on this page is for reference only, and cannot be modified.

What does it tell me?

  • Rocket software version, uptime, and current date, time, and time zone
  • Hardware configuration for your Rocket
  • Downloadable core dumps generated by the system in the event of a software failure.

When should I use it?

The Support Tools Dashboard provides information that can be useful when troubleshooting Rocket issues with Lightspeed technical support.

Software

  • System Time – The current year, month, day, hour, minutes, seconds, and time zone. Incorrect time and date settings can cause scheduled rule sets to be applied inconsistently. To modify the system time settings, click Administration in the top right corner of the page, then click Localization.
  • Uptime – The number of days, hours, minutes, and seconds since the last time the Rocket was restarted.
  • Version – The software version number currently installed on your Lightspeed Rocket Appliance. To update the software version, or to control how your Rocket applies automatic updates, click Administration in the top right corner of the page, then click Software Updates. For an explanation of major and minor software version numbers, see What Do Release Numbers Mean?

Hardware

  • Hardware Platform – The model number for your Rocket appliance is shown here. The Rocket Appliance is available in a variety of hardware platforms to meet differing requirements.
  • CPU – The make and model of the processor, including processor speed and number of cores (if applicable) installed on this Rocket.
  • RAM – The total amount of memory (RAM) on the Rocket, in gigabytes. To see the amount of memory in use, click Processes in the left navigation bar.
  • Network – The Rocket is equipped with two or more Network Interface Cards (NIC), each with its own configuration for speed, duplex, and IP address / subnet mask. To modify the settings for each NIC, click Administration in the top right corner of the page, then click Network Interfaces.
    • Interface – The interface number, starting at 0 (zero).
    • Auto-select – Indicates whether the interface is currently configured to negotiate speed and duplex settings automatically (true), or is configured manually (false).
    • Speed – The current maximum transfer speed in megabits / second for the port.
    • Duplex – The current duplex mode of the port: half, or full.
    • MAC Address – Each NIC has a unique MAC address that identifies it on the network. This field reports the MAC address for each NIC installed in the Rocket.
    • IP Address – Each NIC can have its own IP address. This field reports the IPv4 address configured for the NIC.
    • Subnet Mask – Each NIC can be configured to communicate on a defined subnetwork. This field reports the subnet mask configured for each NIC.
    • IPv6 Address – Each NIC can have its own IP address. This field reports the IPv6 address configured for the NIC.
    • Status – The port status, which can be active (in use and actively transmitting / receiving data) or no carrier (not configured, or not transmitting or receiving data).
  • Disks – Hard disk drives in the Rocket are logically defined as virtual drives, which can encompass all or part of a single hard drive or multiple hard drives. The Disks section of the page reports the status of each virtual drive.
    • Mount Point – The mount point is a location within the file system “tree” structure that addresses a specific virtual drive. This field reports the location in the Rocket’s file system for each virtual drive.
    • Device – The physical (hardware) address of the hard drive housing the virtual drive.
    • Size – The total capacity of this virtual drive in gigabytes.
    • Used – The amount of used space (in gigabytes) on this virtual drive.
    • Available – The amount of free space (in gigabytes) on this virtual drive.
    • Capacity – The current in-use percentage (Used/Size * 100) of this virtual drive.

Core Dumps

A core dump is a memory image written to disk when a service crashes (terminates abnormally). Lightspeed technical support staff can analyze a core dump file in a debugger to determine the cause of the crash.

The name of the core dump file consists of the service that crashed (for example, ddbUpdate), followed by “.core.” and then a numeric identifier.

Once you’ve identified and resolved the issue that caused the core dump, you can delete (permanently remove) the file(s) to free up disk space.

  • To download a core dump file, click the file name.
  • To delete an individual core dump file, mouse over the row containing the file, then click the small “X” button on the right side of the row.
  • To delete all core dump files, click Delete All.

Database

This page opens when you navigate to Support Tools and click Database in the left sidebar.

The Rocket appliance stores configuration and statistical information in a set of database tables, from which the Rocket generates reports. The information on this page is for reference only, and cannot be modified.

This page refreshes automatically to reflect updated database activity. To turn this off, un-check the Auto-refresh check box in the top right area of the page.

What’s on this page?

The Database page contains information about database table size and current database activity.

What does it tell me?

The information on this page is primarily useful for troubleshooting issues with Lightspeed technical support specialists.

When should I use it?

If your Rocket is running out of disk space, the Table Sizes area of this page can show you which tables contain the most data. Here are a couple of possible solutions:

  • Lower retention time: If you do not need to store a lot of data, lowering retention time is a possible solution. Be aware that lowering retention will cause a loss of data for anything older than the configured retention time.
  • Enabling iSCSI: Offloading your disk I/O to a separate device can help you maintain an appropriate retention time while still accommodating high data usage.

If your Reports take an unusually long time to generate, the Activity area of the page may help you identify long-running database queries.

Table Sizes

The Table Sizes section lists the amount of disk space used, in megabytes, for each table in the database.

Category Tables

  • category_domains: Local domain categorization
  • category_ips: Local IP categorization
  • category_urls: Local URLs

Statistics Tables

  • stats_filter: Allowed/blocked statistics
  • stats_traffic_by_host: Bytes in/out statistics for internal IP address and external hosts
  • stats_traffic_by_peer: Bytes in/out stats for internal and external IP with protocol
  • stats_traffic_by_user: Bytes in/out by username
  • stats_ident: Identification statistics

Message Tables

  • archive_messages: Email archive table
  • spam_messages: All spam messages

Note: This list of tables includes all products. You can disregard table sizes for any modules that are not installed or licensed on this Rocket.

Activity

The Activity grid lists the most recent database queries.

  • DATID: This is the OID (Object Identifier) of the database. This number is unique to this specific Rocket.
  • DATNAME: This is the name of the database housing the tables. The default database name is “ls”.
  • PROCPID: Process ID of this backend
  • USESYSID: OID of the user logged into this backend
  • USENAME: Name of the user logged into this backend
  • APPLICATION_NAME: Name of the application that is connected to this backend
  • CLIENT_ADDR: IP address of the client connected to this backend. If this field is null, it indicates either that the client is connected via a Unix socket on the server machine or that this is an internal process such as autovacuum.
  • CLIENT_HOSTNAME: Host name of the connected client, as reported by a reverse DNS lookup of client_addr. This field will only be non-null for IP connections.
  • CLIENT_PORT: TCP port number that the client is using for communication with this backend, or -1 if a Unix socket is used
  • BACKEND_START: Time when this process was started, i.e., when the client connected to the server
  • XACT_START: Time when this process’ current transaction was started, or null if no transaction is active. If the current query is the first of its transaction, this column is equal to the query_start column.
  • QUERY_START: Time when the currently active query was started, or if state is not active, when the last query was started
  • WAITING: t (true) if this backend is currently waiting on a lock, otherwise f (false).
  • CURRENT_QUERY: Text of this backend’s most recent query. If state is active this field shows the currently executing query. In all other states, it shows the last query that was executed.

IO Statistics

This page opens when you navigate to Support Tools and click IO Statistics in the left sidebar. This page refreshes automatically to reflect updated I/O activity. To turn this off, un-check the Auto-refresh check box in the top right area of the page.

What’s on this page?

This page consists of two tabs:

  • I/O Statistics
  • RAID

What does it tell me?

This page shows you a list of input/output and RAID statistics for the storage devices on your Rocket.

IO Statistics

The IO Statistics tab displays general I/O statistics for all Rocket devices. This tab is divided into Devices and Processes tables, which are described below.

Note:

By default, Auto-refresh, which auto-refreshes the page, is checked (enabled). De-select (uncheck) it to disable auto refresh.

Devices

The fields displayed by the Devices table are described below.

  • DEVICE – The device’s name.
  • R/S – The number of read operations per second.
  • W/S – The number of write operations per second.
  • KR/S – The kilobytes of data read per second.
  • KW/S – The kilobytes of data written per second.
  • WAIT – The number of times this device was in a wait state.
  • SVC_T – The average service time for input/output requests (in milliseconds) that were issued to the device.
  • %B – The bandwidth utilization (in percent) for the device.

Processes

A process is an instance of a particular executable program running on the Rocket.

RAID

This page opens when you navigate to Support Tools and click the RAID tab on the IO Statistics page.

The RAID tab displays data for RAID devices associated with this Rocket appliance.

The fields displayed by this table are described below.

Controller

This table contains a summary of the RAID controller properties.

View Event Log

RAIDviewlog

Logs

RAIDeventlog

Tips and Troubleshooting

Using Firewall URL Filtering

The Lightspeed Systems Web Filter supports Firewall URL Filtering for policy server communication. This can be very useful for large ISP-like environments that cannot put a Lightspeed Rocket Appliance inline.

HTTP URL lookups with Firewall URL Filtering are fully supported. However, non-HTTP traffic will not be filtered. In addition, the following options are not supported when running Firewall URL Filtering:

Tier options:

  • Internal ignore lists
  • External ignore lists

Web Filter General options:

  • Decode SSL Certificates
  • Bypass on failure
  • Block P2P networks
  • Block proxy requests
  • Disable Google encrypted search

Rule Set options:

  • Block Google HTTPS search (fail-safe)
  • Filter non-HTTP traffic by IP address
  • Block non-HTTP traffic to unknown IP addresses

When running Firewall URL Filtering the following reports will not have any data:

  • Top Blocked Categories
  • Top Blocked Domains
  • Top Traffic By Category
  • Top Traffic By Domain
  • Top Traffic By External IP
  • Top Traffic By Internal IP
  • Top Traffic By Protocol
  • Traffic By Domain
  • Traffic By External IP
  • Traffic By Internal IP
  • Traffic By Internal IP & External IP
  • Traffic By Internal IP & Protocol
  • Traffic By Protocol

YouTube Troubleshooting

Allow for Staff Only

You can allow YouTube for staff only by creating a specific rule set for the staff that allows YouTube for staff and another rule set that blocks YouTube for students. The only way to properly block YouTube is through an SSL proxy.

YouTube is blocked but access page not showing

The only way to control the traffic within YouTube is by using a proxy. The LS Access page is not displayed on YouTube because YouTube is HTTPS, and the LS Access page will not display on secure sites unless an SSL cert is installed on the workstations or proxy. You can learn more about SSL traffic and proxy here and about selectively accessing Google services here.

How do I block YouTube but allow specific videos

The only way to block YouTube while allowing specific videos is to enable proxy.

YouTube is allowed but it is still being blocked

YouTube could be blocked for a variety of reasons. You should make sure that you are correctly using SSL and proxy.

You should also make sure that the “Block Google and YouTube HTTPS (fail-safe)” option within your Rule Sets is turned off.

Google and the Mobile Filter

The following are troubleshooting tips for any issues that may arise with the Mobile Filter not properly filtering Google traffic:

Mobile Filter is blocking Google Traffic

If your Google traffic works fine at school, but is blocked when students connect their devices to other networks, then you should try the following solution:

Within the Web Filter interface, navigate to Rule Sets and uncheck the Disable Google auto-complete option under Search Engines. 

Mobile Filter is blocking YouTube

If your YouTube traffic is fine at school, but is blocked when students connect to other networks, then you should try the following solution:

Within the Web Filter interface, navigate to Rule Sets and uncheck the Allow YouTube for Schools option under Search Engines. 

Google Troubleshooting

Google SSL Decryption Exclusion

The following are SSL Decryption Exclusions needed for all Google products:

Needed for most Google services: 
googleapis.com
accounts.gstatic.com
fonts.gstatic.com
ssl.gstatic.com
googleusercontent.com
clients1.google.com
clients2.google.com
clients3.google.com
clients4.google.com
clients5.google.com
clients6.google.com
accounts.google.com
tools.google.com
pack.google.com

For Gmail: 
mail.google.com
gmail.com

For Chromebooks: 
gweb-gettingstartedguide.appspot.com
omahaproxy.appspot.com

For Google Drive: 
drive.google.com
googledrive.com

For Google Docs: 
docs.google.com
googledocs.com

For Google Classroom: 
classroom.google.com

For Google Talk (Hangouts): 
talk.google.com
hangouts.google.com

For YouTube: 
accounts.youtube.com
csi.gstatic.com

For the iOS Gmail App:
inbox.google.com

Google Apps/Drive not Loading

Google Apps and Drive will usually not load properly due to SSL decryption exclusions missing.

Add the following SSL Decryption Exclusions:

clients1.google.com
clients3.google.com
accounts.google.com
ssl.gstatic.com
ssl.google-analytics.com
drive.google.com
clients4.google.com
googleapis.com
docs.google.com
csi.gstatic.com
docs.googleusercontent.com
googledrive.com
talk.google.com
googleusercontent.com
s.ytimg.com
video.google.com
lh3.google.com
lh4.google.com
lh5.google.com
lh6.google.com

Please clear your devices’ history and cache after doing so.

Google Safesearch not Being Enforced

In order for the Force Google safe search to work, the DNS server must be inside the Rocket Appliance and not have any path to the Internet that is not filtered.

Let’s test the Force Google safe search feature.

Do an nslookup for www.google.com.

  • If you get www.l.google.com then the force Google safe search will not work correctly. It means that either an internal DNS server already has www.google.com in its cache or the DNS server is not sitting behind the Rocket and has a clear path to the Internet.
  • If the lookup returns forcesafesearch.google.com then you should not be able to access non safe search results.

Additional Information:

When you do a DNS lookup for www.google.com what actually will be returned is www.l.google.com. The IP addresses for l.google.com are determined by your location. The Lightspeed Systems Rocket watches for DNS requests for www.google.com and hijacks the return. Instead of returning www.l.google.com, we return forcesafesearch.google.com with a set of location specific IPs.
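The nslookup test described above, automated so it can be repeated against each internal DNS server. This is an added example, not part of the original manual: the function names, server addresses and sample outputs are constructed for illustration, and the parser covers the common Unix and Windows nslookup layouts.

```python
import re
import subprocess

SAFE_NAME = "forcesafesearch.google.com"  # name the manual says the remap returns


def run_nslookup(dns_server, name="www.google.com"):
    """Run the system nslookup against one DNS server and return its text output."""
    done = subprocess.run(["nslookup", name, dns_server],
                          capture_output=True, text=True, timeout=10)
    return done.stdout


def answer_names(nslookup_output):
    """Collect names from the answer: 'Name:' lines and 'canonical name =' targets."""
    names = []
    for line in nslookup_output.splitlines():
        m = (re.match(r"\s*Name:\s*(\S+)", line)
             or re.search(r"canonical name\s*=\s*(\S+)", line))
        if m:
            names.append(m.group(1).rstrip(".").lower())
    return names


def safesearch_status(nslookup_output):
    """Classify one lookup: 'enforced', 'not-enforced' or 'no-answer'."""
    names = answer_names(nslookup_output)
    if not names:
        return "no-answer"  # lookup failed; fix DNS before judging the remap
    return "enforced" if SAFE_NAME in names else "not-enforced"


def audit(outputs_by_server):
    """Return the DNS servers whose answer does not show the safe search remap."""
    return sorted(server for server, out in outputs_by_server.items()
                  if safesearch_status(out) != "enforced")


# Constructed sample outputs (documentation addresses, not real captures).
UNIX_REMAPPED = """\
Server:\t\t10.0.0.2
Address:\t10.0.0.2#53

Non-authoritative answer:
www.google.com\tcanonical name = forcesafesearch.google.com.
Name:\tforcesafesearch.google.com
Address: 192.0.2.10
"""

WINDOWS_UNFILTERED = """\
Server:  dns2.example.internal
Address:  10.0.0.3

Non-authoritative answer:
Name:    www.l.google.com
Addresses:  198.51.100.7
Aliases:  www.google.com
"""

LOOKUP_FAILED = """\
Server:\t\t10.0.0.4
Address:\t10.0.0.4#53

** server can't find www.google.com: SERVFAIL
"""

if __name__ == "__main__":
    samples = {"10.0.0.2": UNIX_REMAPPED,
               "10.0.0.3": WINDOWS_UNFILTERED,
               "10.0.0.4": LOOKUP_FAILED}
    for server, text in samples.items():
        print(server, safesearch_status(text))
    print("needs attention:", audit(samples))
```

A server reported as not-enforced is one that either has a cached answer for www.google.com or has a path to the Internet that bypasses the Rocket, which are the two causes the manual lists.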

Note: Forcing Google Safe Search is a DNS remap and therefore is a global setting unless users want to set up separate DNS servers for staff vs. students.

Many customers choose to enable ‘Force Safe Search’ located under Policies > Property Sets > Content Filter Sets. What most don’t realize is that this will only work if the search engine has a safe-search feature. And even then many search engines are not designed in a manner where they can be forced on, all the time.

Google.com, Bing.com and YouTube.com are currently the only search engines we can stand behind and guarantee their effectiveness. Typically customers decide to use one sole search engine, blocking all others. Then they set up a redirect to that search engine.

That’s what we will cover here.

Setting Up Bing and Google Redirects

Once this is complete, it will block all unwanted search engine requests by redirecting them to Google.com or Bing.com (whichever you choose). A redirect takes the place of the typical block page. In order to be redirected, the site must be in a blocked category that is defined with a redirect URL.

You must first choose which search engine you want your users redirected to. The following instructions will use Google.com but this can be substituted with Bing.com or another search engine.

  • 1. Move Google.com to local-allow or another globally allowed category
    • a. Click Web Filter Module > Categorized Sites
    • b. Search for Google.com
    • c. Once found, edit the entry by clicking on Google.com under the results section and change the category to local-allow or another globally allowed category, making sure to also select any sub-domains in our database
    • d. Repeat above steps under categorized URLs with google.com/search, google.com/images, & images.google.com/images
  • Set a redirect on the ‘search’ category
  • 2. Click Categories > +Add Redirected Category
      • a. Using the dropdown, locate the search category
      • b. Make the Redirect URL:

    google.com/search

  • 3. Block the ‘search’ category and enable ‘Force safe searches’
    • a. Click Policy Management > Rule Sets > The applicable rule set
    • b. Under Search Engines verify Force safe searches is checked
    • c. Locate the search category and set it to be blocked and Save Settings
    • d. Repeat for all applicable Content Filter Property Sets

Verify Sites

In the above steps all domains/urls/ips under the search category were blocked. If you have modified or moved any of those domains/urls/ips to a different category, they will not be affected by this redirection procedure.

Students can see Inappropriate Content in Google

Google offers several services that you may want to allow or block selectively based on policy settings. Although it does not share the Google domain, youtube.com is a Google service and the information below applies to it just the same. With the Lightspeed Systems Web Filter, you can selectively allow and block access to Google services.

The nature of SSL (https) traffic and how we handle it

By design SSL traffic is fully encrypted. This encryption detects any attempt to decrypt this traffic between the user machine and the server, and if any is found it will shut down the connection. This is a good thing because we all rely on the safety of encrypted transactions every day. Without this safety we would not be able to do things like online banking and online shopping. What this means from a filtering perspective is that the data in the packets, including the full URL, is not readable. This does not mean that the Lightspeed Systems Web Filter cannot properly filter SSL (https) traffic; however, this does mean that this traffic is handled differently.

At a minimum during the https handshake phase, the domain name of the host server is shared as part of the SSL certificate. For the majority of websites this provides appropriate policy decisions.

With modern browsers and operating systems the filter not only receives the domain’s name (google.com) but also the specific host (mail.google.com). This allows web filters to make differentiated decisions on host names where multiple services are provided within a single domain. This ability is very important for appropriate policy decisions with Google websites.

These two options are enabled by using the SSL Decoder option in the web filter.

If you desire full URL detail for SSL sessions, the Lightspeed Systems Web Filter can also provide this capability through the use of an SSL proxy. When an SSL proxy is used the proxy server becomes a trusted man in the middle. Because the proxy server is trusted it is allowed to decrypt the data portion of the packet and allows the web filter to make decisions in exactly the same way that non encrypted traffic is analyzed.

The use and capabilities of these various SSL options are dictated by the design of SSL and the Lightspeed Systems Web Filter fully supports all of these options.

Things to understand

  • Most of the services either require or allow encrypted access
  • Google shares or moves IP addresses between services all the time
  • Google uses a single wildcard certificate (*.google.com) for all of these services
  • Google supports TLS with SNI for accessing these services

An Overview of Google Sites

Google Sites is a component of Google services that is delivered completely as HTTPS or encrypted traffic. Google delivers each site as a separate URL of the base host of sites.google.com. The nature of SSL traffic requires special handling when you want to filter at the URL level. The reason behind this is that for many encrypted sites information in the URL needs to be protected, because if it was exposed to devices that existed between the client machine and the server, critical personal information could be exposed. Without this level of protection online banking or shopping would not be possible.

In order to filter HTTPS/SSL traffic at the URL level an HTTPS proxy must be used. As part of the configuration of the HTTPS proxy the client machine and web browser are directed to trust the proxy server to decrypt, analyze, and re-encrypt their traffic. The Lightspeed Rocket Web Filter has a proxy mode that supports the use of an HTTPS proxy. Once this is set up both on the Rocket and on the workstations the Lightspeed Systems Rocket will see and make policy decisions on the full URL detail of all SSL requests.

TLS and SNI

TLS with SNI Support is the key to blocking or allowing select Google services. When this is used the Rocket can determine the specific hostname the user is attempting to visit–so even though the actual traffic is encrypted, the policy lookup can distinguish between an attempt to go to Google Docs (docs.google.com) or perform an encrypted search (encrypted.google.com).

In order for the Rocket to make this determination, the following conditions must be met.

  • The SSL Decoder must be enabled
  • You must be using a browser/OS combination that properly supports TLS with SNI

If either of these conditions is not met, then the Lightspeed Systems Web Filter in use must make the policy decision based on either the IP address or the SSL certificate. Because of items 2 and 3 listed under Things to understand above, neither of these is going to be a reliable method for selectively blocking or allowing access to Google services.
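What a filter can and cannot see in the handshake, as an added example (not Lightspeed's code and not part of the original manual): a parser that pulls the SNI hostname out of a TLS ClientHello, plus a toy policy lookup that falls back to the certificate name when the client sends no SNI. The ClientHello bytes are constructed by `build_client_hello`, and `decide`, its parameters and the blocked-host set are hypothetical.

```python
import struct

EXT_SERVER_NAME = 0   # TLS extension type for SNI (RFC 6066)
HOST_NAME = 0         # name_type for a DNS host name


class NotClientHello(ValueError):
    """Raised when the bytes are not a complete TLS ClientHello record."""


def _take(buf, off, n):
    """Return (n bytes starting at off, new offset) or raise on truncation."""
    if off + n > len(buf):
        raise NotClientHello("truncated ClientHello")
    return buf[off:off + n], off + n


def _take_vec(buf, off, len_bytes):
    """Read a length-prefixed vector whose length field is len_bytes wide."""
    raw, off = _take(buf, off, len_bytes)
    return _take(buf, off, int.from_bytes(raw, "big"))


def extract_sni(record):
    """Return the SNI hostname from a ClientHello record, or None if none was sent."""
    hdr, off = _take(record, 0, 5)
    if hdr[0] != 0x16:                      # 0x16 = handshake record
        raise NotClientHello("not a TLS handshake record")
    body, _ = _take(record, off, int.from_bytes(hdr[3:5], "big"))
    hs, off = _take(body, 0, 4)
    if hs[0] != 0x01:                       # 0x01 = ClientHello
        raise NotClientHello("handshake message is not a ClientHello")
    hello, _ = _take(body, off, int.from_bytes(hs[1:4], "big"))
    _, off = _take(hello, 0, 2 + 32)        # client version + random
    _, off = _take_vec(hello, off, 1)       # session id
    _, off = _take_vec(hello, off, 2)       # cipher suites
    _, off = _take_vec(hello, off, 1)       # compression methods
    if off == len(hello):
        return None                         # no extensions at all (pre-SNI client)
    exts, _ = _take_vec(hello, off, 2)
    off = 0
    while off < len(exts):
        head, off = _take(exts, off, 2)
        data, off = _take_vec(exts, off, 2)
        if int.from_bytes(head, "big") != EXT_SERVER_NAME:
            continue                        # skip unrelated extensions
        names, _ = _take_vec(data, 0, 2)
        pos = 0
        while pos < len(names):
            kind, pos = _take(names, pos, 1)
            name, pos = _take_vec(names, pos, 2)
            if kind[0] == HOST_NAME:
                return name.decode("ascii").lower()
    return None


def decide(record, cert_name, blocked_hosts, fail_safe):
    """Toy policy lookup (hypothetical): returns (basis, name, action)."""
    host = extract_sni(record)
    if host is not None:
        return ("sni", host, "block" if host in blocked_hosts else "allow")
    # No SNI: only the certificate name is visible, e.g. the wildcard *.google.com,
    # which cannot tell a blocked service from an allowed one (all or nothing).
    covers_blocked = cert_name.startswith("*.") and any(
        h.endswith(cert_name[1:]) for h in blocked_hosts)
    action = "block" if fail_safe and covers_blocked else "allow"
    return ("certificate", cert_name, action)


def build_client_hello(hostname=None):
    """Build a minimal ClientHello record (constructed sample, not a capture)."""
    exts = b""
    if hostname is not None:
        exts += struct.pack("!HH", 0xFF01, 1) + b"\x00"   # unrelated extension first
        name = hostname.encode("ascii")
        entry = bytes([HOST_NAME]) + struct.pack("!H", len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    hello = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    if exts:
        hello += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    blocked = {"play.google.com"}
    for host in ("docs.google.com", "play.google.com", None):
        print(host, decide(build_client_hello(host), "*.google.com", blocked, True))
```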

Read more on Server Name Indication to better understand how it extends the SSL and TLS protocols, allowing for SSL content filtering.

This Microsoft blog post explains why Microsoft did not implement SNI support in Windows XP:

Unfortunately, SNI support isn’t available on Windows XP, even in IE8. IE relies on SChannel for the implementation of all of its HTTPS protocols. SChannel is an operating system component, and it was only updated with support for TLS extension on Windows Vista and later. The Google folks could avoid the name mismatch problem for downlevel clients by returning a certificate containing multiple hostnames (e.g. “SubjectCN=mail.google.com; SubjectAltNames=DNS Name=gmail.com”) but apparently doing so is problematic because they have so many hostnames in use on their load-balanced servers.

Browsers/OS combinations that properly support TLS and SNI

IE7 IE8 IE9 IE10 IE11 Firefox 3.5.10 Firefox 3.6.6+ Firefox 4.0+ Safari Chrome Opera
XP SP2 Not Supported N/A N/A N/A N/A Blocks Properly (note 1) Blocks Properly (note 1) Blocks Properly (note 1) Not Supported Not Supported Not tested
XP SP3 Not Supported Not Supported N/A N/A N/A Blocks Properly (note 1) Blocks Properly (note 1) Blocks Properly (note 1) Blocks Properly (note 1) Blocks Properly (note 1) Blocks properly
Vista x86 Blocks properly Blocks properly Blocks properly N/A N/A Not Supported Blocks Properly (note 1) Blocks Properly (note 1) Blocks properly Blocks properly Blocks properly
Vista x64 Blocks properly Blocks properly Blocks properly N/A N/A Not Supported Blocks Properly (note 1) Blocks Properly (note 1) Blocks properly Blocks properly Blocks properly
7 x86 N/A Blocks properly Blocks properly Blocks properly Blocks properly Not supported Blocks Properly (note 1) Blocks Properly (note 1) Blocks properly Blocks properly Blocks properly
7 x64 N/A Blocks properly Blocks properly Blocks properly Blocks properly Not supported Blocks Properly (note 1) Blocks Properly (note 1) Blocks properly Blocks properly Blocks properly
Win 8 N/A N/A N/A Blocks properly Blocks properly Not supported Blocks Properly (note 1) Blocks Properly (note 1) Blocks properly Blocks properly Blocks properly
Win 8.1 N/A N/A N/A N/A Blocks properly Not supported Blocks Properly (note 1) Blocks Properly (note 1) Blocks properly Blocks properly Blocks properly
OSX 10.5 PPC N/A N/A N/A N/A N/A Not Supported Not Supported N/A Not Supported N/A Not Supported
OSX 10.5 Intel N/A N/A N/A N/A N/A Not Supported Not Supported Blocks Properly (note 1) Blocks Properly (note 1) Blocks Properly Not Supported
OSX 10.6+ N/A N/A N/A N/A N/A Not Supported Not Supported Blocks Properly (note 1) Blocks Properly (note 1) Blocks Properly Not Supported
  • Note 1 – During testing, some browsers will begin using the TLS method and then revert to the old mode, requiring failsafe blocking. As long as the initial mode is using the TLS support and failsafe blocking is turned on, we will block without over-blocking.
  • Note 2 – TLS 1.0 must be enabled in the browser for proper support.

As an example:

In order to block this particular encrypted Google Sites URL (https://sites.google.com/site/newstudyhall/) while allowing others, you need to enable the SSL Proxy option. Then put the specific sites you want blocked in a locally blocked category and/or those you want to allow in a locally allowed category.

Google Play/Music

Do the following to block Google Play on all browsers:

    • Block the following domains (Required):
      • play.google.com
      • music.google.com
    • Block the following URLs (Required):
      • google.com/play
    • Block the following domains (Optional: In certain cases these certificates were not seen when Fail-Safe was enabled):
      • ggpht.com
      • lh1.ggpht.com
      • lh2.ggpht.com
      • lh3.ggpht.com
      • lh4.ggpht.com
      • lh5.ggpht.com
      • lh6.ggpht.com
      • sb-ssl.google.com
    • Enable the following:
      • SSL Decoder
      • Google Fail-Safe

Notes

Google Fail-Safe is not required if the browser is Google Chrome. The Chrome browser will fail to load the page entirely well before *.google.com is used. If you are in a multi-browser environment the Google Fail-Safe will be required to allow proper blocking.

In Safari and Firefox the initial request will go to play.google.com. Should this fail it will revert to Non-TLS and try *.google.com. The Google Fail-Safe will need to be enabled for proper blocking. Should that fail it will hit the above certificates in an attempt to make a connection (see Optional section). If all of the previously mentioned domains are blocked it will fail and not be able to retrieve a web page.

In IE8 on XP the Fail-Safe must be on to block properly. None of the above certificates will be requested when the Fail-Safe is enabled. However, if you would like to allow Google Docs/Apps while blocking Google Play/Music on IE8 with XP you will be unable to as *.google.com will be the first certificate IE8 attempts to use. In this case it is an all or nothing solution.

Google and the Mobile Filter

The following are troubleshooting tips for any issues that may arise with the Mobile Filter not properly filtering Google traffic:

Mobile Filter is blocking Google Traffic

If your Google traffic works fine at school, but is blocked when students connect their devices to other networks, then you should try the following solution:

Within the Web Filter interface, navigate to Rule Sets and uncheck the Disable Google auto-complete option under Search Engines. 

Mobile Filter is blocking YouTube

If your YouTube traffic is fine at school, but is blocked when students connect to other networks, then you should try the following solution:

Within the Web Filter interface, navigate to Rule Sets and uncheck the Allow YouTube for Schools option under Search Engines. 

NIC Limited Connectivity – Windows 10 Build 1607

Microsoft has changed the URL for the online connectivity test that is built into Windows 10 Build 1607. The URL has changed from msftncsi.com to msftconnecttest.com. As a result, when using Captive Portal, client devices could receive a message indicating limited connectivity when attempting to access your organization’s network.

In order to resolve this issue, you will need to add the new URL (msftconnecttest.com) to your Destination Exemption list.

Web Filter 3

Navigate to Web Filter > Authentication > Destination Exemptions and click the green plus sign to add a new Destination Exemption.


Enter msftconnecttest.com into the Domain/IP Address box, enter an optional description into the Description box. Select Web Auth Exemption and click Save. Remember to Save and Deploy in order to save your settings.


Web Filter 2

Navigate to Authentication > Destination Exemptions.

  • 1. From the dashboard click Web Filter.
  • 2. Click Authentication.
  • 3. Click Add Exemption under Destination Exemptions. The following will be displayed.

[Screenshot: Add Exemption popup]

  • 4. Enter the domain or IP address (msftconnecttest.com) you want to exclude from authentication.
  • 5. Optional. Enter a meaningful description.
  • 6. Check (select) Web Auth Exemption.
  • 7. Click Save.

 

High Memory Usage

High memory usage by the Rocket is normal and not a cause for alarm, as the Rocket runs on a UNIX/Linux platform that handles RAM differently than a Windows machine.

UNIX allocates the majority of the RAM to running processes. When those processes are no longer in use they remain in allocation to be used again.
When the process is no longer in use it is given a certain amount of time to stay live. If that process is not called on by the end of that time period, it will reach a 0 lifetime and be marked to be replaced by another process. As a result, regardless of the workload, your RAM bar will not change.

You should only be concerned about memory usage if the memory bar is red or shows “0” in memory.

Access Page not Loading

If you are having issues with the Access (block) page not loading, you can attempt the following solutions:

Determine what the user is doing when the Access Page is not showing up.

1. Check and make sure that you can get to the admin login for the Rocket. The same service that serves the Access Page serves the admin login. If you are unable to reach the Rocket’s GUI, there may be a service that needs to be restarted. Contact Support for this.

2. If you are using the Inline Filter then the Access Page will not resolve for HTTPS websites. The only way to successfully get the Access Page to resolve for HTTPS websites is to use the man-in-the-middle proxy option. This allows the Rocket to redirect HTTPS sessions, rather than timing out the page when it gets blocked (as it occurs when the Inline Filter is used.)

3. If the Access Page is not resolving for any users, regardless of the site being HTTP or HTTPS, the first thing you will want to do is check to see if there is a hostname under Administration > Network Interfaces (Web Filter 2) or Settings > Network Interfaces (Web Filter 3). If there is a hostname, then it will need to have a DNS entry in order to resolve the Access Page for your users. The Rocket will use this hostname for the Access Page and it will not function correctly without the DNS entry.

4. If the hostname is resolving, but all users, or users on a separate VLAN are not getting the Access Page, please check and make sure there are no ACLs preventing access to the Management NIC and that there are no routing errors that could prevent communication across the VLANs. The Access Page resolves from the Management NIC, and users will not be able to resolve the Access Page without being able to access the Management NIC.

Pinterest, Facebook, Snapchat, Instagram, Twitter Issues

Blocking/Allowing Snapchat

Follow these steps to update policies so they can operate with the new YouTube functionality.

    • 1. Log into the Rocket appliance.
    • 2. In the dashboard click Web Filter.
    • 3. Under Policies click URL Patterns.
    • 4. Click New List.
    • 5. Enter a meaningful name.
    • 6. Optional. Enter a description.
    • 7. Enter the following URLs:

appspot.com

snapchat.com

data.flurry.com

    • 8. Click Save.
    • 9. Under Policies click Policy Management.
    • 10. Click Rule Sets.
    • 11. Perform Steps a through e on every rule set where you want Snapchat blocked:
      • a. Click the rule set you want to update.
      • b. Scroll down to URL Patterns.
      • c. Check (select) the URL pattern you created above.
      • d. Select Block from the dropdown list (select Allow if you want to Allow Snapchat instead of blocking it)
    • 12. Click Save.

Blocking/Allowing Instagram

Follow these steps to update policies so they can operate with the new YouTube functionality.

    • 1. Log into the Rocket appliance.
    • 2. In the dashboard click Web Filter.
    • 3. Under Policies click URL Patterns.
    • 4. Click New List.
    • 5. Enter a meaningful name.
    • 6. Optional. Enter a description.
    • 7. Enter the following URLs:

instagramstatic-a.akamaihd.net

cdninstagram.com

    • 8. Click Save.
    • 9. Under Policies click Policy Management.
    • 10. Click Rule Sets.
    • 11. Perform Steps a through e on every rule set where you want Snapchat blocked:
      • a. Click the rule set you want to update.
      • b. Scroll down to URL Patterns.
      • c. Check (select) the URL pattern you created above.
      • d. Select Block from the dropdown list (select Allow if you want to Allow Instagram instead of blocking it)
    • 12. Click Save.

Pictures Not Showing Up in Pinterest

Images may not show up in Pinterest due to a CDN miscategorization. Categorizing the following domain as “local-allow” in your Rule Sets usually solves the issue:

s-media-cache-ak0.pinimg.com

Pictures Not Showing Up in Facebook

Images may not show up in Facebook due to a CDN miscategorization. Categorizing the following domain as “local-allow” in your Rule Sets usually solves the issue:

scontent.xx.fbcdn.net

Users Getting Wrong Rule Set

Users may be getting the wrong rule set for a variety of reasons. Please make sure that your rule sets are set up correctly and that the correct Rule Sets are assigned to the correct users or groups.

For newly created Rule Sets to work, they must be at a higher level than any previously assigned Rule Sets. For example, if you have one Rule Set assigned to your Student user group at the bottom of the Assignments list, and another Rule Set that is assigned to a certain IP range, which includes certain student devices, at the top of the Assignments list, then the IP range Rule Set will be given priority over the overall Rule Set.

In the example below, you can see our sample Assignment list. The higher the assignment, the more priority it has. You will see that we have the Student Computer IP Range assignment at #2, while the Goldenstate/Students group is at #6. As a result, the Rule Set associated with the Student Computer IP Range group will always be prioritized over the one associated with the Goldenstate/Students group. (In our case, both groups receive the same Rule Set, but that may be different in your case.)

[Screenshot: sample Assignments list]

In general, Rule Sets work best when paired with an Authentication Source. If you have not yet set up User Agents or another form of Authentication, the device may not be sending its user's info/groups to the Lightspeed Rocket.

Websites not Working Correctly after PAC File Upload

Websites may not work correctly after a PAC file is uploaded for various reasons.

First, you should check if any subdomains related to the website in the PAC file are being blocked by the Web Filter. You can use the Web Activity report to determine if any of the subdomains are blocked. Simply search by your IP, and then note if any of the sub domains related to the site you are attempting to access are in a blocked category. You can then re-categorize them as instructed below.

Example: If you are using a PAC file for vimeo.com, you may see vimeo.com as being in an allowed category, but a subdomain, such as cdn.vimeo.com, in a blocked category. In that case you will have to re-categorize cdn.vimeo.com.

Categorized Sites

Use the Categorized Sites page to search the Content Database for a URL. The search results will show how the URL is currently categorized.

From the search results, you can add a domain to your Local-Allow and Local-Block lists, create redirection rules for built-in or local categories, or add a domain to one of the default categories.

Search for any sub domains that pertain to the PAC file website. Re-categorize them if they are currently categorized in a blocked category.

To update the category for a domain:

  • 1. Search for the domain, URL, or IP address on the Categorized Sites page.


  • 2. In the search results, click to edit the domain you want to recategorize.


  • 3. Click to open the Category dropdown list, and select a local category or an existing default category, then click Save.

SSL Decryption Exclusions

If the sites are categorized correctly, but still will not work, you may need to add SSL Decryption Exclusions for the sites. Some domains or sites will not allow MITM proxies. To bypass this you will need to add an SSL Decryption Exclusion for the site.

SSL Decryption Exclusion

Follow the steps below to configure a domain to be excluded from SSL decryption by the Proxy Server.

  • 1. From the dashboard click Web Filter.
  • 2. From there, click Proxy Server under Module Settings.
  • 3. After that, click Add SSL Decryption Exclusion (Note: you must have Decrypt SSL Traffic checked and saved).
  • 4. Enter the domain name.
  • 5. Optional: Enter a meaningful description.
  • 6. Click Save.

Important: If you are using GAFE services, a current list of SSL exclusions as recommended by Google can be found in this help article.

Cannot Access Web Interface: Wrong Username/Password

If you cannot connect to the interface due to a wrong username/password error, we will need to reset your password.

Please have an SEU contact Support at support@lightspeedsystems.com or open a Support case and request a password reset. Once we receive the request we will reset the password and reply to the email with the new password.

Note: This method of password reset only works for Local Users. Users that utilize other authentication sources (such as Active Directory or Google) will need to reset their passwords through those sources directly.

Learn how to add an SEU here.

Error: Invalid Parameter Value for redirect_uri: not public domains not allowed

You may encounter this error if your Rocket FQDN is set to an invalid field. You will need to change the hostname of the Rocket to a valid field in order to solve this error.

Note: Changing the hostname of the Rocket will not affect the rest of your network if you leave the internal DNS pointing to the same IP. You may also need to re-push SSL certificates.

Microsoft Word app not working on iPads proxied with the Web Filter

Users who experience issues with the Microsoft Word app not working on iPads due to being proxied by the Web Filter should add the following domains to their SSL Exclusions list:

  • live.com
  • microsoft.com
  • microsoftonline-p.com
  • microsoftonline.com
  • msedge.net
  • office.com
  • office.net
  • office365.com

Part of Site isn’t loading

At times, parts of sites (such as images) will not load. This is usually due to the site using a CDN that is blocked by the Web Filter to host images/media.

You can solve this issue in two ways:

1. Allow associated CDNs by categorizing them as local allow or by using URL Patterns.

Note: You can use this tool in order to determine which CDNs websites are using.

2. Enable the site as an allowed referrer to associate sites.

Note: Make sure that you fully trust the site before setting it as an allowed referrer or allowing CDNs.

Website not loading

There are various reasons for a website not to load on a particular device. The following troubleshooting steps will help guide you through potential causes and solutions:

1. Is the website blocked?

Check the web activity report to determine what is being blocked and for whom. If you cannot get a website to load, then it is probably blocked because of policies associated with your particular rule set.

You can unblock the website by changing rule sets and assignments, recategorizing it, or adding it as an SSL Exclusion.

2. Is there an unintended rule set order?

Verify that the user experiencing issues with the website is assigned to the correct rule set. An incorrect rule set assignment could lead to incorrect rule sets being applied to the profile, blocking the website.

App isn’t working

There are various reasons for an app not to be working on a particular device. The following troubleshooting steps will help guide you through potential causes and solutions:

1. Is the app blocked?

Check the web activity report to determine what is being blocked and for whom. If you cannot get an app to work, then some of the URLs the app uses are probably blocked.

You can unblock the app by changing rule sets and assignments, recategorizing it, or add is an an