Secure Web Service - Hybrid
Policy Server Setup
Release 9.2.5 • Manual Version 1.01
M86 SECURITY WEB SERVICE HYBRID QUICK START USER GUIDE
© 2010 M86 Security. All rights reserved. 828 W. Taft Ave., Orange, CA 92865, USA
Version 1.01, published May 2010 for software release 9.2.5

This document may not, in whole or in part, be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine readable form without prior written consent from M86 Security. Every effort has been made to ensure the accuracy of this document. However, M86 Security makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. M86 Security shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. Due to future enhancements and modifications of this product, the information described in this documentation is subject to change without notice.

Trademarks
Other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are the sole property of their respective manufacturers.
Part# ER5-SUG_v1.01-0901
M86 SECURITY, Policy Server Setup
POLICY SERVER CONFIGURATION

When using the Secure Web Service Hybrid (SWSH), all web traffic initiated by the remote worker's computer is redirected to an M86 scanner securely hosted in the cloud. SWSH then scans the traffic according to the user's policy profile and, if the traffic is allowed, forwards it to the internet. Navigate to the Secure Web Gateway Management Console and log in to M86 SWG:
Figure 1-1: SWG Login Screen
The tabs used for all Cloud Management tasks can be reached in either of the following ways:
• Navigating to Administration - Cloud - Cloud Configuration
• Clicking the corresponding icon on the main toolbar of the Management Console screen, which directs you to the M86 SWS Getting Started screen of Cloud Security. This console page provides a single place for all procedures required to configure M86 Secure Web Service Hybrid.
The Getting Started Guide screen provides links to perform the following actions:
• Open an Amazon Web Service Account
• Add an M86 Security Scanner Instance
• Provision Remote Workers' Computers via Policy Server
• Connect M86 Scanner Instance to Policy Server
• Configure SWS-H Cloud Certification Settings
M86 SECURITY, SWS-H POLICY SERVER CONFIGURATION
Connect M86 Scanner Instance to Policy Server

Once the AWS configurations are complete and an EC2 instance has been successfully launched, it must be connected to the Policy Server configurations, which ensure that the Policy Server is properly set up and that the scanners are running in accordance with customer requirements.
Add New Device and Scanner Elastic IP

NOTE: SWS-H and SWG support different anti-virus software solutions. Therefore, transaction logs created in the Cloud will be converted to the equivalent field names of the enterprise AV license.

To join the SWS scanner to the Policy Server:
1. Navigate in the Management Console to Administration - System Settings - M86 Devices.
2. Right-click Devices and select Add Device.
3. Select Cloud Scanning Server in the Type dropdown menu.
4. In the Device IP field, enter the Cloud Scanner Elastic IP. (M86 recommends using elastic IPs; however, static IPs are acceptable in this field.)
5. Click Save, then click the commit icon to commit changes.
6. Wait for policy distribution to complete.

NOTE: The initial connection may take up to 30-40 minutes.
M86 SECURITY, ENTERPRISE REPORTER EVALUATION GUIDE
Figure 1-2: Connecting Cloud Instance to Policy Server
Configure Email Server Settings

The Email Settings screen refers to the Simple Mail Transfer Protocol (SMTP) Server information, which controls the sending of emails for the following: system events, application events, software updates, and Cloud provisioning emails.

NOTE: User and Email settings must be configured before provisioning can be initiated.

Access the Enable Sending Email screen by navigating to Administration - System Settings - Mail Server, or by clicking the Email Server Settings link in the SWS Getting Started Guide screen. The following table describes the fields in the Email Server Settings screen:

Enable Sending Email: Enables emails to be sent.
Hostname/IP: The IP address or hostname of the SMTP Server you are using (e.g., mail.M86.com).
Port: The port that the SMTP Server uses; this is usually port 25.
User Name: User name for SMTP authentication (e.g., VS_NG). This is optional, depending on your SMTP requirements.
Password: Password for SMTP authentication (optional, depending on your SMTP requirements).
Originating Domain: The email alerts originate from this pre-defined user and domain name, using the machine name in the email alias name (e.g., CustomerDomain.com).
Test Recipient: A test email address used to validate that the messages are being received. For example, [email protected]

1. Click Edit.
2. Check the Enable Sending Email checkbox.
3. Hostname and Originating Domain are mandatory fields. Enter the relevant Hostname (either IP or address) and the Originating Domain (machine name).
4. Click Test and check the intended email address to ensure that emails are sent properly.
5. Click Save, then click the commit icon to commit changes.
NOTE: Configuration of email server settings is both necessary and important. Without this step, the client will be unable to receive the Agent Installation package, certificate management, and any other SWS-H notification emails.
Figure 1-3: Enable Email Sending
Configure SWS-H Cloud Certification Settings

Once email settings have been enabled, configure the Web Service Certification settings and the Client Routing Settings, and enable the Auto Provisioning Email checkbox.
The Cloud Configuration screen includes the following tabs:
• CA Management
• Proxies
• Provisioning
• Agent Enforcement
• Bypass
NOTE: The CA Management and Proxies tabs must be configured before any others in the configuration process.
CA Management

Large organizations that employ their own CA that is already trusted by end-users can generate a Certificate Signing Request (CSR). After the generation of the CSR, the system administrator can export the request (which is signed by SWG's private key) and send it to the Certificate Authority. The CA will then generate a certificate, which is imported into the SWG. This procedure makes the process of exporting the certificate to end-users unnecessary.
NOTE: As an external option, M86 Security provides a solution for the distribution of the SWS-H Agent and Certificates (p12) via the organization's Active Directory Group Policy Objects (GPO). This solution is a silent installation and distribution of digital certificates as a unique identifier for end-users of the M86 SWS-H Cloud solution. For more information, please refer to the AD Distribution document found in the Documentation / Download section of the M86 website.
Figure 1-4: CA Management Tab
The CA Management tab is split into two sections. The first section includes nine information fields, of which only the Common Name field is mandatory. (The remaining fields are informational only and are therefore left to the discretion of the administrator.) The second section includes the CA Generation option. The tab includes the following fields:

Common Name: Generally refers to the global company name, but may also reference a smaller group.
Country Name: Generally refers to company headquarters, or the country in which the physical server sits.
State or Province: Company details.
City or Locality: Company details.
Organization: Company details.
Organization Unit: A unit within the company, for example, specific departments such as IT or Finance.
Email: Email of the system administrator.
Expiration Date: Expiration date of the certificate issued.
Issuer: Either self-signed authority or external Certificate Authority.
The CA Generation section is split into three separate certificate options:
• Generate Self-Signed CA
• Import CA: Certificate is imported
• Import CSR-based CA: Import an SWG-generated certificate

The CA Generation options include the following:

CA Generation Options: Generate a certificate authority to sign SWG and mobile workers' certificates.
Generate Self-signed CA: The system administrator serves as the authority and self-signs the certificate. The administrator considers this sufficiently secure.
Import CA: The system administrator imports the certificate, together with the private key, into the system via an external Certificate Authority.
Import CSR-based CA: A private and public key pair is created and saved directly to the system.
  Generate CSR: Prior to importing the CSR-based CA, generate a digital certificate and have it signed by an external Certificate Authority.
  Import CSR-based CA: Import a certificate signed by the CA after a CSR was generated by SWG.
Generate Self-Signed CA

Use a self-signed Certificate Authority to sign SWG and mobile workers' certificates.

To generate a self-signed CA:
1. Navigate in the Management Console to Administration - Cloud - Cloud Configuration - CA Management tab.
2. Click Edit and then click the Generate Self-Signed CA button.
3. In the Cloud Configuration screen, enter the Common Name field (for example, M86 Security). All other fields in this screen are optional. Click OK.
4. Certificate information is stored internally in the database. The original Cloud Configuration screen shows the certificate details.
5. Click Save and then click the commit icon to commit changes and complete certificate generation.
Import CA

The Secure Web Gateway system allows you to import new certificates, and supports two types of certificates: The Root CA option allows system administrators to import the certificate into the system together with the private key. This root certificate is uploaded and displayed to users browsing HTTPS sites and is created globally for all scanning servers.

To import a digital certificate for the sender's root CA:
1. Navigate in the Management Console to Administration - Cloud - Cloud Configuration - CA Management tab.
2. Click Edit. Click the Import CA button.
3. In the following Cloud Configuration screen, enter the certificate, private key, and password information. (This certificate information is received from an external Certificate Authority prior to this configuration.)
NOTE: Certificate information must be copied precisely. This includes beginning and ending information such as spaces and dashes.
4. Click Save and then click the commit icon to commit changes and complete certificate generation.
Figure 1-5: Import Root CA
Import CSR-based CA

The CSR-based CA option allows you to import a certificate signed by the CA after a CSR (Certificate Signing Request) is generated by the Secure Web Gateway.

To import a CSR-based CA:
1. Navigate in the Management Console to Administration - Cloud - Cloud Configuration - CA Management tab.
2. Click Edit. Click the Generate CSR link within the description.
3. In the following Cloud Configuration screen, enter the Common Name (for example, M86 Security). All other fields in this screen are optional.
4. Click OK. The Generate CSR Based CA window is displayed.

Figure 1-6: Generate CSR Based CA

5. Copy the contents of the Generated Request pane to the clipboard. Click OK.
6. Paste and send this certificate request information to an external CA for signing.
7. Return to the original Cloud Configuration screen. Click the Import CSR-based CA button.
8. Paste the externally signed certificate information in the certificate field. Click OK.
9. If the signer is not trusted by the system, a pop-up message will appear alerting you to this.

NOTE: Certificate information must be copied precisely. This includes beginning and ending information such as spaces and dashes.

10. Click Save and then click the commit icon to commit changes and complete certificate generation.
Proxies

The Proxies tab includes the following fields:

Cloud proxy: Cloud scanners.
Local proxy: Corporate proxies.
Corporate Hostname: Corporate address (www.M86security.com).
Internal Hostname IP: IP of the corporate hostname.
Resolve IP: Verification that the corporate hostname and the Internal Hostname IP correspond.

• Cloud Proxy: The Cloud proxy field defines the Cloud scanner or Load Balancer used for browsing. It includes the proxy port, region, IP, and the Local Port to browse via SWS-H. The following are the ports to which the agent connects when attempting to access the Cloud scanner/Load Balancer:
  Proxy Port: This port is used for the tunneling of HTTP transactions performed by the browser.
  Proxy HTTPS Port: This port is used for the tunneling of HTTPS transactions performed by the browser.
  Address: The ports that the browser uses to connect to the agent within the end-user client. The address will be a hostname or an IP.
• Local Proxy: Add the local proxy. The PAC file will include an instruction to use the local proxy, if resolvable, as it recognizes that you are within the local network. If the corporate hostname is not resolvable, it will use the nearest (regional) Cloud proxy available.
  Implicit: The local proxy can be left empty in a situation in which the administrator determines for users which proxy to use.
  Explicit: Implies that the administrator has entered IP information into the Local proxy field.
• Corporate Hostname: The administrator must ensure that the corporate hostname is resolvable to the Internal Hostname IP. When the user is outside of the corporate network, the corporate hostname should resolve to a different IP.
• Internal Hostname IP: The corresponding address for the corporate hostname. For example, the IP address for m86security.com.
• Resolve IP: For local proxy usage, the agent must determine that the user is indeed at corporate headquarters. Entering the DNS name/hostname in the Corporate Hostname field and clicking Resolve IP allows the system to verify that the IP address and the corporate hostname correspond. The result is displayed in the Internal Hostname IP field.
Figure 1-7: Proxies Tab
Bypass

The Bypass tab includes the following fields:
• Non-Routable Networks: This table shows all networks or domains (IPs) to bypass while browsing via the Cloud proxy or the local proxy.
• Trusted URLs: Choose URLs that you want the Cloud proxy to bypass. This allows the organization to bypass certain URLs that the administrator deems safe (for example, Microsoft Update, Mozilla...).
Figure 1-8: Bypass Tab
Provisioning

A remote client can be provisioned by a provisioning email. Configure the Policy Server to automatically send a provisioning email to target cloud users with a link to the agent installation and with the target user's certificate. (This option is suitable for the integration phase or for small rollouts of up to a few hundred users.)

NOTE: You can also choose to use the Policy Server to automatically or manually send the target user an email with the client agent installation instructions and/or the target user certificate.

The Provisioning tab includes the following:

Agent Installer URL: Address, chosen by the administrator, where the Agent Installation Package is saved.
Automatically send an email with provision instructions to new Cloud members (checkbox): Sends an email to new Cloud users with provisioning instructions.
Send an email update upon configuration changes (checkbox): Sends an email to existing Cloud users once changes have been committed.
Download PAC File: Click the Download PAC File button and save the created file.
Download Agent Installer: Button to download the Agent Installer once all information is configured in the Policy Server.
NOTE: Emails will only be sent after configuration, after a new certificate is issued, and after changes have been committed. Enabling the Automatically send an email with provision instructions to new Cloud members checkbox ensures that emails are sent to new users: each time a user receives a new Cloud certificate or a configuration change has occurred, an update email is sent. Enabling the Send an email update upon configuration changes checkbox sends update emails to existing users when changes have been made to the configuration.
Figure 1-9: Remote Client Provisioning
Before downloading PAC files and the Agent Installation package, the proxies and CA management information/configurations must be completed. To proceed with this tab, refer to the Proxies and CA Management tabs. Download buttons are disabled until all relevant information is input.
Build PAC files

The PAC file defines how browsers automatically choose the appropriate proxy server for retrieving a given URL. PAC files contain a "FindProxyForURL(url, host)" function that returns a string with one or more access method specifications. These specifications cause the browser to use a particular proxy server or to connect directly.
Pre-configured M86 PAC files can be created within the management console, or a customer’s proprietary PAC file may also be used. However, customers using a proprietary PAC file must ensure that the local host proxy within the PAC file belongs to M86.
To prepare PAC files pointing to SWS-H scanners:
1. Navigate in the Management Console to Administration - Cloud Configuration - Provisioning tab.
2. Click Edit.
3. Click the Download PAC file button and Save.
4. The PAC file is eventually included in the Agent Installation Package.
Define and Download Agent Installation Package

Agents are installed on remote workers' laptop computers, or in situations in which the LAN desktop, whether at headquarters or a branch office, is not a domain member and the user is not authenticated with the domain. An Agent can also be installed in a branch office scenario as an alternative network solution to route the traffic to the cloud scanners.

The SWS-H Agent has two main roles:
• Routing: Routing the traffic to the nearest scanner, whether a cloud or an on-premise scanner.
• Authentication: Establishing mutual certificate authentication between the logged-on user and the target cloud scanner.

The following steps are required to create the SWS Agent installation package:
• Proxies and CA Management configuration
• Agent setting configurations
• Client provisioning
Agent Enforcement

The Agent Enforcement tab includes two checkboxes, both of which are enabled by default:
• Prevent user from disabling agent: Enabling this checkbox ensures that the user cannot disable the agent in the browser, thereby allowing surfing through an M86 agent only.
• Enforce PAC file usage via the Secure Web Service Agent: Enabling this checkbox ensures that the PAC file being used is an M86 PAC file. Administrators should keep this box unchecked if a proprietary PAC file is used.
Figure 1-10: Agent Enforcement Tab

NOTE: The "Enforce PAC file usage via Vital Cloud Agent" option works only with Internet Explorer. For Firefox users, if this option is enabled, you will be unable to make any changes after the initial installation and after changes have been committed.
Group Member Certification
Authentication Directories

The Authentication Directories step is necessary to define the users or user groups who will browse via M86 SWS-H. Enabling the checkbox in this screen allows users or user groups to receive provisioning and update emails, certificates, and installation instructions. Navigate to the Authentication Directories (LDAP) menu or to the Users menu to enable the Issue Vital Cloud Certificate for Group Member checkbox.

NOTE: This section relies on previously configured domain users. For more information on domain users and local users, refer to the Management Console Reference Guide on Adding Domain Users.
To issue Cloud certificates for domain users:
1. In the Management Console, navigate to Users - Authentication Directory - LDAP. (Alternatively, click the Domain Users link in the Cloud Getting Started Guide screen.)
2. Right-click the LDAP directory and select the required LDAP group.
3. Click Edit and then enable the checkbox in the screen.

To issue Cloud certificates per user: See the Users chapter for instructions on the Issue Vital Cloud Certificate for Group Member checkbox in the User Group Details Screen and Creating a New User Group sections. This task defines the users or user groups who will browse via M86 Secure Web Service Hybrid. Enabling this checkbox allows users or user groups to receive provisioning and update emails, certificates, and installation instructions.

NOTE: Use the Group Policy to auto-provision clients with the Secure Web Service Agent.
Email Template

The Secure Web Gateway provides an email template to automatically provision Cloud users via email. The provisioning email templates are used if the administrator wants to edit the mail before sending. Otherwise, the default provisioning email will be used.
To set up the provisioning email:
1. Navigate in the Management Console to Administration - Cloud - Email Template.
2. Click Edit. Select from the Provisioning Email Template dropdown menu the template you want to use.
3. The menu consists of the following templates:
Select Email Type: Select an email type with editing capabilities.
Standard Template: Email is sent with the certificate attached.
Standard Template for Reinstallation: Email is sent to inform the user that a certificate was issued anew. Follow the email instructions.
Template with Agent: Email arrives with both a certificate and a link to the Agent installation.
Template with Agent for Reinstallation: Email arrives with both a certificate and a link to the Agent installation after the certificate has been re-issued or a new Agent has been added.
4. The template is activated for modification.
Figure 1-11: Email Template
You can modify the contents of the From, Subject, and Message fields (or accept the default settings). Add Placeholder lists are provided for modifying the From and Message fields. The placeholder menu includes SWS-H Agent URL, Username, etc. You can click HTML View to view the message contents in HTML.
5. Click Save and then click the commit icon to commit changes.