Surf Control v5.5 manual Network Considerations, Deployment Recommendations, DMZ Recommendations

INSTALLATION DECISIONS

Network Considerations

2

NETWORK CONSIDERATIONS

You can install SurfControl on a single ISA Server or in multi-server arrays. In an ISA Standard Edition installation, Web Filter is installed on a single ISA Server. In an ISA Enterprise Edition environment, Web Filter is installed on multiple servers.

DEPLOYMENT RECOMMENDATIONS

SurfControl recommends the following when deploying Web Filter for ISA Server:

If Web Filter for ISA Server is used as a proxy, it does not need to be installed in a specific location in the LAN. However, if it is used as a firewall, consult the Microsoft ISA templates for network placement recommendations.

Use a firewall to deny HTTP traffic from all IP addresses except for the ISA server.

Firewall clients should be configured so that the browser uses a proxy service.

DMZ RECOMMENDATIONS

In a perimeter network (DMZ) installation, Web Filter is installed on one or more ISA Servers located between a perimeter firewall and an internal firewall. SurfControl recommends the following when deploying Web Filter for ISA Server in the DMZ:

If the ISA Server is part of the DMZ domain, Web Filter for ISA Server should be a member of the domain that users log into.

Is there a one-way or two-way trust relationship between the Web Filter ISA Server and the corporate domains? Two-way trust relationships are very reliable. One-way trusts will cause problems if configured to trust the wrong way.

Are there multiple domain controllers? The ports required to query the domain controllers should already be open via System Policy LDAP to localhost. If not, check to see which ports, if any, must be opened for this purpose.

When Web Filter for ISA is deployed in a DMZ, it may be unable to query the domain controllers for a variety of reasons:

It cannot resolve the IP addresses of the domain controllers.

It is unable to authenticate to the domain controllers.

Access is blocked by a firewall, preventing Web Filter from enumerating groups using NT objects.

To resolve a domain controller name resolution issue:

Add an entry to the LMHosts file on the Web Filter server(s) for the domain controllers. See the following Microsoft KB article for more information: http://support.microsoft.com/Default.aspx?kbid=180094

Enable NETBIOS over IP on the Web Filter server(s).
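
As an added example (not part of the SurfControl manual), the following Python check reads LMHOSTS-format text and reports which domain controllers would still fail to resolve from the Web Filter server. The domain name CORP, the DC names and the addresses are constructed, and the rule that each DC entry should carry both `#PRE` and `#DOM:<domain>` is an assumption of this checker.

```python
import ipaddress

# Constructed sample LMHOSTS content; names, domain and addresses are made up.
SAMPLE = """\
# LMHOSTS on the Web Filter server
192.0.2.10   DC01  #PRE  #DOM:CORP   # primary DC
192.0.2.11   DC02  #DOM:CORP
192.0.2.300  DC03  #PRE  #DOM:CORP
"""

def parse_lmhosts(text):
    """Return {NAME: (ip, tags)}; quoted names containing spaces are not handled."""
    entries = {}
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue  # blank line, comment, or directive such as #INCLUDE
        tags = set()
        for tok in fields[2:]:
            if tok.upper() == "#PRE" or tok.upper().startswith("#DOM:"):
                tags.add(tok.upper())
            elif tok.startswith("#"):
                break  # any other '#' token is treated as a trailing comment
        entries[fields[1].upper()] = (fields[0], tags)
    return entries

def check_dc_entries(text, domain, dc_names):
    """List problems with the LMHOSTS entries for the given domain controllers."""
    entries = parse_lmhosts(text)
    problems = []
    for dc in dc_names:
        if len(dc) > 15:
            problems.append(f"{dc}: NetBIOS names are limited to 15 characters")
        if dc.upper() not in entries:
            problems.append(f"{dc}: no entry")
            continue
        ip, tags = entries[dc.upper()]
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            problems.append(f"{dc}: invalid IPv4 address {ip!r}")
        # Assumption: a DC entry should carry both #PRE and #DOM:<domain>.
        if "#PRE" not in tags:
            problems.append(f"{dc}: missing #PRE")
        if f"#DOM:{domain.upper()}" not in tags:
            problems.append(f"{dc}: missing #DOM:{domain}")
    return problems
```

Calling `check_dc_entries(SAMPLE, "CORP", ["DC01", "DC02", "DC03", "DC04"])` flags DC02, DC03 and DC04 and passes DC01.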

SurfControl Web Filter for ISA v5.5

Starter Guide
