Cipafilter Support:
309 517 2022 option 2
Mon - Fri 7 AM - 6 PM CT
1 - Content Filtering - Basic Configuration
Posted by , Last modified by on 08 July 2013 12:56 PM

The first thing to decide with regard to content filtering is whether to run individual subnets in transparent or non-transparent (proxy server) mode.

In transparent mode, no client configuration is required — the CIPAFilter simply intercepts all traffic on ports 80 and (optionally) 443 as it moves through the router.

In non-transparent mode, each client must be configured to make use of a proxy service provided by the CIPAFilter (on port 6226, by default). For example, in Internet Explorer, the CIPAFilter proxy must be added on the Connections tab under Internet Options. Any client accessing the Web via the non-transparent proxy service will be subject to filtering in essentially the same manner as those being transparently proxied with the Yes+SSL method — HTTP traffic will be fully intercepted, and HTTPS traffic will be acted upon according to the state of the Turn on SSL decryption option, as described below (either fully intercepted or subject only to black- and white-listing).

Subnets Authorized to Use Proxy Services

Only machines with IPs in the subnets listed under Subnets Authorized to Use Proxy Services will be allowed to use the proxy server. Subnets are provided in CIDR Notation. If two subnets overlap, the smallest or most specific subnet's configuration applies (just like in the Routing configuration), with the exception of the Transparent Proxy option as described below.

Note: The CIPAFilter's non-transparent proxy functionality is "always on" for any subnets listed here (although you need not use it).

Transparent Proxy

  • Yes+SSL — HTTP and HTTPS connections from this subnet will be transparently intercepted by the CIPAFilter. If Turn on SSL decryption is selected on the SSL Configuration tab, the HTTPS traffic will be inspected/altered in essentially the same manner as HTTP traffic; if decryption is not enabled, HTTPS connections will be subject to domain-based black- and white-listing only (URL black-listing, content-aware filtering, anti-virus, and other features which rely on the unit being able to "see inside" the connection will not function).
  • Yes — HTTP connections from this subnet will be transparently intercepted by the CIPAFilter. HTTPS connections will not be intercepted; they will pass through essentially untouched.
  • No — Connections from this subnet will not be transparently intercepted by the CIPAFilter unless they fall under another subnet entry in the list. (For example, a rule setting to Yes+SSL will still apply to10.1.2.3/32 if the latter is set to No.)
  • Disable — A specific rule will be created to prevent transparent interception of this subnet (overriding any other Transparent Proxy rules that may apply).

Note: Use of the transparent proxying method provides the ability force users into the captive-portal system for (optional) authentication. Although the portal site remains accessible to non-transparent proxy users, the "captive" functionality (that is, the requirement to view it) is not available.

Require Auth

When enabled, users from this subnet must authenticate via user name and password or (where available) a CIPAFilter authentication client. In non-transparent mode, users will receive a standard authentication prompt each time they open their browser. Transparent mode offers additional features, including the ability to use the captive-portal system. Proxy credentials are authenticated against the users on the User Manager page or via the external LDAP authentication method, as specified on the Advanced Configuration tab. Each user's Web traffic is logged by user name, if Web monitoring is active, and can have individual "filtered" or "not filtered" settings.

Clients Use Subnet Group

Selecting this option forces clients on the specified subnet to always use the group selected as the Subnet Group.

Subnet Group

This drop-down lists all of the groups configured on the Group Permissions page. The group selected here will be used if Require Auth is not enabled or if Clients Use Subnet Group is enabled.

Note: If Require Auth is not selected, workstations with a CIPAFilter authentication client installed will automatically be authenticated and filtered based upon the workstation users' group memberships. Workstations without the CIPAFilter authentication client will be filtered based upon the Subnet Group setting for the subnet, with the option to authenticate as another user via the portal system. This method is referred to as optional authentication.

(2 vote(s))
Not helpful

Comments (0)
©Cipafilter 2017. All Rights Reserved.