1 - Content Filtering - Basic Configuration
Last modified on 08 July 2013 12:56 PM
The first thing to decide with regard to content filtering is whether to run individual subnets in transparent or non-transparent (proxy server) mode.
In transparent mode, no client configuration is required — the CIPAFilter simply intercepts all traffic on ports 80 and (optionally) 443 as it moves through the router.
In non-transparent mode, each client must be configured to make use of a proxy service provided by the CIPAFilter (on port 6226, by default). For example, in Internet Explorer, the CIPAFilter proxy must be added on the Connections tab under Internet Options. Any client accessing the Web via the non-transparent proxy service will be subject to filtering in essentially the same manner as those being transparently proxied with the Yes+SSL method — HTTP traffic will be fully intercepted, and HTTPS traffic will be acted upon according to the state of the Turn on SSL decryption option, as described below (either fully intercepted or subject only to black- and white-listing).
Subnets Authorized to Use Proxy Services
Only machines with IPs in the subnets listed under Subnets Authorized to Use Proxy Services will be allowed to use the proxy server. Subnets are provided in CIDR Notation. If two subnets overlap, the smallest or most specific subnet's configuration applies (just like in the Routing configuration), with the exception of the Transparent Proxy option as described below.
Note: The CIPAFilter's non-transparent proxy functionality is "always on" for any subnets listed here (although you need not use it).
Note: Use of the transparent proxying method provides the ability to force users into the captive-portal system for (optional) authentication. Although the portal site remains accessible to non-transparent proxy users, the "captive" functionality (that is, the requirement to view it) is not available.
When Require Auth is enabled, users from this subnet must authenticate via user name and password or (where available) a CIPAFilter authentication client. In non-transparent mode, users will receive a standard authentication prompt each time they open their browser. Transparent mode offers additional features, including the ability to use the captive-portal system. Proxy credentials are authenticated against the users on the User Manager page or via the external LDAP authentication method, as specified on the Advanced Configuration tab. Each user's Web traffic is logged by user name, if Web monitoring is active, and can have individual "filtered" or "not filtered" settings.
Clients Use Subnet Group
Selecting this option forces clients on the specified subnet to always use the group selected as the Subnet Group.
The Subnet Group drop-down lists all of the groups configured on the Group Permissions page. The group selected here will be used if Require Auth is not enabled or if Clients Use Subnet Group is enabled.
Note: If Require Auth is not selected, workstations with a CIPAFilter authentication client installed will automatically be authenticated and filtered based upon the workstation users' group memberships. Workstations without the CIPAFilter authentication client will be filtered based upon the Subnet Group setting for the subnet, with the option to authenticate as another user via the portal system. This method is referred to as optional authentication.
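The most-specific-subnet rule under Subnets Authorized to Use Proxy Services and the group selection described under Clients Use Subnet Group can be modeled to check a planned subnet table before it is entered. This is an added example, not CIPAFilter code: the `SubnetEntry` fields, function names, sample subnets, the one-group-per-user simplification and the `DENIED` / `AUTH_REQUIRED` results are assumptions, and the Transparent Proxy exception is not modeled.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class SubnetEntry:              # hypothetical model of one authorized-subnet row
    cidr: str
    require_auth: bool
    clients_use_subnet_group: bool
    subnet_group: str

# Constructed sample table, not taken from a real CIPAFilter configuration.
ENTRIES = [
    SubnetEntry("10.0.0.0/8", False, False, "Staff"),
    SubnetEntry("10.20.0.0/16", True, False, "Students"),
    SubnetEntry("10.20.30.0/24", True, True, "Kiosk"),
]

def match_entry(client_ip, entries):
    """Return the most specific (longest-prefix) entry containing client_ip, or None."""
    ip = ipaddress.ip_address(client_ip)
    hits = [e for e in entries if ip in ipaddress.ip_network(e.cidr)]
    return max(hits, key=lambda e: ipaddress.ip_network(e.cidr).prefixlen, default=None)

def effective_group(client_ip, entries, user_group=None):
    """Model which group filters a client. user_group is the group of an
    authenticated user (auth client, prompt or portal); None if unauthenticated."""
    entry = match_entry(client_ip, entries)
    if entry is None:
        return "DENIED"              # outside every authorized subnet
    if entry.clients_use_subnet_group:
        return entry.subnet_group    # forced, regardless of who logged in
    if user_group is not None:
        return user_group            # authenticated: the user's own group applies
    if entry.require_auth:
        return "AUTH_REQUIRED"       # must authenticate before browsing
    return entry.subnet_group        # optional authentication: subnet fallback

def auth_relaxed_overlaps(entries):
    """Audit: (broad, specific) CIDR pairs where the broad entry requires
    authentication but the more specific entry, which wins, does not."""
    out = []
    for broad in entries:
        for spec in entries:
            b, s = ipaddress.ip_network(broad.cidr), ipaddress.ip_network(spec.cidr)
            if (b.version == s.version and b != s and s.subnet_of(b)
                    and broad.require_auth and not spec.require_auth):
                out.append((broad.cidr, spec.cidr))
    return out
```

Running `auth_relaxed_overlaps` over a proposed table highlights narrow subnets that silently drop the authentication requirement of a wider one, which is worth reviewing before the table goes live.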