2 - Content Filtering - Advanced Configuration
Last modified on 08 July 2013 01:06 PM
Proxy Authentication Settings
CIPAFilter supports internal authentication via the User Manager, as well as external authentication via LDAP.
CIPAFilter external authentication systems support Windows Active Directory, Apple Open Directory, and Novell eDirectory. To utilize external authentication, configure your directory server with a user account that has read permissions for all of your users and provide the authentication credentials here. In addition, a search base and the IP address of your LDAP server must be provided.
Each authentication method listed under Proxy Authentication Settings comes in transparent (client) and non-transparent flavors. Transparent authentication methods do not need to prompt the user for a user name and password, whereas non-transparent methods do.
Groups are defined on the Group Permissions page. Each user who logs in will be checked for membership in a group of the same name on the LDAP server. If a membership is found, the user will be configured according to the permissions of that group. If no membership is found, the permissions for the default group will be used.
CIPAFilter checks these group memberships upon each user's first access and caches the information for up to one hour, depending on the protocol. This cache can be cleared from the User Manager page of the Web interface.
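The lookup described above (check the directory for a group of the same name as one configured on the Group Permissions page, fall back to the default group, cache the answer for up to an hour) is shown below as an added example. It is not CIPAFilter's own code: the group table, the in-memory stand-in for the LDAP directory, the one-hour TTL constant and the case-insensitive name matching are all assumptions made for illustration.

```python
import time
from dataclasses import dataclass, field

# Groups as they would be defined on the Group Permissions page (constructed sample data).
GROUP_PERMISSIONS = {
    "default": {"youtube_for_schools": False, "google_apps_restriction": False},
    "staff": {"youtube_for_schools": True, "google_apps_restriction": True},
    "students": {"youtube_for_schools": True, "google_apps_restriction": True},
}

# Stand-in for the LDAP directory: user -> set of group names (constructed sample data).
DIRECTORY = {
    "alice": {"Staff", "Domain Users"},
    "bob": {"Students"},
    "carol": {"Domain Users"},  # belongs to no group configured on the filter
}

CACHE_TTL_SECONDS = 3600  # the page states memberships are cached for up to one hour


@dataclass
class GroupCache:
    """user -> (resolved group, expiry timestamp)"""
    entries: dict = field(default_factory=dict)

    def lookup(self, user, now):
        hit = self.entries.get(user)
        if hit and hit[1] > now:
            return hit[0]
        return None  # absent or expired

    def store(self, user, group, now):
        self.entries[user] = (group, now + CACHE_TTL_SECONDS)

    def clear(self):
        """Equivalent of clearing the cache from the User Manager page."""
        self.entries.clear()


def directory_groups(user):
    """Hypothetical directory query; a real deployment would search LDAP here."""
    return DIRECTORY.get(user, set())


def resolve_group(user, cache, now=None, lookup=directory_groups):
    """Return (group name, served_from_cache)."""
    now = time.time() if now is None else now
    cached = cache.lookup(user, now)
    if cached is not None:
        return cached, True
    # Assumption: directory group names are matched case-insensitively.
    memberships = {g.lower() for g in lookup(user)}
    configured = sorted(g for g in GROUP_PERMISSIONS if g != "default")
    group = next((g for g in configured if g.lower() in memberships), "default")
    cache.store(user, group, now)
    return group, False


def permissions_for(user, cache, now=None):
    group, _ = resolve_group(user, cache, now)
    return GROUP_PERMISSIONS[group]


if __name__ == "__main__":
    cache = GroupCache()
    for name in ("alice", "bob", "carol"):
        print(name, resolve_group(name, cache, now=0), permissions_for(name, cache, now=0))
```

Because the cache is keyed on the user and expires only by time, a group change made in the directory is not seen until the entry expires or the cache is cleared; that is the operational reason the page points at the clear-cache control on the User Manager page.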
Additional Authentication Settings
By default, when Require Auth is enabled for a subnet, Web access (ports 80 and 443) is blocked to affected clients until they authenticate. For some implementations, this is sufficient — however, it does leave other ports open, potentially allowing clients to access non-Web-based network resources (for example, chat clients or file-sharing software). Selecting the Block all traffic when authentication is required option will prevent this, by extending the block to all other traffic until the client has been authenticated.
Selecting the Present Captive Portal even when authentication is not required option will enable a "guest access" mode for all subnets which do not require authentication. In this mode, all affected clients will be directed to the captive portal, but, in addition to the normal authentication options, a "Log in as Guest" button will be present, allowing users to proceed even if they don't have credentials. This option is particularly useful for displaying the network's usage policy without requiring a log-in.
The Authentication Time-out field specifies the number of hours a portal log-in session should last for. By default, this is 12 hours, but it can be increased or decreased according to your organization's needs. For instance, a school may wish to have the session last only until the end of a class period. Please note that this value also applies to NAC log-ins, as well as to the guest access feature.
YouTube for Schools
YouTube for Schools is a service provided by YouTube which allows school administrators to define a set of educationally appropriate videos which are accessible from the organization's network. This feature is enabled on a per-group basis, so the corresponding option on the Group Permissions page must also be selected. For more information on setting up YouTube for Schools, please see YouTube for Schools - Frequently Asked Questions.
Only Allow Specified Google Apps Domains
Many Google Web properties, including Gmail, support a custom header which restricts access to the sites to accounts which are members of a specified domain. For instance, if an organization at myschool.edu used Google Apps for e-mail and document sharing, they could restrict users to accessing those sites only through their myschool.edu accounts; trying to log in with any other accounts (including "consumer" Gmail accounts) would result in an error.
To make use of this feature, select Enable Google Apps Domain Restriction and enter your organization's Google Apps-enabled domain(s) into the Allowed Google Apps Domains field. Then, enable the corresponding option for each desired group on the Group Permissions page.
Note: Google Apps domain restriction requires the use of SSL decryption. For more information, please see Block access to consumer accounts - Google Apps Help.
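The restriction works because the proxy adds a header on the way to Google, which is also why it needs SSL decryption: a header cannot be inserted into a TLS stream the proxy has not terminated. The following added example (not CIPAFilter's code) shows that injection step in a proxy request hook. The header name `X-GoogApps-Allowed-Domains` is the one Google documents for this feature; the host list, the `decrypted` flag and the function names are assumptions made for the example.

```python
from urllib.parse import urlsplit

HEADER_NAME = "X-GoogApps-Allowed-Domains"  # header documented by Google for domain restriction

# Hosts the restriction header is meant for (assumption: a suffix list is sufficient).
GOOGLE_HOSTS = ("google.com",)


def _host_matches(host, suffixes):
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def add_google_apps_header(url, headers, allowed_domains, decrypted=True):
    """Return (new_headers, outcome) for one outbound request.

    The client's own copy of the header, if any, is always dropped so that only the
    proxy decides which domains are allowed.
    """
    parts = urlsplit(url)
    new_headers = {k: v for k, v in headers.items() if k.lower() != HEADER_NAME.lower()}

    # Without SSL decryption the proxy only sees an opaque tunnel and can add nothing.
    if parts.scheme == "https" and not decrypted:
        return new_headers, "not-decrypted"

    if not _host_matches(parts.hostname or "", GOOGLE_HOSTS):
        return new_headers, "not-google"

    # Field value as Google expects it: comma-separated domain list.
    domains = [d.strip().lower() for d in allowed_domains if d.strip()]
    if not domains:
        return new_headers, "no-domains"
    new_headers[HEADER_NAME] = ", ".join(domains)
    return new_headers, "added"


if __name__ == "__main__":
    # Constructed sample request as the proxy would see it after decryption.
    hdrs, outcome = add_google_apps_header(
        "https://mail.google.com/mail/u/0/", {"Accept": "*/*"}, ["myschool.edu"])
    print(outcome, hdrs)
```

In a real deployment the group check comes first: the hook only runs for users whose group has the corresponding option enabled on the Group Permissions page.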
Transparent Proxy Exceptions
When in transparent mode, connections to subnets listed under Transparent Proxy Exceptions will not be intercepted by the proxy server. This is useful for applications and services which are not compatible with the transparent proxy method.
Proxy Configuration Settings
When Internet Reporting is enabled, user activity and filter trips are collected for the Internet Reports system to analyze. If this feature is not enabled, the CIPAFilter will not record user activity other than for the purpose of e-mailing the administrator when the content filter is tripped.
The Proxy Port is the port that the CIPAFilter listens for proxy connections on when being used as a non-transparent proxy. The default value is 6226 (8080 in earlier versions).
The X-Forwarded-For header is an HTTP feature which allows a proxy service to pass the IP address of the originating client. (For instance, if a client with IP address 220.127.116.11 attempts to access a Web server via the proxy server 18.104.22.168, the Web server will only see the latter address, unless the X-Forwarded-For header is provided by the proxy server.) When this option is enabled, the CIPAFilter will use the X-Forwarded-For address (where available) in its logs and reports.
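Because any client can send an X-Forwarded-For header of its own, a log or report should take the forwarded address only when the connection actually arrives from a proxy the filter trusts. The added example below (not CIPAFilter's code) walks the header from the nearest hop backwards, skipping trusted proxies, and falls back to the connecting address when the header is missing, malformed or comes from an untrusted peer. The trusted-proxy list, the log-line format and the function names are assumptions; the addresses reuse the page's own illustration.

```python
import ipaddress
import re


def parse_xff(value):
    """Split X-Forwarded-For into addresses, origin first, nearest proxy last.

    Returns None when any entry is not an IP address so callers can refuse the header.
    """
    if not value:
        return []
    addrs = []
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        try:
            addrs.append(ipaddress.ip_address(token))
        except ValueError:
            return None
    return addrs


def client_address(remote_addr, xff_value, trusted_proxies):
    """Return (address to log, reason).

    The peer we spoke to is examined first; only if it is a trusted proxy is the
    X-Forwarded-For chain consulted, from right to left, stopping at the first
    address that is not itself a trusted proxy.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(addr):
        return any(addr in net for net in trusted)

    peer = ipaddress.ip_address(remote_addr)
    if not is_trusted(peer):
        return str(peer), "direct"          # header from an untrusted source is ignored
    chain = parse_xff(xff_value)
    if chain is None:
        return str(peer), "malformed-xff"
    for addr in reversed(chain):
        if not is_trusted(addr):
            return str(addr), "x-forwarded-for"
    return str(peer), "all-trusted"         # every hop was one of our proxies


# Constructed sample log lines in an assumed 'remote=<ip> xff="<header>"' format.
SAMPLE_LINES = [
    'remote=18.104.22.168 xff="220.127.116.11"',
    'remote=10.0.0.5 xff="220.127.116.11"',
    'remote=18.104.22.168 xff="not-an-ip"',
    'remote=18.104.22.168 xff=""',
]
LINE_RE = re.compile(r'remote=(\S+) xff="([^"]*)"')


def addresses_from_log(lines, trusted_proxies):
    """Apply client_address to each parsable line; unparsable lines are skipped."""
    results = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            results.append(client_address(m.group(1), m.group(2), trusted_proxies))
    return results


if __name__ == "__main__":
    for r in addresses_from_log(SAMPLE_LINES, ["18.104.22.168/32"]):
        print(r)
```

The second sample line is the case that matters for reporting accuracy: a client connecting directly while claiming another address is logged under its real address, so enabling the option does not let a client rewrite its own entries in Internet Reports.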