Operation Mode:

The Operation Mode window displays when Operation Mode is selected from the Mode menu in the navigation panel. This window is used for specifying the operational mode in which the Web Filter will filter the network, and the settings the Web Filter will use for “listening to” traffic and sending traffic.

Mode frame
Select the operational mode in the Mode frame by clicking the radio button for Invisible, Router, Firewall, Bridge, Mobile (for Web Filter software version 5.x.xx) or Mobile Only (if using the Mobile Client in Web Filter software version 4.x.xx), or ICAP (if the Web Filter will be used for off-loading content such as filtering). If using Web Filter software version 4.x.xx, click the Mobile option checkbox if using the mobile mode with the invisible, router, or firewall mode.

In version 5.1.10 or above, choose whether to enable inline HTTPS filtering (Router and Firewall modes) or ONLY HTTPS filtering (Bridge mode).

WARNING: If you need assistance with setup procedures for the router or firewall mode, Trustwave recommends that you contact a Trustwave solutions engineer. To use the bridge mode, see the Installation Guide for special setup.

Listening Device frame
At the Device pull-down menu, select the network card that will be used to “listen to”—as opposed to “send”—traffic on the network. For the invisible mode, you would generally select LAN1 for an external/Internet connection.

Block Page Device frame
In the Block Page Device frame, at the Device to send block page pull-down menu, select the network card that will be used to send the block page to client PCs.

TIP: For the invisible mode, the block page device should be a different device than the one selected in the Listening Device frame. For the router and firewall modes, the device should be the same as the one selected in the Listening Device frame.

Block Page Delivery Method frame
If choosing the invisible mode, the Block Page Delivery Method frame displays.

Select one of two Protocol Methods: "Send Block Page via ARP Table" or "Send Block to Specified Host MAC Address".

NOTE: If choosing "Send Block Page via ARP Table", the Web Filter will use the Address Resolution Protocol method to find the best possible destination MAC address for a packet that contains the block page. If choosing "Send Block to Specified Host MAC Address", the block page will always be sent to the MAC address of a specified host, usually the Web Filter gateway.

If "Send Block to Specified Host MAC Address" is chosen, make a Block Page Route To selection. Specify whether the "Default Gateway" will be used for serving block pages, or if an "Alternate IP Address" will be used as the Block Page Route To address. If an alternate IP address is used, this IP address must be reconciled with the MAC address in order for block pages to be served to client PCs.

Mobile Client Control (Web Filter software version 4.x.xx)
If choosing the mobile mode or option in Web Filter software version 4.x.xx, the Mobile Client Control frame displays. In the Client Resynchronization Time field, specify the interval, in minutes, at which the Web Filter resynchronizes the profile on the end user's workstation with the profile set up for that user on the Mobile Client Web Filter. (See Mobile Client Deployment Kit for information about using the Mobile Client Software Update feature.)

Block/Warn Page Settings (Web Filter software version 5.0.10+)
If choosing the mobile mode option in Web Filter software version 5.0.10 and higher, the Block/Warn Page Settings frame displays. In the Hostname or IP address to serve block/warn pages field, by default the public IP address displays. This IP address should be modified if a different server will be used for serving block pages to mobile users.

ICAP Server Settings
The ICAP Server Settings frame displays if the ICAP operation mode is selected. This frame is used for configuring options response settings for the ICAP Web Filter server:

1. In the ISTAG field, enter the ISTag (ICAP Service Tag), a quoted alphanumeric string of up to 128 characters (including the quotation marks, and never containing the null character) that is used in the options response-header field. This tag provides a way for ICAP servers to send a service-specific “cookie” to ICAP clients so that the ICAP server can communicate with the ICAP client. For example: "835nb0-20a5-3e52671"

2. In the URI field, enter the Uniform Resource Identifier that must specify the complete hostname and path of the resource being requested. For example: icap://icap.logo.com:1344/services/icap-services

NOTE: This string must match what is set up on the ICAP server in order for the ICAP client's request to be accepted by the ICAP server.

3. In the Max Connections (4-150) field, enter the maximum connections the ICAP server will allow for ICAP clients. By default, 30 displays.

4. In the Options TTL in Seconds (0-86400) field, enter the time (in seconds) for which the options response is valid. By default, 3600 displays.

5. In the Preview Bytes (0-4096) field, enter the number of bytes to be included in the response header to be sent by the ICAP client for preview by the ICAP server, before the entire request is submitted to the ICAP server. By default, 1024 displays.

6. In the Port field, enter the port number to be used by the ICAP server. By default, this port number is 1344.

NOTE: The port number must be the same one entered for the URI.
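
The following is an added example, not Trustwave code: it checks the six values from the steps above against the stated ranges and the URI/Port rule, then compares them with the headers of an ICAP OPTIONS response. The function names are hypothetical, the header names are taken from RFC 3507, the sample response is constructed, and the 128-character ISTag limit is assumed to count the quotation marks.

```python
import re
from urllib.parse import urlsplit

# Ranges as stated in the ICAP Server Settings steps.
RANGES = {"max-connections": (4, 150), "options-ttl": (0, 86400), "preview": (0, 4096)}
# Assumption: the 128 limit counts the two quotation marks; no NUL or inner quote.
ISTAG_RE = re.compile(r'^"[^"\x00]{1,126}"$')

def check_settings(istag, uri, port, max_conn=30, ttl=3600, preview=1024):
    """Return problems with the values entered in the frame (empty list = consistent)."""
    problems = []
    if not ISTAG_RE.match(istag):
        problems.append("istag: must be a quoted string of at most 128 characters")
    parts = urlsplit(uri)
    if parts.scheme != "icap" or not parts.hostname or not parts.path.strip("/"):
        problems.append("uri: needs icap:// scheme, complete hostname and path")
    elif (parts.port or 1344) != port:  # 1344 is the default ICAP port
        problems.append(f"port: URI uses {parts.port or 1344}, Port field is {port}")
    values = {"max-connections": max_conn, "options-ttl": ttl, "preview": preview}
    for name, value in values.items():
        low, high = RANGES[name]
        if not low <= value <= high:
            problems.append(f"{name}: {value} is outside {low}-{high}")
    return problems

def parse_options(raw):
    """Parse an ICAP OPTIONS response into (status_code, {lowercased header: value})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    proto, code = lines[0].split()[:2]
    if not proto.startswith("ICAP/"):
        raise ValueError("not an ICAP response")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(code), headers

def compare_options(raw, istag, max_conn=30, ttl=3600, preview=1024):
    """List differences between the advertised OPTIONS headers and the configured values."""
    code, got = parse_options(raw)
    want = {"istag": istag, "max-connections": str(max_conn),
            "options-ttl": str(ttl), "preview": str(preview)}
    diffs = [] if code == 200 else [f"status: {code}"]
    diffs += [f"{k}: got {got.get(k)!r}, want {v!r}" for k, v in want.items() if got.get(k) != v]
    return diffs

# Constructed sample response (header names per RFC 3507), not captured from a real server.
SAMPLE = ('ICAP/1.0 200 OK\r\nMethods: REQMOD\r\nISTag: "835nb0-20a5-3e52671"\r\n'
          "Max-Connections: 30\r\nOptions-TTL: 3600\r\nPreview: 1024\r\nAllow: 204\r\n\r\n")
```

An empty list from both functions means the entered values are internally consistent and match what the server advertises; a port mismatch or an ISTag difference is the usual reason an ICAP client's request is not accepted.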

WARNING: When using the ICAP mode, the following items must be taken into consideration:
• In order for Tier 3 authentication to work correctly with the ICAP mode, the virtual IP used for authentication has to be a real and available IP address.
• The proxy server must be configured to not forward any traffic to the Web Filter's virtual IP (used for authentication) via ICAP, or else the Tier 3 applet will be blocked if the Web Filter is configured to block uncategorized sites.
• To display block pages correctly and to prevent “looping,” the proxy server has to be configured to not forward any traffic to the Web Filter via the ICAP server. Looping occurs in environments in which a Web Filter is filtering traffic from end users to an internal proxy.
• In order for the authentication form to display correctly, the proxy server must be configured to accept the certificate coming from port 8081 of the Web Filter as being valid.
• Since the authentication form is only accessible via HTTPS, the proxy server must be configured to give workstations access to HTTPS sites from the Web Filter.

Bridge Settings
Bridge mode requires correct cabling as described in the Installation Guide. When you select Bridge mode, the Network Settings frame displays the host name and DNS server settings (configured on the Network > LAN Settings window).

In the Bridge Settings frame, you configure the following settings:

1. IP address: The IP address of the bridge device (usually a bridge card).

2. Subnet mask: The netmask (such as 255.255.255.0) that is correct for the network.

3. Default gateway: The gateway for the network segment.

4. By default, if the appliance is powered off or unresponsive, no traffic passes. If you have a bypass card (available with some appliance models), you can choose to pass traffic in case of a problem. To do so, check the box "Always allow traffic to flow when inline filtering is unavailable".

5. By default, IPv6 traffic is blocked. To allow all IPv6 traffic to pass, check the box Always allow IPv6... (The Web Filter does not currently apply any policy to IPv6 traffic.)

VLANs
In Bridge mode (version 5.1.10 and above), you can apply filtering to specific VLANs. Enter the required information in the grid. See the Administrator Guide for details of required settings.

Apply Settings
Click Apply to apply your settings.

NOTE: If block pages are not being served, you must change the settings in the Block Page Route frame by making the following entries:

a) Click "Alternate IP Address".
b) Enter the IP address of the router or device that will serve block pages.
c) Click Apply.

© Trustwave. All rights reserved.