Operation Mode:
The Operation
Mode window displays when Operation Mode is selected from the Mode
menu in the navigation panel. This window is used for specifying
the operational mode in which the Web Filter will filter the network,
and the settings the Web Filter will use for listening to
traffic and sending traffic.
Mode frame
Select the operational mode in the Mode frame by clicking the radio
button for Invisible, Router, Firewall, Mobile (if using the M86 Mobile Client), or ICAP (if the Web Filter will be used for off-loading
content such as filtering).
WARNING: If you need any assistance with setup procedures for the
router or firewall mode, M86 recommends that you contact a solutions
engineer at M86 Security.
Listening Device frame
At the Device pull-down menu, select the network card that will
be used to listen to (as opposed to send) traffic
on the network. For the invisible mode, you would generally select
LAN1 for an external/Internet connection.
Block Page Device frame
In the Block Page Device frame, at the Device to send block page
pull-down menu, select the network card that will be used to send
the block page to client PCs.
TIP: For the invisible mode, the block page device should be a different
device than the one selected in the Listening Device frame. For
the router and firewall modes, the device should be the same as
the one selected in the Listening Device frame.
Block Page Delivery Method frame
If choosing the invisible mode, the Block Page Delivery Method frame
displays.
Select one of two Protocol Methods: "Send Block Page via ARP
Table" or "Send Block to Specified Host MAC Address".
NOTE: If choosing "Send Block Page via ARP Table", the Web Filter
will use the Address Resolution Protocol method to find the best
possible destination MAC address for a packet that contains the
block page. If choosing "Send Block to Specified Host MAC
Address", the block page will always be sent to the MAC address
of a specified host, usually the Web Filter gateway.
If "Send Block to Specified Host MAC Address" is chosen,
make a Block Page Route To selection. Specify whether the "Default
Gateway" will be used for serving block pages, or if an "Alternate
IP Address" will be used as the Block Page Route To address.
If an alternate IP address is used, this IP address must be reconciled
with the MAC address in order for block pages to be served to
client PCs.
Mobile Client Control
If choosing the mobile mode, the Mobile Client Control frame displays.
In the Client Resynchronization Time field, specify the interval,
in minutes, for the Web Filter to resynchronize the profile on the
end user's workstation with the profile set up for him/her on the
M86 Mobile Client Web Filter.
ICAP Server Settings
The ICAP Server Settings frame displays if the ICAP operation mode
is selected. This frame is used for configuring options response
settings for the ICAP Web Filter server:
1. In the ISTAG field, enter the ISTag (ICAP Service Tag) which
is a 128-maximum alphanumeric quoted string of data (including quotation
marks but never the null character) used in the options response-header
field. This tag provides a way for ICAP servers to send a service-specific
“cookie” to ICAP clients so that the ICAP server can
communicate with the ICAP client. For example: "835nb0-20a5-3e52671"
2. In the URI field, enter the Uniform Resource Identifier that
must specify the complete hostname and path of the resource being
requested. For example: icap://icap.logo.com:1344/services/icap-services
NOTE: This string must match what is set up on the ICAP server in
order for the ICAP client's request to be accepted by the ICAP server.
3. In the Max Connections (4-150) field, enter the maximum connections
the ICAP server will allow for ICAP clients. By default, 30 displays.
4. In the Options TTL in Seconds (0-86400) field, enter the time
(in seconds) in which the options response is valid. By default,
3600 displays.
5. In the Preview Bytes (0-4096) field, enter the number of bytes
to be included in the response header to be sent by the ICAP client
for preview by the ICAP server, before the entire request is submitted
to the ICAP server. By default, 1024 displays.
6. In the Port field, enter the port number to be used by the ICAP
server. By default, this port number is 1344.
NOTE: The port number must be the same one entered for the URI.
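The checks implied by steps 1-6, as an added example that is not part of the original documentation or M86 code: it validates a set of ICAP Server Settings against the ranges on this page (including the Port/URI match) and compares a server's OPTIONS response with the configured values. The dictionary keys, the reading of the 128 limit as counting the quotation marks, and the mapping of fields to the RFC 3507 headers ISTag, Max-Connections, Options-TTL and Preview are assumptions.

```python
from urllib.parse import urlsplit

# Ranges taken from the field labels on this page.
RANGES = {"max_connections": (4, 150), "options_ttl": (0, 86400),
          "preview_bytes": (0, 4096)}
# Assumed mapping from this page's fields to RFC 3507 OPTIONS response headers.
HEADERS = {"istag": "istag", "max_connections": "max-connections",
           "options_ttl": "options-ttl", "preview_bytes": "preview"}

def validate_settings(s):
    """Return a list of problems in a settings dict; an empty list means OK."""
    problems = []
    tag = s["istag"]
    if len(tag) < 2 or tag[0] != '"' or tag[-1] != '"':
        problems.append("ISTAG must include its quotation marks")
    if len(tag) > 128 or "\x00" in tag:  # length read as counting the quotes
        problems.append("ISTAG exceeds 128 or contains a null character")
    for key, (low, high) in RANGES.items():
        if not low <= s[key] <= high:
            problems.append(f"{key}={s[key]} is outside {low}-{high}")
    uri = urlsplit(s["uri"])
    if uri.scheme != "icap" or not uri.hostname or not uri.path.strip("/"):
        problems.append("URI needs icap:// plus complete hostname and path")
    try:
        uri_port = uri.port or 1344  # 1344 is the default ICAP port
    except ValueError:
        uri_port = None
    if uri_port != s["port"]:
        problems.append(f"Port {s['port']} does not match the URI port {uri_port}")
    return problems

def options_mismatches(raw_response, s):
    """Return the settings whose value differs from the OPTIONS response header."""
    seen = {}
    for line in raw_response.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            seen[name.strip().lower()] = value.strip()
    return [key for key, header in HEADERS.items() if seen.get(header) != str(s[key])]

# Constructed sample values; ISTag and URI are the examples given on this page.
SETTINGS = {"istag": '"835nb0-20a5-3e52671"', "max_connections": 30,
            "uri": "icap://icap.logo.com:1344/services/icap-services",
            "options_ttl": 3600, "preview_bytes": 1024, "port": 1344}
# Constructed OPTIONS response whose ISTag no longer matches the configuration.
SAMPLE = ("ICAP/1.0 200 OK\r\nMethods: REQMOD\r\nISTag: \"stale-tag-0001\"\r\n"
          "Max-Connections: 30\r\nOptions-TTL: 3600\r\nPreview: 1024\r\n\r\n")

if __name__ == "__main__":
    print(validate_settings(SETTINGS))
    print(validate_settings({**SETTINGS, "port": 1345, "preview_bytes": 8192}))
    print(options_mismatches(SAMPLE, SETTINGS))
```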
WARNING: When using the ICAP mode, the following items must be taken
into consideration:
• In order for Tier 3 authentication to work correctly with
the ICAP mode, the virtual IP used for authentication has to be
a real and available IP address.
• The proxy server must be configured to not forward any traffic
to the Web Filter's virtual IP (used for authentication) via ICAP, or
else the Tier 3 applet will be blocked if the Web Filter is configured
to block uncategorized sites.
• To display block pages correctly and to prevent “looping,”
the proxy server has to be configured to not forward any traffic
to the Web Filter via the ICAP server. Looping occurs in environments
in which a Web Filter is filtering traffic from end users to an
internal proxy.
• In order for the authentication form to display correctly,
the proxy server must be configured to accept the certificate coming
from port 8081 of the Web Filter as being valid.
• Since the authentication form is only accessible via HTTPS,
the proxy server must be configured to give workstations access
to HTTPS sites from the Web Filter.
Apply Settings
Click Apply to apply your settings.
NOTE: If block pages are not being served, you must change the settings
in the Block Page Route frame by making the following entries:
a) Click "Alternate IP Address".
b) Enter the IP address of the router or device that will serve
block pages.
c) Click Apply.