Symantec Web Gateway 5.0 Getting Started Guide en
The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement. Documentation version: 5.0 PN: 21178633
Legal Notice
Copyright 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any. THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement. Symantec Corporation 350 Ellis Street Mountain View, CA 94043 http://www.symantec.com Printed in the United States of America. 10 9 8 7 6 5 4 3 2 1
About Symantec Web Gateway
What's new
What you can do with Symantec Web Gateway
Where to get more information

Fast protection at the Web gateway across multiple protocols for inbound and outbound web traffic
Protection against malware threats on all Web file transfer channels
Ability to inspect for, detect, and block active and dormant botnets
URL filtering with flexible policy controls and in-depth reporting (the URL filtering license is required)
Advanced application control capabilities with ability to monitor and control usage by end-users spanning multiple applications
Detection of compromised endpoints by network fingerprinting and behavioral modeling
Comprehensive Web reporting and alerting
Flexible policy controls, which allow policy creation on Web-based criteria and control over how policies are applied across an organization
SSL-encrypted network traffic monitoring for URL content filtering, blacklisted-domain matching, and malware
Adaptability to deploy as an appliance or as a virtual machine on VMware ESX/ESXi 4.1/4.0
Integration with Symantec Data Loss Prevention to discover, monitor, and protect confidential data

Symantec AntiVirus Engine, the winner of over 40 consecutive VB100 Awards since 1999
Insight is a Symantec reputation-based technology that can flag probable malware not previously known to Symantec.
Highly scalable technology to meet the needs of any size organization without added latency, which ensures minimal effect on user browsing performance
The Symantec Global Intelligence Network, which continuously collects data and provides the data to Symantec Web Gateway

The Symantec Global Intelligence Network encompasses some of the most extensive sources of Internet threat data in the world. Symantec Web Gateway uses this threat data to offer comprehensive and up-to-date protection against the latest threats.
What's new
Table 1-1 describes the major new features or enhancements since Symantec Web Gateway 4.5.
Introducing Symantec Web Gateway What you can do with Symantec Web Gateway
Table 1-1

Symantec Data Loss Prevention integration: You can route outbound HTTP/HTTPS traffic through a Symantec Data Loss Prevention server to discover, monitor, and protect confidential data.

HTTPS decryption: Symantec Web Gateway can check SSL-encrypted network traffic for URL content filtering, blacklisted-domain matching, and malware detection. SSL-encrypted network traffic can also be routed to and inspected by Symantec Data Loss Prevention.

Virtual deployments: Symantec Web Gateway Virtual Edition runs as a virtual machine on VMware ESX/ESXi 4.1/4.0 so that you can run Symantec Web Gateway on the hardware of your choice. See About Symantec Web Gateway Virtual Edition on page 57.

Integrated proxy: The Symantec Web Gateway proxy can perform as a traditional FTP, HTTP, HTTPS, and SOCKS proxy. The Symantec Web Gateway proxy also enables HTTPS decryption and Symantec Data Loss Prevention integration.

You can schedule automatic, encrypted backups of Symantec Web Gateway policies and configuration.
What you can do with Symantec Web Gateway

Protect computers from spyware, botnets, and viruses: Symantec Web Gateway detects and blocks malware from Web sites and Internet downloads. Symantec Web Gateway must be installed in the inline network configuration or as a proxy server to block downloads.

Block selected Internet applications by category: You can configure Symantec Web Gateway to prevent peer-to-peer sharing, streaming media, games, and other Internet applications from accessing the Internet.

Symantec Web Gateway can block individual Web sites or categories of Web sites. To block Web sites by category, you must have the URL filtering license.

Display reports: You can display reports on a wide range of statistics. Available reports include most accessed Web sites, most active users, infected clients, most common malware, network attacks, and infection sources. Click a statistic in a report to get more information about that user, computer, Web site, category, and so on.

Configure alerts: Symantec Web Gateway can issue alerts for attacks, infections, and system events. Symantec Web Gateway transmits alerts by email, syslog, or SNMP.

Symantec Web Gateway can automatically block inbound and outbound Internet access for infected computers to prevent malware from spreading.

Symantec Web Gateway can pass outbound Web traffic through Symantec Data Loss Prevention to protect your company's data assets. You must have a separate Symantec Data Loss Prevention appliance.

Symantec Web Gateway can monitor SSL-encrypted Internet traffic for malware or pass the encrypted traffic to Symantec Data Loss Prevention. You must have a separate Symantec Data Loss Prevention appliance to analyze SSL-encrypted traffic for data loss.
Symantec Web Gateway Implementation Guide
Symantec Web Gateway Getting Started Guide
Symantec Web Gateway Release Notes

More information about Symantec Web Gateway
Visit the following Symantec Web sites for more information about Symantec Web Gateway:

Knowledge base articles: Articles to help you troubleshoot issues with Symantec Web Gateway
www.symantec.com/business/support/index?page=landing&key=58161

SymConnect Forum: Users post the questions that other users and Symantec Technical Support answer
www.symantec.com/connect/security/forums/web-gateway

Product alerts: Subscribe to late-breaking news about new releases and hot issues
http://www.symantec.com/business/support/index?page=content&key=58161&channel=ALERTS

English PDF documentation: All available .pdf documents for Symantec Web Gateway in English
www.symantec.com/business/support/index?page=content&key=58161&channel=DOCUMENTATION

Technical Support: Contact information and downloads
www.symantec.com/enterprise/support

Licensing: Information about how to register, activate, and manage existing licenses
https://licensing.symantec.com/acctmgmt/index.jsp

Virus encyclopedia: Information about all known threats; information about hoaxes and access to white papers about threats
www.symantec.com/business/security_response/index.jsp

Documentation about data loss prevention: Information about how to configure and use Symantec Data Loss Prevention
See the Symantec Data Loss Prevention Administration Guide, which is available with the download of the Symantec Data Loss Prevention software.
Preinstallation checklist
System requirements
About Symantec Web Gateway network configurations
About the Symantec Web Gateway operating modes
Port connections for typical network configurations
Diagrams of typical network configurations
Ports and settings that Symantec Web Gateway uses
Connections, ports, and indicators on the Symantec Web Gateway appliance
Preinstallation checklist
Table 2-1 contains the decisions that you should make and the items that you should have on hand before you install Symantec Web Gateway.

Table 2-1

Review the system requirements.

Determine if you intend to use the Symantec Web Gateway proxy.
The use of the Symantec Web Gateway proxy dictates which operating modes you can use and requires you to use the management port.

Determine how you want to install Symantec Web Gateway in your network.
The manner in which you connect to your network affects its capabilities. See About Symantec Web Gateway network configurations on page 16. See Port connections for typical network configurations on page 18. See Diagrams of typical network configurations on page 20.

Determine which operating mode you intend to use.
The operating modes let you either monitor Internet traffic or monitor traffic and block traffic. See About the Symantec Web Gateway operating modes on page 18.

Configure your firewall to allow traffic from Symantec Web Gateway.
Ensure that the necessary ports are open in your firewall and other network devices to allow Symantec Web Gateway to function properly. See Ports and settings that Symantec Web Gateway uses on page 27.

Have a computer with an Ethernet port for initial setup. (Required for physical appliance only.)
Connect a computer to the management port on Symantec Web Gateway to initially configure it. Any computer and operating system works for this purpose. This computer must have a supported Web browser to access the Web GUI. See Connections, ports, and indicators on the Symantec Web Gateway appliance on page 33. See System requirements on page 15.

Decide on an administrator user name and password.
Decide on an administrator name and password for access to the Web GUI. The primary administrator can create additional administrator accounts for access to the Web GUI.

Specify an email address in the setup wizard. Symantec Web Gateway sends alerts and reports to this email address. If you click the Forgot Password? link on the Logon page, Symantec Web Gateway sends a new password to this address.

Know your IP address and related network settings for the Symantec Web Gateway appliance.
Determine if you intend to use a single IP address or two IP addresses. With one IP address, you can use a static address or you can rely on DHCP. Symantec recommends that you use a static IP address. The two IP address configuration is recommended if you plan to connect Symantec Web Gateway in the inline network configuration. Symantec Web Gateway requires two IP addresses if you intend to install Symantec Web Gateway in a proxy configuration. The IP addresses must be static and in different subnets. In the two IP address configuration, Symantec Web Gateway uses one IP address for communication with the Web GUI through the management port. Symantec Web Gateway uses the other IP address for communication with the user. For example, Symantec Web Gateway uses this IP address to send the end user blocking pages and authentication requests. The two IP addresses must be on different networks. To specify a static IP address for Symantec Web Gateway, obtain an IP address in your network that is not in use by another computer. You need the following network settings for a static IP address:
IP address
Subnet mask
Default gateway
Primary DNS
Secondary DNS (optional)
DNS suffix (optional)
If you intend to use DNS, you must provide a DNS address. Optionally, you can provide a second DNS address and a DNS suffix.

Have a list of your internal subnets.
You must specify your internal subnets in Symantec Web Gateway after you run the setup wizard. See Post-installation tasks on page 42.

Have up to five normal and two crossover Ethernet cables.
You need up to four normal and up to two crossover Ethernet cables. The number of cables that you need depends on your network configuration and the number of LAN and WAN ports on the appliance. Crossover Ethernet cables are included with your appliance. The Ethernet cables should have the typical RJ-45 (8P8C) jacks. See Port connections for typical network configurations on page 18. See Diagrams of typical network configurations on page 20.
After you complete the preinstallation checklist, you can proceed with the installation. See Installing Symantec Web Gateway on page 36.
System requirements
Table 2-2 lists the supported system requirements.
Symantec Web Gateway model 8490 Symantec Web Gateway model 8450 007 009
Web browser
Computer that you use to access the Symantec Web Gateway Web GUI: Microsoft Internet Explorer 8/7/6
Mozilla Firefox 3
Mozilla Firefox 3
In most cases, Symantec Web Gateway does not require changes to any user software including the Web browser. However, if you configure Active Directory integration to use NTLM 401 authentication (only used in inline or tap network configurations), you may have to change the Web browser configuration on user computers. This change prevents an authentication pop-up window. You may also have to change the Web browser configuration on user computers if you use the Symantec Web Gateway proxy.
See System requirements for Symantec Web Gateway Virtual Edition on page 62.
Inline
Blocks file transfers, Web sites, and phone-home attempts. Inline configuration requires more network connections than port span/tap. See Figure 2-1 on page 21.
Proxy
Only analyzes the proxy traffic that is explicitly proxied to Symantec Web Gateway proxy. This means that Symantec Web Gateway can only analyze HTTP, HTTPS, FTP, and SOCKS Internet traffic. This configuration requires changes in your network to ensure that users' browsers use the Symantec Web Gateway proxy to access the Internet. See Figure 2-4 on page 24.
Inline + proxy
A combination of both the inline network configuration and the proxy network configuration. Symantec Web Gateway can explicitly analyze both the proxy traffic and native traffic that pass through the WAN/LAN ports. See Figure 2-1 on page 21.
Works the same as the inline configuration and the inline + proxy configuration but this configuration contains a second set of LAN and WAN ports. In an inline configuration, Symantec Web Gateway supports both of the LAN ports and WAN ports. In an inline + proxy configuration, Symantec Web Gateway only supports proxy function on LAN1 and WAN1 ports. Symantec Web Gateway only supports dual homing on the 8490 appliance. See Figure 2-3 on page 23.
Planning for installation About the Symantec Web Gateway operating modes
Monitoring
Symantec Web Gateway does not block any Internet traffic, but it provides reports on user activity. This mode can be useful as an initial test of Symantec Web Gateway.
Port connections for typical network configurations
Connect Management to
Connect Monitor to
Port on your LAN switch (required)
Description
Connect LAN to
Connect WAN to
Not used
Simple port span/tap network configuration. See Figure 2-1 on page 21.
Network tap Port on your or a port on LAN switch your LAN (optional) switch that is set to span mode (required) Not used Port on your LAN switch (required)
Simple inline with no proxy or the proxy is at the firewall
Simple inline network configuration. If a proxy exists in the network, it is connected to the firewall. See Figure 2-1 on page 21.

Inline with two firewalls and two Symantec Web Gateway appliances
You can connect two Symantec Web Gateway appliances to two firewalls as part of a high-availability environment. You can configure the firewalls in active/active failover or active-standby failover. You should configure the Symantec Web Gateway appliances identically except for the network settings. See Figure 2-2 on page 22.
Port on your LAN switch (required)

Inline with one NIC external proxy that is connected to Symantec Web Gateway
If your proxy server is connected to the corporate LAN rather than the firewall, install Symantec Web Gateway between the corporate LAN and the proxy server. See Figure 2-6 on page 26.
Port on your LAN switch (required)
Not used
Not used
Not used
Description
Connect LAN to
Port on the proxy; connect LAN2 to the proxy also (required)
Connect WAN to
Port on your layer 3 switch; connect WAN2 to a separate layer 3 switch (required)
For greater throughput on the proxy server, you can connect a single Symantec Web Gateway appliance with two LAN and two WAN ports to a proxy server. You can also connect a single Symantec Web Gateway appliance with two LAN and two WAN ports to two proxy servers. See Figure 2-3 on page 23.
Port on your LAN switch (required)

Inline with two NIC external proxies that are connected to Symantec Web Gateway and to the firewall
The proxy server is connected to the firewall and Symantec Web Gateway. See Figure 2-5 on page 25.
Port on your LAN switch (required)

Central Intelligence Unit
An appliance that is configured to manage other appliances is called a Central Intelligence Unit.
Port on your LAN switch (required)
Not used
Not used
Not used
Not used
Figure 2-1 (network diagram; labels: WAN Port, Management Port, LAN Port, Crossover Cable, Protected Computers)
Figure 2-2 Inline with two firewalls, two external proxies, and two Symantec Web Gateway appliances (network diagram)
Figure 2-3 (network diagram; labels: Proxy Server, Internet, Internet Firewall or NAT, LAN2 Port, WAN1 Port, WAN2 Port, Router, Network Mgmt. PC, Protected Computers)
Figure 2-4 (network diagram; labels: Network Mgmt PC, Corporate LAN, Protected Computers)
Figure 2-5 Inline Symantec Web Gateway with an external proxy server connected to firewall (network diagram)
Figure 2-6 (network diagram; labels: Internet, Network Mgmt PC, Corporate LAN, LAN Port, Protected Computers)
Planning for installation Ports and settings that Symantec Web Gateway uses
Figure 2-7 (network diagram; labels: Management Port, Network Mgmt PC, Monitored Computers)
Symantec Web Gateway ports and settings
Columns: Port (Protocol), From, To, Description

To: User-defined SMTP servers
Description: Delivers the SMTP mail notifications of alert conditions.

Port (Protocol): <hostname/IP>, UDP/53 (DNS)
To: User-defined DNS servers
Description: (Optional) Performs external DNS lookups, if configured.

Port (Protocol): liveupdate.symantec.com, liveupdate.com, symantecliveupdate.com, TCP/80 (HTTP)
From: Symantec Web Gateway
To: Symantec LiveUpdate servers
Description: Supplies the antivirus definitions downloads.

Port (Protocol): <hostname/IP>, pool.ntp.org (default), UDP/123 (NTP)
From: Symantec Web Gateway
To: User-defined NTP servers
Description: Retrieves Network Time Protocol data from one or more Time servers.

Port (Protocol): <hostname/IP>, UDP/161 (SNMPv3)
To: User-defined SNMP servers
Description: (Optional) Provides the Simple Network Management Protocol (SNMP) trap and alerts, if configured.

Port (Protocol): <hostname/IP>
To: Active Directory servers
Description: (Optional) Retrieves LDAP User information from Active Directory server, if configured.

From: Symantec Web Gateway
To: Symantec Threat center servers
Description: This port enables the following: Symantec Web Gateway software update downloads, botnet signatures, and other updates. Symantec Technical Support may use this port for remote system diagnosis.

Port (Protocol): filterdb.iss.net, TCP/443 (HTTP)
Description: (Optional) Downloads optional URL filtering data.

Port (Protocol): license.cobion.com, TCP/443 (HTTP)
Description: (Optional) Validates your software license for URL classification data.

Port (Protocol): <hostname/IP>, TCP/443 (Proprietary)
From: Central Intelligence Unit (CIU)
To: Symantec Web Gateway
Description: (Optional) Polls Symantec Web Gateway for its status and data.

From: Symantec Web Gateway
To: CIU
Description: (Optional) Retrieves updates to configuration options from CIU.

Port (Protocol): <hostname/IP>, UDP/514 (Syslog)
To: User-defined syslog servers
Description: (Optional) Delivers malware alerts or system alerts to remote syslog, if configured.

dc interface
Description: (Optional) Forwards audit success entries from the security log of the domain controller to Symantec Web Gateway, which permits Symantec Web Gateway to apply filtering policies based on LDAP.

From: Endpoint computer
To: Symantec Web Gateway
Description: (Optional) Symantec Web Gateway to authenticate end user clients.

Symantec Web Prevent communication channel
Description: (Optional) Used to communicate with the Symantec Web Prevent server.
Note: <hostname/IP> denotes the configuration that you provide based upon your local network architecture and your implementation plan for Symantec Web Gateway.

Table 2-7 describes the proxy settings that Symantec Web Gateway uses.

Table 2-7
Columns: Settings, From, To, Description

SOCKS Settings
From: Web browser client
To: Symantec Web Gateway
Description: You can enable Symantec Web Gateway proxy as SOCKS proxy for TCP and for UDP network traffic such as HTTP and FTP. Symantec Web Gateway supports SOCKS version 5. The default port is 1080, and you can modify it as per your network configuration.

FTP Settings: 8021
From: FTP client
Description: The proxy listens for FTP traffic at the port that you specify. The default port is 8021, and you can modify it as per your network configuration.

From: Web browser client
To: Symantec Web Gateway
Description: The proxy listens for HTTP/S traffic from the user Web browser at the specified ports. The default port ranges from 8080-8083, and you can modify it as per your network configuration. These ports can only be used for the HTTP/S proxy.

8443
Description: The Symantec Web Gateway proxy listens for SSL traffic at the port that you specify. If you enable the internal HTTP/S proxy, the SSL port must be different than the HTTP/S ports. The default port is 8443, and you can modify it as per your network configuration.
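A plan check for the rules stated above, as an added example that is not part of the Symantec guide: it validates the two-IP addressing rules from the preinstallation checklist and the proxy listener port rule from Table 2-7, and compares the destinations in the ports and settings table with a firewall allow-list. The plan dictionary, the feature names, and the (protocol, port, destination) rule model are assumptions made for this example; the sample plan and rules are constructed.

```python
import ipaddress

# Flows to the "To" destinations whose port is listed in the ports and settings
# table on this page. Fields: protocol, port, destination as the page names it,
# and the feature that needs the flow (None = not marked optional on the page).
# The feature names are labels made up for this example.
EGRESS = [
    ("udp", 53, "user-defined DNS servers", "dns"),
    ("tcp", 80, "liveupdate.symantec.com", None),
    ("tcp", 80, "liveupdate.com", None),
    ("tcp", 80, "symantecliveupdate.com", None),
    ("udp", 123, "pool.ntp.org", None),
    ("udp", 161, "user-defined SNMP servers", "snmp"),
    ("tcp", 443, "filterdb.iss.net", "url_filtering"),
    ("tcp", 443, "license.cobion.com", "url_filtering"),
    ("udp", 514, "user-defined syslog servers", "syslog"),
]

# Proxy listener defaults from Table 2-7.
DEFAULT_LISTENERS = {
    "socks": [1080],
    "ftp": [8021],
    "http": [8080, 8081, 8082, 8083],
    "ssl": [8443],
}


def check_addressing(plan):
    """Apply the one-IP / two-IP rules from the preinstallation checklist."""
    findings = []
    mgmt = ipaddress.ip_interface(plan["management"])
    inline = plan.get("inline")
    if plan["network"] == "proxy" and inline is None:
        findings.append("proxy configuration requires two IP addresses")
    if inline is not None:
        if plan.get("dhcp"):
            findings.append("DHCP is not supported with separate management and inline networks")
        if mgmt.network.overlaps(ipaddress.ip_interface(inline).network):
            findings.append("management and inline addresses must be in different subnets")
    return findings


def check_listeners(listeners):
    """The HTTP/S ports can only be used for the HTTP/S proxy, so the SSL port
    (or any other listener) must not reuse one of them."""
    http_ports = set(listeners.get("http", []))
    findings = []
    for name, ports in sorted(listeners.items()):
        if name == "http":
            continue
        for port in sorted(http_ports.intersection(ports)):
            findings.append(f"{name} port {port} is already an HTTP/S proxy port")
    return findings


def missing_egress(plan, allow_rules):
    """Return the flows the plan needs that no allow rule covers.
    allow_rules holds (protocol, port, destination) tuples; 'any' matches any destination."""
    features = plan.get("features", ())
    allowed = set(allow_rules)
    missing = []
    for proto, port, dest, feature in EGRESS:
        if feature is not None and feature not in features:
            continue  # optional flow for a feature this plan does not use
        if (proto, port, dest) not in allowed and (proto, port, "any") not in allowed:
            missing.append((proto, port, dest))
    return missing


def review(plan, allow_rules):
    """Run every check and return the findings as readable strings."""
    findings = check_addressing(plan)
    findings += check_listeners(plan.get("listeners", DEFAULT_LISTENERS))
    findings += [f"firewall does not allow {proto}/{port} to {dest}"
                 for proto, port, dest in missing_egress(plan, allow_rules)]
    return findings


# Constructed sample: both addresses share a subnet, the SSL listener reuses an
# HTTP/S port, and the firewall omits the URL filtering license host.
SAMPLE_PLAN = {
    "network": "proxy",
    "management": "10.10.1.20/24",
    "inline": "10.10.1.21/24",
    "features": {"dns", "url_filtering"},
    "listeners": {"socks": [1080], "ftp": [8021],
                  "http": [8080, 8081, 8082, 8083], "ssl": [8083]},
}
SAMPLE_RULES = [
    ("udp", 53, "any"),
    ("tcp", 80, "any"),
    ("udp", 123, "pool.ntp.org"),
    ("tcp", 443, "filterdb.iss.net"),
]

if __name__ == "__main__":
    for finding in review(SAMPLE_PLAN, SAMPLE_RULES):
        print("-", finding)
```

Rows of the ports table whose port does not appear on this page (SMTP, Active Directory, Symantec Threat Center, CIU configuration retrieval) are not modelled and have to be added from your own deployment data.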
Planning for installation Connections, ports, and indicators on the Symantec Web Gateway appliance
Connection or port
USB ports
Serial port
Access to the required Internet services See Ports and settings that Symantec Web Gateway uses on page 27. Domain controller (for authentication) See Port connections for typical network configurations on page 18. Monitor Ethernet port If you deploy Symantec Web Gateway in a port span/tap network configuration, connect the monitor port to the network tap or a port on your LAN switch that is set to span mode. See Port connections for typical network configurations on page 18.
Table 2-8
Connection or port
Keyboard
Mouse Power
Installing Symantec Web Gateway
Installing the Symantec Web Gateway appliance into a rack
Configuring a computer to access Symantec Web Gateway for installation
Running the setup wizard
Post-installation tasks
Accessing the Web GUI
Connecting Symantec Web Gateway to your network
About ensuring Internet connectivity if Symantec Web Gateway is disabled
Testing the bypass mode
Specifying internal networks
Enabling URL filtering, Internet program monitoring, and other features
Creating static routes for the inline network configuration
Specifying a mail server for alerts and reports
Specifying internal email and external proxy servers for report accuracy
Testing Symantec Web Gateway for successful blocking or monitoring
Testing Symantec Web Gateway Threat Center connectivity
Description
Mount the Symantec Web Gateway appliance into a rack, but do not connect the Ethernet cables yet. See Installing the Symantec Web Gateway appliance into a rack on page 37.
Step 2
Configure and connect a computer to Symantec Web Gateway for initial installation.
You use a directly connected computer to initially configure Symantec Web Gateway. See Configuring a computer to access Symantec Web Gateway for installation on page 37. You specify the primary administrative user, network configuration, and initial settings for Symantec Web Gateway in the setup wizard. See Running the setup wizard on page 38.
Step 3
When you finish the installation, perform the post-installation tasks to ensure that you properly configure and test Symantec Web Gateway. See Post-installation tasks on page 42.
Installing Symantec Web Gateway appliances Installing the Symantec Web Gateway appliance into a rack
1. Attach the included rails to the appliance.
2. Install the appliance in a 19-inch (483mm) rack.
3. Connect the power cord to the appliance and then to a power supply.
4. If your appliance came with two power cords, connect the second power cord.
1. Copy the license file to the local hard drive on the computer.
2. Access the network configuration settings on the computer.
3. Set the IP address of the computer to the following address: 192.168.254.253
4. Set the subnet mask of the computer to the following address: 255.255.255.0
   You do not have to configure any other network settings such as default gateway or DNS.
5. Save the settings.
6. Connect an Ethernet cable from this computer to the management port on the back of the Symantec Web Gateway appliance.
1. Press the power button on the front of the Symantec Web Gateway appliance. The appliance takes several minutes to start.
2. On the computer that is connected to the management port, start a Web browser and go to the following URL: http://192.168.254.254
   The setup wizard automatically appears the first time that you install the product.
3. On the Welcome panel, click Next.
4. On the License Agreement panel, read the license agreement, check the box indicating that you accept the terms of the agreement, and then click Accept.
5. On the Install License panel, do the following tasks:
   If you do not install a license now, there is a two week grace period. During this time the product runs as if the Symantec Web Gateway license were installed.
6. On the Select Server Type panel, click Web Gateway, and then click Next. You can only change the server type in the setup wizard. You cannot change it in the Web GUI after the setup wizard finishes.
7. On the User Information panel, specify the following information about the primary Web GUI system user:
   Login Name: Type a login name for the primary Web GUI administrator. Use ASCII characters only. The login name is case sensitive.
   Password: Type a password for the primary Web GUI administrator.
   Type the password again to verify its accuracy.
   Optionally, you can type a description for the current user account. This description appears on the Edit User page.
   Type a complete email address such as [email protected]. Symantec Web Gateway sends alerts and reports to this email address. If you click the Forgot Password? link on the login page, a new password is sent to this address.
8. Click Next.
9. On the Server Information panel, specify the following information:
Name Type a descriptive name for Symantec Web Gateway with ASCII characters. The server name can include spaces. The server name is not used for network access to Symantec Web Gateway. It appears in reports and alerts. If you use a Central Intelligence Unit to manage multiple Symantec Web Gateway appliances, this name identifies each Symantec Web Gateway appliance.
Mode
Select one of the following default operating mode options:
Monitoring: Click this option if you only want to view reports on user malware activity but not block malware.
Blocking: Click this option if you want to block inbound and outbound malware for user computers at your site. You can also view reports on malware activity.
You can override these default operating modes with custom policies. Symantec recommends that you do not use Blocking mode if you use the Inline configuration and you do not have static routes configured.
See About the Symantec Web Gateway operating modes on page 18. Select one of the following network configurations:
Network Settings
Do the following tasks:
To specify one IP address for the Web GUI and a separate IP address for the monitoring and blocking capabilities of Symantec Web Gateway, check Enable separate management and inline networks.
Specify if you want to use Automatic (DHCP) resolution or if you want to manually specify IP addresses. Symantec Web Gateway does not support DHCP when you enable separate management and inline networks.
If you did not check Enable separate management and inline networks, specify the Management Network Settings. Specify the IP address and related network settings for the Web GUI, monitoring capabilities, and blocking capabilities.
If you checked Enable separate management and inline networks, specify the following settings:
Management Network Settings: Specify the IP address and related network settings for the Web GUI. The use of DHCP is disabled.
Inline Network Settings: Specify the IP address and related network settings for the monitoring and blocking capabilities.
DNS Settings: You can specify up to two IP addresses. You can optionally also specify a DNS suffix.

Proxy Settings (Optional, if you intend to use external proxies)
Check Use proxy for Web Gateway secure communications (SSL) with Symantec Threat Center if you intend to have Symantec Web Gateway use an external proxy to communicate with Symantec Threat Center. Also specify the proxy IP address and port.
Check Analyze ports used by proxy if you want Symantec Web Gateway to inspect the external proxy traffic from clients. Also specify the HTTP proxy port/port range and the FTP port.
Click the drop-down list and select your time zone. The time zone settings do not apply if you use Symantec Web Gateway as a proxy.
Post-installation tasks
After you install the appliance and run the setup wizard, perform the following post-installation tasks to ensure that you properly configure and test Symantec Web Gateway. Table 3-2 Step
Step 1
Description
If you selected the inline networking configuration., disconnect the Ethernet cable from the management port and connect it to the LAN port on Symantec Web Gateway. You do not need to switch to the LAN port if you use the two IP configuration. If Symantec Web Gateway is in bypass mode in this configuration, leave the Ethernet cable connected to the management port to access the Web GUI. With all other configurations, leave the Ethernet cable connected to the management port. In all configurations, keep the other end of the cable connected to your computer.
Step 2
On the computer that is connected to the management port, set the IP address to an IP address that is on the same network as the new IP address that you specified for Symantec Web Gateway. Also, set the subnet mask to match the Symantec Web Gateway IP address. This process is similar to the process to access the setup wizard, except that you do not use the 192.168.254.253 IP address. See Configuring a computer to access Symantec Web Gateway for installation on page 37.
Step 3
Access the Web GUI to test Symantec Web Gateway and to perform post-installation configurations. See Accessing the Web GUI on page 44.
Step 4
Connecting Symantec Web Gateway to your network. Test bypass mode. (Inline configuration only)
After you access the Web GUI, you can connect Symantec Web Gateway to your network. See Connecting Symantec Web Gateway to your network on page 45. If you configure Symantec Web Gateway for the inline configuration, test to ensure that the bypass mode operates properly. See About ensuring Internet connectivity if Symantec Web Gateway is disabled on page 46. See Testing the bypass mode on page 48.
Step 5
Step 6
When you specify your internal networks, Symantec Web Gateway knows which networks are internal and which are external. See Specifying internal networks on page 49.
Step 7
Enable key filtering and monitoring features.
Configure the following features:
Enable Insight reputation-based security
Enable application control
Enable content filtering
Enable record browse view times
See Enabling URL filtering, Internet program monitoring, and other features on page 50.
Step 8
Create static routes, if needed. (Inline configurations only)
If you plan to connect Symantec Web Gateway in the inline network configuration, specify static routes. See Creating static routes for the inline network configuration on page 52.
Step 9
Specify servers and proxies for reports and alerts.
You should specify your servers and external proxies so that they appear in your alerts and reports. See Specifying a mail server for alerts and reports on page 52. See Specifying internal email and external proxy servers for report accuracy on page 53.
Step 10
Test Symantec Web Gateway.
Test Symantec Web Gateway to ensure that it blocks and monitors Web traffic as you intend it. Also test the connection to the Threat Center. See Testing Symantec Web Gateway for successful blocking or monitoring on page 53. See Testing Symantec Web Gateway Threat Center connectivity on page 54.
Installing Symantec Web Gateway appliances Connecting Symantec Web Gateway to your network
1. On the computer in the LAN connected to Symantec Web Gateway, start a Web browser.
2. In the Web browser, type the following:
http://IP address
Where IP address is the address that you specified for the Symantec Web Gateway appliance in the setup wizard. For example, if the IP address that you specified for the appliance is 192.168.42.24, go to the following URL: http://192.168.42.24
For certain Web browsers, you may need to configure a certificate security exception to access the Web GUI. Typically, this step is only required at the first login per computer per session.
In the Web GUI, click Administration > Configuration > Operating Mode, uncheck Service Enabled to disable Symantec Web Gateway, and then click Save. When you disable the service, Symantec Web Gateway is in bypass mode. See About ensuring Internet connectivity if Symantec Web Gateway is disabled on page 46. You can check the Symantec Web Gateway service status at Administration > Configuration > Operating Mode.
Disconnect your computer from the management port of the Symantec Web Gateway appliance. You can set the TCP/IP configuration of the computer as desired and redeploy it as needed in your network.
Installing Symantec Web Gateway appliances About ensuring Internet connectivity if Symantec Web Gateway is disabled
Connect the LAN, WAN, and management ports as required for the network configuration and mode that you configured. See Port connections for typical network configurations on page 18.
With Symantec Web Gateway service disabled, try to access the Internet from a computer in the LAN. You should be able to access the Internet. The bypass LEDs on the back of the Symantec Web Gateway appliance should be on. See Connections, ports, and indicators on the Symantec Web Gateway appliance on page 33.
In the Web GUI, click Administration > Configuration > Operating Mode, and then check Service Enabled to enable Symantec Web Gateway.
Hardware bypass does not generate any reports for scanning, monitoring, and blocking.
Table 3-3
For bypass mode to function properly, ensure that you use the proper type of Ethernet cables to connect to the LAN. Two solid LEDs on the back of the Symantec Web Gateway appliances indicate bypass mode is on. See Connections, ports, and indicators on the Symantec Web Gateway appliance on page 33.
Note: If you connect the wrong type of Ethernet cable from Symantec Web Gateway to the LAN, Internet connectivity is blocked when Symantec Web Gateway is disabled or off.
In bypass mode, Symantec Web Gateway works the same as if you were using a crossover Ethernet cable. In the inline network configuration, you may need to connect a crossover Ethernet cable between the LAN port on Symantec Web Gateway and the main LAN switch. One or two crossover cables are included with Symantec Web Gateway, depending on the number of LAN ports on your appliance. Most Ethernet cables are straight-through cables. Table 3-4 describes the cable options for LAN port.
Table 3-4 Connecting the LAN cable in the inline network configuration
LAN auto sensing behavior: The LAN switch that is connected to Symantec Web Gateway has auto sensing that detects the cable type and adjusts to properly route network traffic.
Cable options for Symantec Web Gateway LAN port: You can connect either a straight-through or a crossover Ethernet cable from the LAN port on Symantec Web Gateway to the main LAN switch. However, Symantec recommends that you install the type of cable that is recommended in the following row. If the LAN switch is unintentionally turned off, auto sensing may not function.

LAN auto sensing behavior: The LAN switch that is connected to Symantec Web Gateway does not have auto sensing and automatic correction for the Ethernet cable type.
Cable options for Symantec Web Gateway LAN port: You must connect the correct type of Ethernet cable to ensure that bypass mode works. The type of cable to use depends on the cable that was connected between the WAN and LAN before you installed Symantec Web Gateway, as follows:
If the Ethernet cable between the WAN and LAN was a straight-through cable, connect a crossover Ethernet cable to the Symantec Web Gateway LAN port.
If the Ethernet cable between the WAN and LAN was a crossover cable, connect a straight-through Ethernet cable to the Symantec Web Gateway LAN port.
In all cases, connect a straight-through Ethernet cable from the WAN to the WAN port on Symantec Web Gateway.
If you configure Symantec Web Gateway in the port span/tap network configuration and the appliance is turned off or disabled, Internet traffic passes unchanged. In the port span/tap network configuration, the appliance never blocks Internet traffic if it is turned off or disabled. Always use a straight-through Ethernet cable to connect the appliance to the network tap or port that is configured in span mode. See Testing the bypass mode on page 48.
1. In the Web GUI, click Administration > Configuration > Operating Mode, and then uncheck Service Enabled to disable Symantec Web Gateway. When you disable the service, Symantec Web Gateway is in bypass mode. See About ensuring Internet connectivity if Symantec Web Gateway is disabled on page 46.
2. With Symantec Web Gateway service disabled, try to access the Internet from a computer in the LAN. You should be able to access the Internet. The bypass LEDs on the back of the Symantec Web Gateway appliance should be on but not blinking. See Connections, ports, and indicators on the Symantec Web Gateway appliance on page 33.
3. Click Administration > Configuration > Operating Mode, and then check Service Enabled to enable Symantec Web Gateway.
4. Test Symantec Web Gateway to ensure that it functions properly. See Testing Symantec Web Gateway for successful blocking or monitoring on page 53.
1. In the Web GUI, click Administration > Configuration > Network.
2. Check Apply Static Routes to Internal Networks if the following conditions apply, and then click Save and ignore the rest of this procedure:
You have configured static routes.
Your internal networks are the same as or more than the static routes.
See Creating static routes for the inline network configuration on page 52.
3. Under Internal Network Configuration, click Add a Network.
Normally, do not check Define internal network as addresses not in the following list. That setting is for special cases in which you install Symantec Web Gateway in front of an external proxy.
Installing Symantec Web Gateway appliances Enabling URL filtering, Internet program monitoring, and other features
4. In Subnet, type the IP address of your internal subnet. For example, if your internal computers are in the range 10.42.24.0 to 10.42.24.255, type 10.42.24.0.
5. In Netmask, type the netmask for the subnet. For example, if your internal computers are in the range 10.42.24.0 to 10.42.24.255, type 255.255.255.0.
Symantec Web Gateway supports wide subnets, also known as supernets. If portions of your network are in a contiguous wide range, it is not necessary to have multiple separate internal network entries for each range. A single wide range is sufficient.
6. Optionally, in Description, type a description of the internal network.
7. If your internal network has computers in separate network ranges, specify additional networks.
8. Click Save.
1. In the Web GUI, click Administration > Configuration > Modules.
2. Check the appropriate box to enable the following features:
Enable Application Control
Allow, monitor, or block the programs that access the Internet. Configure application control policies on the Edit Policy page. This feature is included in the Symantec Web Gateway license.
If you have the URL filtering license, you can enable URL filtering. Configure URL filtering policies on the Edit Policy page.
Bypass Whitelist for Content Filter
If you check Bypass Whitelist for Content Filter, you disable the internal whitelist and your custom whitelist. The Web pages in those whitelists that Symantec Web Gateway normally ignores are subject to monitoring and blocking. This feature requires the URL filtering license. The internal whitelist contains the domain names for definition updates and software updates of antivirus vendors and software vendors. Due to security concerns, Symantec cannot publish the contents of the internal whitelist. Symantec recommends that you not bypass the whitelist for content filter.
Record browse time
Symantec Web Gateway records the approximate amount of time that each user views Web sites. This feature requires the URL filtering license. The following settings are available for this module:
Threshold: Web browsing activity under this value is not recorded. The default is 5 minutes.
Sensitivity: If Symantec Web Gateway detects no Web browsing activity after this time has elapsed, it stops tabulating the browse time. Symantec Web Gateway ignores or records the browse time depending on the Threshold value. The default is 3 minutes.
Insight
Symantec Web Gateway can block, monitor, ignore, or allow access to files and other sources of malware based on reputation-based security. Insight is a Symantec technology that can flag probable malware not previously known to Symantec.
Click Save.
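The interaction between the Threshold and Sensitivity settings of Record browse time is easier to see with numbers. The following Python model is an added example, not Symantec's implementation: it assumes that a browsing span ends when the idle gap exceeds Sensitivity, that a span is measured from its first to its last request, and that spans shorter than Threshold are dropped; the function names and sample times are constructed.

```python
def browse_spans(request_minutes, sensitivity=3):
    """Group request times (in minutes) into browsing spans.

    Assumed rule: a span ends once more than `sensitivity` minutes pass
    without a request; the next request starts a new span.
    """
    spans = []
    for t in sorted(request_minutes):
        if spans and t - spans[-1][1] <= sensitivity:
            spans[-1][1] = t        # still inside the current span
        else:
            spans.append([t, t])    # idle gap exceeded: start a new span
    return [(start, end) for start, end in spans]


def recorded_minutes(request_minutes, threshold=5, sensitivity=3):
    """Sum the spans that last at least `threshold` minutes.

    Spans under the threshold are ignored, as the Threshold setting
    describes. Defaults match the defaults stated in the guide.
    """
    return sum(end - start
               for start, end in browse_spans(request_minutes, sensitivity)
               if end - start >= threshold)


# Constructed request times, in minutes since the first request.
STEADY = [0, 2, 4, 6, 8, 10, 12]    # a request every 2 minutes
PAUSED = [0, 2, 4, 8, 10, 12]       # same visit with one 4-minute pause

if __name__ == "__main__":
    print("steady visit:", recorded_minutes(STEADY), "minutes recorded")
    print("paused visit:", recorded_minutes(PAUSED), "minutes recorded")
    print("paused visit, sensitivity 5:",
          recorded_minutes(PAUSED, sensitivity=5), "minutes recorded")
```

Under these assumptions a single pause longer than Sensitivity splits a 12-minute visit into two spans that each fall under Threshold, so nothing is recorded for it.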
Installing Symantec Web Gateway appliances Creating static routes for the inline network configuration
1. In the Web GUI, click Administration > Configuration > Network.
2. Click Add a Static Route.
3. In Destination, type the IP address of the subnet. For example, if computers on the network have IP addresses in the range 10.10.20.0 to 10.10.20.255, type 10.10.20.0.
4. In Netmask, type the netmask for the subnet. For example, if you specified a destination of 10.10.20.0, type 255.255.255.0.
5. In Gateway, type the IP address of the router or switch. The gateway is the IP address of the router, such as 10.10.20.100.
6. Add additional static routes for each internal subnet.
7. Click Save.
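The Subnet/Netmask rows for internal networks and the Destination/Netmask rows for static routes described above can be computed and checked before you type them: this sketch merges contiguous ranges into supernets without widening them, flags a host address typed as a subnet, and lists hosts that no row covers. It is an added example, not part of the Symantec guide or product; the function names and the sample address plan are assumptions, and only the standard ipaddress module is used.

```python
import ipaddress


def rows_for_ranges(ranges):
    """Return the fewest (subnet, netmask) rows that cover exactly the given
    (first_ip, last_ip) ranges. Adjacent blocks merge into a supernet only
    when the merged block contains no address outside the input."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    return [(str(n.network_address), str(n.netmask))
            for n in ipaddress.collapse_addresses(nets)]


def check_row(subnet, netmask):
    """Return a list of problems with one typed Subnet/Netmask (or
    Destination/Netmask) pair; an empty list means the pair is consistent."""
    try:
        net = ipaddress.IPv4Network(f"{subnet}/{netmask}", strict=False)
    except ValueError as exc:
        return [f"invalid subnet or netmask: {exc}"]
    problems = []
    # ipaddress also accepts a prefix length or a hostmask such as 0.0.0.255;
    # the guide's examples use netmasks like 255.255.255.0, so flag the rest.
    if str(net.netmask) != netmask:
        problems.append(f"netmask {netmask} is not in netmask form; "
                        f"expected {net.netmask}")
    if str(net.network_address) != subnet:
        problems.append(f"{subnet} has host bits set; the subnet address "
                        f"is {net.network_address}")
    return problems


def uncovered(hosts, rows):
    """Return the hosts that fall outside every (subnet, netmask) row."""
    nets = [ipaddress.IPv4Network(f"{s}/{m}") for s, m in rows]
    return [h for h in hosts
            if not any(ipaddress.IPv4Address(h) in n for n in nets)]


# Constructed address plan; only the first range appears in the guide.
SAMPLE_RANGES = [
    ("10.42.24.0", "10.42.24.255"),
    ("10.42.25.0", "10.42.25.255"),
    ("10.42.26.0", "10.42.27.255"),
    ("192.168.50.0", "192.168.50.127"),
]

if __name__ == "__main__":
    rows = rows_for_ranges(SAMPLE_RANGES)
    for subnet, netmask in rows:
        print(f"Subnet {subnet:<15} Netmask {netmask}")
    print(check_row("10.42.24.17", "255.255.255.0"))
    print(uncovered(["10.42.27.9", "10.42.28.1"], rows))
```

Ranges that are contiguous but not aligned, such as 10.42.25.0 to 10.42.26.255, stay as two rows, because a single wider row would also mark addresses outside the range as internal.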
Installing Symantec Web Gateway appliances Specifying internal email and external proxy servers for report accuracy
1. In the Web GUI, click Administration > Configuration > Email.
2. Specify your own mail server IP address, port, and the email address from which email should appear to be sent. The mail server that you specify must support the SMTP email protocol.
Uncheck Requires Authorization if the server does not require authentication. This server does not require authentication.
Click Save.
Specifying internal email and external proxy servers for report accuracy
Because of their special roles, you must specify internal email and external proxy servers to ensure that report results are accurate.
To specify internal email and external proxy servers for report accuracy
1. In the Web GUI, click Administration > Configuration > Servers.
2. Click Add a server.
3. Specify the server parameters.
4. Click Save.
Installing Symantec Web Gateway appliances Testing Symantec Web Gateway Threat Center connectivity
1. Start a Web browser on a computer in the LAN that is connected to Symantec Web Gateway.
2. On the Internet, go to the following URL: www.symantec.com
The Symantec Web site should display normally without any block messages.
3. On the Internet, go to the following URL: testwebgateway.com/test/bltest.htm
Blocking mode or monitoring mode should be indicated as follows:
Blocking mode: If you configure Symantec Web Gateway in blocking mode, a block page appears in your Web browser. If the block page does not appear, Symantec Web Gateway is not correctly configured to block access to spyware.
Monitoring mode: If you configure Symantec Web Gateway in monitoring mode, the test page appears in your Web browser. To check for successful monitoring, find the computer in the Web GUI reports. The report should show that the computer accessed a malware page. If the Web GUI does not indicate that the computer accessed a malware page, Symantec Web Gateway is not correctly configured to monitor access to spyware.
See About the Symantec Web Gateway operating modes on page 18.
1. In the Symantec Web Gateway Web GUI, click Administration > Configuration > Network.
2. Beside Test Connection to Symantec Threat Center, click Test.
The following message appears when the test connection is successful: Connection to Symantec Threat Center from Appliance Serial No. (Appliance ID) is successful.
Chapter
About Symantec Web Gateway Virtual Edition
Installing Symantec Web Gateway Virtual Edition
System requirements for Symantec Web Gateway Virtual Edition
About configuring the VMware virtual switch
About adding the VMware LAN Network virtual switches
Installing Symantec Web Gateway virtual edition Installing Symantec Web Gateway Virtual Edition
See About Symantec Web Gateway network configurations on page 16.
The bypass mode is unsupported.
Symantec Web Gateway Virtual Edition does not have a bypass mode like the Symantec Web Gateway appliances. For Symantec Web Gateway Virtual Edition, in an inline network configuration, network traffic is halted when the service is disabled or the physical host computer is turned off. See About Symantec Web Gateway network configurations on page 16. See About ensuring Internet connectivity if Symantec Web Gateway is disabled on page 46.
Connecting management computers to the Management network.
You must connect the computers that you want to access the Web GUI to the Ethernet port that is assigned to the Management network.
The VMware snapshot is unsupported.
Symantec does not support restoring from a VMware snapshot.
Use the instructions in this guide to install Symantec Web Gateway Virtual Edition.
Step 1
Review system requirements.
Ensure that you have a supported version of VMware and that the virtual machine is provisioned appropriately. See System requirements for Symantec Web Gateway Virtual Edition on page 62.
Step 2
Download the Virtual image files.
If you purchase a license for Symantec Web Gateway, you can download the Virtual image files from the Symantec File Connect site. To access Symantec File Connect, on the Internet, go to the following URL: https://fileconnect.symantec.com/
If you have not yet purchased a license, you can download the Virtual image files from our product Trialware site. To access the Symantec Web Gateway Trialware site, on the Internet, go to the following URL: http://www.symantec.com/business/products/trialware.jsp?pcid=pcat_security&pvid=web_gateway_1
Ensure that you put all of the virtual image files in the same directory.
Step 3
Do the following tasks to prepare your virtual machine:
Add the VMware LAN network virtual switches and configure their port properties. Each Symantec Web Gateway port that you use (management, WAN, LAN, and monitor) requires one unique virtual switch. See About adding the VMware LAN Network virtual switches on page 64.
Configure the default VMware virtual switch. See About configuring the VMware virtual switch on page 63.
Step 4
Deploy the OVF template.
Step 5
You can set the memory reservation in vSphere in the Resources > Memory > Reservation settings. See System requirements for Symantec Web Gateway Virtual Edition on page 62.
Configure virtual network adapters.
Adapter 2: WAN - WAN network
Adapter 3: LAN - LAN network
Adapter 4: Monitor - Span/tap network
Installing Symantec Web Gateway virtual edition System requirements for Symantec Web Gateway Virtual Edition
For more information about how to perform the tasks or navigate to the settings that are described in Table 4-2, consult your vSphere documentation.
System requirements for Symantec Web Gateway Virtual Edition
Minimum for production environment
90 GB (thick provisioned format)
The memory requirement is based on your network configuration mode, as follows:
Port span/tap mode: 4 GB
Inline mode: 4 GB
Proxy mode: 8 GB
Inline + proxy mode: 8 GB
CIU mode: 4 GB
CPUs
Table 4-4 lists the system requirements for the host.
Table 4-4 System requirements for the ESX/ESXi host
Requirement: Minimum for production environment
VMware ESX Server or VMware ESXi Server: Version 4.0 or 4.1
CPU type: 64-bit
CPUs (includes Hyper-Threading): 2
CPU speed
Hardware virtualization
Disk space
Installing Symantec Web Gateway virtual edition About configuring the VMware virtual switch
System requirements for the ESX/ESXi host (continued)
The memory requirement is based on your network configuration mode, as follows:
Port span/tap mode: 4 GB
Inline mode: 4 GB
Proxy mode: 8 GB
Inline + proxy mode: 8 GB
CIU mode: 4 GB
Physical NICs
Port span/tap mode: 2
Inline mode: 3
Proxy mode: 2
Inline + proxy mode: 3
CIU mode: 1
For any property that Table 4-5 does not specify, use the default value.
Installing Symantec Web Gateway virtual edition About adding the VMware LAN Network virtual switches
For more information about how to configure port properties, refer to your vSphere documentation. After you configure the VMware virtual switch, map the virtual switches to your network the same as you would for a non-virtual installation. See Port connections for typical network configurations on page 18.
Figure 4-1 (diagram labels: VMware ESX, Virtual Symantec Web Gateway, Network Adapters 1 to 4, Virtual Switches, LAN Port, Monitor Port)
Table 4-6 describes the values that you should use in vSphere when you create a LAN Network virtual switch.
Table 4-6
Property
Connection Type
VLAN ID
Promiscuous Mode
Failback
Notify Switches
For any property that Table 4-6 does not specify, use any value. For more information about how to add a VMware LAN Network virtual switch and configure port property settings, refer to your vSphere documentation.
After you configure the VMware LAN virtual switch, map the virtual switches to your network the same as you would for a non-virtual installation. See Port connections for typical network configurations on page 18.