Overly restrictive Web filtering

During the day, I'm connected to the Internet behind a very restrictive content filtering appliance. I'd like the ability to simply check my .Mac email and my GMail accounts during lunch, but those sites are blocked.
What I'm envisioning is using a Web browser at my office (MSIE or Firefox) to connect to a server at my home on port 80 or 443. (Obviously, I'd like my home server to require some kind of authentication to prevent abuse, etc.) My home server would fetch content on my behalf from these other services on whatever ports are necessary (probably 80, 443, etc.) and funnel them back to me.
I think the answer to my question lies in running my own proxy server at home, but I'm not sure of what my options are. Has anybody out there done something similar to this? I'm hoping for some starting points at the very least.... Thanks!

Can you get away with whitelisting just the IP addresses and/or websites that your users need to visit? If so, you can probably use just your ASA. Otherwise you're going to want a good web filtering/proxy solution. Check out IronPort, Webwasher, Blue Coat, SurfControl, or even Squid (open source.)
You can also tie the ASA directly into a filtering product like WebSense, check out the ASA documentation.
When deploying a web filtering product you can either go "inline" or transparent by using WCCP redirection, but I'd suggest against it, since it breaks normal web browser behavior. A better option is to use WPAD (web proxy auto-detect) and have your browsers point to and/or be explicitly configured to use the proxy.

Similar Messages

  • Can Cisco connect be used for small business web filtering?

    I am searching for a web filtering solution for our small church.  The core requirement is to use a hardware-based solution to filter all internet traffic.  Our current wiring looks like this: [ISP router] --> [switch] --> [Open Mesh wireless access points].  Can I connect a Linksys EA2700/3500/4500/6500 between the [ISP router] and the [Switch], disable the Linksys wireless, and use Cisco Connect to filter all the internet traffic?
    More info: We will only have a handful of wired/wireless devices which we have control over.  We expect most of the rest of the traffic to be generally outside our control via personally owned devices connecting thru the public wifi.  Therefore any solution which requires installation of software on individual devices will not work.
    (If there are other threads on this topic I'd be more than happy to read them, I just couldn't find any.)
    Thanks!!

    Hey
    check this article:
    http://www.oracle.com/technology/pub/articles/cunningham-database-xe.html
    Regards

  • DirectAccess 2012R2 - Web Filtering

    I have a need to do web filtering (I think). What I have is an external web site (not Corpnet) that can only be accessed from a Corpnet IP address range. Based on this, when I go to that web site Split Tunneling sends the traffic down the client side ISP, and not down the Corpnet side. Since the web site will only allow connects from certain IP address ranges I need that traffic to go down the Corpnet route. I would like to keep Split Tunneling turned on. I did find this article (http://www.concurrency.com/infrastructure/web-filtering-for-directaccess-users-55/), but it deals with TMG and I'm not sure how to move that over to Windows 2012 R2 DA. Can someone help me with this?
    Thanks,
    Ken ...
    Ken Lutz - Spokane County

    Hello,
    You can try a specific Naming Resolution Policy in an additional GPO for your DirectAccess client based on the FQDN of your website.
    This will add the website into the NRPT tables and when your client will try to connect to it, the request will be sent to the DirectAccess infrastructure instead of the ISP.
    Gerald

  • How to restrict the filters' interaction between two (or more) dashboard pages?

    Hello,
    I work in OBIEE 10.1.3. and I don't have a lot of experience with this product.
    I have a problem with report filters’ interaction between dashboard pages. I have created two pages in one dashboard and I navigate from page 1 to page 2. Reports from page 2 have more restrictive data filters (for example, Fiscal Month = Current Month & Fiscal Year = Current Year) than reports from page 1 (Fiscal Month <= Current Month & Fiscal Year = Current Year). If I start from the page 1 and then navigate to the page 2 by clicking on the column that is used for navigation all reports on both pages work fine. However, when I return to page 1 (by clicking on the page name) the data in the reports there is skewed, displaying only the data for Fiscal Month = Current Month. I checked the reports filters and they all get reset from (Fiscal Month <= Current Month) to (Fiscal Month = Current Month). I tried to resolve this by changing filters back to what they were, saving the report, and starting over, but it does not help.
    If anyone knows the solution for my problem, please respond to my post.
    Thank you,

    You can use this workaround:
    Page1: Fiscal Month : CASE WHEN 1=1 THEN 'Fiscal Month' END
    Make this field as 'is prompted' for all the reports in page1.
    For Page2:
    Fiscal Month : CASE WHEN 2=2 THEN 'Fiscal Month' END
    Make this field as 'is prompted' for all the reports in page2.
    This way OBIEE will treat them as two separate fields and the filters will not be messed up.

  • Bizarre VPN behavior with Cymphonix Web Filtering Device

    We just purchased some Cymphonix web filtering devices.  These devices sit in-line (as a bridge) on the way from our internal network to the inside interface of our failover pair of 5520 ASAs.  The ASAs are active/passive, single context.  The software rev is 8.4(2).
    We run about 320 site-to-site VPNs as well as AnyConnect VPNs to our ASAs.  When I brought the Cymphonix devices in-line, all appeared to be working.  Traffic was flowing out to the internet from our internal network.  I was seeing stats and analysis from the Cymphonix device.  However, after a few minutes, almost all of our VPNs went down (both site-to-site and AnyConnect).  Traffic from the internal network to the internet was still working fine.  When I tried to re-establish an AnyConnect VPN using my laptop on an outside connection, it failed.  The message said the ASA "rejected" the connection.  I turned up some debug on the ASA and got messages that included text like "internal error".  Once I cabled the inside of the ASA directly back to the switch instead of going through the Cymphonix (and rebooted the ASA, just to be safe), the VPNs came back up.
    I'm scratching my head, to put it mildly.  A VPN is negotiated to the ASA.  The traffic involved in establishing and maintaining the VPN will never see the Cymphonix box because the ASA processes it and it goes no further.  So, how can connecting something to the inside interface of the ASA cause the VPNs to crumble?  I should be able to connect anything I want or nothing at all to the inside of the ASA and it shouldn't matter one bit to the health of the VPNs.  Here's another twist:  all of the traffic that comes out of those site-to-site VPNs is delivered to an interface other than the inside (traffic from our customers is delivered to an isolated part of our network).  So the inside interface is even more "uninvolved" in those site-to-site VPNs.
    Traffic from the internal network out to the internet was flowing fine.  Basic functionality was fine.  Since I first tried this, I've wondered if I should have used a cross-over cable, but I find that hard to accept as a problem.  How could non-VPN traffic be working fine out to the internet if I needed a cross-over cable?  I'm reasonably certain the interfaces on the ASA are supposed to support auto-MDIX anyway.
    Anybody have an idea of where to start on this one?
    Thanks
    Patrick

    Hi Patrick,
    I appreciate that you seek help here but assumptions alone won't bring anyone any further.
    To help us to help you: include the debugs, I mean more details than "some debug included the message internal error"
    Give us details (sanitize usernames, passwords, public addresses) and logs resp. debug output.
    Networks are deterministic, the art is to understand how things are determined.
    Regards,
    MiKa

  • Make WSUS accessible over the web

    We're in the process of deploying WSUS on Windows 2012 R2 in our environment and I have a question regarding access over the web...  I would like to provide clients with the ability to access the update server regardless of being connected to the company internal network.  I see that the standard GPO settings call for following, and in our lab it is working fine.  On the same internal network.
    Computer Configuration, Policies, Administrative Templates, Windows Components, Windows Update
    Specify intranet Microsoft update service location
    Set the intranet update service for detection updates:
    http://serverhostname:5830
    Set the intranet statistics server: http://serverhostname:5830
    So, If I wanted to change this to HTTPS and make it accessible over the web, based on my experience with Windows Server the steps would look something like this:
    1. Create Internal and external DNS record that will resolve the internal IP address of the WSUS server and the External IP address of the WSUS server.  wsus.domain.com for example.
    2. Purchase a Godaddy or competing certificate from a public store and install it for the default site in IIS. Configure HTTPS bindings to answer on port 5830.
    3. Configure GPO mentioned above to utilize
    https://wsus.domain.com:5830
    ~~~~~~~~~~~~~~~~~
    Seems pretty straight forward.. However I am wondering if this configuration is supported, recommended, or if anyone else out there has it configured in this way? Our deployment will service approximately 300 workstations from a single installation at our
    datacenter. Any insight or recommendations would be greatly appreciated. Thank you!
    Adam Tyler / [email protected]

    Specify intranet Microsoft update service location
    Set the intranet update service for detection updates:
    http://serverhostname:5830
    Set the intranet statistics server: http://serverhostname:5830
    Actually it's port 8530.
    So, If I wanted to change this to HTTPS and make it accessible over the web, based on my experience with Windows Server the steps would look something like this:
    1. Create Internal and external DNS record that will resolve the internal IP address of the WSUS server and the External IP address of the WSUS server.  wsus.domain.com for example.
    2. Purchase a Godaddy or competing certificate from a public store and install it for the default site in IIS. Configure HTTPS bindings to answer on port 5830.
    3. Configure GPO mentioned above to utilize
    https://wsus.domain.com:5830
    ~~~~~~~~~~~~~~~~~
    Seems pretty straight forward..
    That part is, yes. :)
    However I am wondering if this configuration is supported, recommended, or if anyone else out there has it configured in this way?
    It's not supported. It's not recommended, as described, although you're well on your way. And, the real kicker.. strictly speaking, it's not licensed for use in that manner. Let me e'splain why.
    The licensing for WSUS restricts its use to only clients that are licensed to the entity operating the WSUS server. As such client identity is a key component of strict licensing compliance.
    While Server-Side SSL certainly ensures the client only connects to an authorized server, it does not identify the client, nor restrict the client by known identity, and it wouldn't even prevent an unauthorized client from accessing that server -- all that's needed is a copy of the CER. So there's that, which is probably not a deal killer, even considering the strictest interpretation of the licensing, because the risk is fairly low, and MS really isn't going to chase you down because you *might* be capable of offering services to unlicensed client systems.
    Here's the real risk: Access to the SSL certificate would also permit a rogue downstream server to dump your complete collection of updates, groups, and approvals to itself, effectively giving the operator of that rogue server information about what security updates are approved, and when they were approved, but also which updates are NOT approved -- which offers up some sensitive information about existing vulnerabilities in those workstations. In effect, security of the public certificate becomes paramount.
    More significantly, someone using the API can dig out even more sensitive information about client computers, actual installations, etc. without even setting up a WSUS server, all they need is a working API installation (which can be done on any desktop operating system).
    SSL is definitely the minimum requirement for this type of deployment, but in conjunction with making the client services available via SSL, you'll also want to BLOCK access to /DssAuthWebService, /ServerSyncWebService, and /ApiRemoting30 via the firewall.
    Blocking /ApiRemoting30 is fairly straightforward as it requires an authenticated connection anyway, so mostly that's a matter of properly securing the server logons, but downstream server sync is anonymous by default, so you'll want to configure required authentication for downstream servers. You won't have any, of course, but that will also preclude the possibility of any. Configuring DSS Authentication is discussed in the WSUS Deployment Guide in TechNet.
    Having said all of that, the conventional way in which WSUS services have been made available to Internet-based clients is via VPN using a replica server without a content store. VPN-based clients get approvals from the replica WSUS server, but then download content direct from Microsoft. Client installs updates when downloads are complete.
    VPN is a headache for a lot of orgs, though, and it requires active participation on the part of the computer user, which sometimes impedes successful deployment of updates in a timely manner.
    The ideal methodology, but also a PITA to set up, would be to access that WSUS server via an IPSec-encrypted Direct Access connection. This eliminates the end-user from the process, and ensures client identity through IPSec/DA authentication.
    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.
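
One way to confirm from the IIS logs that the firewall block recommended in the answer above is holding, added here as an example and not part of the original thread: any logged request from a non-internal address to /DssAuthWebService, /ServerSyncWebService or /ApiRemoting30 means the request got past the firewall. The log lines, the selected W3C fields, the internal address ranges and the function names are constructed assumptions.

```python
import ipaddress

# Paths the answer says must not be reachable from the Internet.
BLOCKED = ("/dssauthwebservice", "/serversyncwebservice", "/apiremoting30")

# Assumption: "internal" means RFC 1918 space plus loopback; adjust per site.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed IIS W3C sample. The second #Fields line models IIS writing a new
# header (with a different field selection) after a restart.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2015-03-02 10:00:01 POST /ClientWebService/client.asmx - 198.51.100.23 200
2015-03-02 10:02:10 POST /ApiRemoting30/WebService.asmx wsusadmin 10.1.2.30 200
2015-03-02 10:05:42 POST /ServerSyncWebService/ServerSyncWebService.asmx - 203.0.113.77 200
2015-03-02 10:05:43 POST /DssAuthWebService/DssAuthWebService.asmx - 203.0.113.77 200
2015-03-02 10:09:00 POST /apiremoting30/WebService.asmx - 198.51.100.9 401
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2015-03-02 11:30:00 203.0.113.77 POST /ServerSyncWebService/ServerSyncWebService.asmx 403
"""


def is_internal(addr):
    """True if addr parses as an IP inside one of INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unparsable source is treated as untrusted
    return any(ip in net for net in INTERNAL_NETS)


def parse_w3c(text):
    """Yield one dict per request line, keyed by the most recent #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) == len(fields):  # skip truncated or malformed lines
            yield dict(zip(fields, values))


def verdict(status):
    """Classify what the server did with a request that should never arrive."""
    if status.startswith("2"):
        return "served"       # endpoint answered: data may have left the server
    if status == "401":
        return "challenged"   # authentication demanded, but path is reachable
    return "refused"          # rejected by IIS, yet the firewall let it through


def find_exposed(text):
    """Return external requests to the server-sync and API endpoints."""
    findings = []
    for rec in parse_w3c(text):
        path = rec.get("cs-uri-stem", "").lower()  # IIS paths are case-insensitive
        client = rec.get("c-ip", "")
        hit = any(path == p or path.startswith(p + "/") for p in BLOCKED)
        if not hit or is_internal(client):
            continue
        findings.append({
            "when": rec.get("date", "") + " " + rec.get("time", ""),
            "client": client,
            "path": rec["cs-uri-stem"],
            "verdict": verdict(rec.get("sc-status", "")),
        })
    return findings


if __name__ == "__main__":
    for f in find_exposed(SAMPLE_LOG):
        print(f["when"], f["client"], f["path"], f["verdict"])
```

With the firewall rule in place this should return nothing; a "served" result on /ServerSyncWebService is the anonymous downstream sync the answer warns about.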

  • How can I set my WebI filters to Null and not Null

    Folks,
    I have created a report in WebI and now I am to set up some filters as Null and some Not Null.
    How can I set my WebI filters to Null and not Null?
    Regards,
    Bashir Awan

    Hi,
    As you said you could do it at the report level and also at the universe level.
    One more way is to create the filters in the universe level and add them in the query filter.
    Ex: in the filter you need to write :
    Column1 is null and column 2 is not null etc.
    Hope this will help.
    If this didn't solve your problem then please explain it in detail.
    Cheers,
    Ravichandra K

  • How do I access my external drive over the web with my iPhone. The drive is attached to my Time Machine.

    How do I access my external drive over the web with my iPhone. The drive is attached to my Time Machine. I am new to Apple and am trying to get all my stuff working together.

    This is not a supported feature of iPhone or Time Capsule.

  • Displaying report in .pdf format while Running oracle reports over the web

    I am running a report over the web via IE. I am using .pdf format as the file type. The problem I am facing is that the report comes out with a blank in acrobat reader if there are just one or two records - i.e. less than one pagefull. The report displays output only when there are more than one pagefull of records.
    Any explanation for this bizarre behavior and any suggestions?
    I will very much appreciate your help.
    Regards
    Prasad.

    in R12 I found 2 choices
    1) when submitting requests (if available) you can set the output format by using the Options button (upon completion section):
    layout --> format --> select format you need (RTF/HTML/EXCEL/PDF)
    2) in the request form (view->request) select the report you want to reprint in the Tools menu select print/republish, in the html page that pop up select output format you want, number of copies =1 submit
    www2p

  • Update to IOS 6 has been a nightmare. Facebook would allow me to save pictures unless I granted access to my foto album. Does this mean my pictures are going be planted all over the web? The safari keeps crashing and loading is slow.

    update to IOS 6 has been a nightmare. Facebook would allow me to save pictures unless I granted access to my foto album. Does this mean my pictures are going be planted all over the web? The safari keeps crashing and loading is slow. Most infuriating is that YouTube was deleted from my entertainment apps and I now have to pay for it if I want it back!! This is a bloody disgrace.

    Back up all data.
    Boot into Recovery by holding down the key combination command-R at the startup chime. Release the keys when you see a gray screen with a spinning dial.
    Note: You need an always-on Ethernet or Wi-Fi connection to the Internet to use Recovery. It won’t work with USB or PPPoE modems, or with proxy servers, or with networks that require a certificate for authentication.
    When the OS X Utilities screen appears, follow the prompts to reinstall the OS. You don't need to erase the boot volume, and you won't need your backup unless something goes wrong. If your Mac was upgraded from an older version of OS X, you’ll need the Apple ID and password you used to upgrade, so make a note of those before you begin.

  • ASA5505 WEB FILTERING

    Hi Experts,
    I am going to implement an ASA5505 in one of my offices. I would like to use web filtering feature on it.
    Will it cause any performance degradation in ASA? Will it utilize more memory?
    Thanks
    Vipin

    Hi,
    Web filtering with Websense or blocking certain sites using MPF? In either case, only an excessive amount of traffic will cause the CPU to go high. It is really hard to calculate the amount of CPU or memory that this process may take, but I am assuming only high amount of traffic could cause a degradation on the performance on the ASA.
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml
    Mike

  • New Web Filtering in iOS7

    Apple have introduced the Web Filtering option in iOS7, but there is little information out there explaining how this works.  Apart from being able to turn it on, and add whitelist or blacklist sites - is there any more?  How does Apple determine what content is blocked?  Are there categories?  Can we see them?  Can we control them?
    Without a bit more information on this feature and how it operates it's hard to trust it.
    Does anyone have any more information on this feature?

    Email?...just click on my Account....or directly to [email protected]
    Yes, we want to offer a service for customers that include a very secure server that's hosted on hosteurope.de included is a workspace for 5000min Video and a safe dedicated bandwidth up and down. Firstly there is no need to invest in new hardware or network infrastructure. The second is the security thing, we don't want the people to handle around with their open ports to the internet, because that's a huge risk for sensitive production environments because that might be an open door for hacker. You cannot ensure that there are always competent Admins on site.
    Also the access to the server is hardly to handle with a standard DSL-Connection. What is if 10 users want to watch the same clip? Do you have a upload of min 10mbit?
    And: Don't you need a management of the users?? The Integration sample has just none. I think that's recommended for a review application. Apart from that you can just upload 10 clips!?
    Another point is the fact we love in FCsvr, updated features and bugfixes do not need to install a new version locally. So we did a lot of thinking, and come to the conclusion that that's the best. So, in case of that services we cannot offer that for free. We decided to charge an annual fee.
    The online sample of RevApp is just to try a bit around, till end of november we want to include much more features.
    I am curious about that what eZ will release and how they handle the local installation and the user management...
    We are also very interested in People who have a critical look on our solution and help us to improve. Ideas of future features are also very welcome.
    So no offence at all, hope more people give us a feedback like you.
    Greetings Jan

  • Global Web Filtering Options

    I am looking for a global web filtering solution for our business but am having trouble finding a solution that will work acceptably for us globally.
    The problem is that our company has hundreds of very small offices (mostly only 2-3 users with the odd larger office) located in remote locations all around the world where WAN links are very expensive and slow.
    We use all small office type cisco routers in our remote offices of various types (such as 800 series) and are rolling out WAAS/WAVE solutions to optimise our slow WAN links as much as possible, and all sites have site-to-site VPNs from the routers to our UK-based data centres.
    Currently we use Websense configured on the local routers at a few of our offices with a regional server in places such as the UK for most of Europe, and Mobile for most of the US for example.
    We could expand this to all locations, including Australasia, Middle East, Far East and Africa etc. but due to the remote locations we would need many local servers in many countries as the infrastructure to have just one regional Websense server isn't good enough in these areas and web performance would be too slow to be useable due to the latency to the Websense server location. It simply isn't financially feasible to put in hundreds of servers at lots of 2-3 man offices in the middle of no-where so I've been looking at other options.
    I was hoping a hosted solution would be the answer, but I've looked at WebSense's hosted service and it doesn't appear to cover all regions (just has server farms in US/Europe which is no good for Africa etc.) I've also looked at Symantec MessageLabs but this has the same problem as there is no coverage in the Middle East/Asia/Africa etc and it proxies all web traffic so performance at these sites would probably be appalling with the limited bandwidth on top of the latency to the closest MessageLabs servers.
    I've now seen that Cisco have a new IOS Content Filter which uses Trend database servers. This sounded promising as it appears to cache the URL checks on the router making the server location less of an issue. But I'd still like to know where in the world they cover (I've seen reference to only 4 data centres globally). My other concern with this solution is whether it integrates into AD, so we can apply policies based on the user accounts like we do currently with the WebSense solution. The last thing is the price of this solution as it appears to be licensed based on the number of routers rather than the number of users. As our users are so spread out with only 2-3 users per router on average this is likely to mean for us this solution will be ridiculously expensive, can anyone advise if this is the case?
    My question therefore is can anyone advise on a solution for this that will work with our Cisco infrastructure in all our offices without having to purchase lots of servers for remote locations? I've seen that other vendors such as the Astaro Security Gateway have web filtering built into their products without the need for external servers, but I'd prefer to stick with Cisco if at all possible.
    Many thanks for any advice/help anyone can give me in this area.
    Paul

    Hi Paul,
    IOS Content filtering is licensed on a per router basis, you are right. So, probably that would not scale for you.
    Cisco has other solutions with Web Filtering and Ironport engines. The challenge in your setup is that each remote site would need to "call" to a central web filtering location that will be making the decision on allowing or no. Or you would need a service that scales well on a per continent basis. There are some new Cisco web filtering options that could scale with servers almost everywhere in the world. But I don't think you can get a concise answer from this forum about your potential choices here.
    Your local Cisco team will be able to provide you with these options. You are welcome to give them my email if they need to talk to me internally.
    I hope it helps a little.
    PK

  • Web Filtering / URL Filtering

    Dear All,
    I am looking forward to buy the cisco ASA Firewall with the below mentioned part number.
    ASA5525-SSD120-K9 kindly please let me know whether it supports WEB Filtering / URL Filtering.
    or do i need to go for any other model or license.
    Awaiting your quick responses as it is very urgent.
    Responses are highly appreciated..

    That's the hardware
    You also need a software subscription for the URL/web stuff/IPS
    Near the bottom of this page:  http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/data_sheet_c78-701659.html
    there is a chart with the options and part numbers.

  • Web Filtering Cisco ASA 5510

    Hello !
    I'm a network administrator, and I have been looking how to setup web filtering in a network, we are using cisco asa 5510 as a firewall and I have been looking for a way to block url such as facebook and streaming web sites since users are allowed to access to any website and they have been downloading stuff lately and I can't control the bandwidth!!
    What u guys recommend !
    Thanks

    Hi Neji,
    Here you have all the content security options available on the ASA. I think only the CX doesn't apply to your HW but the other options are available.
    Block URLs using Regular Expressions (Regex)
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml
    CSC module:
    http://www.cisco.com/en/US/products/ps6823/index.html
    How to enable the CSC module:
    http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ssm.html
    ASA CX module (ASA 5512,5525,5545,5545,5555)
    http://www.cisco.com/en/US/docs/security/asa/quick_start/cx/cx_qsg.html
    Scansafe:
    http://www.cisco.com/web/about/ac49/ac0/ac1/ac259/scansafe.html
    Configuration Cisco Cloud Web Security
    http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/protect_cloud_web_security.html#wp1559223
    Ironport:
    http://www.cisco.com/web/about/ac49/ac0/ac1/ac259/ironport.html
    How to integrate the ASA with Ironport (WCCP):
    https://supportforums.cisco.com/docs/DOC-12623
    HTH
    Luis Silva
    "If you need PDI (Planning, Design, Implement) assistance feel free to reach"
    http://www.cisco.com/web/partners/tools/pdihd.html
