TMG and Symantec DLP web filter

Similar Messages

• ICAP URL for Symantec DLP Web Prevent?

  Does anyone know the ICAP URL to use in the S370 for sending data to a Symantec Network Prevent for Web service?

  This is working for us now.
  The ICAP DLP server entry in our Ironports looks like this for us.
  : 1344, icap://:1344/reqmod
  We are using S370's talking to Symantec Network Prevent Web virtual servers for DLP inspection.
  Thanks,
     Chris

• Symantec web filter cloud server with wccp

  Hi All,
  My web filter is now from symantec cloud.  Which I created a vm windows 2008 r2 and install the client site proxy.  So all user now are using proxy settings on that local server IP with the port 3128.  
  Is it possible to make that server connect to wccp on cisco asa 5515x?  It's annoying to have proxy settings especially on smart phones.  I don't know if symantec have a linux CSP version, maybe wccp will work fine with a linux server.
  Thanks and more power.

  Hello Phillipe,
  Yes, You nail it down.
  With this Setup the asa is going to generate a Router ID and Just like OSPF is going to use the higher Ip . In this scenarios should use the interface where the Iron port is. But sometimes the higher is the outside interface ( public one) so we are going to have an issue and there is no solution . The Iron Ports servers can handle this. Other than those ones cannot.
  Just like OSPF is going to use the higher Ip as the Router Identifier so when he SENDS the packets to the server is going to send it with the wrong ip
  Regards

• Best Web Filter and Application control for K-12 School using Chromebooks

  Sophos UTM has good education pricing and provides all this and a lot more
  Wil replace the firewall and has excellent web filtering and application control
  Also nice features for education like allowing google apps but limiting to your google domain

  We are currently using Barracuda Web Filter (410) with a Watchguard firewall. This school year we are launching Google for Education with 160 Chromebooks to start the program.
  We need to upgrade our webfilter and are considering another Barracuda as well as Litespeed, Websense and perhaps OpenDNS. 
  is there anyone who is in a similar situation that has some recommendation?
  Here are a few more details:
  School is 900+ students
  300 wired workstations
  Active directory environment
  Ruckus Wireless with 30+ access points
  This topic first appeared in the Spiceworks Community

• Wireless and web filter

  On our campus, we have k-12 that use our network.
  We have 4 WiSM and 4 4404 controllers.   Wireless network requires to go through Cisco NAC system.   Now, this "high school" need to have their wireless network to go through 8e6 R3000 network filtering appliances.   We already set up separate SSID for university and high school.  SSID are broaadcast all over the campus.
  Is anyone have experience in traffic routing with Cisco Wireless (Lwapp), Cisco NAC, and 8e6 R3000 Enterprise filtering.
  My manager recommend this:
  The most appropriate and simplest setup is to run the device in "Invisible" mode -- packets are mirrored to the filter.  I believe this is how things are currently set up (correct me if I'm wrong), so configuration changes associated with a physical relocation should not be drastic.  Requirements for this change beyond racking the unit in a different location include:  assigning a new management IP, changing the synchronization setup on Source/Target units, definition of subnets/VLANs to monitor (depends on current filtering config) and switch configuration to push traffic to the device.  (Corrections to this list are welcome
  Your thought on this?

  Have you considered Cisco Mobility Express?
  AP521s controlled by WLC526.  Multiple access (SSIDs and VLANS) with Web Page authentication for clients.
  http://www.cisco.com/cisco/web/solutions/small_business/products/wireless/index.html
  The Cisco Partner Reseller Helpline can help convert Business requirements into Product SKUs as well...
  https://www.myciscocommunity.com/docs/DOC-1377

• What is a web filter and why is it prevetning me from using firefox?

  Firefox allows me to search on google but as soon as i click the next link/to go on the page i want is doesnt work. Instead it talks about a web filter saying that the page i tried to visit could not be checked by web filter. This also happens when i use internet explorer. How do i fix this?

  A web filter can be a piece of software installed on your computer, or on a network you are connected to that checks the content of the sites you are trying to visit. Talk to the owner of the network you are trying use, or the owner of the computer.
  It's also possible you have malware, try scanning for malware with the directions at [[Troubleshoot Firefox issues caused by malware]]

• How to get user 'logged in' to ironport web filter without launching IE

  We have an issue with some employees who use third party programs that traverse the Internet.  These programs are 100% allowed by the organization as they are required for day to day business.  Some programs go over the Internet to communicate for certain reasons, such as a live chat help support, or ordering products, etc..
  The problem is that some of these users log in and never even touch Internet Explorer for awhile.  They will go on and start working right away.  Well if they don't try to access an Internet site via IE, then the Ironport does not 'log them in', and they are known as unauthenticated.  Of course this doesn't happen with everyone.  There's nothing wrong with people coming in a little early and checking the local news online.
  We were thinking up if it's possible to have each user 'touch' the ironport web filter in some way during a logon script, unbeknown to the end user, so that they are 'signed in' and whatever Internet connected application they launch has access through to the Internet.  Right now they need to at least launch IE and go to some site (say Google or MSN) and via NTLM credentials transparently passed through IE7, 8 or 9, they can simply close the page and go about their business.  Note: they MUST go to an external site.... not an internally hosted one (such as our Intranet, time clock or HR self service pages).
  So is there any commands we can put in via kix or bat or something that will say "Hey Ironport, %username% just logged in at 10.x.x.x".  Then maybe to make it more advanced, a logoff script that says "Hey Ironport, %username% just logged OFF of 10.x.x.x".  This way when our hourly timeout happens, they aren't immediately booted from their Internet applications (if they don't keep an IE window open that is).
  Right now our ASA Firewall uses WCCP to forward port 80 to the ironport web filter.  The Ironport is a transparent proxy.
  Thanks!

  So it looks like you are moving the authentication from the Ironport S160 to the ASA5500 series firewall?
  I guess we are looking at something simpler, like a way to 'touch' the internet and pass NTLM credentials, because then the Ironport knows who the user is.
  If the user does not 'touch' the internet with IE, and say they use some other program that does not pass NTLM credentials (say Firefox or live chat program, or an ftp program, etc...) They are likely to be blocked, because the Ironport doesn't know who they are.
  Your link seems to lead to a complicated setup for something that seems so simple.  I'm not sure how that relates to an Ironport S160.. it seems to focus on the ASA5500. Also we want it to be completely 100% transparent to the end user.
  This is how it worked with a Barracuda web filter appliance...
  A DCAgent program sat on each domain controller. As users logged in or out of the domain, this agent passed this current activity to the Barracuda web filter appliance.
  The Barracuda appliance knew exactly who was logged in because of this little program on the domain controller(s) that kept it updated. Based on this, policies could be assigned based on Active Directory group memberships. ie) HR and Marketing can access Facebook, while others cannot.
  I guess I'm looking for similar functionality with the Ironport S160. If there's any way the domain controller, or even the client PC can say "Hey Ironport, %username% is logged on here at %ip_address%". That way the Ironport would know who they are, and there would be no unnecessary authentication boxes (besides the user logging into the windows domain). They could use internet connected apps that do not pass NTLM authentication. I guess the client PC or the domain controller would also have to tell the IronPort when they signed off, just so we don't have to deal with authentication timeouts. This way, say they are in our internet chat help program... after an hour, it will cut out and disconnect them - because the IronPort forgets who they are (unless they are actively using the internet with IE).
  So for now, we just use the bypass option for the affected internet services.  The default browser is IE, so the reality is that we are not suffering any tremendous inconvienence.  It's just that we want to ensure we have the best robust solution, and we can handle these types of situations with programs other than IE accessing internet resources.

• After ios5 upgrade cant get out to the internet via wireless, it wont  get past our Smart Filter (web filter)

  I just upgraded my 3GS to IOS5, and now at work when i am connected to our WiFi I can no longer get out to the internet.
  A little back story on how it worked prior to ios5:
  I would connect via wireless, and then load Safari and type in a webpage I wanted to go to.  A pop up box would come up, to authenticate me on our Web filter server (Running Smartfilter), I woudl enter my regular Active Directory username and Password and boom, i could then surf to my hearts content.
  After the upgrade, I connect to the wireless, load Safari, type in the webpage i want to go to, and the progress bar moves abotu 3mm and then stops, I never get the smart filter prompt.
  I have tried a full reset on the phone, forget network, reset all network settings, I even tried putting in the IP address of the smart filter box as a proxy and still it doesnt work.  I have gone to smartfilters website to see if anyone else has posted there, or if there was a clue as to why it doesnt work, but nothing so far.
  anyone else having this problem? any ideas?
  If it wasnt broken, why would apple mess with it!  a LOT of companies run smartfilter as well as other web filters.  I thought apple was trying to seduce corporate customers, and so far a lot of poeple are dissapointed that they cant get to the internet.
  tha
  nks in advance for any assistance.
  j

  I am having the same problem.  The issue also occurs with Safari on Mac OS 10.7.  I work for a school and I am sure that other schools are using smartfilter too.

• Problem with my company's web filter, Barracuda when I try to access the internet

  I'm having problems accessing the internet on my tour.  Ever since my company put me on their BlackBerry Enterprise Server it appears that when accessing certain web sites the Barracuda web filter comes on.  It's so frustrating... on top of it my company doesn't pay for my phone at all.  Therefore, I do use my BlackBerry for personal as well as business. 
  I spoke with the IT guy and he initially thought it was the Desktop Software I downloaded to my computer, but we have uninstalled it and re-booted my phone and it's still happening.  I called Verizon Wireless and they tell me that it's because I'm on the company's enterprise server and that I am tied to their internet service and that's why I'm getting the Barracuda access denied on certain sites that they have restricted.  I am incredibly frustrated and don't know what to do...  I want to stay on their server because of the push email and the synchronization  for all my contacts and calendar.  Any help is much appreciated...
  Thanks.
  TinaMarie

  mabbas wrote:
  The blackberries are designed to send everything through the corporate network, when using an Enterprise Server.
  Hi and Welcome to the Forums!
  Just to be sure that this is clear -- they are not "designed" as you state...rather, the BES admins can force all Internet traffic through BES (and thereby apply filters) or they can allow it to go direct through the carrier network. The IT Policy placed onto the device at BES activation is in control of how the traffic flows.
  Cheers!
  Occam's Razor nearly always applies when troubleshooting technology issues!
  If anyone has been helpful to you, please show your appreciation by clicking the button inside of their post. Please click here and read, along with the threads to which it links, for helpful information to guide you as you proceed. I always recommend that you treat your BlackBerry like any other computing device, including using a regular backup schedule...click here for an article with instructions.
  Join our BBM Channels
  BSCF General Channel
  PIN: C0001B7B4   Display/Scan Bar Code
  Knowledge Base Updates
  PIN: C0005A9AA   Display/Scan Bar Code

• Common headers and footers in web applications

  I want to include common headers and footers in all web applications. I do not want to include the header/footer in each application WAR file. I've tried to follow Orion's tutorial for building a response filter, and I get it working to the point that the header and footer show up on the page, but no other content shows up.
  Has anyone used filters to include static headers and footers in web applications?
  And is there an easier way to do this, that I'm not seeing??

  Hi Anu,
  I have already gone through the document. In that i dint find anything related to headers and footers.Only thing that is available is sorting the dimension headers.
  Please let me know if you have any other info regarding this.
  Thanks & Regards
  Ambica Atluri

• ISE and Symantec SEP 11 Interworkering Question

  Hi guys,
  I have a question about ISE and Symantec SEP 11.
  In my customer envrionment, they want to build a wireless byod work place.  But the endpoints are installed SEP software.
  Do you know the workflow for the SEP, when it check the system is not secrity then put my endpoints to the guest VLAN.
  In my opinion, the endpoints should authenticationed and authorized by ISE first.
  Then, the endpoints should connect to internet successfully.
  Now, if the endpoints using SEP software to check the system status.
  What should the SEP do if the system is not safe?
  Is the SEP return a signal to Switch, let it change the Vlan configuration of the interface to the Guest Vlan ?
  But this action will cause the AP disconnect to the WLC, and makes all the clients which is connect to this AP is disconnect.
  Somebody knows it ?
  Thank you !

  HI Chetan,
  Thanks for your reply.
  I've search the SEP web site and found some work flow. And I combine them to my environment.
  I'm not sure it's right, the flow is:
  1. Client computer connects and send logon through EAP.
  2. The WLC forwards the user name and passwrod to the LAN Enforcer.
  3. The LAN Enforcer forwards the username and password to the ISE server.
  4. The ISE server generates and EAP challenge.
  5. The LAN Enforcer receives the EAP challenge and adds the Host Integrity check.
  6. The LAN Enforcer checks the Host Integrity results and forwards them to the ISE server.
  7. The ISE server performs EAP authentication and sends the result to the LAN Enforcer.
  8. The LAN Enforcer receives the authenticaiton result and forwards it and the action to take to the WLC.
  9. If the client passes the EAP and Host Integrity challenges, the WLC allows network access.
  But when i configure the WLC, the RADIUS server address is the ISE server ip address. That means WLC forwards the username and password to the ISE server directly, and it will not through to the LAN Enforcer.
  So this is very confused me.
  Do you know why?
  Thank you !
  Regards,
  Yuxiang.

• Uploading a text file from webi filter area as part of the query condition

  Post Author: balasura
  CA Forum: Publishing
  Requirement : Uploading a text file from webi filter area as part of the query condition Hi, I am in a serious requirement which I am not sure available in BO XI. Can some one help me plz. I am using BO XI R2, webi I am generating a ad-hoc report, when I want to give a filter condition for a report, the condition should be uploaded from a .txt file. In the current scenario we have LOV, but LOV could hold only a small number of value, my requirement is just like a lov but the list of values will be available in a text file ( which could number to 2000 or 2500 rows). I would like to upload this 2500 values in the form of a flat text file to make a query and genrate report. Is it possible in BO XI? For Eg:- Select * from Shipment Where u201CShipment id = u2018SC4539u2019 or Shipment id = u2018SC4598u2019u201D The u201Cwhereu201D condition (filter) which has shipment id will be available in a text file and it needs to be loaded in the form of .txt file so that it will be part of the filter condition. Content of a .txt file could be this shipment.txt =============== SC4539 sc2034 SC2343 SC3892 . . . . etc upto 2500 shipment Ids I will be very glad if some could provide me a solution. Thanks in advance. - Bala

  Hi Ron,
     This User does not have the access to Tcode ST01.
     The user executed Tcode SU53 immediately following the authorization failure to see the authorization objects. The 'Authorization obj' is blank and under the Description it has 'The last Authorization check was successful' with green tick mark.
    Any further suggestions, PLEASE.
  Thanks.

• Firefox with my mac is not letting me pinch and close to zoom in and out on web pages

  firefox will not allow me to use my track pad to pinch and close to zoom in and out on web pages

  Some gestures have been removed in Firefox 4+ versions.
  You can restore the zoom feature by changing the values of the related prefs on the <b>about:config</b> page.
  * browser.gesture.pinch.in -> <b>cmd_fullZoomReduce</b>
  * browser.gesture.pinch.in.shift -> <b>cmd_fullZoomReset</b>
  * browser.gesture.pinch.out -> <b>cmd_fullZoomEnlarge</b>
  * browser.gesture.pinch.out.shift -> <b>cmd_fullZoomReset</b>
  * browser.gesture.pinch.latched -> <b>false</b>
  To open the <i>about:config</i> page, type <b>about:config</b> in the location (address) bar and press the "<i>Enter</i>" key, just like you type the url of a website to open a website.<br />
  If you see a warning then you can confirm that you want to access that page.<br />
  *Use the Filter bar at to top of the about:config page to locate a preference more easily.
  *Preferences that have been modified show as bold (user set).
  *Preferences can be reset to the default via the right-click context menu if they are user set
  *Preferences can be changed via the right-click context menu: Modify (String or Integer) or Toggle (Boolean)

• Web Filter Recommendations

  Hi All,I have a couple of computers that are in need of some kind of web filtering. They run 24/7 and are out in the boonies somewhere where the nights are long and boring. Thus the night shift likes to surf the web to pass the time. This is causing issues, such as a crypto locker variant that has now rendered one of the machines useless. This is costing money as operating out there without a computer causes major production problems. To that end, I am looking for a web filter that I can use on these machines that wont necessarily require a huge amount of trial and testing, talking to sales people, getting quotes, etc. While an enterprise solution would be nice, for now I just need to put something on these 2 machines, quickly and relatively inexpensively that will allow me to block traffic to all web sites except those deemed...
  This topic first appeared in the Spiceworks Community

  Josh,
  I have 10,000 wireless devices. I call BS. You are right some vendor / dept yelled loud enough .. I feel for you.. It will be a up hill battle.
  I would do this . Create a standard that will get most devices to conform to. Some older medical devices wont be able to do AES. So you may be stuck with a WPA/TKIP security.
  Good luck .. hit me up on my blog my80211.com if you have specific questions. Ill see what I can do to help .. We likely run the same equipment and apps and have good relationships with some of the vendors.
  "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
  ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

• BM access rule and port for Web Manager

  The Netware Webacess and the Netware Web Manager is working fine
  internally. What are the ports to open and the rules to create on the
  Border Manager so it can be access froum outside. How to configure the BM
  Omar

  In article <MLMqe.411$[email protected]>, wrote:
  > The Netware Webacess and the Netware Web Manager is working fine
  > internally. What are the ports to open and the rules to create on the
  > Border Manager so it can be access froum outside. How to configure the BM
  >
  WebAccess just (normally) wants port 80. You can static NAT it, or reverse
  proxy it through BMgr. Older versions of BMgr (3.6 or earlier) put in
  default filter exceptions for reverse proxy (both port 80 and 443), but
  later versions require you to add your own filter exceptions.
  NetWare Web Manager - do you mean for Novonyz Web Server? If so, the port
  used depends on what you configured for it. You could use static NAT, or
  generic tcp proxy, or (I think) reverse proxy for whatever port Web Manager
  is using. Newer web manager for Apache uses port 2200, I think.
  Craig Johnson
  Novell Support Connection SysOp
  *** For a current patch list, tips, handy files and books on
  BorderManager, go to http://www.craigjconsulting.com ***