LANCOM Systems GmbH Adenauerstr. 20/B2 52146 Würselen Germany E-Mail: info@lancom.eu LANCOM Content Filter Option Internet www.lancom.eu . . . c o n n e c t i n g y o u r b u s i n e s s LANCOM Content Filter Option 쮿 110756/0510 쮿 Handbuch Manual 110756_LC-OPTION-ContentFilter.i1 1 06.05.
LANCOM Content-Filter
© 2010 LANCOM Systems GmbH, Wuerselen (Germany). All rights reserved. While the information in this manual has been compiled with great care, it may not be deemed an assurance of product characteristics. LANCOM Systems shall be liable only to the degree specified in the terms of sale and delivery. The reproduction and distribution of the documentation and software supplied with this product and the use of its contents is subject to written authorization from LANCOM Systems.
LANCOM Content- Filter Preface Preface The LANCOM Content-Filter acts to filter out Internet websites with undesirable content. It enables you to allow or forbid access to certain website pages and to carry out checks on the content of an online server according to predefined categories. The use of the LANCOM Content-Filter Option may in certain countries be subject to certain restrictions by data-privacy laws or directives, and/or to company guidelines.
LANCOM Content- Filter Preface and contact addresses for LANCOM Support, please refer to the enclosed leaflet or the LANCOM Systems Web site. Information symbols EN 4 Very important instructions. Failure to observe these may result in damage. Important instruction that should be observed. Additional information that may be helpful but is not essential.
LANCOM Content- Filter Contents Contents 3 1.1 Prerequisites for installation 1.1.1 System requirements 1.1.2 Package content 1.1.3 Configuration computer with the Windows operating system 1.1.4 Up-to-date LANconfig 1.1.5 Up-to-date firmware in the LANCOM 3 3 3 1.2 Online registration 4 1.3 Activating the LANCOM Content-Filter Option 5 1.4 Checking the activation 6 2 Configuring the LANCOM Content Filter 2.1 Introduction 3 4 4 8 8 2.2 Requirements for using the LANCOM Content Filter 10 2.
LANCOM Content- Filter Contents EN 3 Advanced configuration of the LANCOM Content Filter with LANconfig 3.1 General settings 14 3.2 Settings for blocking 3.2.1 Block-Text 3.2.2 Error-Text 17 18 20 3.3 Override settings 3.3.1 Override text 21 23 3.4 Profiles in the LANCOM Content Filter 3.4.1 Profiles 3.4.2 Blacklist addresses (URL) 3.4.3 Whitelist addresses (URL) 3.4.4 Category-Profiles 25 25 28 29 30 3.5 Options with the LANCOM Content Filter 32 3.
LANCOM Content- Filter Chapter 1: Activating the LANCOM Content- Filter Option 1 Activating the LANCOM Content-Filter Option This brief chapter informs you how to activate the LANCOM Content-Filter Option on your LANCOM. Activation takes place in four steps: 햲 Ensuring that the prerequisites for installation are fulfilled EN 햳 Online registration 햴 Entry of the activating code 햵 Checking the activation 1.1 Prerequisites for installation 1.1.
LANCOM Content- Filter Chapter 1: Activating the LANCOM Content- Filter Option The computer must have access to the LANCOM device that is to be configured. Access may be via the LAN or via remote access. 1.1.4 Up- to-date LANconfig EN The latest version of LANconfig and LANmonitor are available for download from the LANCOM Systems homepage under www.lancom.eu/download/. We recommend that you update these programs before continuing to the installation. 1.1.
LANCOM Content- Filter Chapter 1: Activating the LANCOM Content- Filter Option Registration is anonymous and can be completed without specifying personal data. Any additional information may be of help to us in case of service and support. All information is of course treated in the strictest confidence. Online entry of registration information 햲 Start a web browser and access the LANCOM Systems web site under www.lancom.eu/routeroptions.
LANCOM Content- Filter Chapter 1: Activating the LANCOM Content- Filter Option When using the command line interface (e.g. Telnet), enter the command feature followed by the activation key: Feature EN 1.4 Please be aware that activating the LANCOM Content-Filter Option is valid only for a certain time period. You can have an e-mail sent to you in good time before the license expires (WEBconfig: LCOS menu tree Setup Config License expiry e-mail).
LANCOM Content- Filter EN Chapter 1: Activating the LANCOM Content- Filter Option If activation was successful, you can continue by configuring the LANCOM Content-Filter.
LANCOM Content Filter Chapter 2: Configuring the LANCOM Content Filter 2 Configuring the LANCOM Content Filter 2.1 Introduction EN The LANCOM Content Filter enables you to filter certain content from your network, so preventing access to Internet pages with content that is illegal, dangerous or offensive. It also enables you to stop private surfing on specific sites during working hours.
LANCOM Content Filter EN Chapter 2: Configuring the LANCOM Content Filter All settings relating to categories are stored in category profiles. You select from predefined main and sub-categories in the LANCOM Content Filter: 58 categories are divided into 14 subject groups such as “Pornography, Nudity", "Shopping" or "Illegal Activities". You can activate or deactivate each of the categories in these groups.
LANCOM Content Filter Chapter 2: Configuring the LANCOM Content Filter 2.2 Requirements for using the LANCOM Content Filter The following requirements must be met before you can use the LANCOM Content Filter: 쐃 The firewall must be activated and an appropriate firewall rule must select the content filter profile. EN 쐇 The content filter profile must specify a category profile and if desired a whitelist and or blacklist for each part of the day.
LANCOM Content Filter EN Chapter 2: Configuring the LANCOM Content Filter 쐋 Select one of the pre-defined security profiles (basic, work, parental control): Basic: This profile mainly blocks access to the categories pornography, illegal, violent or discriminatory content, drugs, SPAM and phishing Work: In addition to the settings for the basic profile, this profile also blocks the categories shopping, job search, gaming, music, radio and certain communications services such as chat.
LANCOM Content Filter Chapter 2: Configuring the LANCOM Content Filter A whitelist Three category profiles Firewall rule The preset firewall rule is named CONTENT-FILTER and uses the action object CONTENT-FILTER-BASIC. EN The firewall rule is not created automatically if the LANCOM Content Filter is installed on a device that has been configured already. The rule must be added manually. This firewall rule must include one of the action objects that are pre-defined for the Content Filter.
LANCOM Content Filter Chapter 2: Configuring the LANCOM Content Filter ALWAYS: 00.00-23.59 hrs NEVER: 00.00-0.00 hrs Blacklist The preset blacklist is named "MY-BLACKLIST" and it is empty. Here you can optionally enter URLs which are to be forbidden. EN Whitelist The preset whitelist is named "MY-WHITELIST" and it is empty. Here you can optionally enter URLs which are to be allowed. Category profiles There are three category profiles: BASIC-CATEGORIES, WORK-CATEGORIES and PARENTAL-CONTROL.
LANCOM Content Filter Chapter 3: Advanced configuration of the LANCOM Content Filter with LANconfig 3 Advanced configuration of the LANCOM Content Filter with LANconfig EN The program LANconfig contains a special menu to configure the content filter. 3.1 The operation of the LANCOM Content Filter may be restricted by your country's data protection regulations or by company guidelines. Please check any regulations that may apply before putting the system into operation.
LANCOM Content Filter EN Chapter 3: Advanced configuration of the LANCOM Content Filter with LANconfig LANconfig: Content-Filter General WEBconfig: LCOS menu tree Setup UTM Content-Filter GlobalSettings Operating This is where you can activate the LANCOM Content Filter. Action- on- Error: This is where you can determine what should happen when an error occurs.
LANCOM Content Filter Chapter 3: Advanced configuration of the LANCOM Content Filter with LANconfig Default: Block The users of the content filter are automatically removed from the user list when no connection has been made from the IP address concerned via the content filter for 24 hours. EN Action- on- License- Expiration: The license to use the LANCOM Content Filter is valid for a certain period.
LANCOM Content Filter Chapter 3: Advanced configuration of the LANCOM Content Filter with LANconfig 3000 milliseconds Special values: The value 0 means unlimited timeout. Values smaller than 100 milliseconds are not reasonable. Settings for blocking You adjust the website-blocking settings here: EN 3.
LANCOM Content Filter Chapter 3: Advanced configuration of the LANCOM Content Filter with LANconfig Alt. source IP for block URL: This is where you can configure an optional sender address to be used instead of the one that would normally be automatically selected for this target address. If you have configured loopback addresses you can specify them here as sender address.
LANCOM Content Filter Chapter 3: Advanced configuration of the LANCOM Content Filter with LANconfig Examples of the country code: de-DE: German-Germany de-CH: German-Switzerland de-AT: German-Austria en-GB: English-Great Britain en-US: English-USA The country code must match the browser language setting exactly, e,g, "de-DE" must be entered for German ("de" on its own is not sufficient).
LANCOM Content Filter Chapter 3: Advanced configuration of the LANCOM Content Filter with LANconfig adds a link for activating the override for a button for activating the override You can use a tag with attributes to display or hide parts of the HTML document: ... .
LANCOM Content Filter Chapter 3: Advanced configuration of the LANCOM Content Filter with LANconfig Language This item offers the same settings as described under ’Language’ →Page 18 above. Text Enter the text that you wish to use as error text for this language. Possible values: EN 254 alphanumerical characters Default: Blank Special values: You can also use HTML tags for the error text. The following empty element tags can be used as tag values: 3.
LANCOM Content Filter EN Chapter 3: Advanced configuration of the LANCOM Content Filter with LANconfig LANconfig: Content-Filter Override WEBconfig: LCOS menu tree Setup UTM Content-Filter GlobalSettings Override-Active This is where you can activate the override function and make further related settings. Override-Duration The override duration can be restricted here. When the period expires, any attempt to access the same domain and/or category will be blocked again.
LANCOM Content Filter Category: For the duration of the override, all URLs are allowed that fall under the affected categories (as well as those which would already have been allowed even without the override). Domain: For the duration of the override all URLs in this domain are allowed, irrespective of the categories they belong to. Category-and-Domain: For the duration of the override, all URLs are allowed that belong to this domain and also to the allowed categories.
LANCOM Content Filter Chapter 3: Advanced configuration of the LANCOM Content Filter with LANconfig Language This item offers the same settings as described under ’Language’ →Page 18 above. Text Enter the text that you wish to use as override text for this language. Possible values: EN 254 alphanumerical characters Default: Blank Special values: You can also use HTML tags for blocking text if you wish to display different pages depending on the reason why the website was blocked (e.g.
LANCOM Content Filter BOTH when the override type is "Category-and-Domain" and the override was successful ERROR when the override fails OK if either CATEGORY or DOMAIN or BOTH are applicable If several attributes are defined in one tag, the section should be displayed if at least one of these conditions is met. All tags and attributes can be abbreviated to the first two letters (e.g. CF-CA or CF-IF BL). This is necessary as the blocking text may only contain a maximum of 254 characters.
LANCOM Content Filter EN Chapter 3: Advanced configuration of the LANCOM Content Filter with LANconfig LANconfig: Content-Filter Profiles Profiles WEBconfig: LCOS menu tree Setup UTM Content-Filter Profiles Profiles Name The profile name that the firewall references must be specified here. Possible values: Name of a profile Default: Blank Timeframe Select the timeframe for this category profile and, optionally, the blacklist and the whitelist.
LANCOM Content Filter Chapter 3: Advanced configuration of the LANCOM Content Filter with LANconfig If timeframes overlap when multiple entries are used for a content filter profile, all pages contained in one of the active entries will be blocked for that period of time. If a period remains undefined when several entries are used for a content filter profile, access to all websites is unchecked for this period.
LANCOM Content Filter Chapter 3: Advanced configuration of the LANCOM Content Filter with LANconfig 3.4.2 Blacklist addresses (URL) EN This is where you can configure websites which are to be blocked. LANconfig: Content-Filter Profiles Blacklist addresses (URL) WEBconfig: LCOS menu tree Setup UTM Content-Filter Profiles Blacklists Name Enter the name of the blacklist for referencing from the content-filter profile.
LANCOM Content Filter Chapter 3: Advanced configuration of the LANCOM Content Filter with LANconfig suffix to the URL, e.g. www.mycompany.de/ . For this reason it is advisable to enter the URL as: www.mycompany.de* . Individual URLs are separated by a blank. Default: 3.4.3 EN Blank Whitelist addresses (URL) This is where you can configure websites to which access is to be allowed.
LANCOM Content Filter Chapter 3: Advanced configuration of the LANCOM Content Filter with LANconfig * for any combination of more than one character (e.g. www.lancom.* encompasses the websites www.lancom.de, www.lancom.eu, www.lancom.es, etc.) ? * for any one character (e.g. www.lancom.e* encompasses the websites www.lancom.eu, www.lancom.es) EN Please enter the URL without the leading http://.
LANCOM Content Filter Chapter 3: Advanced configuration of the LANCOM Content Filter with LANconfig Category profile The name of the category profile for referencing from the content-filter profile is entered here. Possible values: Blank Category settings For each main category and the associated sub-categories, it is possible to define whether the URLs are to be allowed, forbidden or allowed with override only.
LANCOM Content Filter EN Chapter 3: Advanced configuration of the LANCOM Content Filter with LANconfig The category profile must subsequently be assigned to a content-filter profile (together with a timeframe) to become active. Possible values: Allowed, forbidden, override Default: Allowed 3.5 Options with the LANCOM Content Filter This is where you can determine whether you wish to be notified of events and where LANCOM Content Filter information is to be stored.
LANCOM Content Filter EN Chapter 3: Advanced configuration of the LANCOM Content Filter with LANconfig LANconfig: Content-Filter Options WEBconfig: LCOS menu tree Setup UTM Content-Filter GlobalSettings Events: This is where you define how you wish to receive notification of specific events. Notification can be made by e-mail, SNMP or SYSLOG. You can specify that messages for different events should be output in different ways. Error: For SYSLOG: Source “System”, priority “Alarm”.
LANCOM Content Filter Chapter 3: Advanced configuration of the LANCOM Content Filter with LANconfig EN For SYSLOG: Source “Admin”, priority “Info”. Default: SNMP notification E- mail recipient: An SMTP client must be defined if you wish to use the e-mail notification function. You can use the client in the device, or another client of your choice. No e-mail will be sent if no e-mail recipient is defined,.
LANCOM Content Filter Chapter 3: Advanced configuration of the LANCOM Content Filter with LANconfig Day of month: For monthly snapshots, set the day of the month when the snapshot should be taken. Possible values: Max. 2 characters Default: EN 1 It is advisable to select a number between 1 and 28 in order to ensure that it occurs every month. Weekday: For weekly snapshots, set the day of the week when the snapshot should be taken.
LANCOM Content Filter EN Chapter 3: Advanced configuration of the LANCOM Content Filter with LANconfig The firewall rule should be limited to the target service “http” so that only outgoing HTTP connections are examined. Without this restriction all packets will be checked by the content filter, which could lead to a loss of system performance.
LANCOM Content Filter Chapter 3: Advanced configuration of the LANCOM Content Filter with LANconfig Example: When a web page is accessed, the data packets pass through the firewall and are processed by the rule CONTENT-FILTER. The action object CONTENT-FILTER-BASIC checks the data packets using the content-filter profile CONTENT-FILTER-BASIC. Timeframe Timeframes are used to define the periods when the content-filter profiles are valid. One profile may have several lines with different timeframes.
LANCOM Content Filter Chapter 3: Advanced configuration of the LANCOM Content Filter with LANconfig Stop time Here you set the stop time (time of day) when the selected profile ceases to be valid. Possible values: Maximum 5 characters, format HH:MM Default: EN 23:59 Weekdays Here you select the weekday on which the timeframe is to be valid.
LANCOM Content Filter Chapter 4: Status messages 4 Status messages 4.1 LANmonitor EN LANmonitor allows you to see the most important status messages from the LANCOM Content Filter at a glance. 4.1.
LANCOM Content Filter EN Chapter 4: Status messages 4.1.2 Maximum processing time: Maximum time taken to process a URL, assuming this is less than the timeout value. Average processing time: Average time taken to process a URL. Average processing time (last 5 min.): The average time taken to process a URL in the last 5 minutes. Requests to rating server: Number of URL requests processed by the rating server.
LANCOM Content Filter Chapter 4: Status messages EN Displaying content filter category statistics This dialog displays the list of all categories with the number of blocked accesses to the content filter and the share of all accesses in percent. You can use the Content-Filter categories menu to save the currently displayed values to a file or to load saved values for display in the LANmonitor.
LANCOM Content Filter Chapter 4: Status messages 4.1.3 Functions in LANmonitor Additional functions are available for you to influence the LANmonitor display: EN Click with the right-hand mouse button on the URL counter entry in LANmonitor and select Reset URL counter to reset the values for this particular area to zero. Click on the right-hand mouse button on the Top-10 entry in LANmonitor and selectFlush Top-10 lists and cache to reset the values for this particular area to zero. 4.
LANCOM Content Filter Chapter 4: Status messages Whitelisted-URLs Displays the number of websites accessed that are on the whitelist. Category-Statistics- Flush This option allows you to delete (flush) the category statistics and the last snapshot. Log- Flush This option allows you to delete (flush) the log table and the override log. Statistics- Flush This option allows you to delete (flush) the statistics. The counters are reset to 0. 4.2.
LANCOM Content Filter Chapter 4: Status messages Content Filter’ →Page 32). The snapshot copies the category statistics table to the last last snapshot table, overwriting the contents of the last snapshot table. The category statistics values are then reset to 0. Category Name of the category in question. EN Hits Number of websites called that are assigned to the relevant category. 4.2.
LANCOM Content Filter Chapter 4: Status messages User- MAC Indicates the MAC address of the user who performed the override. Target URL Indicates the website for which the override was performed. Cache Cache- Current-Size Indicates the current size of the cache. The cache stores the categorizations for the URLs that the evaluation server queries. There is one cache entry for each domain. The cache size influences how often the server needs to be queried.
LANCOM Content Filter Chapter 4: Status messages Hits Number of attempted calls of this website. Top-10- Overidden- Hosts This table lists the ten most frequently called websites accessed using the override function. EN Host Indicates the host of the website. Category Indicates the category that the website is assigned to. Hits Number of calls of this website that were allowed on the basis of an active override. 4.2.
LANCOM Content Filter Chapter 4: Status messages Min serv time Minimum time taken for the rating server to process a request. Avg proc time Average time taken to process a URL. Avg serv time Average time taken for the rating server to process a request. EN Proc timeouts Number of times that URL processing exceeded the timeout period.
LANCOM Content Filter Chapter 4: Status messages Max connections The maximum number of simultaneous connections to the content-filter proxy. Proxy connections limit The maximum allowed number of connections to the content-filter proxy. EN 5min avg connections Number of connections to the content-filter proxy in the last 5 minutes. Connection statistics since The time when collection of the connection statistics started.
LANCOM Content Filter Chapter 5: Tutorial: Using multiple content filter profiles 5 Tutorial: Using multiple content filter profiles The LANCOM Content Filter allows you to configure several content filter profiles. You can use this option in order to create, for example, one content filter profile for your employees and another content filter profiles for trainees. When a company employs trainees under the age of eighteen this may not only be useful but also a legal requirement.
LANCOM Content Filter EN Chapter 5: Tutorial: Using multiple content filter profiles 쐏 You then create your content filter profiles under Profiles. A content-filter profile assigns the relevant category profiles and optional blacklists and whitelists to different timeframes. The firewall refers to this content-filter profile. 쐄 Enter the Name EMPLOYEES for the content filter profile EMPLOYEES. Under Timeframe select the time when the category profile should apply, e.g. “ALWAYS”.
LANCOM Content Filter EN Chapter 5: Tutorial: Using multiple content filter profiles 쐆 After you have created content filter profiles for your employees and for your trainees, the overview of content filter profiles could look like this: If you have created different content filter profiles, you will have to modify the settings in the firewall (also see ’Firewall settings for the content filter’ →Page 35). 쐊 A firewall rule must be created in the firewall for each content filter profile.
LANCOM Content Filter EN Chapter 5: Tutorial: Using multiple content filter profiles 쐅 Define a rule for the action object CONTENT-FILTER-EMPLOYEES: 52
LANCOM Content Filter EN Chapter 5: Tutorial: Using multiple content filter profiles 쐈 Under Actions assign the action object CONTENT-FILTER-EMPLOYEES to the rule CF-EMPLOYEES: 53
LANCOM Content Filter Chapter 5: Tutorial: Using multiple content filter profiles 쐉 You should now specify further details for the rule, e.g. whether the rule should apply to a certain IP range. To make this setting, click on Stations and specify a range of IP addresses to which this rule should apply. EN These details in the firewall rule determine the criteria used to allocate users to a certain content-filter profile.