
WDS ConnectorSM Installation Guide

Product Version: 6.9

Document Date: 02/2011

Proprietary and Confidential

WDS ConnectorSM Installation Guide - Product Version: 6.9

TABLE OF CONTENTS

1 Introduction
    1.1 Requirements for installation
    1.2 Download the WDS Connector Setup Wizard
    1.3 Run the WDS Connector Setup Wizard
    1.4 Set up users for the WDS Connector
2 Reinstalling the WDS Connector
3 AD Config Editor
4 Uninstalling the WDS Connector
5 Managing the WDS Connector Logs
    5.1 Turning on the WDS Connector Logs
    5.2 Viewing the WDS Connector Logs
6 Enabling NTLM on Windows Clients


1 Introduction
The WDS ConnectorSM, which is an enhancement to the Web Protection Service, allows users to access the web through Web Protection using existing local network domain credentials. This capability, known as transparent authentication, eliminates the need for Web Protection to authenticate a user each time the user opens a browser. Instead, Web Protection validates the user automatically whenever the user opens a browser. Administrators of the Web Protection service can continue to apply group policies to users, as well as track individual web usage, threats, and more.

1.1 Requirements for installation

Before you install WDS Connector, ensure that the following requirements are met:

- Web Protection service must be enabled.
- A Domain Controller must reside within the customer's Intranet and must be running Active Directory. You need the DNS name or IP address of this controller.
- Each user that WDS Connector authenticates must have an account in Active Directory. That account must contain the same email address that the Web Protection Control Console contains.
- You must have Customer Administrator or higher privileges on the Web Protection Control Console.
- The local Intranet must contain a Windows server that can run the WDS Connector software and serve as a proxy server. This server must meet the following requirements:
  - The server must be running Windows Server 2003 or higher software and Microsoft Management Console (MMC) Services snap-in. All available updates for the server's version of Windows must also be installed.
  - The firewall on the proxy server must allow access by user clients. Specifically, port 3128 tcp must be open outbound to the internet.
  - The proxy settings in Internet Explorer on the proxy server must be turned off for installation.
  - The time clock of the proxy server must be reasonably accurate, at least within one hour of the actual time within its time zone. It is recommended that your LAN use a Network Time Server to ensure this synchronization.
  - The proxy server must be running .NET 2.0 or higher. If the server is not running .NET 2.0 or higher, the installer notifies you during the initial setup and installs .NET for you.
- NTLM enabled browser (FF, IE on Windows). NTLM information must be passed from the client machine. See Section 6.

Although the installer installs .NET 2.0, if the server also is running an earlier version of .NET, the earlier version of .NET can continue running normally. Recommendation: It is recommended that you implement the Directory Integration feature within Account Management prior to using WDS Connector. In this way, you greatly increase the likelihood that user email addresses in Active Directory match the email addresses in the Web Protection Control Console.
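A pre-flight script for the proxy server requirements above, added here as an example; it is not part of the vendor's installer or guide. The two host names are placeholders (the guide does not name the Web Protection endpoint), and the clock check assumes w32tm prints its usual "hh:mm:ss, +00.0000000s" sample lines.

```powershell
# Added example (not vendor code): pre-flight checks for the section 1.1 requirements.
# Written for Windows PowerShell 2.0 and later. Replace the placeholder host names.
param(
    [string]$UpstreamHost = 'upstream.example.invalid',  # placeholder: Web Protection endpoint
    [string]$TimeSource   = 'dc01.example.invalid',      # placeholder: DC or network time server
    [int]$Port = 3128,                                   # outbound port named in the guide
    [int]$MaxSkewSeconds = 3600                          # "within one hour" per the guide
)

function Test-OutboundTcp([string]$Target, [int]$TcpPort, [int]$TimeoutMs = 3000) {
    # Plain TCP connect with a timeout; any failure (DNS, refusal, timeout) counts as closed.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($Target, $TcpPort, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($pending)
        return $client.Connected
    } catch { return $false } finally { $client.Close() }
}

function Get-RegistryValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name }
    return $null
}

function Get-ClockSkewSeconds([string]$Source) {
    # Takes one time sample from $Source; $null means no usable sample came back.
    $out = & w32tm /stripchart "/computer:$Source" /samples:1 /dataonly 2>&1
    foreach ($line in $out) {
        if ("$line" -match ',\s*([+-]\d+[.,]\d+)s') {
            return [math]::Abs([double]($Matches[1] -replace ',', '.'))
        }
    }
    return $null
}

$proxyEnable = Get-RegistryValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' 'ProxyEnable'
# 1 disables 8.3 names on all volumes; 2 and 3 depend on the volume and are not judged here.
$shortNames  = Get-RegistryValue 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem' 'NtfsDisable8dot3NameCreation'
$skew        = Get-ClockSkewSeconds $TimeSource

$checks = @(
    @{ Name = 'IE proxy turned off for installation'; Pass = ($proxyEnable -ne 1) },
    @{ Name = "TCP $Port outbound reachable";          Pass = (Test-OutboundTcp $UpstreamHost $Port) },
    @{ Name = 'Short (8.3) file names not disabled';   Pass = ($shortNames -ne 1) },
    @{ Name = "Clock skew under $MaxSkewSeconds s";    Pass = ($null -ne $skew -and $skew -lt $MaxSkewSeconds) }
)
$failed = 0
foreach ($c in $checks) {
    if ($c.Pass) { $status = 'PASS' } else { $status = 'FAIL'; $failed++ }
    '{0}  {1}' -f $status, $c.Name
}
exit $failed
```

Run it as the account that will run the installer, since the Internet Explorer proxy setting is read from that user's registry hive. The exit code is the number of failed checks.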


Determine Web Protection Authentication


The Access Controls window allows you to define the manner in which users will be authenticated when accessing the Web. For example, you can register a list of accepted IP addresses for your organization. Three mechanisms are provided that allow you into the Web Protection system.

Note: More than one authentication can be used in conjunction, if desired.


IP Range Authentication

Advantages:
- No user login required
- No passwords need to be maintained for users
- No software to install
- Can be deployed at the edge of the network using routing

Disadvantages:
- Group policies cannot be applied (all users have one policy)
- No individual reporting, all reporting is grouped by the external IP address

Explicit User Authentication

Advantages:
- Group policies can be applied (different users can have different policies)
- Individual reporting on a per user basis
- No software to install

Disadvantages:
- Requires users to log in once per browser session
- Passwords must be maintained and/or authenticated against corporate server

Transparent Authentication (WDS Connector)

Advantages:
- No user login required
- No passwords need to be maintained for users in the Web Protection system
- Group policies can be applied (different users can have different policies)
- Individual reporting on a per user basis

Disadvantages:
- Requires software to be installed on the corporate infrastructure
- Requires Active Directory and NTLM authentication to recognize users
- Requires that each user has an email address in Active Directory that matches a corresponding email address in the Web Protection Control Console
- Requires that users log on to the domain interactively

To install WDS Connector on a Windows server, perform the following steps:

1.2 Download the WDS Connector Setup Wizard

You must first download the WDS Connector Setup Wizard from your Web Protection Control Console.

1. Ensure that the proxy settings in Internet Explorer on the proxy server are turned off.
2. Log in to the Web Protection Control Console. The Web Protection Control Console appears.
3. Click the Setup tab. The Web Protection Setup screen appears. If your Web Protection includes IP Address Range Authentication, the Web Protection Setup screen appears as follows. If your Web Protection does not include IP Address Range Authentication, then only the Web Protection Setup screen appears.
4. Click the Download WDS Connector link. A Run screen appears and asks if you want to Run or Save the installation program.


5. Depending on the computer from which you accessed the Web Protection Control Console, perform the steps for one of the following two scenarios:

If you accessed the Web Protection Control Console from the Windows server that will be the proxy server, do the following:

A. Select Run. The installer checks for Windows updates and the presence of .NET 2.0. If .NET 2.0 is not installed, the installer installs it. The installer redisplays a Run screen.

NOTE: If all applicable Windows updates are not installed, the installation fails.

B. Select Run again. The WDS Connector Setup Wizard opens.
C. Continue with the Run the WDS Connector Setup Wizard section.

If you logged into the Web Protection Control Console from a computer other than the proxy server, do the following:

A. Select Save.
B. Transfer the files you downloaded to the proxy server using a memory stick, a CD-ROM or some other means.
C. On the proxy server, locate the file you downloaded and double-click to run it. A Run screen appears, asking if you want to Run or Save the installation files.
D. Select Run. The installer checks for Windows updates and the presence of .NET 2.0. If .NET 2.0 is not installed, the installer performs an installation of .NET.

The installer redisplays a Run screen.

NOTE: If all applicable Windows updates are not installed, the installation fails.

E. Select Run again. The WDS Connector Setup Wizard opens.
F. Continue with the Run the WDS Connector Setup Wizard section.

Attention: If your system receives the following error message during the Web Protection Setup, it means Short File Names are disabled. Continue with the following steps to enable this information.

1. Click OK. The following WDS Connector Install screen displays.

2. Click OK to continue the Web Protection installer setup.

The WDS Connector Installation screen displays.

3. Click Close to exit your installer and reboot your system to continue the Web Protection installer setup.


Note: After completing these steps you have to reboot your system and begin to install the WDS Connector from the start.

1.3 Run the WDS Connector Setup Wizard


After you download the installation package and select Run, the following screen appears. Complete the steps that follow to set up WDS Connector.

1. Click Next. The License Agreement page appears.

2. Select I Agree, and click Next. The Select Installation Folder screen appears.


3. Use the default folder or click the Browse button to select a different folder for the WDS Connector software.
4. Click Next. An installation confirmation screen appears.

5. Click Next. The installation of software begins. When the software has been installed, a WDS Connector Login configuration screen appears.

6. Enter the username and password you normally use to access the Web Protection Admin Console, and click Next. The Setting Active Directory Connection Information screen appears.


7. In the AD Hostname FQDN field, enter the fully-qualified domain name (FQDN) of the Active Directory domain controller in the local intranet.

NOTE: Although an FQDN is preferred because it minimizes network requests, a non-FQDN domain name is also allowed in this field.
8. In the Domain\Username field, enter a user name for the domain controller, using standard Windows domain user name format. Standard Windows user name format includes the domain name, followed by a backslash (\), followed by the username (for example, acme-domain\johndoe).

NOTE: The user name you enter must have read access to the Active Directory.
9. Enter a password for the user name in the Password field.
10. Click Next. A confirmation information screen displays.

NOTE: The Test button can be used to validate your AD settings. For more information regarding this functionality, see Chapter 4.

The Account setup screen appears.

11. Select Local System account or enter a User name and password for a unique WDS Connector account.

NOTE: If you set up a unique account for WDS Connector, you must also administer the account on the Active Directory domain controller.
12. Click Next. The installation is complete.

13. Click Close.


14. To verify that WDS Connector is running, access your Windows services screen.
15. Go to Start > All Programs > Administrative Tools > Component Services.

For most Windows systems, you access the Windows services screen through Windows Control Panel.

16. Check the screen to verify that the WDS Connector has started.

1.4 Set up users for the WDS Connector

The browser settings on each user's personal computer must be administered for the new proxy server. These settings must include port 3128 as the browser's access port on the proxy server. For example, to manually set the Windows Internet Explorer browser for an individual P.C., you access the Local Area Network (LAN) Settings screen in Internet Explorer and administer the Proxy Server section for the following:

- The use of a proxy server by the browser
- The IP address or host name of the proxy server
- Port 3128 for the proxy server connection


Contact your local support Web site or local support personnel for information on various methods of configuring browser proxy settings to point to the WDS Connector.

Important: For the WDS Connector to authenticate a user, the user must already have an account in Active Directory (AD), and the AD account must include an email address that matches an email address in the Web Protection Control Console. If Microsoft Exchange is installed and running on the AD server and the user already has an Exchange account, the user's email address is automatically populated in AD when the user's AD account is created. However, when Exchange isn't already running on the proxy server, or when Exchange is running on a different server, the user's email must be added manually into the user's AD account.


2 Reinstalling the WDS Connector


If, for some reason, you must reinstall the WDS Connector, the installation software checks that the WDS Connector is not running before the installation software resumes the installation. During the reinstallation sequence, you might see the following screen:

In this case, do the following steps:

1. Click No. A number of screens may appear and disappear as the WDS Connector shuts down. Then, the following screen appears.

2. Select the default Repair WDS Connector option, and click Cancel. The wizard prompts for confirmation on exit.

3. Click No. The Welcome screen appears again.


4. Click Finish. Continue with the installation as in the Run the WDS Connector Setup Wizard section of this document.


3 AD Config Editor
If you wish to edit your Change Settings for Web Protection, including the following:

- Host Name
- Domain
- Password

Go to All Programs > WDS Connector > AD Config Editor.

The Edit Active Directory Connection screen displays.

1. Type the changes you wish to make.
2. Click Test. A Success Information window displays.


3. Click OK, and then click Save.
4. Restart your Connector. To restart your Connector, go to Start > All Programs > Administrative Tools > Component Services.

In the event that your AD Hostname is invalid, the following Failure Information pop-up displays to alert you to one of these issues:

- This is an invalid AD Hostname.
- The AD Hostname is not visible to this machine.
- The AD is not running on that machine.
- The AD Hostname machine is down.

5. Click OK to edit your information.
6. Click Test and, if successful, click OK and Save.
7. Restart your Connector. To restart your Connector, go to Start > All Programs > Administrative Tools > Component Services.

If the User Name or Password is invalid, the following Failure Information pop-up displays.

8. Click OK to edit your information.
9. Click Test and, if successful, click OK and Save.
10. Restart your Connector. To restart your Connector, go to Start > All Programs > Administrative Tools > Component Services.


4 Uninstalling the WDS Connector


To remove the WDS Connector program from your server, perform the following steps:

1. From the Start button on the P.C., select All Programs. The list of programs appears.
2. Select WDS Connector from the list. Then select WDS Connector Uninstall from the pop-up menu. A confirmation page appears.

3. Click Yes. The WDS Connector is removed from your server.


5 Managing the WDS Connector logs


The WDS Connector can generate logs of activity. These logs are turned off by default, but for troubleshooting purposes in conjunction with support personnel, you might want to turn the logs on.

CAUTION: The logs can generate a lot of data. You should only turn on the WDS Connector logs for troubleshooting purposes. Otherwise, the logs quickly begin to take up disk space.

5.1 Turning on the WDS Connector Logs

To turn on the logs, perform the following steps:

1. From the Start button on the Windows Task Bar, select All Programs. The list of programs appears.
2. Select WDS Connector from the list. Then select WDS Connector Configuration Manager from the pop-up menu. The WDS Connector Configuration Manager page appears.

3. Click Turn Logging On. The button changes to Turn Logging Off. WDS Connector is ready to send data to its logs.

5.2 Viewing the WDS Connector Logs

To view the WDS Connector Logs, perform the following steps:

1. In Windows Explorer, locate the directory in which you installed WDS Connector. The default location is within the Program Files directory at C:\Program Files\WDS Connector.
2. From the WDS Connector directory, access the following path: WDS Connector Proxy\var\logs. The logs directory appears.

3. Double-click any file name to view its contents.


6 Enabling NTLM on Windows clients


The WDS Connector requires NTLM information, and the client must be configured to use NTLM. Unfortunately, newer versions of Windows operating systems (Vista and beyond) do not inherently provide NTLM information when used in conjunction with newer versions of Windows Server (2008 and beyond). To enable NTLM on a Windows client, the following entry must be added to the Windows registry:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "LmCompatibilityLevel"=dword:00000000

This can be automated by using a login script to add the entry to the client machines upon login. A .reg file must be created and then called from a batch file. In the script folder of the Windows Domain Controller machine, create a new text file and call it something like WDS_Connector_Fix.reg for convenience. This file should contain the following text (the blank line is necessary):

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "LmCompatibilityLevel"=dword:00000000

An associated batch file must contain a line similar to the one below (replace the Domain Controller Host and script share to include a valid UNC path to the script folder):

    regedit /s \\<Domain Controller host>\<script share>\WDS_Connector_Fix.reg

This batch file also needs to be added to the appropriate domain in the Group Policy Editor.

WARNING: McAfee recommends using caution when editing the registry on any computer. While the change suggested is relatively low risk, please note that changing the Windows Registry may have unexpected consequences. Be sure to back up all work prior to executing any changes.
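For reference when rolling this out: level 0 makes the client send LM and NTLM responses and never use NTLMv2 session security, so it is worth recording each machine's prior value before the login script changes it. The script below is an added example, not part of the vendor's guide; it reports the current level and, only when run with -Apply, exports the Lsa key and then writes the value. The -Apply, -Target and -BackupDir parameters are names chosen for this example.

```powershell
# Added example (not vendor code): audit LmCompatibilityLevel on a client and, with -Apply,
# write the value from section 6 after exporting the Lsa key. Run elevated when applying.
param(
    [switch]$Apply,                              # example's own switch: audit only by default
    [ValidateRange(0, 5)][int]$Target = 0,       # value prescribed in section 6
    [string]$BackupDir = $env:TEMP               # assumption: where the exported .reg file goes
)

$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Meaning = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM, use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only, refuse LM'
    5 = 'Send NTLMv2 response only, refuse LM & NTLM'
}

function Get-LmCompatibility {
    $prop = Get-ItemProperty -Path $LsaPath -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
    if ($prop) { $level = [int]$prop.LmCompatibilityLevel; $explicit = $true }
    else       { $level = 3; $explicit = $false }   # Vista and later act as level 3 when unset
    New-Object PSObject -Property @{
        Computer = $env:COMPUTERNAME
        Level    = $level
        Explicit = $explicit                        # $false: value was absent from the registry
        Meaning  = $Meaning[$level]
        SendsLM  = ($level -le 1)                   # levels 0 and 1 still emit the LM response
    }
}

$before = Get-LmCompatibility
$before | Format-List Computer, Level, Explicit, Meaning, SendsLM

if ($Apply -and ($before.Level -ne $Target -or -not $before.Explicit)) {
    # Export the Lsa key first so the previous values are on record.
    $name   = 'Lsa-{0}-{1:yyyyMMddHHmmss}.reg' -f $env:COMPUTERNAME, (Get-Date)
    $backup = Join-Path $BackupDir $name
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Backup failed; registry left unchanged.' }

    New-ItemProperty -Path $LsaPath -Name LmCompatibilityLevel -Value $Target `
        -PropertyType DWord -Force | Out-Null
    "Backup written to $backup"
    Get-LmCompatibility | Format-List Level, Meaning, SendsLM
}
```

When Explicit is False in the first report, the value did not exist before the change, so rolling back means deleting it rather than importing the exported file.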
