Secure Web


Symptom

I want to change the default layout of the blocking pages. How can I add my company logo and add custom blocking forms?

Problem

The blocking pages are webpages, which are used to give the user a response when a web request could not be satisfied. All these necessary files are supplied with the proxy installation, but they can be changed and adapted to your needs.

Solution

The blocking pages are located within the installation directory of the proxy. ("/opt/cyan/sweb/templates")

Linux / Appliance / VMWare:

  • Please login with your administrative user account (or csupport on the appliance)
  • If you don't have root permissions, you need to change to the root user:
    $ sudo -s
  • Change into the directory "/opt/cyan/sweb/templates"
  • There you can edit the files error.html and delay.html
    • error.html contains the default layout for the blocking page.
    • delay.html contains the layout for the delay page you see during virus scans.
  • After you have edited the files, restart the Secure Web service by using the command:
    $ /etc/init.d/sweb sweb restart
  • With the next blocked or delayed request you should see your new layout.

Windows:

  • Change into the directory "\sweb\templates"
  • There you can edit the files error.html and delay.html
    • error.html contains the default layout for the blocking page.
    • delay.html contains the layout for the delay page you see during virus scans.
  • After you have edited the files, restart the Secure Web service via the Windows services menu. The necessary service is called "Cyan Proxy Server".
  • With the next blocked or delayed request you should see your new layout.

Caution

Please do not change any CYAN variables in the html files. These are necessary for the proxy server to add information.

Do not overwrite the included image files. Use your own instead. With an upgrade the included images might be replaced.

Symptom

I want to set up Firefox settings with GPOs.

Problem

Firefox manages its own settings and ignores the default settings configured on the PC.

Solution

Before proceeding with distribution of proxy settings for Firefox, download and extract the package FirefoxADM on the server with Active Directory on it: http://sourceforge.net/projects/firefoxadm/ 

  • In the Group Policy Object Editor perform the following:
    User Configuration > Windows Settings > Scripts (Logon/Logoff)
  • Expand the following levels within the tree:
    User Configuration > Windows Settings > Scripts (Logon/Logoff)
  • Open Proxy Settings in the main policy area
  • Select the Show Files button; this will display the folder that contains the script location
  • Copy and paste the script firefox_login.vbs from the FirefoxADM package into the folder
  • Go back to the Logon Properties window and click Add
  • Open the location of the start scripts folder where the script was just copied to, select the file and click the Open button
  • Click OK and then OK again to save the changes
  • Expand the User Configuration level in the tree
  • Right-click Administrative Templates and select Add/Remove Templates
  • Click the Add button and browse to the location of the startup template firefoxdefaults.adm, select the file and click Open. Click Close.
  • Expand the Administrative Templates level under Computer Configuration
  • Select Mozilla Firefox Default Settings in the tree
  • Double-click Proxy Settings in the main policy area
  • Select the radio button Enabled
  • At this point you can begin entering the proxy settings that are to be pushed to users. This information can be found in your provisioning email.
  • Once finished click OK
Note: This policy and any following changes will only be refreshed when the user logs out and in. It is recommended to force a GPO update from command prompt if possible.
The command for this is: gpupdate /force.
 
  • Open the domain or organizational unit in the Group Policy Object Editor
  • Expand the following levels: Computer Configuration > Windows Settings > Scripts (Logon/Logoff)
  • Open Startup in the main policy area
  • Select the Show Files button, this will display the folder the script will be stored in
  • Copy and paste the script firefox_startup.vbs from the FirefoxADM package into the folder
  • Returning to the window, click Add in Startup properties
  • Browse to the location of the start scripts folder where the script was just copied to, select the file and click the Open button
  • Click OK and then OK again to save the changes
  • Expand the Computer Configuration level in the tree
  • Right-click Administrative Templates and select Add/Remove Templates
  • Select the Add button and browse to the location of the startup template firefoxlock.adm, select the file and click Open. Click Close.
  • Expand the Administrative Templates level under Computer Configuration
  • Select Mozilla Firefox Locked Settings in the tree
  • Double-click Proxy Settings in the main policy area
  • Select the radio button Enabled
  • The proxy settings can now be inserted that are to be pushed to users
  • Once finished click OK

 

Symptom

I have a problem which cannot be solved by the knowledge base articles or the howtos. What should I do next? Which information does support need to get me a solution?

Solution

For further support you can send an email to [email protected] or call our support team at: +43(0)133933333.

The support hours are from Monday to Friday from 9am to 5pm CET.

If the knowledge base or the howtos cannot help you, please answer the following questions in your email:

  • What architecture do you have? (Windows/Appliance/Linux/VMWare)
  • Which proxy version are you using?
  • Are you using authorization?
  • If yes, which kind of authorization? (Basic, NTLM, ...)
  • What version of Active Directory are you using?
  • What is your license number? (or is it a demo version?)
  • For questions about the Cyan Reporting system: Which database are you using?
  • Please attach some log files and your configuration file:
    • In the appliance version download the needed files over the interface. Change to the appliance menu and refer to maintenance/support. There you can create and download a support package.
    • Under linux/windows/VMWare you find the log files under: INSTALLDIR/.../sweb/logs and the configuration under INSTALLDIR/.../sweb/data/config.db
  • A detailed description about the problem. If possible please send a description on how to reproduce the problem.

Symptom

After the last update of the proxy machine, I cannot access the interface any more. I always get an HTTP 500 error when I try to connect. Even if I try to use the management IP address pre-configured on the appliance solution I get the same error.

Problem

The Cyan Secure Web interface is running on a Java application. After every upgrade the interface needs to be unpacked. If there is an error during this process, you won't be able to connect to the interface.

Solution

Linux / Appliance / VMWare version:

  • Login on the command line with your administrative account
  • Stop the interface by using the command:
    $ /etc/init.d/sweb admin stop
  • Remove the incomplete unpacked files:
    $ rm -rf /opt/cyan/sweb/appsrv/webapps/sweb2/
    $ rm -rf /opt/cyan/sweb/appsrv/webapps/middleware/   # only necessary since version 2.x
    $ rm -rf /opt/cyan/sweb/appsrv/webapps/crs/
    $ rm -rf /opt/cyan/sweb/appsrv/work/Catalina/localhost/*
    $ rm -rf /opt/cyan/sweb/data/sweb_data*
  • As next step make sure that the permissions are correct:
    $ chown -R sweb:sweb /opt/cyan/sweb/appsrv/*
  • Start the interface again:
    $ /etc/init.d/sweb admin start
  • Please wait a few minutes and you should be able to login as you used to do.

If you still are not able to connect to the webinterface and the browser shows this error:

javax.xml.ws.WebServiceException: Failed to access the WSDL at: http://localhost:9992/middleware/cyanusermanagement.soap?wsdl

Then you need to delete the user database:

  • Login on the command line with your administrative account
  • Delete the database with
    $ rm /opt/cyan/sweb/data/sweb_users*
  • Restart the webinterface
    $ /etc/init.d/sweb admin restart 

 

Symptom

I want to use FTP with the Cyan Secure Web proxy. How do I specify the correct FTP credentials to use?

Problem

To use FTP with the proxy, you need to specify which FTP server the proxy should use, and optionally what authentication parameters are necessary.

Solution

Cyan Secure Web supports the following FTP authentication schemes:

  • If you don't use authentication on the proxy:
    OPEN Remote_Host
    USER Remote_User
    PASS Remote_Pass

  • If you are using authentication, you need to specify the authentication data:
    USER Remote_User@Remote_Host Proxy_User
    PASS Remote_Password
    ACCT Proxy_Password

    or

    USER Remote_User@Proxy_User@Remote_Host
    PASS Remote_Password@Proxy_Password

You should choose the scheme depending on which FTP client you use and whether you use authentication or not.

Symptom

Every time I try to connect to a host via direct IP (for example http://1.2.3.4/index.html) I get a blocking page that IP requests are not allowed. Where can I disable this feature?

Problem

By default the Cyan Secure Web proxy blocks IP requests (for security reasons). Every time a request goes directly over an IP address to a host, the proxy will block the request and deliver the blocking page to the client.

Solution

You can allow IP requests separately for HTTP and HTTPS, or you can define a list of hosts you would like to allow.

To make these changes, go to the Cyan Secure Web interface. Under the Services Tab change to Proxy Settings/Web Proxy/IP Requests.

Symptom

When I try to access a web page via HTTPS I get a blank page without an error message in Internet Explorer. In Firefox I get the message that the proxy is blocking the request. Why do I not see any blocking page?

Problem

If you have enabled the categorization filter, the proxy will also check hosts via HTTPS. If you try to connect via HTTPS to a website which is denied by the filter, the proxy will block the request.

With this version it is not possible for the proxy to send a blocking page inside the SSL tunnel to the client. Thus you don't get a blocking page from the proxy but from the browser when the request is blocked.

Solution

Change to Cyan Secure Web Interface and allow the specific host or the category of the blocked request.

Symptom

Cyan Secure Web Support sent me a binary file. How can I upload it to the Secure Web machine?

Solution

With the linux/appliance version:

  • You need an scp client to upload the new file to the proxy machine. You can use WinSCP (www.winscp.net) or pscp (putty download), or any other scp client of your choice.
  • Use your administrative user credentials or the csupport user credentials for the proxy machine.
  • Afterwards stop the proxy services:
    $ /etc/init.d/sweb stop
  • Make a backup of the old service:
    $ cp /opt/cyan/sweb/bin/sweb /root/sweb-backup
  • Overwrite the old one with the new one:
    $ cp /sweb /opt/cyan/sweb/bin/sweb
  • Make sure that the permissions are correct:
    $ chmod +x /opt/cyan/sweb/bin/sweb
    $ chown sweb:sweb /opt/cyan/sweb/bin/sweb
  • Start the proxy services again:
    $ /etc/init.d/sweb start
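
The file steps above (backup, overwrite, permissions) as one function that also verifies the uploaded binary before installing it. This is an added example, not Cyan's own tooling: the function name replace_binary is hypothetical, and the SHA-256 value is an assumption (request it from support together with the file).

```shell
#!/usr/bin/env bash
# Added example: verified, reversible replacement of the proxy binary.
# Paths and the sweb:sweb owner are the ones from the article; the expected
# SHA-256 value is an assumption (ask support for it when they send the file).

# replace_binary NEW TARGET BACKUP EXPECTED_SHA256 [OWNER]
# Returns 0 on success, 1 on bad arguments, 2 on checksum mismatch,
# 3 if the backup or the copy failed (the old binary is left in place).
replace_binary() {
    local new="$1" target="$2" backup="$3" expected="$4" owner="${5:-}"
    [ -f "$new" ] && [ -f "$target" ] && [ -n "$expected" ] || return 1

    # Refuse to install anything whose hash differs from the one support gave.
    local actual
    actual=$(sha256sum "$new" | awk '{print $1}')
    if [ "$actual" != "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]; then
        echo "checksum mismatch: got $actual" >&2
        return 2
    fi

    # Keep the old binary (with mode and timestamps) so a rollback is possible.
    cp -p "$target" "$backup" || return 3

    # Copy to a temporary name in the same directory, then rename over the
    # target, so a failed copy never leaves a half-written executable behind.
    local tmp="$target.new.$$"
    if ! cp "$new" "$tmp" || ! chmod 0755 "$tmp"; then
        rm -f "$tmp"
        return 3
    fi
    if [ -n "$owner" ] && ! chown "$owner" "$tmp"; then
        rm -f "$tmp"
        return 3
    fi
    mv -f "$tmp" "$target" || { rm -f "$tmp"; return 3; }
}

# Typical use on the proxy machine, as root (not executed here):
#   /etc/init.d/sweb stop
#   replace_binary /sweb /opt/cyan/sweb/bin/sweb /root/sweb-backup <sha256-from-support> sweb:sweb
#   /etc/init.d/sweb start
```

To roll back, stop the service, copy /root/sweb-backup back over /opt/cyan/sweb/bin/sweb and start the service again.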

For the windows version:

  • Stop the proxy services under the administration tools/Services (stop the Cyan Configuration Service)
  • Backup the old binary file located at: INSTALLDIR\...\sweb\bin\sweb.exe
  • Replace the old binary with the new one
  • Start the services again

Symptom

I always get a blocking page when I try to access a specific web site. It says that the request is denied because of the category filter.

Problem

The category filter of the proxy is blocking the request.

To avoid this, you can add a list of URLs to a user defined category and set this category to allow.

Solution

To allow a site, proceed as follows:

  • Login to the Secure Web interface.
  • Change to the menu point: Proxy Settings/Web Proxy/URL Filter
  • Here you are able to assign URLs to 10 user defined categories. (e.g. "www.google.com/")
  • Once you added a URL to a user defined category, you can allow or deny it via the category within your profile

Caution

When you try to enable a portal site like www.tiscali.it or www.bild.de, some of the site content usually is located on different hosts.

When you allow tiscali.it or bild.de and you see an incomplete page or garbled layout, you need to check where the blocked content is located. Right click with your mouse on the site and select "view page source". There you can see all requests made for this web page.

When you allow all the involved hosts, you should be able to see a complete page.
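
Reading the page source by hand gets tedious on large portals. The following added example (not part of the product) lists the hosts a saved copy of the page loads content from and shows which of them are missing from the hosts you already allow. The function names and the sample page are constructed; hosts are compared as exact names, because the article does not state how the URL filter treats sub-domains.

```shell
#!/usr/bin/env bash
# Added example: find the hosts a saved page pulls content from, and which
# of them are not yet in your list of allowed hosts.

# resource_hosts FILE: distinct hosts in src=/href= of tags that load content
# automatically. Plain <a href> links are ignored: they are only fetched
# when the user clicks them.
resource_hosts() {
    tr '\n' ' ' < "$1" \
      | grep -oiE "<(script|img|iframe|link|source|embed|video|audio)[^>]*>" \
      | grep -oiE "(src|href)=[\"']?(https?:)?//[^/\"' >?#]+" \
      | sed -E 's#^.*//##; s#^.*@##; s#:[0-9]+$##' \
      | tr 'A-Z' 'a-z' | sort -u
}

# hosts_to_allow FILE ALLOWED_LIST: hosts from FILE that are not listed in
# ALLOWED_LIST (one host per line, exact match).
hosts_to_allow() {
    resource_hosts "$1" | grep -vxFf "$2" || true
}

# Constructed sample page (not taken from any real site).
write_sample_page() {
    cat > "$1" <<'EOF'
<html><head>
<link rel="stylesheet" href="https://static.portal.example/css/main.css">
<script src="//cdn.scripts.example:8443/lib.js"></script>
</head><body>
<img src="https://www.portal.example/logo.png">
<img
   src='HTTPS://img.media.example/photo.jpg?w=200'>
<a href="https://other.example/article">link only, not loaded</a>
<img src="/local/relative.png">
</body></html>
EOF
}

# Demo: only www.portal.example has been allowed so far.
page=$(mktemp); allowed=$(mktemp)
write_sample_page "$page"
printf 'www.portal.example\n' > "$allowed"
hosts_to_allow "$page" "$allowed"
rm -f "$page" "$allowed"
```

Content requested by scripts at run time does not appear in the static source, so a page can still be incomplete after allowing every host this prints.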

Symptom

When I try to access some sites, I always get a blocking page with "blocked by reason category 80", but when I try to allow this category I cannot find it in the proxy interface.

Problem

Category 80 of the IBM SDK's blocking list is not supported by the Secure Web proxy at the moment.

Solution

You need to deactivate the category 80 over the command line by adding a configuration key manually to your config database.

Proceed step by step:

On linux/appliance:

  • Connect to the command line using your administrative account
  • Open the config database by using this command:
    $ sqlite3 /opt/cyan/sweb/data/config.db
  • Add the key for category 80:
    insert into config values('','','filter','filters_tree_0_categories_ibmsdk_40080','0');
  • Restart the secure web service:
    $ /etc/init.d/sweb sweb restart

For the windows solution, please contact [email protected].

Symptom

When I try to download an archive file, I get a delay page or a virus scanning error, although I didn't enable Anti Virus scanning.

Problem

If you enabled DAI (Deep Archive Inspection), the archive downloads over the proxy will proceed the same way as they do during virus scanning. The file will be saved on the proxy machine, scanned for the content inside and sent to the client afterwards.

Solution

There are two ways:

  1. Deactivate the DAI feature: In your profile under application blocking you can deactivate the DAI feature.
  2. Add an application filter exception for the host. In your profile under application blocking you can specify a list of trusted hosts. Requests to hosts stated in this list won't use the DAI feature any more.

Symptom

The performance over the proxy is decreasing, surfing gets slower and slower.

Problem

There are many possible causes:

  • Your DNS is too slow
  • Your hard disk is running out of free space
  • You have a high I/O on your system
  • Some changes in the network?
  • Bandwidth controller

Solution

Run some tests on your system:

To check the DNS use following commands:

  • $ dig www.news.at
  • $ dig www.bild.de
  • $ dig www.tiscali.it

You can check the hard disk usage with this command:

  • $ df --si

To check the health status of your machine use the following command. If you got a high load, it could be that some processes are keeping the proxy busy.

  • $ top

Use this command to check the health status:

  • $ vmstat 5

If you can't find the problem, please contact us at [email protected] and attach all those points to the mail for information.

Symptom

The Adobe Update Manager cannot connect via the proxy. It always shows connection problems. Without the proxy the Update Manager works.

Problem

There are several possible problems:

  • If NTLM authentication is enabled, the manager won't be able to pass the credentials to the proxy.
  • The manager normally starts as system user account and is not able to send correct user data to the proxy.
  • With virus scanning enabled, the proxy will try to send a delay page to the Update Manager during the download. The manager doesn't recognize this page, disconnects the download and tries again. This will result in multiple broken downloads on the proxy machine.
  • Since version 8, Adobe Update Manager uses range requests. They are denied on the proxy per default.

Solution

You will find a pre-configured user agent for the Adobe Update Manager in the Cyan Secure Web interface.

Change to Proxy Settings, Web Proxy/User Agents. You can check the configuration of the user agent there.

Make sure that the agent has "no virus scanning", or "decelerated send" enabled and uses "no authentication".

Symptom

The Windows Update Manager cannot connect via the proxy. It always shows connection problems. Without the proxy the update works.

Problem

There are several possible problems:

If NTLM authentication is enabled, the Windows Update Manager won't be able to pass the credentials to the proxy. It usually starts as system user account and is not able to send correct user data to the proxy.

With virus scanning enabled, the proxy will try to send a delay page to the Update Manager during the download. The Update Manager doesn't recognize this page and disconnects the download.

Solution

You will find a pre-configured user agent for the Windows Update Manager in the Cyan Secure Web interface.

Change to Proxy Settings, Web Proxy/User Agents. You can check the configuration of the user agent there.

Make sure that the agent has "no virus scanning", or "decelerated send" enabled and uses "no authentication".

Symptom

The web interface isn't reachable anymore, or I cannot login.

Even if I try to restart the interface on the command line, I get the error: ABNORMAL TERMINATION.

Problem

Most likely your hard disk is full. The interface cannot unpack or write log files any more. When you restart the interface, the process is not able to shut down correctly.

Solution

Remove files, which are blocking the system.

You are able to check if the hard disk is full with the following command:

$ df --si

You can try to remove some log files from the /opt/cyan/sweb/logs directory.

Once you freed some space, restart the interface by using the command:

$ /etc/init.d/sweb admin restart

Symptom

I haven't enabled the HTTPS interception feature, but I still get a certificate error.

Problem

When you try to access a host, which is blocked by the category blocker via HTTPS, the proxy needs to send a blocking page to the client in this HTTPS connection.

The certificate's name won't match the target host's name, thus triggering a certificate error on the browser.

Solution

There are two ways to get rid of the message:

Enable the host. You can find how to enable the host in the KB Article Can't access HTTPS sites

Deactivate the feature "Send blocking Page into SSL tunnel". You can enable or disable the feature under the https interception settings

Symptom

When I try to connect to an FTP server, which needs authentication, I get no authentication popup to enter my username and password.

Problem

If you want to authenticate on an FTP server over HTTP you need to use the correct syntax to connect.

Solution

Use following syntax to authenticate and connect to your FTP server over HTTP:

ftp://ftpusername:[email protected]/

Symptom

When I try to connect to the Internet over my smart phone it doesn't work. When I change the network settings to use the proxy, it still won't work.

Problem

Most mobile phones cannot detect the proxy settings used for the network automatically. You need to specify where to find the proxy.

When you have authentication enabled, you need to make an exception for the mobile phone.

Solution

You can find the network settings for the iPhone/iPad under WIFI Settings/Your network on the bottom. There you can set up the phone to use the proxy server.

On the proxy server you need to generate an IP instance entry for the mobile device. Assign a profile to this entry afterwards to use your ruleset for the device.

Symptom

When I try to watch a video or audio stream with the Windows Media plugin, I get no stream, or an authentication popup. Even after I typed in my username and password nothing changed.

Problem

You should have this problem only when you authenticate via NTLM. The windows media player plugin cannot send a correct NTLM token.

Solution

There are two ways to solve this problem:

  1. When you turn on IP caching (enabled per default), your authorisation will be cached. You only need to access another website and then you're able to see the stream
  2. Enter a new user agent in the Cyan Secure Web interface under Proxy Settings/Web Proxy/User Agents with the following settings:
    • Regular Expression: NSPlayer
    • Authentication: No Authentication
    • Virus Scan Action: decelerated send
    • When you try to access a stream via Windows Media plugin now, you won't be authenticated.

Caution

When the request isn't authenticated, the default profile will be used!

(If you block Streaming Media in your default profile, then you won't see the video after applying the solution)

Appliance


Symptom

I want to access the command line of the Cyan Secure Web Appliance, but I don't know how to login.

Problem

Per default there is no login for the command line enabled on the appliance solutions. (for security reasons)

Solution

To change to the command line you need to enable the csupport user. To do this change into the Secure Web interface. Navigate to the orange appliance menu, Maintenance and Appliance Accounts. Now you can enable the csupport user and specify a password.

With this user you can now login to the command line (for example over putty) and change to the root shell by using the command:

$ sudo -i

Symptom

My machine doesn't respond any more and I already had contact with Cyan Support to identify the problem. They told me to do a unit replacement.

Problem

When the machine has a hardware defect, you need to replace the whole machine.

For backing the whole system up you can use the delivered sdcard. Plug it into the sdcard reader on the back of the machine and trigger a manual backup under the Cyan Secure Web interface located at: Appliance menu/Maintenance/Sdcard.

Solution

Please do the following steps:

  • Call Cyan Support and describe the problem
  • Forward the six digit serial number from the back of the machine to Cyan Support
  • Wait for a call from pyramid
  • Call Cyan again when the new machine arrives to go through the setup.
  • Give Cyan feedback about the machine

Reporting system


Symptom

When I try to generate a user/group/ip based report, the list of users is empty! Even if I click on update user list, nothing changes.

Problem

There can be two cases:

  1. By default no data will be fed into the database. You need to set up the proxy log feeder to feed the reporting data into the database.
  2. To use the user/group/ip list feature, the Cyan Reporting System needs to run a maintenance job first. This job will move the user/group/ip data into the specific table inside the database. After that you should be able to use the list in your named report.

Solution

To enable the log feeder service, change to the Secure Web Interface. Under the services menu tab go to Logging/reporting/log feeder. There you need to enable the log feeder and specify the location of the CRS system.

Under the Cyan Reporting System interface you can see when the maintenance job will run the next time. To trigger the job manually change into the CRS interface, Settings/Maintenance and click on the run now button. This job needs to be run once before you can use the user/group/ip feature when you create a new named report.

Symptom

Every report I create contains no data. When the report is finished and I open it, I get a message that the report contains no data.

Problem

There are two possible problems:

  1. You have chosen a time range for which no data is logged in the database
  2. The log feeder service is not enabled, so the reporting database is still empty.

Solution

To enable the log feeder service, change into the Cyan Secure Web Interface. In the services menu change to logging/report logging/log feeder. There you can enable and configure the Cyan Secure feeding service to move the data into the Cyan Reporting System. After an hour (default log rotation time) you should be able to generate reports.

Symptom

I need to generate a report with specific data inside it, which isn't available in the current CRS reports list. How can I get a new report?

Solution

To request a new report, contact support and send the following information:

What should the report show in general?

Which criteria do you want to apply?

What should the report look like? (What would you like to see in the first row, what in the second, what kind of chart do you want to see at the end of the report)

We will prepare the new template and you will get it with the next patch update.