Skyhigh Security

Module Settings

Module settings are used to configure the behavior of modules on a Web Gateway appliance. These modules are also known as engines or filters.

For example, the Anti-Malware module calls the scanning engines, such as the Gateway Anti-Malware (GAM) engine, when the body of a response sent by a web server should be scanned for infections.

By configuring the settings for this module, you can modify the scanning process. Depending on what you configure, the module might not call the GAM engine, which is the default, but a different engine for scanning.

Other modules are the URL Filter module, the TIE Filter module, or the Authentication module.

Different settings for a module

A module can have one particular instance of settings or several. Different instances of module settings are distinguished by their names. Usually, they differ in how the values of the various settings options are configured.

For example, after the initial setup of Web Gateway, there is one instance of the settings for the Anti-Malware module available by default. The settings name for this instance is Gateway Anti-Malware settings.

When the module runs with these settings, it calls the GAM engine for scanning, as this behavior is configured for one of the settings options.

After importing the Advanced Threat Defense rule set, however, a second instance of settings for the module is available. Its name is Gateway ATD settings.

When the module uses these settings, a web object is passed on from Web Gateway to Advanced Threat Defense for scanning, as the value for the relevant option within the settings differs now from the value for the same option in the default settings.

You can also create and configure settings instances of your own for any of these modules to let them show the behavior that meets your requirements.

Contents
  • Anti-Malware settings.
  • Authentication settings.
  • Authorized Override settings.
  • Azure Directory Settings.
  • Cache settings.
  • Cloud Access Log Data Residency settings.
  • Cloud Storage Encryption settings.
  • Coaching settings.
  • Composite Opener settings.
  • Data Loss Prevention (Classifications) settings.
  • Data Loss Prevention (Dictionaries) settings.
  • Data Trickling settings.
  • File System Logging settings.
  • Hardware Security Module settings.
  • ICAP Clients settings.
  • Next Hop Proxy settings.
  • Progress Page settings.
  • SSL Client Context with CA settings.
  • SSL Client Context without CA settings.
  • SSL Scanner settings.
  • TIE Filter settings.
  • Stream Detector settings.
  • Time Quota settings.
  • URL Filter settings.
  • Volume Quota settings.

Anti-Malware settings

The Anti-Malware settings are used for configuring the Anti-Malware module, which handles activities related to anti-malware filtering on a Web Gateway appliance.

Instances of these settings include the following.

  • Gateway Anti-Malware settings — Default settings

Gateway Anti-Malware settings

The Gateway Anti-Malware settings are the settings for the Anti-Malware module that are by default available after the initial setup of Web Gateway.

Select Scanning Engines and Behavior

Settings for selecting a combination of scanning engines and their behavior in case one of them detects an infection.

The scanning engines can be seen as sub-modules that run together as one module, the Anti-Malware module, to scan web objects.

Select Scanning Engines

Option Definition
Full Skyhigh coverage: The recommended high-performance configuration

When selected, the Skyhigh Gateway Anti-Malware engine and the Skyhigh Anti-Malware engine are active.

Web objects are then scanned using:

Proactive methods + Virus signatures

If you are running Web Gateway with a license for Skyhigh Gateway Anti-Malware in addition to the one for Web Gateway itself, this option is selected by default.

Layered coverage: Full Skyhigh coverage plus specific Avira engine features — minor performance impact

When selected, the Skyhigh Gateway Anti-Malware engine, the Skyhigh Anti-Malware engine, and, for some web objects, also the third-party Avira engine are active.

Web objects are then scanned using:

Proactive methods + Virus signatures + Third-party engine functions for some web objects

Duplicate coverage: Full Skyhigh coverage and Avira engine — less performance and more false positives

When selected, the Skyhigh Gateway Anti-Malware engine, the Skyhigh Anti-Malware engine, and the third-party Avira engine are active.

Web objects are then scanned using:

Proactive methods + Virus signatures + Third-party engine functions

Skyhigh Anti-Malware without mobile code scanning and emulation

When selected, only the Skyhigh Anti-Malware engine is active.

Web objects are then scanned using:

Virus signatures

This is the option that you must select when running Web Gateway with a license for Web Gateway only, but without a license for Skyhigh Gateway Anti-Malware.

The Skyhigh Gateway Anti-Malware license includes a license for Avira.

Avira only: Only uses Avira engine — not recommended

When selected, only the Avira engine is active.

Web objects are then scanned using:

Third-party engine functions

Skyhigh Advanced Threat Defense only: Send files to an MATD appliance for deep analysis through sandboxing

When selected, only scanning by Advanced Threat Defense is active.

Stop virus scanning right after an engine detected a virus

When selected, engines stop scanning a web object as soon as one of them has detected an infection by a virus or other malware.

Mobile Code Behavior

Settings for configuring a risk level in classifying mobile code.

The risk level ranges from 60 to 100.

A low value means the risk of not detecting malware when proactively scanning the behavior of mobile code is low, because the scanning methods are applied very strictly. Mobile code is then classified as malware even if only a few criteria of being potentially malicious have been detected.

This can lead to classifying mobile code as malware that is actually not malicious (“false positives”).

While more proactive security is achieved with a stricter setting, accuracy in determining which mobile code is really malicious will suffer. Consequently, the appliance might block web objects that you want to get through to your users.

A high value means the risk in not detecting malicious mobile code is high (more “false negatives”), but more accuracy is achieved in classifying mobile code correctly as malicious or not (fewer “false positives”).

Mobile Code Behavior

Option Definition
Classification threshold

Sets a risk level as described above on a slider scale.

  • Minimum value (maximum proactivity): 60
  • Maximum value (maximum accuracy): 100

Advanced Settings

Advanced settings for all scanning engines.

Advanced Settings

Option Definition
Enable Antivirus prescan

When selected, performance of the sub-modules is improved by reducing the load sent to them for scanning.

This option is by default selected. We recommend that you keep this setting.

Increase Web Gateway performance by making a light-weight pass on:

  • Common web files
  • Common web files and other low-risk files
  • Common web files, other low-risk files, and web content on trustworthy sites

These options are available if the Enable Antivirus prescan option is selected.

You can select one of them to configure the range of file types that light-weight malware scanning should be applied to.

The options are cumulative: the second option includes the first, and the third includes the first and the second. If the first option is selected, the other two options are not effective.

The third option is selected by default.

Files matching the selected option are not passed on to standard anti-malware scanning.

The URL Filter module is used to verify whether the web site that a file is downloaded from is trustworthy.

Virus and malware filtering information is updated at intervals, which can modify the categorization of file types as safe or rarely exploited, or of web sites as trustworthy.

Provide GTI web and file reputation queries to Skyhigh Gateway Anti-Malware

When selected, information on the reputation of files retrieved from the Global Threat Intelligence (GTI) system is included in the scanning result.

Online GTI web reputation and categorization services need to be enabled for anti-malware filtering.

To ensure this, a rule is provided in the Set URL Filter Internal Settings rule set, which is nested in the Common Rules rule set.

Allow local-only lookups in air-gapped environment

When selected, URL category and file reputation lookups are only performed in the local database if Web Gateway is running in an air-gapped environment.

We recommend that you do not select this option unless there is strong reason for it.

Enable heuristic scanning

When selected, heuristic scanning methods are applied to web objects.

Custom AV scan timeout settings

When selected, a timeout (in seconds) can be set for the scanning process that is applied to web objects.

  • AV scan timeout — Sets the timeout (in seconds) for scanning web objects.

Default: 3600

Advanced Settings for Skyhigh Gateway Anti-Malware

Advanced settings for the Skyhigh Gateway Anti-Malware scanning engine.

Advanced Settings for McAfee Gateway Anti-Malware

Option Definition
Enable detection for potentially unwanted programs

When selected, web objects are scanned for potentially unwanted programs.

Enable mobile code scanning

When selected, mobile code is scanned.

Enable removal of disinfectable content detected in HTML documents by mobile code filter

When selected, the content described here can be removed.

Advanced Settings for Avira

Advanced settings for the Avira scanning engine.

Advanced Settings for Avira

Option Definition
Maximum size of archive member

Limits the size (in MB) of a member in an archive that the Avira engine scans for infections.

If an archive member exceeds this size, it is not scanned and the archive is blocked.

The default size limit is 1024 MB.

Authentication settings

The Authentication settings are the settings for the Authentication module, which handles authentication of users and user groups.

Authentication Method

Settings for selecting an authentication method.

Authentication Method

Option Definition
Authentication method

Provides a list for selecting an authentication method.

You can select one of the following:

  • NTLM
  • NTLM-Agent
  • User Database
  • LDAP

Alternatively, LDAP Digest Authentication can be configured. You can also configure Secure LDAP (LDAPS), using LDAP version 3.

  • RADIUS
  • Kerberos
  • SSL Client Certificate
  • Authentication Server
  • One-time password
  • SWPS (Skyhigh Client Proxy)

After selecting a method, settings that are specific to it appear below the common settings.

Authentication Test

Settings for testing whether a user with given credentials would be authenticated.

Authentication Test

Option Definition
User

Specifies the user name that is tested.

Password

Specifies the tested password.

Authenticate User

Executes the test.

Test result

Displays the outcome of the test.

Common Authentication Parameters

Settings common to all authentication methods.

There is also an advanced setting that is common to all authentication methods. It is described at the end of this main section after the last of the subsections for the specific authentication parameters.

Common Authentication Parameters

Option Definition
Proxy Realm

Specifies the location of the proxy that receives requests from users who are asked to authenticate.

Authentication attempt timeout

Limits the time (in seconds) that an authentication attempt can take to the specified value. If the attempt has not completed successfully within this time, the authentication process finishes.
Use authentication cache

When selected, authentication information is stored in a cache.

Authentication is then based on this stored information, rather than on information retrieved from an authentication server or the internal user database.

Authentication cache TTL

Limits the time (in minutes) that authentication information is stored in the cache to the specified value.

NTLM-Specific Parameters

Settings for the NTLM authentication method.

NTLM-Specific Parameters

Option Definition
Send domain and machine name to the client

When selected, the names of the appliance and its domain are sent to the client that a user who is to be authenticated sent a request from.

An appliance can be joined to more than one domain, so different domain names can be used when connecting to a client, which can lead to problems with user authentication.

Sending a particular domain name to the client might result in an authentication failure because a particular user name is unknown in this domain.

Web browsers usually do not require domain name information, but some third-party applications that Web Gateway works with might require it.

So we recommend proceeding as follows:

  • If an appliance has been joined to only one domain: Select this option.
  • If an appliance has been joined to more than one domain: Leave this option deselected.

There are, however, applications that require this option to be selected anyway. Otherwise they will close the connection to Web Gateway.

This applies, for example, to some .NET based applications and to some popular open-source products, such as the Cntlm proxy.

Default NTLM domain

Specifies the name of the default Windows domain used for looking up authentication information.

This is one of the domains you have configured on the Appliances tab of the Configuration top-level menu.

Get global groups

When selected, information about global user groups is searched for on the Windows domain server.

Get local groups

When selected, information about local user groups is searched for on the Windows domain server.

Prefix group name with domain name (domain\group)

When selected, the name of the Windows domain appears before the name of the user group when authentication information about this group is sent from the domain server.

Enable basic authentication

When selected, the basic NTLM authentication method is applied to authenticate users.

Information that a user submits for authentication is then sent in plain-text format (less secure) to the Windows domain server.

Enable integrated authentication

When selected, the integrated NTLM authentication method is applied to authenticate users.

Information that a user submits for authentication is then encrypted before it is sent to the Windows domain server.

Enable NTLM cache

When selected, NTLM authentication information is stored in this cache.

Authentication is then based on this stored information, rather than on information retrieved from the Windows domain server.

NTLM cache TTL

Limits the time (in seconds) that authentication information is stored in this cache to the specified value.

International text support

Specifies a set of characters used by default for a request sent from a client, for example, ISO-8859-1.

NTLM-Agent-Specific Parameters

Settings for the NTLM Agent authentication method.

NTLM-Agent-Specific Parameters

Option Definition
Use secure agent connection

When selected, the connection used for communicating with the NTLM Agent is SSL-secured.

Authentication connection timeout in seconds

Limits the time (in seconds) that the connection to the NTLM Agent can remain without activity before it is closed to the specified value.

Agent Definition

Provides a list for entering the agents that are involved in performing NTLM authentication.

Default NTLM domain

Specifies the name of the default Windows domain used for looking up authentication information.

This is one of the domains you have configured on the Appliances tab of the Configuration top-level menu.

Get global groups

When selected, information about global user groups is searched for on the Windows domain server.

Get local groups

When selected, information about local user groups is searched for on the Windows domain server.

Prefix group name with domain name (domain\group)

When selected, the name of the Windows domain appears before the name of the user group when authentication information about this group is sent from the domain server.

Enable basic authentication

When selected, the basic NTLM authentication method is applied to authenticate users.

Information that a user submits for authentication is then sent in plain-text format (less secure) to the Windows domain server.

Enable integrated authentication

When selected, the integrated NTLM authentication method is applied to authenticate users.

Information that a user submits for authentication is then encrypted before it is sent to the Windows domain server.

Enable NTLM cache

When selected, NTLM authentication information is stored in this cache.

Authentication is then based on this stored information, rather than on information retrieved from the Windows domain server.

NTLM cache TTL

Limits the time (in seconds) that authentication information is stored in this cache to the specified value.

International text support

Specifies a set of characters used by default for a request sent from a client, for example, ISO-8859-1.

User Database Specific Parameters

Settings for the User Database authentication method.

User Database Specific Parameters

Option Definition
Send domain and machine name to the client

When selected, the names of the appliance and the domain it has been assigned to are sent to the client that a user who is to be authenticated sent a request from.

Enable basic authentication

When selected, the basic NTLM authentication method is applied to authenticate users.

Information that a user submits for authentication is then sent in plain-text format (less secure) to the Windows domain server.

Enable integrated authentication

When selected, the integrated NTLM authentication method is applied to authenticate users.

Information that a user submits for authentication is then encrypted before it is sent to the Windows domain server.

Enable NTLM cache

When selected, NTLM authentication information is stored in this cache.

Authentication is then based on this stored information, rather than on information retrieved from the Windows domain server.

NTLM cache TTL

Limits the time (in seconds) that authentication information is stored in this cache to the specified value.

International text support

Specifies a set of characters used by default for a request sent from a client, for example, ISO-8859-1.

LDAP-Specific Parameters

Settings for the LDAP authentication method.

LDAP-Specific Parameters

Option Definition
LDAP server(s) to connect to

Provides a list for entering the LDAP servers that authentication information is retrieved from.

List of certificate authorities

Provides a list for entering the certificate authorities that issue certificates when a Secure LDAP (S-LDAP) connection is used for communication with an LDAP server.

Credentials

Specifies the user name of an appliance for logging on to an LDAP server.

Password

Sets the password for a user name.

The Set button opens a window for configuring a new password.

International text support

Specifies a set of characters used by default for a request sent from a client, for example, ISO-8859-1.

Enable LDAP version 3

When selected, version 3 of the LDAP protocol is used.

If you want to configure Secure LDAP authentication, also known as LDAPS, it is this LDAP version that you must use.

This version is by default selected.

Allow LDAP library to follow referrals

When selected, the lookup of user information can be redirected from the LDAP server to other servers.

Connection live check

Limits the time (in minutes) that elapses between checks to see whether the connection to the LDAP server is still active to the specified value.

LDAP operation timeout

Limits the time (in seconds) that elapses before the connection to the LDAP server is closed if no communication occurs to the specified value.

Base distinguished name to user objects

Specifies the Distinguished Name (DN) in the directory on an LDAP server where the lookup of user attributes should begin.

Map user name to DN

When selected, the name of the user who asks for authentication must map to a DN (Distinguished Name).

This name identifies the user in the directory on the LDAP server.

Filter expression to locate a user object

Specifies a filtering term for restricting the lookup of user attributes.

To substitute the user name in the filtering term, u% is used as a variable.

Get user attributes

When selected, user attributes are looked up on the LDAP server to authenticate a user.

User attributes to retrieve

Provides a list for entering the user attributes that should be retrieved from an LDAP server.

Attributes concatenation string

Specifies a string for separating user attributes found by a lookup, for example, / (slash).

Get groups attributes

When selected, user group attributes are also looked up on the LDAP server to authenticate a user.

Base distinguished name to group objects

Specifies the Distinguished name (DN) in the directory on the LDAP server where the lookup of group attributes should begin.

Filter expression to locate a group object

Specifies a filtering term for restricting the lookup of group attributes.

To substitute the user name in the filtering term, u% is used as a variable.

Group attributes to retrieve

Provides a list for entering the group attributes that should be retrieved from an LDAP server.

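
The user and group filter expressions above take the user name through the u% variable. The following added example (not Web Gateway code; the function names, the sample filter expressions and the escaping helper are assumptions of this example) shows why the substituted value has to be escaped as RFC 4515 requires before it goes into the filter, by placing a naive substitution next to the escaped one and counting the (...) groups of the resulting filter.

```python
"""Substituting a user name into an LDAP filter expression that uses the u%
placeholder, with and without RFC 4515 escaping. Added example, not
Web Gateway code: function names and sample filters are assumptions."""

PLACEHOLDER = "u%"  # the variable named in the filter expression options above

# RFC 4515 section 3: these characters must be escaped inside an assertion value
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape a string for use as an LDAP filter assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def naive_user_filter(filter_expression, username):
    """What goes wrong without escaping: the user name is spliced in verbatim."""
    return filter_expression.replace(PLACEHOLDER, username)


def build_user_filter(filter_expression, username):
    """Escape the user name, then substitute it for every u% placeholder."""
    if PLACEHOLDER not in filter_expression:
        raise ValueError("filter expression contains no u% placeholder")
    return filter_expression.replace(PLACEHOLDER, escape_filter_value(username))


def filter_group_count(filter_expression):
    """Number of (...) groups in a filter. A properly escaped value never adds one."""
    depth = 0
    groups = 0
    for ch in filter_expression:
        if ch == "(":
            depth += 1
            groups += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced filter")
    if depth != 0:
        raise ValueError("unbalanced filter")
    return groups


if __name__ == "__main__":
    # constructed sample expression in the style of the option above
    expr = "(&(objectClass=user)(sAMAccountName=u%))"
    for name in ("alice", "*)(objectClass=*"):
        print("naive  :", naive_user_filter(expr, name))
        print("escaped:", build_user_filter(expr, name))
```

With the name alice both forms produce the same filter; with a name that contains filter metacharacters the naive form gains an extra group and changes what the directory search matches, while the escaped form keeps the three groups of the original expression.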
Digest Authentication

Settings for LDAP digest authentication.

Digest Authentication

Option Definition
Enable digest authentication

When selected, digest authentication is performed as the method for authenticating users under LDAP.

Digest algorithm

Lets you select an algorithm for calculating hash values for passwords. When user credentials are submitted from a browser to the proxy on Web Gateway, the password is not sent in clear text but as a hash value calculated with this algorithm.

You can select one of the following:

  • MD5 (default)
  • SHA-256
User attribute with password hash

Specifies the attribute of a user entry on the LDAP server that stores the value for the authentication hash.

Nonce maximal use count

Sets a limit to repeated uses of the nonce (number only once) that is transmitted in the authentication process and required as a parameter for calculating the authentication hash.

The maximum number of times that a nonce can be used by default is 100.

Nonce maximal TTL

Sets a limit to the time period (in minutes) that a nonce remains valid.

The maximum time that a nonce can remain valid by default is 30 minutes.

Enable digest URI check

When selected, a check is performed to ensure that the URL that a client sends as a parameter for calculating the authentication hash is the same as the URL that this client sends in its request for accessing a particular destination in the web.

If this check fails, the request is blocked.

As this check might also fail due to problems with the different formats that the browsers on the clients use for sending URLs, it is optional.

The check is enabled by default.

Allow digest authentication only

When selected, digest authentication must always be performed if a user is to be authenticated under the LDAP authentication method.

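
The following added example (not Web Gateway code; the DigestVerifier class, the in-memory nonce table and the demo scenario are assumptions of this example) shows the server side of the controls in the Digest Authentication table: the hash algorithm is selectable between MD5 and SHA-256, the stored value is the password hash rather than the password, each nonce carries a maximum use count and a TTL, and the digest URI check compares the URI the client signed with the URI it actually requested.

```python
"""Server-side verification of HTTP Digest credentials with a selectable
algorithm, nonce use-count and TTL limits, and the optional digest URI check.
Added example, not Web Gateway code; names and the nonce table are assumptions."""
import hashlib
import hmac
import secrets
import time

ALGORITHMS = {"MD5": hashlib.md5, "SHA-256": hashlib.sha256}


def _h(algorithm, text):
    return ALGORITHMS[algorithm](text.encode("utf-8")).hexdigest()


def password_hash(algorithm, username, realm, password):
    # HA1 = H(username:realm:password): the value a directory keeps in the
    # "user attribute with password hash" instead of the clear-text password.
    return _h(algorithm, f"{username}:{realm}:{password}")


def digest_response(algorithm, ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    # response = H(HA1:nonce:nc:cnonce:qop:HA2) with HA2 = H(method:uri) for qop=auth
    ha2 = _h(algorithm, f"{method}:{uri}")
    return _h(algorithm, f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestVerifier:
    def __init__(self, algorithm="MD5", nonce_max_uses=100, nonce_ttl_minutes=30,
                 uri_check=True, clock=time.time):
        if algorithm not in ALGORITHMS:
            raise ValueError(f"unsupported digest algorithm: {algorithm}")
        self.algorithm = algorithm
        self.nonce_max_uses = nonce_max_uses
        self.nonce_ttl = nonce_ttl_minutes * 60
        self.uri_check = uri_check
        self.clock = clock
        self._nonces = {}  # nonce -> [issued_at, times_presented]

    def issue_nonce(self):
        nonce = secrets.token_hex(16)
        self._nonces[nonce] = [self.clock(), 0]
        return nonce

    def verify(self, stored_ha1, method, request_uri, auth):
        """auth holds the fields of the client's Authorization header.
        Returns (accepted, reason)."""
        entry = self._nonces.get(auth.get("nonce"))
        if entry is None:
            return False, "unknown nonce"
        issued_at, used = entry
        if self.clock() - issued_at > self.nonce_ttl:
            del self._nonces[auth["nonce"]]
            return False, "nonce expired"
        if used >= self.nonce_max_uses:
            del self._nonces[auth["nonce"]]
            return False, "nonce use count exceeded"
        entry[1] += 1  # every presentation counts, successful or not
        if self.uri_check and auth.get("uri") != request_uri:
            return False, "digest uri does not match request uri"
        expected = digest_response(self.algorithm, stored_ha1, method, auth.get("uri", ""),
                                   auth["nonce"], auth.get("nc", ""), auth.get("cnonce", ""),
                                   auth.get("qop", "auth"))
        if not hmac.compare_digest(expected, auth.get("response", "")):
            return False, "response hash mismatch"
        return True, "ok"


def demo(algorithm="SHA-256"):
    """Walks through the controls with a controllable clock; returns the reasons."""
    now = [1_000_000.0]
    v = DigestVerifier(algorithm, nonce_max_uses=2, nonce_ttl_minutes=30,
                       clock=lambda: now[0])
    ha1 = password_hash(algorithm, "alice", "proxy", "correct horse")  # constructed
    nonce = v.issue_nonce()

    def attempt(uri_in_header, requested_uri):
        auth = {"nonce": nonce, "nc": "00000001", "cnonce": "abc", "qop": "auth",
                "uri": uri_in_header,
                "response": digest_response(algorithm, ha1, "GET", uri_in_header,
                                            nonce, "00000001", "abc")}
        return v.verify(ha1, "GET", requested_uri, auth)[1]

    results = [attempt("/index.html", "/index.html")]      # accepted
    results.append(attempt("/index.html", "/admin"))        # digest URI check fails
    results.append(attempt("/index.html", "/index.html"))   # third use of a 2-use nonce
    nonce = v.issue_nonce()
    now[0] += 31 * 60                                       # past the 30-minute TTL
    results.append(attempt("/index.html", "/index.html"))
    return results
```

The use counter is incremented on every presentation of a nonce, not only on successful ones, so repeated guesses against one nonce also exhaust it; the URI check and TTL run before the hash comparison so an expired or replayed nonce is rejected without revealing whether the response would have matched.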
Novell eDirectory Specific Parameters

Settings for the Novell eDirectory authentication method.

Novell eDirectory Specific Parameters

Option Definition
LDAP server(s) to connect to

Provides a list for entering the eDirectory servers that take the role of LDAP servers in providing authentication information.

List of certificate authorities

Provides a list for entering the certificate authorities that issue certificates when a Secure LDAP (S-LDAP) connection is used for communication with an LDAP server.

Credentials

Specifies the user name of an appliance for logging on to an LDAP server.

Password

Sets a password for a user name.

The Set button opens a window for configuring a new password.

International text support

Specifies a set of characters used by default for a request sent from a client, for example, ISO-8859-1.

Enable LDAP version 3

When selected, version 3 of the LDAP protocol is used.

Allow LDAP library to follow referrals

When selected, the lookup of user information can be redirected from an LDAP server to other servers.

Connection live check

Limits the time (in minutes) that elapses between checks to see whether the connection to an LDAP server is still active to the specified value.

LDAP operation timeout

Limits the time (in seconds) that elapses before the connection to an LDAP server is closed if no communication occurs to the specified value.

eDirectory network address attribute

Specifies the name of the attribute that provides the network addresses used for an eDirectory server.

eDirectory network login time attribute

Specifies the name of the attribute that provides the logon time used on an eDirectory server.

eDirectory network minimal update interval

Specifies the time that elapses (in seconds) before information from an eDirectory server is updated.

Base distinguished name to user objects

Specifies the Distinguished name (DN) in the directory on an LDAP server where the lookup of user attributes should begin.

Map user name to DN

When selected, the name of the user who asks for authentication must map to a DN (Distinguished Name). This name identifies the user in the directory on the LDAP server.

Filter expression to locate a user object

Specifies a filtering term for restricting the lookup of user attributes.

To substitute the user name in the filtering term, u% is used as a variable.

Get user attributes

When selected, user attributes are looked up on the LDAP server to authenticate a user.

User attributes to retrieve

Provides a list for entering the user attributes that should be retrieved from an LDAP server.

Attributes concatenation string

Specifies a string for separating user attributes found by a lookup, for example, / (slash).

Get groups attributes

When selected, user group attributes are also looked up on the LDAP server to authenticate a user.

Base distinguished name to group objects

Specifies the Distinguished name (DN) in the directory on an LDAP server where the lookup of group attributes should begin.

Filter expression to locate a group object

Specifies a filtering term for restricting the lookup of group attributes.

To substitute the user name in the filtering term, u% is used as a variable.

Group attributes to retrieve

Provides a list of group attributes that should be retrieved from an LDAP server.

RADIUS-Specific Parameters

Settings for the RADIUS authentication method.

RADIUS-Specific Parameters

Option Definition
RADIUS server definition

Provides a list for entering the RADIUS servers that authentication information is retrieved from.

Default domain name

Specifies the name of the domain that information is retrieved from if no other domain is specified.

Shared secret

Sets the password used by an appliance to get access to a RADIUS server.

Radius connection timeout in seconds

Limits the time (in seconds) that elapses before the connection to the RADIUS server is closed if no traffic occurs to the specified value.

International text support

Specifies the set of characters used by default for a request sent from a client, for example, ISO-8859-1.

Value of attribute with code

Sets the code value for the attribute retrieved with the user group information, according to RFC 2865.

For example, 25 is the code for the “class” attribute.

Vendor specific attribute with vendor ID

Sets the Vendor ID that is required for retrieving vendor-related data in the search for user group information.

According to RFC 2865, the vendor ID is a part of the vendor attribute, followed by several subattributes. Its code value is 26.

Vendor subattribute type

Sets a code value for the type of subattributes included in a vendor attribute, according to RFC 2865.

Since not all vendors adhere to this structure, we recommend specifying 0 as value here. This allows the authentication module to retrieve all available vendor information.
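
The three options above select group information out of the attribute section of a RADIUS reply. The following added example (not Web Gateway code; the function names, the vendor ID 4711 and the sample reply bytes are constructed for this example) parses that section according to the RFC 2865 Type/Length/Value layout, reads a plain attribute by its code (25 = Class), reads a Vendor-Specific attribute (code 26) only when its Vendor-Id matches, and treats a subattribute type of 0 as "all subattributes", as recommended above.

```python
"""Parsing RADIUS reply attributes (RFC 2865) to collect user group information
by attribute code, vendor ID and vendor subattribute type. Added example, not
Web Gateway code; the names and the sample bytes are constructed."""
import struct

CLASS = 25             # RFC 2865 section 5.25
VENDOR_SPECIFIC = 26   # RFC 2865 section 5.26


def parse_attributes(data):
    """Return [(type, value), ...] from a Type/Length/Value attribute sequence.
    Length covers the two header bytes, so a valid attribute is at least 2 bytes."""
    attrs = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError(f"bad length {alen} for attribute type {atype}")
        attrs.append((atype, bytes(data[pos + 2:pos + alen])))
        pos += alen
    return attrs


def parse_vendor_specific(value):
    """Split a Vendor-Specific value into (vendor_id, [(vendor_type, value), ...]).
    The 4-byte Vendor-Id has a zero high octet; the remainder is a sequence of
    vendor type / vendor length / value triples with the same TLV layout."""
    if len(value) < 4 or value[0] != 0:
        raise ValueError("malformed Vendor-Id")
    vendor_id = struct.unpack("!I", value[:4])[0]
    return vendor_id, parse_attributes(value[4:])


def group_information(attributes, attribute_code=CLASS, vendor_id=None, vendor_subtype=0):
    """Collect the raw group values the three RADIUS options describe:
    attribute_code selects a plain attribute (25 = Class by default), vendor_id
    selects a Vendor-Specific attribute, vendor_subtype 0 keeps every subattribute."""
    values = []
    for atype, value in attributes:
        if atype == VENDOR_SPECIFIC:
            if vendor_id is None:
                continue
            vid, subs = parse_vendor_specific(value)
            if vid == vendor_id:
                values.extend(v for t, v in subs if vendor_subtype == 0 or t == vendor_subtype)
        elif atype == attribute_code:
            values.append(value)
    return values


# --- constructed sample reply, built with the same TLV rules -----------------
def _attribute(atype, value):
    return bytes([atype, len(value) + 2]) + value


def _vendor_specific(vendor_id, subattributes):
    body = struct.pack("!I", vendor_id) + b"".join(_attribute(t, v) for t, v in subattributes)
    return _attribute(VENDOR_SPECIFIC, body)


SAMPLE_VENDOR_ID = 4711  # constructed; not a registered enterprise number
SAMPLE_REPLY = (
    _attribute(CLASS, b"CN=staff")
    + _attribute(18, b"welcome")          # Reply-Message, unrelated to groups
    + _vendor_specific(SAMPLE_VENDOR_ID, [(1, b"group-a"), (2, b"group-b")])
    + _vendor_specific(9999, [(1, b"other-vendor")])   # different vendor, ignored
)

if __name__ == "__main__":
    attrs = parse_attributes(SAMPLE_REPLY)
    print(group_information(attrs))
    print(group_information(attrs, vendor_id=SAMPLE_VENDOR_ID))
    print(group_information(attrs, vendor_id=SAMPLE_VENDOR_ID, vendor_subtype=2))
```

The parser rejects a length below 2 or one that runs past the end of the data, so a truncated or malformed attribute raises instead of being read as group membership; a Vendor-Specific attribute from any other vendor ID is skipped entirely.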

Kerberos Specific Parameters

Settings for the Kerberos authentication method.

More settings for this authentication method can be configured using the Kerberos Administration system settings, which can be accessed under the Configuration top-level menu.

Kerberos Specific Parameters

Option Definition
Extract group membership IDs from the ticket

When selected, information to identify the groups that a user is a member of is retrieved from the ticket that is used in the process of authenticating users under the Kerberos authentication method.

When this option is selected, the following option becomes accessible.

Look up group names via NTLM

When selected, the names of the groups that a user is a member of are retrieved using the NTLM authentication method.

Authentication Server Specific Parameters

Settings for the Authentication Server method.

Authentication Server Specific Parameters

Option Definition
Authentication server URL

Specifies the URL of a server that is used under this method to look up authentication information.

Require client ID

When selected, the authentication server requires the ID of the client that a user sent a request from.

Store authentication result in a cookie

When selected, the information retrieved from the authentication server is stored in a cookie.

If cookie authentication is implemented, the cookie is added to the next request sent by the respective user, so that this user need not authenticate again.

Allow persistent cookie for the server

When selected, a cookie can be used persistently for sending multiple requests to the authentication server.

Cookie TTL for the authentication server in seconds

Limits the time (in seconds) that a cookie sent with a request to the server is stored to the specified value.

Cookie prefix

Specifies a prefix that is added on the appliance to a cookie, for example, MWG_Auth.

One-Time Password Specific Parameters

Settings for the One-time Password authentication method.

One-Time Password Specific Parameters

Option Definition
OTP server

Specifies the IP address and port number of the OTP server that Web Gateway connects to when authenticating a user under the One-time Password authentication method.

Communicate with SSL and trust certificate below

When selected, communication with the OTP server is performed using an SSL-secured connection.

When this option is selected, the information in the following four fields is no longer grayed out and the Import button below these fields becomes accessible.

The fields provide detailed information about the certificate that is currently used in SSL-secured communication with the OTP server.

  • Subject — Provides general information about the certificate.
    • Common Name (CN) — Specifies the common name of the certificate. By default, this name is localhost.
    • Organization (O) — Specifies the organization of the certificate. By default, the organization is OTP Server.
    • Organizational Unit (OU) — Specifies the organizational unit of the certificate. By default, the organizational unit is not set.
  • Issuer — Provides information about the issuer of the certificate.
    • Common Name (CN) — Specifies the common name of the issuer. By default, this name is localhost.
    • Organization (O) — Specifies the organization of the issuer. By default, the organization is OTP Server.
    • Organizational Unit (OU) — Specifies the organizational unit of the server certificate. By default, the organizational unit is not set.
  • Validity — Limits the time the certificate is valid.
    • Not before — Shows the date and time when the validity of the certificate begins.
    • Not after — Shows the date and time when the validity of the server certificate ends.
  • Extensions — Provides additional information about the certificate.
    • Comment — Provides a plain-text comment on the certificate. By default no comment is provided.
  • Import — Opens a window for importing a certificate.
WS client name Specifies the user name for Web Gateway in communication with the OTP server.
WS client password Specifies the password for Web Gateway in communication with the OTP server.
OTP message

Specifies the prefix for messages that are sent from the OTP server to Web Gateway and the delimiters that enclose a message.

By default a message looks like this:

OTP for SWG: $$$$

Skyhigh Client Proxy

Settings for the SWPS (McAfee Client Proxy) authentication method.

Skyhigh Client Proxy

Option Definition
Customer ID Provides an identifier for a customer.
Shared password

Provides a password for a customer.

Clicking Set opens a window that allows you to set the password.

Keep domain in group name

When selected, domain information contained in the name of a user group is kept.

This option is selected by default.

Remove custom headers used for authentication

When selected, headers contained in the information that is submitted for authentication are removed.

This option is selected by default.

Verify token timestamp

When selected, the timestamp of a token that is submitted to achieve authentication is checked on Web Gateway.

If the timestamp differs from the current system time on Web Gateway by more than the configured clock skew, authentication fails. Access is then blocked for the client that submitted the token.

This option is selected by default.

Maximum clock skew tolerance

Sets the maximum time (in seconds) that the timestamp of a token and the system time on Web Gateway may differ before authentication fails.

For example, if the skew value is 300 seconds and the current system time is 9:00 a.m., a token timestamp of 8:54 a.m. or 9:06 a.m. already causes authentication to fail.

Default: 300 seconds

We recommend checking the NTP settings for date and time on Web Gateway and its clients if authentication failures occur and synchronizing manually if needed.

Export MCP credentials to XML file

Lets you export the credentials that are submitted when applying the SWPS (Skyhigh Client Proxy) authentication method.

Advanced Parameters

Setting for configuring advanced authentication.

This setting is the same for all authentication methods. Its description is therefore also provided at the beginning of this description of the authentication settings, after the description of the common settings.

Advanced Parameters

Option Definition
Always evaluate property value

When selected, a new evaluation to assign a value to a property is performed each time a rule containing this property is processed.

If a value has been stored for a property in the cache, it is not used.

While using cache values is recommended to improve performance, there can be situations where the new evaluation of a property is required.

In these situations, the same property is used more than once within the authentication rules and with the same settings of the Authentication module. A new evaluation ensures the most current value is assigned to the property each time.

Authorized Override settings

The Authorized Override settings are used for configuring the module that handles authorized overriding.

Hours and Minutes of Maximum Session Time

Settings for configuring the maximum time length of a session with authorized overriding.

Hours and Minutes of Maximum Session Time

Option Definition
Days Sets the days of an Authorized Override session.
Hours Sets the hours of an Authorized Override session.
Minutes Sets the minutes of an Authorized Override session.
Azure Directory settings

The Azure Directory settings are the settings for the Azure Directory module, which handles the retrieval of user group lists from an Azure Active Directory (Azure AD).

There is no default instance of the Azure Directory settings.

Application Settings

Settings for the application that is registered at a Microsoft Application Registration Portal to represent Web Gateway in communication with an Azure AD.

Application Settings

Option Definition
Tenant ID Identifies an Azure AD.
App ID Identifies the application.
Password Provides the password that the application submits when attempting to access the Azure AD.
Redirect URI Identifies a location that a request for accessing the Azure AD is redirected to.
Search Parameters

Settings for the parameters used when searching for user group information in an Azure AD.

Search Parameters

Option Definition
Map user name to UPN When selected, the user name is mapped to a User Principal Name (UPN).
Filter expression to locate a user object

Specifies a term that serves as a filter when searching for a user name.

Within this term use {user} to substitute the user name, for example:

mailnickname eq '{user}'

UPN attribute

Specifies the UPN attribute that is searched for.

Default: id

Group attribute

Specifies the group attribute that is searched for.

Default: memberOf

Group name

Specifies the name of the group that is searched for.

Default: displayName

Filter user groups

When selected, user groups in an Azure directory are filtered based on a keyword when a search is conducted.

The search can also use more than one keyword.

The keywords are entered in the Group keywords list.

Use cache When selected, user group information that is searched for is stored and retrieved from a cache.
Cache entry TTL Limits the time (in minutes) that an entry remains in the cache. Default: 30 minutes

Group keywords list - List entry

Option Definition
String Specifies a keyword that appears in the name of a user group.
Comment Provides a plain-text comment on a group name keyword.
Network Setup

Settings for the network setup that is configured to enable the retrieval of user group lists from an Azure AD.

Network Setup

Option Definition
Use system proxy list to connect to MS Graph API When selected, the proxies that have been configured for Web Gateway on an appliance system and entered in a list are used when setting up a connection for retrieving user group information from an Azure AD.
TCP timeout

Limits the time (in seconds) that a TCP connection is kept open if no traffic occurs in the process of retrieving user group information.

Default: 5 seconds

Search operation timeout

Limits the time (in seconds) that elapses before a search operation performed to retrieve user group information is terminated.

Default: 10 seconds

Retry interval if token request fails

Specifies the time that must elapse after a failed token request before a new request is performed in the process of retrieving user group information.

Default: 15 seconds

List of certificate authorities

Provides a list of certificate authorities that are used for securing the communication performed to retrieve user group information under HTTPS.

Clicking Add or Edit opens windows for adding or editing the list.

Revocation checking method order

Allows you to choose the order in which to use the OCSP and CRL methods for checking whether a certificate has been revoked.

  • OCSP, CRL
  • CRL, OCSP
Treat OCSP response 'unknown' as revoked When selected, a certificate is considered as revoked if the response to an OCSP query is that its revocation status is unknown.
Cache settings

The Cache settings are module (engine) settings for configuring the behavior of the web cache on Web Gateway.

The following particular settings are provided for the Cache module after the initial setup.

  • Cache HTTP — Default settings
Cloud Access Log Data Residency settings

The Cloud Access Log Data Residency settings are used for configuring geographic regions where web access data is stored when the Hybrid solution is enabled.

Data Residency Settings

You can create and name multiple instances of this setting and reuse them in policy rules.

Data Residency Settings

Option Definition
Store in

Specifies the country or region where the cloud access log data is stored.

  • North America
  • Europe
  • United Kingdom
  • Singapore
  • United Arab Emirates
  • Canada
Cloud Storage Encryption settings

The Cloud Storage Encryption settings are used for configuring the encryption and decryption of cloud storage data.

Encryption Parameters

Settings for encrypting and decrypting cloud storage data.

Encryption Parameters

Option Definition
Cipher

Provides a list for selecting an algorithm to encrypt and decrypt cloud storage data.

The following algorithms can be selected:

  • AES 128
  • AES 192
  • AES 256
Coaching settings

The Coaching settings are used for configuring the module that handles coaching.

Hours and Minutes of Session Time

Settings for configuring the length of a coaching session.

Hours and Minutes of Session Time

Option Definition
Days Sets the days of a coaching session.
Hours Sets the hours of a coaching session.
Minutes Sets the minutes of a coaching session.
Composite Opener settings

The Composite Opener settings are module (engine) settings for configuring the Composite Opener, which extracts data from archives and similar files on Web Gateway.

Instances of the Composite Opener settings include:

  • Default settings — Default settings
Default settings - Composite Opener

Default settings are available for the Composite Opener after the initial setup of Web Gateway. They are called Default.

Extraction Process Handling

Settings for the extraction process that is performed by the Composite Opener.

Extraction Process Handling

Option Definition
Set maximum level of nested objects

When selected, the number of nesting levels that the Composite Opener will handle when extracting objects is limited to the value that is configured here.

When this limit is exceeded, no file opening is performed.

  • Maximum level of nested objects — Value that limits the number of nesting levels.

Default: 100

Set size limit for uncompressed data

When selected, the size of uncompressed data that the Composite Opener will provide when extracting objects is limited to the value that is configured here.

When this limit is exceeded, no file opening is performed and the value of the Error.ID property is set to 10064.

  • Maximum size of extracted data — Value (in MB) that limits the data size.

Default: 4096 MB

Set limit for compression ratio

When selected, the size of the compression ratio that the Composite Opener will handle when extracting objects is limited to the value that is configured here.

When this limit is exceeded, no file opening is performed and the value of the Error.ID property is set to 10065.

  • Maximum compression ratio — Value that limits the compression ratio.

For example, if you set this value to 1000, the maximum compression ratio is 1:1000.

Default: 1000
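
The three Composite Opener limits described above, applied to a ZIP archive as an added example (this is illustrative code, not Web Gateway's own implementation). The size and ratio are taken from the archive's central directory, so the decision is made before anything is inflated; the Error.ID values 10064 and 10065 are the ones documented above, and the sample archives are constructed in the block.

```python
import io
import zipfile
from typing import Optional, Tuple

# Default limits as documented for the Composite Opener.
MAX_NESTING_LEVEL = 100
MAX_UNCOMPRESSED_MB = 4096
MAX_COMPRESSION_RATIO = 1000

# Error.ID values documented for the size and ratio limits.
# (No Error.ID is documented for the nesting-level limit.)
ERROR_ID_SIZE_LIMIT = 10064
ERROR_ID_RATIO_LIMIT = 10065


def build_zip(payload: bytes, member_name: str = "member.bin") -> bytes:
    """Build an in-memory ZIP archive with one deflated member (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def check_archive(data: bytes,
                  nesting_level: int = 1,
                  max_nesting: int = MAX_NESTING_LEVEL,
                  max_uncompressed_mb: int = MAX_UNCOMPRESSED_MB,
                  max_ratio: int = MAX_COMPRESSION_RATIO) -> Tuple[bool, Optional[int]]:
    """Decide whether an archive may be opened under the three documented limits.

    Returns (open_allowed, error_id). Sizes are read from the ZIP central
    directory, so a hostile archive is rejected without inflating any member.
    """
    # Nesting limit: this call handles an archive found `nesting_level` levels deep.
    if nesting_level > max_nesting:
        return False, None

    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = zf.infolist()
    uncompressed = sum(m.file_size for m in members)
    compressed = sum(m.compress_size for m in members)

    # Size limit: Error.ID 10064 when the extracted data would exceed the MB value.
    if uncompressed > max_uncompressed_mb * 1024 * 1024:
        return False, ERROR_ID_SIZE_LIMIT

    # Ratio limit: Error.ID 10065 when uncompressed:compressed exceeds max_ratio:1.
    if compressed > 0 and uncompressed / compressed > max_ratio:
        return False, ERROR_ID_RATIO_LIMIT

    return True, None


if __name__ == "__main__":
    # Constructed inputs: an ordinary archive, and one whose member inflates far beyond its size.
    ordinary = build_zip(b"Quarterly report text, nothing unusual here.\n" * 200)
    highly_compressible = build_zip(bytes(2 * 1024 * 1024))  # 2 MiB of zero bytes
    print(check_archive(ordinary))                                    # (True, None)
    print(check_archive(highly_compressible, max_ratio=100))          # (False, 10065)
    print(check_archive(highly_compressible, max_uncompressed_mb=1))  # (False, 10064)
```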

Data Loss Prevention (Classifications) settings

The Data Loss Prevention (Classifications) settings are used for configuring entries in classification lists that specify sensitive or inappropriate content.

DLP Classifications Parameters

Settings for configuring the use of classification lists when searching for sensitive or inappropriate content.

DLP Classifications Parameters

Option Definition
Tracking policy

Sets the scope of the search for sensitive or inappropriate content in the body text of requests and responses.

The search is carried out for all classifications that have been selected. You can, however, configure it in the following ways:

  • Minimum — The search stops when an instance of sensitive or inappropriate content has been found for a particular classification or if no instance could be found. It is then continued for the next classification.

This goes on until all classifications have been processed.

  • Maximum — The search tries to find all instances of sensitive or inappropriate content for a particular classification. When the search is completed for a classification, it continues with the next.

This goes on until all classifications have been processed.

DLP Classifications Provides a list for selecting entries in classification lists from the system lists provided under DLP Classification on the lists tree.

The following table describes an entry in the DLP Classifications list.

DLP Classifications Parameters – List entry

Option Definition
DLP Classification Provides information about detecting sensitive or inappropriate content.
Comment Provides a plain-text comment on an entry.
Advanced Parameters

Settings for configuring advanced functions for data loss prevention.

Advanced Parameters

Option Definition
Reported context width

Limits the number of characters shown around a matching term in a list to the specified value.

The matching term is the value of the DLP.Classification.Matched.Terms property.

Context list size

Limits the number of matching terms shown in a list to the specified value.

The matching terms are the values of the DLP.Classification.Matched.Terms property.

Data Loss Prevention (Dictionaries) settings

The Data Loss Prevention (Dictionaries) settings are used for configuring text and wildcard expressions that specify sensitive or inappropriate content.

DLP Dictionary Parameters

Settings for configuring text and wildcard expressions specifying sensitive or inappropriate content.

DLP Dictionary Parameters

Option Definition
Tracking policy

Sets the scope of the search for sensitive or inappropriate content in the body text of requests and responses.

The search is carried out for all dictionary entries that have been created. It can, however, be configured in the following ways:

  • Minimum — The search stops when an instance of sensitive or inappropriate content has been found for a particular dictionary entry or if no instance could be found. It is then continued for the next entry. This goes on until all entries have been processed.
  • Maximum — The search tries to find all instances of sensitive or inappropriate content for a particular dictionary entry. When the search is completed for an entry, it continues with the next. This goes on until all entries have been processed.
Dictionary Provides a list for entering text strings and wildcard expressions that are sensitive or inappropriate content or match with it.

The following table describes an entry in the Dictionary list.

Dictionary – List entry

Option Definition
Text or wildcard expression Specifies a text string or wildcard expression that is sensitive or inappropriate content or matches with it.
Comment Provides a plain-text comment on a text string or wildcard expression.
Advanced Parameters

Settings for configuring advanced functions for data loss prevention.

Advanced Parameters

Option Definition
Reported context width

Limits the number of characters shown around a matching term in a list to the specified value.

The matching term is the value of the DLP.Dictionary.Matched.Terms property.

Context list size

Limits the number of matching terms shown in a list to the specified value.

The matching terms are the values of the DLP.Dictionary.Matched.Terms property.

Data Trickling settings

The Data Trickling settings are used for configuring the data trickling process that is applied when a user has started the download of a web object.

Data Trickling Parameters

Settings for the portions of a web object that are forwarded in data trickling mode.

Data Trickling Parameters

Option Definition
Size of first chunk Specifies the size (in bytes) of the first chunk of a web object that is forwarded using the data trickling method.
Forwarding rate

Specifies the portion of a web object that is forwarded every five seconds.

The forwarding rate is the thousandth part of the entire volume that is to be forwarded multiplied by the value you configure here.

File System Logging settings

The File System Logging settings are used for configuring the rotation, deletion, and pushing of log files that are maintained by logging rules.

File System Logging Settings

Settings for the log that stores rule-maintained log files.

File System Logging Settings

Option Definition
Name of the log Specifies the name of a log.
Enable log buffering

When selected, the log is buffered.

The buffer interval is 30 seconds.

Enable header writing When selected, the header below is added to all log files.
Log header Specifies a header for all log files.
Encrypt the log file When selected, log files are stored encrypted.
First password, Repeat password Sets a password for access to encrypted log files.
[Optional] Second password, Repeat password Sets a second password for access to encrypted log files.
Settings for Rotation, Deletion, and Pushing

Settings for log file management.

The settings for rotating, deleting, and pushing rule-maintained log files include the same options and are configured in the same way as the corresponding settings for module-maintained log files, which are configured as part of the Log File Manager settings.

Hardware Security Module settings

The Hardware Security Module settings are used to configure the handling of private keys on a Hardware Security Module.

HSM Server

Settings for implementing an HSM solution on the Web Gateway appliance that you are currently configuring.

HSM Server

Option Definition
Start local HSM server

When selected, an HSM solution for storing and loading keys is implemented on this appliance.

Other Web Gateway appliances in your network can connect to this appliance as clients.

The appliance then takes the role of a server towards these clients.

Crypto module

Provides a list for selecting an HSM solution.

  • Entrust nShield Solo/Connect — These solutions let the functions of a Hardware Security Module be provided on a module card (nShield Solo), which is installed on a Web Gateway appliance, or on an additional appliance (nShield Connect).

The module card and the appliance are provided by a Skyhigh partner (Entrust).

  • SafeNet Network HSM (formerly LUNA SA) — This solution lets the functions of a Hardware Security Module be provided on a remote server.

The remote server is provided by a Skyhigh partner (Thales).

  • OpenSSL — This solution is an emulation that runs on the appliance and uses OpenSSL to provide the functions of a Hardware Security Module.
Keys to be loaded

Provides a list of IDs for the private keys that are stored on a Hardware Security Module and can be loaded from there.

For every key that you want to use, you must add the key ID in string format to this list.

The key IDs are configured when private keys are generated on the Hardware Security Module.

Allow local connections When selected, connections are allowed for using the functions of a Hardware Security Module on the appliance that you are currently configuring.
Allow remote connections When selected, connections are allowed for letting other appliances that are configured as clients of this appliance use the functions of a Hardware Security Module.
HSM server port definition list Provides a list of the ports on the appliance that takes the role of a server towards other appliances.
Permitted clients Provides a list of other appliances in your network that run as clients of this appliance.

These tables describe the entries in the key list and the lists of HSM server ports and permitted clients.

Keys to be loaded – List entry

Option Definition
String Specifies the key ID for a private key that is stored on the Hardware Security Module.
Comment Provides a plain-text comment on a key.

HSM server port definition list – List entry

Option Definition
Listener address Specifies the IP address and port number of a port on the appliance that takes the role of a server towards other appliances.
Comment Provides a plain-text comment on a port.

Permitted clients – List entry

Option Definition
Host Specifies the host name or IP address of an appliance that is permitted to run as client of this appliance.
Certificate Provides a certificate that a client submits when connecting to the server.
Comment Provides a plain-text comment on a permitted client.
Server Identification

Settings for the certificate that an appliance submits when taking the role of a server towards other appliances that run as its clients.

A certificate issued by the Skyhigh root CA is provided by default after the initial setup of a Web Gateway appliance. We recommend that you replace this certificate with a certificate of your own.

Server Identification

Option Definition
Subject, Issuer, Validity, Extensions, Private key These fields provide information on the server certificate that is currently in use.
Server certificate

Provides buttons for performing various activities that are related to a server certificate:

  • Generating a certificate
  • Importing a certificate
  • Exporting a certificate
  • Exporting a certificate key
HSM Client

Settings for configuring an appliance as client of an appliance that has an HSM solution implemented.

HSM Client

Option Definition
Use remote HSM server When selected, this appliance runs as a client of another appliance that has an HSM solution implemented.
Remote server Provides a list of appliances in your network that have an HSM solution implemented and that this appliance can connect to.

This table describes an entry in the list of remote servers.

Remote server – List entry

Option Definition
Host Specifies the host name or IP address of an appliance in your network that takes the role of a server towards this appliance.
Certificate Specifies the certificate that an appliance submits when connecting to a client.
Comment Provides a plain-text comment on a remote server.
Client Identification

Settings for the certificate that this appliance submits when connecting as a client to an HSM server.

A certificate issued by the Skyhigh root CA is provided by default for this client after the initial setup of a Web Gateway appliance. We recommend that you replace this certificate with a certificate of your own.

Client Identification

Option Definition
Subject, Issuer, Validity, Extensions, Private key These fields provide information on the client certificate that is currently in use.
Client certificate

Provides buttons for performing various activities that are related to a client certificate:

  • Generating a certificate
  • Importing a certificate
  • Exporting a certificate
  • Exporting a certificate key
Troubleshooting

Settings for troubleshooting the use of a Hardware Security Module.

Troubleshooting

Option Definition
Write connection traces When selected, traffic on the connections set up for using the functions of a Hardware Security Module is traced.
ICAP Client settings

The ICAP Client settings are the settings for the ICAP Client module, which handles communication between an ICAP client on a Web Gateway appliance and ICAP servers.

Instances of the ICAP Client settings

There are no instances of the ICAP Client settings available by default.

After importing suitable rule sets, instances are available as follows:

  • ReqMod — Available after importing the Data Loss Prevention (DLP) with ICAP rule set
  • ReqMod for Cloud — Available after importing the Data Loss Prevention (DLP) with ICAP for Cloud rule set
ICAP Service

Settings for ICAP servers that the ICAP client on an appliance sends requests to.

ICAP Service

Option Definition
List of ICAP Servers

Provides a list for selecting a list of servers that are used in ICAP communication.

Requests coming in from ICAP clients are distributed to the servers on the selected list in round-robin mode.

Add Opens the Add List window to let you add a list of ICAP servers.
Edit Opens the Edit List window to let you edit a list of ICAP servers.
Select deployment type for these settings

Allows you to select the type of deployment for the Web Gateway appliance that you want to run an ICAP client on.

You can select one of the following deployment types:

  • On premise — Web Gateway is deployed on premise.
  • Cloud only — Web Gateway is deployed in the cloud.
  • Hybrid — Web Gateway is deployed as a hybrid solution, which combines on-premise and cloud use.
Exclude below user-defined ICAP request header(s)

Drops authentication headers that are included by default when an ICAP client sends a request to an ICAP server.

Configuring this option is useful because some ICAP servers don't accept lengthy authentication headers in a request and respond with an error message.

This option can be configured for on-premise and cloud use.

You can drop either or both of these headers:

  • X-Authenticated-User — When selected, requests to an ICAP server are forwarded without this header.
  • X-Authenticated-Groups — When selected, requests to an ICAP server are forwarded without this header.

The following table describes an entry for an ICAP server in the list.

List of ICAP servers — List entry

Option Definition
URI

Specifies the URI for an ICAP server using the following format:

icap[s]://<IP address>|<fully qualified domain name>[:<port>][/<ICAP method>]

The list contains the following entry for an ICAP server by default:

icap://0.0.0.0:1344

Respect max concurrent connections limit When selected, the ICAP client on the appliance does not open more connections at the same time for sending requests than the ICAP server can handle.
Comment Provides a plain-text comment on an ICAP server.
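
A parser for the ICAP server URI format shown above, added here as an example (not Web Gateway's own code). It accepts only `icap[s]://<host>[:<port>][/<ICAP method>]`, falls back to port 1344 from the default entry (assumption: the same fallback is used for `icaps`, which the page does not state), and flags the `0.0.0.0` default entry so a list that was never edited does not pass review unnoticed.

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Port taken from the page's default list entry (icap://0.0.0.0:1344).
# Assumption: also applied to icaps:// URIs when no port is given.
DEFAULT_ICAP_PORT = 1344


@dataclass(frozen=True)
class IcapServer:
    secure: bool           # True for icaps://
    host: str              # IP address or fully qualified domain name
    port: int
    method: Optional[str]  # the optional <ICAP method> path segment, e.g. "reqmod"


def parse_icap_uri(uri: str) -> IcapServer:
    """Parse icap[s]://<host>[:<port>][/<ICAP method>]; reject anything outside that format."""
    parts = urlsplit(uri.strip())
    if parts.scheme not in ("icap", "icaps"):
        raise ValueError(f"scheme must be icap or icaps, got {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("missing host")
    # The documented format has no user info, query or fragment: refuse rather than ignore them.
    if parts.username is not None or parts.password is not None or parts.query or parts.fragment:
        raise ValueError("user info, query and fragment are not allowed in an ICAP server URI")
    port = parts.port  # raises ValueError for a non-numeric or out-of-range port
    if port is None:
        port = DEFAULT_ICAP_PORT
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) > 1:
        raise ValueError("at most one path segment (the ICAP method) is allowed")
    method = segments[0] if segments else None
    return IcapServer(secure=(parts.scheme == "icaps"), host=parts.hostname,
                      port=port, method=method)


def is_unconfigured_placeholder(server: IcapServer) -> bool:
    """True for the default entry, whose 0.0.0.0 address points at no real ICAP server."""
    return server.host == "0.0.0.0"


def validate_server_list(uris: List[str]) -> List[str]:
    """Return the problems found in a configured server list: malformed URIs and placeholders."""
    problems = []
    for uri in uris:
        try:
            server = parse_icap_uri(uri)
        except ValueError as exc:
            problems.append(f"{uri}: {exc}")
            continue
        if is_unconfigured_placeholder(server):
            problems.append(f"{uri}: default placeholder entry was never replaced")
    return problems


if __name__ == "__main__":
    # Constructed sample list: the untouched default entry, a wrong scheme, and a valid ICAPS entry.
    sample = ["icap://0.0.0.0:1344", "http://dlp.example.com",
              "icaps://dlp.example.com:11344/reqmod"]
    for problem in validate_server_list(sample):
        print(problem)
```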
Secure ICAP (ICAPS) Certificate Verification

Settings for configuring certificate verification in Secure ICAP communication.

Secure ICAP (ICAPS) Certificate Verification

Option Definition
Enable server certificate verification

When selected, certificate verification is performed in Secure ICAP (ICAPS) communication.

This option can be configured for on-premise and cloud use.

This allows you to implement certificate verification, for example, in the communication between an ICAP client running in the cloud and a DLP server that runs on-premise on a Web Gateway appliance taking the role of an ICAP server.

To perform this verification, the ICAP client checks whether the certificate sent by the DLP server (ICAP server) is included in a list of trusted server certificates.

Server certificate list

Provides a list of trusted server certificates for performing verification in Secure ICAP communication.

There is no list available by default.

Add

Opens the Add List window where you can add a list of server certificates.

The ICAP client does not accept any server certificate whose private key is shorter than 2048 bits.

Edit Opens the Edit List window where you can edit a list of server certificates.
Next Hop Proxy settings

The Next Hop Proxy settings are used for configuring next-hop proxies to forward requests that have been received on the appliance to the web.

Next Hop Proxy Server

Settings for next-hop proxies.

Next Hop Proxy Server

Option Definition
List of next-hop proxy servers Provides a list for selecting a next-hop proxy server list.
Round robin

When selected, the Next Hop Proxy module uses the next-hop proxy following the one in the list that has been used last.

When the end of the list has been reached, the first next-hop proxy in the list is again selected.

Fail over

When selected, the Next Hop Proxy module tries the first next-hop proxy in the list first.

If the first next-hop proxy fails to respond, it is retried until the configured retry maximum has been reached. Then the second next-hop proxy in the list is tried, and so on, until a server responds or all are found to be unavailable.

Sticky When selected, the Next Hop Proxy module uses the same next-hop proxy over a time period that you can also configure.
Minimum time for stickiness

Sets the period of time (in seconds) that the same next-hop proxy is used for forwarding a request.

The default time period is 300 seconds.

Proxy style requests

When selected, requests in proxy style are forwarded to the requested web servers using next-hop proxies.

This option is selected by default.
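
The three selection modes described above (round robin, fail over with a retry maximum, and sticky with a minimum stickiness period) as an added example; this is illustrative code, not the Next Hop Proxy module's own implementation. It assumes one initial attempt plus `retry_max` retries per proxy in fail-over mode, and that a new sticky proxy is the next one in the list once the period has elapsed, since the page states neither detail; the clock is injected so the behaviour is reproducible.

```python
import time
from typing import Callable, List, Optional


class NextHopSelector:
    """Pick a next-hop proxy from a list using one of the documented modes.

    mode: "round_robin", "fail_over" or "sticky".
    retry_max: fail-over retries per proxy before the next one is tried
               (assumption: one initial attempt plus retry_max retries).
    min_sticky_seconds: minimum time the same proxy is kept (page default: 300).
    clock: returns the current time in seconds; injected for deterministic tests.
    """

    def __init__(self, proxies: List[str], mode: str, retry_max: int = 2,
                 min_sticky_seconds: int = 300,
                 clock: Optional[Callable[[], float]] = None):
        if not proxies:
            raise ValueError("next-hop proxy list must not be empty")
        if mode not in ("round_robin", "fail_over", "sticky"):
            raise ValueError(f"unknown mode {mode!r}")
        self.proxies = list(proxies)
        self.mode = mode
        self.retry_max = retry_max
        self.min_sticky_seconds = min_sticky_seconds
        self.clock = clock or time.monotonic
        self._last_index = -1                  # proxy used last (round robin / sticky)
        self._sticky_since: Optional[float] = None

    def _advance(self) -> str:
        """Move to the proxy following the one used last; wrap to the first at the end."""
        self._last_index = (self._last_index + 1) % len(self.proxies)
        return self.proxies[self._last_index]

    def select(self, is_reachable: Callable[[str], bool]) -> Optional[str]:
        """Return the proxy to forward through, or None when fail-over exhausted the list."""
        if self.mode == "round_robin":
            return self._advance()

        if self.mode == "fail_over":
            # Always start with the first proxy; retry it up to retry_max times,
            # then fall through to the next, until one responds or all are down.
            for proxy in self.proxies:
                for _attempt in range(1 + self.retry_max):
                    if is_reachable(proxy):
                        return proxy
            return None

        # Sticky: keep the same proxy until the minimum stickiness period has elapsed.
        now = self.clock()
        expired = (self._sticky_since is None
                   or now - self._sticky_since >= self.min_sticky_seconds)
        if expired:
            # Assumption: the next proxy in the list becomes the new sticky proxy.
            self._advance()
            self._sticky_since = now
        return self.proxies[self._last_index]


if __name__ == "__main__":
    # Constructed proxy names; proxy-a is down, proxy-b answers.
    proxies = ["proxy-a.example.net:8080", "proxy-b.example.net:8080", "proxy-c.example.net:8080"]
    attempts: List[str] = []

    def probe(proxy: str) -> bool:
        attempts.append(proxy)
        return proxy.startswith("proxy-b")

    selector = NextHopSelector(proxies, "fail_over", retry_max=2)
    print(selector.select(probe), attempts)  # proxy-b after three failed attempts on proxy-a
```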

Progress Page settings

The Progress Page settings are used for configuring the progress page that is shown to users when they are downloading web objects.

Progress Page Parameters

Settings for the progress page.

Progress Page Parameters

Option Definition
Templates Provides settings for the templates that are used by the progress page.
Timeouts Provides settings for the timeouts that are related to the progress page.
Templates

Settings for the templates used by the progress page.

Templates

Option Definition
Language

Provides settings for selecting the language of the progress page.

  • Auto (Browser) — When selected, the message is in the language of the browser that the blocked request was sent from.
  • Force to — When selected, the message is in the language chosen from the list that is provided here.
  • Value of ‘Message.Language’ property — When selected, the message is in the language that is the value of the Message.Language property. This property can be used for creating a rule.
Collection

Provides a list for selecting a template collection.

  • Add — Opens the Add Template Collection window for adding a template collection.
  • Edit — Opens the Template Editor for editing a template collection.
Template name for progress bar page

Provides a list for selecting a template.

  • Add — Opens the Add Template window for adding a template.
  • Edit — Opens the Template Editor for editing a template.
Template name for download finished page

Provides a list for selecting a template.

  • Add — Opens the Add Template window for adding a template.
  • Edit — Opens the Template Editor for editing a template.
Template name for download canceled page

Provides a list for selecting a template.

  • Add — Opens the Add Template window for adding a template.
  • Edit — Opens the Template Editor for editing a template.
Timeouts

Settings for the timeouts that are related to the progress page.

Timeouts

Option Definition
Delay for redirects to progress page Limits the time (in seconds) that elapses before the progress page appears to the specified value.
File availability time before download Limits the time (in minutes) that elapses before a file is no longer available to a user before the download to the specified value.
File availability time after download Limits the time (in minutes) that elapses before a file is no longer available to a user after the download to the specified value.
SSL Client Context with CA settings

The SSL Client Context with CA settings are used to configure the sending of certificates with information about the certificate authority to the clients of a Web Gateway appliance.

Define SSL Client Context (Certificate Authority)

Settings for sending a certificate to the clients with information about the certificate authority.

Define SSL Client Context (Certificate Authority)

Option Definition
(Current certificate and default root certificate authority)

Under Subject, Issuer, and other field names, information is provided about the certificate that is currently sent to the clients of an appliance in SSL-secured communication.

Information is also provided about the root certificate authority (root CA) that signed this certificate.

After the initial setup, the certificate is signed by the default root certificate authority. This certificate authority is Skyhigh.

The certificate is therefore called a self-signed certificate, as Skyhigh signed a certificate for one of their own products. Self-signed certificates are not trusted by all partners in SSL-secured communication.

For further administration of the SSL functions on Web Gateway, we recommend that you create your own root certificate authority.

Use the Generate New option to create this certificate authority.

Certificate Authority

Provides several options for performing activities that are related to a certificate authority.

  • Generate New — Opens a window for generating a new certificate authority.
  • Import — Opens a window for importing a certificate authority. The window provides an option for importing a file with information about a certificate authority and the certificate that was signed by it. Additionally, you can include a file with information about the chain of certificate authorities that were involved in the validation process.

The file with information about the certificate chain can be a file that you created and stored in the file system before.

In this case, the file will contain information about the following:

  • The certificate that an appliance sends as server to its clients
  • The intermediate certificate authorities, one of which signed the certificate, while the others each validated another certificate authority
  • The root certificate authority, which is the first instance that validated another certificate authority

When importing a certificate chain file, you must make sure that it only contains information about the intermediate certificate authorities.

All other information must be removed from the file. Otherwise the import will fail.

  • Export — Lets you browse to a location within your file system that you can export a certificate authority file to.
  • Export key — Lets you browse to a location within your file system that you can export the key file for a certificate authority to.
Send certificate chain

When selected, the appliance sends to its clients, along with the certificate, information on the chain of certificates and certificate authorities that were involved in validating this certificate.

To retrieve this information, you must include the certificate chain when using the option for importing a certificate authority.

The appliance sends the certificate that is configured here as a server to its clients. The certificate is therefore also referred to as the server certificate.

The server certificate is considered to exist on level 0. When a certificate authority signs this certificate to validate it, it is done on level 1.

When an additional certificate authority validates the first certificate authority, it is done on level 2. With each additional certificate authority that is involved, the level increases by one.

Certificate chain

Provides information on a certificate chain.

After importing a certificate authority file with information about the certificate chain, the information appears in this field.

Use custom domain key

When selected, a key is sent with the certificate that you have configured on your own.

This key is used for sending certificates throughout the domain of a Web Gateway appliance.

Custom domain key

Provides the following options for handling a custom domain key:

  • Import Key — Lets you browse to a location within your file system that you can import a custom domain key file from.
  • Export Key — Lets you browse to a location within your file system that you can export a custom domain key file to.
Digest

Provides information on a certificate chain.

After importing a certificate authority file with information about the certificate chain, the information appears in this field.

RSA server key size

Limits the size of the key file for a certificate.

Certificates that are signed by the CA are valid for

Limits the time (in days) that a certificate signed by the certificate authority configured here is valid.

Client cipher list

Specifies a string of OpenSSL symbols used for decrypting client data.

Include OCSP responder URL

When selected, a URL for sending responses to OCSP queries is included in the Authority Information Access (AIA) field of the certificate to enable the retrieval of information about revoked certificates.

SSL session cache TTL

Limits the time (in seconds) that SSL session parameters are stored in the cache.

Perform insecure renegotiations

When selected, Web Gateway renegotiates the parameters for the SSL-secured communication even when it is insecure to do so.

Send empty plain-text fragment

When selected, an empty plain-text fragment is sent with the certificate to the clients.

Allow legacy signatures in the handshake

When selected, legacy signatures are allowed in the initial handshake.

SSL protocol version

Selects the version of the protocol that the SSL scanning module follows when dealing with handshakes.

  • TLS 1.3 — When selected, TLS (Transport Layer Security) version 1.3 is used.
  • TLS 1.2, TLS 1.1, or TLS 1.0 — The selected TLS version is used.
  • SSL 3.0 — When selected, SSL version 3.0 is used.

Use the SSL option for compatibility reasons only.

SSL Client Context without CA settings

The SSL Client Context without CA settings are used to configure the sending of certificates with no information about the certificate authority to the clients of a Web Gateway appliance.

Define SSL Client Context (Without Certificate Authority)

Settings for sending a certificate to the clients with no information about the certificate authority.

Define SSL Client Context (Without Certificate Authority)

Option Definition
Select server certificate by host or IP

Provides a list of certificates that are sent to the clients and the host systems that they have been retrieved from. A host system is identified by a host name or an IP address.

The certificates are sent from an appliance in its role as a server to the clients. The certificates are therefore referred to as server certificates.

SSL Scanner functionality applies only to client connection

When selected, traffic is only processed using the SSL scanning functions on the connection from an appliance to its clients.

Client cipher list

Specifies a string of OpenSSL symbols used for decrypting client data.

SSL session cache TTL

Limits the time (in seconds) that SSL session parameters are stored in the cache.

Perform insecure renegotiations

When selected, Web Gateway renegotiates the parameters for the SSL-secured communication even when it is insecure to do so.

Send empty plain-text fragment

When selected, an empty plain-text fragment is sent with the certificate to the clients.

SSL protocol version

Selects the version of the protocol that the SSL Scanner module follows when dealing with handshakes.

  • TLS 1.3 — When selected, TLS (Transport Layer Security) version 1.3 is used.
  • TLS 1.2, TLS 1.1, or TLS 1.0 — The selected TLS version is used.
  • SSL 3.0 — When selected, SSL version 3.0 is used.

Use the SSL option for compatibility reasons only.

Select server certificate by host or IP — List entry

Option Definition
Host

Specifies the host name or IP address of the host system that a certificate is retrieved from.

Server Certificate

Provides information on the certificate that is currently sent from an appliance in its role as a server to its clients.

When adding an entry for a new certificate to the list, you can generate or import the certificate. Options for performing these activities are provided in the window for adding a list entry under Server Certificate.

  • Generate — Opens a window for generating a new certificate.
  • Import — Opens a window for importing a certificate. The window provides an option for importing a file with information about a certificate. Additionally, you can include a file with information about the chain of certificate authorities that were involved in the validation process.

The file with information about the certificate chain can be a file that you created and stored in the file system before.

In this case, the file will contain information about the following:

  • The certificate that an appliance sends as server to its clients.
  • The intermediate certificate authorities, one of which signed the certificate, while the others each validated another certificate authority.
  • The root certificate authority, which is the first instance that validated another certificate authority.

When importing a certificate chain file, you must make sure that it only contains information about the intermediate certificate authorities.

All other information must be removed from the file. Otherwise the import will fail.

  • Export — Lets you browse to a location within your file system that you can export a certificate authority file to.
  • Export key — Lets you browse to a location within your file system that you can export the key file for a certificate authority to.
HSM

Provides information on a Hardware Security Module that is used to protect the certificate information.

Certificate chain

Provides information on the chain of certificates and certificate authorities that were involved in the validation of the certificate that is sent to the clients.

Comment

Provides a plain-text comment on a certificate.

SSL Scanner settings

The SSL Scanner settings are used for configuring the way certificates are verified and content inspection is enabled for SSL-secured web traffic, which is also known as HTTPS traffic.

They apply to traffic that is going on between Web Gateway and a web server when Web Gateway runs as a proxy that receives traffic from its clients, filters it according to the rules of your web security policy, and forwards it to web servers depending on the filtering results.

Enable SSL Scanner

Settings for configuring certificate verification or the enabling of content inspection.

Enable SSL Scanner

Option Definition
SSL scanner function

Selects the function that is performed by the SSL Scanner module.

  • Certificate verification — When selected, the module verifies certificates submitted in SSL-secured communication.
  • SSL inspection — When selected, the module inspects the content of web objects transmitted in SSL-secured communication.
  • Identify and bypass Skype for Business traffic — When selected, web traffic going on over the Skype for Business communication tool is exempted from any SSL scanning.
SSL protocol version

The module follows the selected protocol version when web objects are transmitted in SSL-secured communication.

  • TLS 1.3 — When selected, TLS (Transport Layer Security) version 1.3 is used.
  • TLS 1.2, TLS 1.1, or TLS 1.0 — The selected TLS version is used.
  • SSL 3.0 — When selected, SSL version 3.0 is used.

Use the SSL option for compatibility reasons only.

Server cipher list

Provides a list of strings of OpenSSL symbols, known as ciphers, that are used to decrypt server data. You select the ciphers to use from this list.

The HTTP Scanner module can use different types of ciphers for decryption when it performs default certificate verification or verifies certificates from web servers that do not support the EDH (Ephemeral Diffie-Hellman) method.

Ciphers for use in decrypting client data are selected as part of the SSL Client Context with CA and SSL Client Context without CA settings. You can select different types of ciphers here as well.

This means that you can configure the use of ciphers differently depending on whether they are used for traffic going on between Web Gateway and web servers or between Web Gateway and its clients.

If a client only supports older types of ciphers, which cannot be used in communication with a web server that uses newer types to ensure stronger encryption, you can select these stronger ciphers here for traffic coming in from and going to the web server.

For the client traffic, you can select weaker ciphers when configuring the client settings.

SSL session cache TTL

Limits the time (in seconds) for keeping the parameter values of a session in SSL-secured communication stored in the cache to the specified value.

Allow handshake and renegotiation with servers that do not implement RFC 5746

When selected, the SSL Scanner module performs these activities also in communication with web servers that fail to comply with the specified standard.

Send empty plain-text fragment

When selected, this fragment is sent in the communication.

Allow legacy signatures in the handshake

When selected, legacy signatures are accepted in the communication.

Allow Alternative Handshakes

Settings for handshakes in SSL-secured communication that use alternative parameter values

Allow Alternative Handshakes

Option Definition
Use alternative handshake settings after handshake failure

When selected, the SSL Scanner module uses alternative parameter values after the first attempt to perform a handshake in SSL-secured communication has failed.

SSL protocol version

Selects the version of the protocol the SSL Scanner module follows when it performs an alternative handshake.

  • TLS 1.3 — When selected, TLS (Transport Layer Security) version 1.3 is used.
  • TLS 1.2, TLS 1.1, or TLS 1.0 — The selected TLS version is used.
  • SSL 3.0 — When selected, SSL version 3.0 is used.

Use the SSL option for compatibility reasons only.

Server cipher list

Specifies a string of OpenSSL symbols used for decrypting server data.

The SSL Scanner module uses different strings for default certificate verification and for verifying certificates from servers that do not support the EDH (Ephemeral Diffie-Hellman) method.

Send empty plain-text fragment

When selected, this fragment is sent in the communication.

Allow legacy signatures in the handshake

When selected, legacy signatures are accepted in the communication.

Include indication that previous handshake failed

When selected, a failure of the previous handshake is indicated.

TIE Filter settings

The TIE Filter settings are used for configuring the TIE Filter module, which is involved in the process of exchanging information between Web Gateway and a TIE server.

Stream Detector settings

The Stream Detector settings are used to configure the module that calculates the probability that a web object is streaming media.

Streaming Detector

Settings for the module that calculates streaming media probabilities.

Streaming Detector

Option Definition
Minimal probability

Sets the probability (in percent, specified by a number from 0 to 100) that is sufficient for a web object to be considered as streaming media.

Time Quota settings

The Time Quota settings are used for configuring the module that handles time quota management.

Time Quota per Day, Week, Month, and Session Time

Settings for time quotas.

When a time unit or the session time is selected, the heading of the next section reads accordingly.

Time Quota per Day, Week, Month, and Session Time

Option Definition
Time quota per day (week, month)

When selected, the quota that is configured in the next section applies to the selected time unit.

Session time

When selected, the quota that is configured in the next section applies to the session time.

Hours and Minutes for . . .

Settings for time quotas that apply to the selected time unit or the session time.

The heading of this section varies according to what you selected in the preceding section.

For example, if you selected Time quota per week, the heading reads Hours and Minutes for Time Quota per Week.

Hours and Minutes for . . .

Option Definition
Hours

Sets the allowed hours per day, week, month, or for the session time.

Minutes

Sets the allowed minutes per day, week, month, or for the session time.

Actual Configured Time Quota

Displays the configured time quotas.

Actual Configured Time Quota

Option Definition
Time quota per day (week, month)

Shows the allowed time per day, week, or month.

Session time

Shows the allowed session time.

URL Filter settings

The URL Filter settings are used for configuring the URL Filter module, which handles activities related to URL filtering on a Web Gateway appliance.

Instances of the URL Filter settings include the following:

  • Default settings — Default settings.

These settings are used when working with the default rule set for URL filtering. This rule set is named Default and nested within the URL Filtering rule set.

  • Special URL Filtering Group settings — Settings used when working with the nested Special URL Filtering Group rule set.
Extended List

Settings for extended lists.

Extended List

Option Definition
Use the extended list

Provides a list for selecting an extended list.

Add

Opens the Add List window for adding an extended list.

Edit

Opens the Edit List (Extended List) window for editing the selected extended list.

Rating Settings

Settings for retrieving rating information on URLs based on categories and reputation scores.

Rating Settings

Option Definition
Search the CGI parameters for rating

When selected, CGI parameters are included in the search for information.

CGI (Common Gateway Interface) parameters in a URL trigger scripts or programs when the URL is accessed. Information on CGIs is considered when categorizing a URL.

Search for and rate embedded URLs

When selected, embedded URLs are included in the search for information and rated.

Information on an embedded URL is considered when categorizing the embedding URL.

Searching for embedded URLs can impact performance.

Do a forward DNS lookup to rate URLs

When selected, a DNS lookup is performed for a URL that no relevant information has been found for.

The IP address that was looked up is used for another search.

Do a backward DNS lookup for unrated IP-based URLs

When selected, a backward DNS lookup, based on its IP address, is performed for a URL that no relevant information has been found for.

The host name that was looked up is used for another search.

Use the built-in keyword list

When selected, the built-in keyword list is included in the search.

Disable local GTI database

When selected, no information about web reputation and categories is retrieved from the local Global Threat Intelligence database.

Use online GTI web reputation and categorization services if local rating yields no result

When selected, information on URL categories and reputation scores is only retrieved from the Global Threat Intelligence service if the search in the internal database yielded no results.

Use default server for online GTI web reputation and categorization services

When selected, the appliance connects to the default server for retrieving information on URL categories and reputation scores from the Global Threat Intelligence system.

  • IP of the server — Specifies the IP address of the server used to connect to the Global Threat Intelligence system when the default server is not used.

Format: <domain name> or <IPv4 address> or <IPv4 address mapped to IPv6 address>

Regular IPv6 addresses cannot be specified here.

  • Port of the server — Specifies the port number of the port on this server that listens to requests from the appliance.

Allowed range: 1–65535

Enable the Dynamic Content Classifier if GTI web categorization yields no result

When selected, the Dynamic Content Classifier is involved in the URL filtering process if a search performed by the Global Threat Intelligence service yielded no results.

Advanced Settings

Advanced settings for the URL Filter module

Advanced Settings

Option Definition
Treat connection problems to the cloud as errors

When selected, problems arising on the connection from the appliance to the Global Threat Intelligence server are logged as errors.

Properties for error handling are set and eventually rules from an Error Handler rule set are executed.

Do a backward DNS lookup also for private addresses

When selected, private IP addresses are included in the backward DNS lookup.

Excluding these addresses from the lookup leads to an increase in performance for URL filtering.

This option is disabled by default.

The lookup includes the following types of addresses:

  • IPv4
    • Private addresses
    • Zeroconf addresses
  • IPv6
    • Link local addresses
    • Site local addresses
    • Unique local addresses

Proxy Settings

Option Definition
Use upstream proxy

When selected, the appliance uses a proxy for connecting to the Global Threat Intelligence server on which lookups for URL category information, also known as “in-the-cloud” lookups, can be performed.

IP or name of the proxy

Specifies the IP address or host name of the proxy.

Port of the proxy

Specifies the number of the port on the proxy that listens for lookup requests from the appliance.

User name

Specifies a user name for the appliance when logging on to the proxy.

Password

Sets a password for an appliance.

Set

Opens a window for setting a password.

Connect to GTI cloud via host name also when a proxy is configured

When selected, Web Gateway connects to a cloud service for performing GTI lookups using the host name of the server where the cloud service resides, regardless of whether a proxy is also configured.

Try to bypass the proxy if unreachable

When selected, Web Gateway tries to bypass a proxy that has been set up if this proxy cannot be reached.

Trust server certificate

When selected, a certificate sent under HTTPS by a cloud service for performing GTI lookups is trusted on Web Gateway.

  • Subject, Issuer, Validity, Extensions, Fingerprint, Private Key — Provide information about the certificate that is sent by the cloud service.
  • Import — Opens a window for importing a server certificate.
Provide client certificate

When selected, Web Gateway provides a certificate when connecting as a client under HTTPS to a cloud service for performing GTI lookups.

  • Subject, Issuer, Validity, Extensions, Fingerprint, Private Key — Provide information about the certificate that Web Gateway sends to the cloud service.
  • Import, Export, Export Key — Open windows for importing a client certificate and for exporting a client certificate and key.

Logging

Option Definition
Enable logging

When selected, URL filtering activities are logged on the appliance.

If this option is not selected, the following logging options are grayed out.

Log level

Provides a list for selecting the log level.

Log levels are as follows:

  • 00 FATAL — Logs only fatal errors.
  • 01 ERRORS — Logs all errors.
  • 02 WARNING — Logs errors and warnings.
  • 03 INFO — Logs errors, warnings, and additional information.
  • 04 DEBUG1 ... 013 DEBUG9 — Log information required for debugging URL filtering activities. The amount of logged information increases from level DEBUG1 to DEBUG9.
  • 14 TRACE — Logs information required for tracing URL filtering activities.
  • 15 ALL — Logs all URL filtering activities.
(Log area)

Provides a set of options for including different areas of URL filtering activities into the logging.

  • LOG_AREA_ALL — When selected, all URL filtering activities are logged.
  • LOG_AREA_NETWORK — When selected, activities regarding the network connections used for URL filtering are logged.
  • LOG_AREA_DATABASE_SEARCH — When selected, activities regarding the retrieval of data for URL filtering from the internal database are logged.
  • LOG_AREA_DNS — When selected, activities regarding a DNS lookup that is performed for URL filtering are logged.
  • LOG_AREA_URL — When selected, activities for handling URLs, such as parsing them, are logged.
  • LOG_AREA_CLOUD — When selected, activities regarding the retrieval of information from the Global Threat Intelligence system are logged.
Connection count (maximum)

Limits the number of connections that can be active at the same time.

Maximum number of connections by default: 4

Request timeout

Limits the time between retries of requests on a connection.

Maximum time by default: 2000 ms

Request attempts

Limits the number of retries.

Maximum number of retries: 3

Troubleshooting

Settings for troubleshooting issues with URL filtering.

Air-Gap Mode Setting

Option Definition
Automatic air-gap mode

An automatic air-gap mode can be enabled for connections from a Web Gateway appliance to a Global Threat Intelligence (GTI) server when issues impacting response time arise.

Enabling this mode prevents increased response times on GTI server connections from creating overload issues elsewhere, for example, on the anti-malware or the proxy working queue.

Traffic resulting from queries sent to and received from the GTI server is reduced in air-gap mode to the minimum that is required to monitor response times in order to recognize a return to normal. When a return to normal is recognized, the automatic air-gap mode is disabled.

What is considered a normal response time here can be configured.

While the automatic air-gap mode is enabled, information about URL categories and reputation scores can still be retrieved from the local database on Web Gateway.

Monitoring functions can be enabled with or without the automatic air-gap mode.

The following can be selected for the automatic air-gap mode:

  • Off — When selected, no monitoring is performed on GTI server connections and the automatic air-gap mode is never enabled.

This option is selected by default.

  • Monitor only — When selected, GTI server connections are monitored, but the automatic air-gap mode is still never enabled.

When these connections are monitored, issues impacting response time are logged like this:

  • When the maximum average response time exceeds a configured threshold for a configured time interval or longer, a warning message is logged, which can serve as a trigger for taking appropriate measures.
  • When response times return to normal again, remaining below the threshold for the configured time interval or longer, an information message is logged.

Default values are configured for the threshold and the time intervals. You can modify these values to adapt them to your network conditions.

  • Active — When selected, GTI server connections are monitored and the automatic air-gap mode is enabled and disabled depending on how response times on these connections develop.

The configured threshold and time intervals are then evaluated for both enabling the air-gap mode and logging warnings and information messages.

Maximum average delay threshold

Sets a threshold value that marks the acceptable maximum average response time (in ms) on connections to a GTI server.

Default: 250 ms

Retention time enable air gap

Sets the time interval (in seconds) over which the average response time on GTI server connections must exceed the configured threshold before a warning message is logged and the automatic air-gap mode is enabled if available and activated.

Default: 10 seconds

Retention time disable air gap

Sets the time interval (in seconds) over which the average response time on GTI server connections must fall below the configured threshold before a back-to-normal message is logged and the automatic air-gap mode is disabled if previously enabled.

Default: 120 seconds

Probing rate if enable

Sets the percentage of web access requests submitted by users for which queries are still sent to a GTI server while the automatic air-gap mode is enabled. This minimal value applies only while the mode is enabled.

Keeping a minimal amount of traffic on the connections to the GTI server is required to monitor this traffic in order to recognize when response times return to normal, so the automatic air-gap mode can be disabled.

Default: 1 %
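The monitoring and switching behaviour described above for the automatic air-gap mode, as an added example that is not Skyhigh's code: it applies the documented defaults (250 ms threshold, 10 s and 120 s retention times, 1 % probing rate) in the three modes Off, Monitor only and Active. The one-average-sample-per-second model and all class and method names are assumptions.

```python
"""Simulation of the automatic air-gap mode for GTI server connections.

Added example, not part of the Skyhigh documentation or product code.
Threshold and timing defaults are the documented ones; the sampling model
(one average response time per second) and all names are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class AirGapConfig:
    mode: str = "Off"               # "Off", "Monitor only" or "Active"
    threshold_ms: float = 250.0     # Maximum average delay threshold (default 250 ms)
    enable_after_s: int = 10        # Retention time enable air gap (default 10 s)
    disable_after_s: int = 120      # Retention time disable air gap (default 120 s)
    probing_rate_pct: float = 1.0   # Probing rate if enabled (default 1 %)


@dataclass
class AirGapMonitor:
    """Tracks GTI response times and switches the air-gap mode on and off."""
    cfg: AirGapConfig
    air_gap_enabled: bool = False
    degraded: bool = False          # warning logged, no back-to-normal message yet
    above_for_s: int = 0            # consecutive seconds above the threshold
    below_for_s: int = 0            # consecutive seconds at or below the threshold
    log: List[Tuple[str, str]] = field(default_factory=list)

    def observe(self, avg_delay_ms: float) -> None:
        """Feed one per-second average response time sample (assumed model)."""
        if self.cfg.mode == "Off":
            return  # no monitoring at all; the air-gap mode is never enabled
        if avg_delay_ms > self.cfg.threshold_ms:
            self.above_for_s += 1
            self.below_for_s = 0
            if self.above_for_s >= self.cfg.enable_after_s and not self.degraded:
                self.degraded = True
                self.log.append(("WARNING", f"GTI average delay above "
                                 f"{self.cfg.threshold_ms:.0f} ms for {self.above_for_s} s"))
                if self.cfg.mode == "Active":
                    self.air_gap_enabled = True   # "Monitor only" never enables it
        else:
            self.below_for_s += 1
            self.above_for_s = 0
            if self.below_for_s >= self.cfg.disable_after_s and self.degraded:
                self.degraded = False
                self.air_gap_enabled = False
                self.log.append(("INFO", f"GTI response times back to normal for "
                                 f"{self.below_for_s} s"))

    def should_query_gti(self, request_no: int) -> bool:
        """Decide whether user request number request_no triggers a GTI query.

        Outside air-gap mode every request may be looked up in the cloud. In
        air-gap mode only the probing rate (default 1 %) of requests is sent,
        just enough to notice when response times return to normal.
        """
        if not self.air_gap_enabled:
            return True
        if self.cfg.probing_rate_pct <= 0:
            return False
        step = max(1, round(100 / self.cfg.probing_rate_pct))
        return request_no % step == 0

    def lookup_sources(self) -> List[str]:
        """Sources still available for URL category and reputation lookups."""
        # The local database on Web Gateway stays available in air-gap mode.
        if self.air_gap_enabled:
            return ["local GTI database"]
        return ["local GTI database", "GTI cloud service"]
```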

Volume Quota settings

The Volume Quota settings are used for configuring the module that handles volume quota management.

Volume Quota per Day, Week, and Month

Settings for volume quotas.

When a time unit or the session time is selected, the heading of the next section reads accordingly.

Volume Quota per Day, Week, and Month

Option Definition
Volume quota per day (week, month)

When selected, the quota that is configured in the next section applies to the selected time unit.

Session time

When selected, the quota that is configured in the next section applies to the session time.

Volume for . . .

Settings for volume quotas that apply to the selected time unit or the session time.

The heading of this section varies according to what you selected in the preceding section.

For example, if you selected Volume quota per week, the heading reads Volume for Volume Quota per Week.

Volume for . . .

Option Definition
GiB

Specifies the number of GiB that are allowed as volume.

MiB

Specifies the number of MiB that are allowed as volume.

Actual Configured Volume Quota

Displays the configured volume quotas.

Actual Configured Volume Quota

Option Definition
Volume quota per day (week, month)

Shows the allowed volume per day, week, or month.

Session time

Shows the allowed session time.