Configuration options for the Gateway agent type

Updated 4 months ago by admin

The Agent Configuration screen allows you to create or modify agent profiles for Gateway agents. Selecting a Gateway agent profile from the list will allow you to configure the profile.

To see the different Agent Configuration profiles attached to your account, visit your USS Dashboard and click Products > Web Security > Agent Configuration.

Changes made to an agent profile can take up to 15 minutes to propagate to active Windows agents. You can force a configuration update using the Update Config option within the agent software itself.

Settings

Profile name

A friendly name for the profile to make it easier to manage.

Gateway Control Panel Password

This password secures access to the Web UI on the gateway server. This password is automatically generated when the profile is created but can be changed.

Tag web requests with

The Tag to assign to this agent. Tags are used to identify the agent in Filter Rules. Select a tag to use, or choose No Selection if a tag is not required.

Tag Captive/Guest Portal requests with

The Tag to assign to traffic when the gateway is used as a transparent proxy e.g. with Captive or Guest portal. Tags are used to identify the traffic in Filter Rules. Select a tag to use or No Selection if a tag is not required.

Outbound ports

The agent will connect to the Web Security cloud service on ports 1344 & 1345 or 80 & 443. Select the preferred ports here and they will be tried first. If a connection is not established, the agent will try the remaining ports.

Fail open if Outbound Ports are unreachable

If enabled, the agent will provide unfiltered access if for any reason the Web Security cloud service ports are inaccessible. If not enabled, web access will be blocked until the cloud service becomes available again. Fail open trades policy enforcement for availability: while the ports are unreachable no filtering, tagging or scanning is applied, so anyone able to block those ports upstream of the gateway obtains unfiltered access. Leave it disabled where web filtering is relied on as a security control rather than a convenience.
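The following added example (not code from the page or the product) models the two behaviours described above: the preferred port pair is tried first, the remaining pair is used as a fallback, and when nothing is reachable the fail-open flag decides between unfiltered access and a total block. The service hostname, the `make_probe` helper and the sample reachability results are constructed for the demonstration; `tcp_reachable` is a real TCP probe for use against an actual host.

```python
import socket
from typing import Callable, List, Optional

# Port pairs the agent can use to reach the Web Security cloud service (from the page).
# The preferred pair is always tried first; the other pair is the fallback.
PORT_PAIRS = {"1344/1345": (1344, 1345), "80/443": (80, 443)}

Probe = Callable[[str, int], bool]


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Real probe: succeed only if a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def port_order(preferred: str) -> List[int]:
    """Preferred pair first, then the remaining pair, as the page describes."""
    if preferred not in PORT_PAIRS:
        raise ValueError(f"unknown port pair {preferred!r}")
    first = list(PORT_PAIRS[preferred])
    rest = [p for name, pair in PORT_PAIRS.items() if name != preferred for p in pair]
    return first + rest


def choose_port(host: str, preferred: str, probe: Probe = tcp_reachable) -> Optional[int]:
    """First reachable port in fallback order, or None if every port is blocked."""
    for port in port_order(preferred):
        if probe(host, port):
            return port
    return None


def filtering_decision(host: str, preferred: str, fail_open: bool,
                       probe: Probe = tcp_reachable) -> str:
    """What happens to client web traffic given cloud reachability and the fail-open flag."""
    port = choose_port(host, preferred, probe)
    if port is not None:
        return f"filtered via port {port}"
    # Outbound ports unreachable: fail open means policy is silently not enforced.
    return "ALLOW-UNFILTERED" if fail_open else "BLOCK-ALL"


def make_probe(open_ports: set) -> Probe:
    """Constructed probe for offline demonstration: only the given ports 'answer'."""
    return lambda host, port: port in open_ports


if __name__ == "__main__":
    host = "service.example"  # hypothetical Web Security service hostname
    print(filtering_decision(host, "1344/1345", False, make_probe({443})))  # filtered via port 443
    print(filtering_decision(host, "1344/1345", True, make_probe(set())))   # ALLOW-UNFILTERED
    print(filtering_decision(host, "1344/1345", False, make_probe(set())))  # BLOCK-ALL
```

The last two lines are the fail-open decision in isolation: with the same outage, one configuration lets every request through unfiltered and the other blocks everything. Replacing `make_probe(...)` with the default `tcp_reachable` turns `choose_port` into a quick reachability check from a gateway's network segment.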

X-Forwarded-For

Determines how the proxy will handle the X-Forwarded-For header. The default option is to remove it completely. Removing it prevents internal client addresses from being disclosed to destination web servers, and stops a client from supplying a spoofed X-Forwarded-For value that an upstream server or logging system might otherwise trust.
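To make the consequence of each handling choice concrete, here is an added example (not code from the page or the product) that applies three generic proxy behaviours to a request whose client has deliberately set X-Forwarded-For to an internal address, and then parses the header the way a careful upstream server should. Only "remove" corresponds to the page's stated default; "append" and "passthrough" are common proxy behaviours used for comparison, not this product's option names. The request, the client address and the gateway address are constructed.

```python
from typing import Dict, Iterable, Optional, Tuple

XFF = "x-forwarded-for"


def _split_xff(headers: Dict[str, str]) -> Tuple[Dict[str, str], Optional[str]]:
    """Return (headers without XFF, incoming XFF value or None), case-insensitively."""
    kept = {k: v for k, v in headers.items() if k.lower() != XFF}
    incoming = next((v for k, v in headers.items() if k.lower() == XFF), None)
    return kept, incoming


def forward_headers(headers: Dict[str, str], client_ip: str, mode: str) -> Dict[str, str]:
    """Headers the proxy sends upstream.

    'remove'      - strip the header (the page's default)
    'append'      - add the connecting client's IP to any existing chain
    'passthrough' - forward whatever the client sent, unmodified
    The last two are generic proxy behaviours used for comparison only.
    """
    kept, incoming = _split_xff(headers)
    if mode == "remove":
        return kept
    if mode == "append":
        kept["X-Forwarded-For"] = f"{incoming}, {client_ip}" if incoming else client_ip
        return kept
    if mode == "passthrough":
        if incoming is not None:
            kept["X-Forwarded-For"] = incoming
        return kept
    raise ValueError(f"unknown mode {mode!r}")


def real_client_ip(xff_value: Optional[str], peer_ip: str, trusted_proxies: Iterable[str]) -> str:
    """Upstream-side parsing: walk the chain from the right, skipping only proxies we trust.

    The leftmost entry is attacker-controlled unless every hop to its right is trusted,
    which is why a proxy that strips or appends, rather than passes through, matters.
    """
    chain = [h.strip() for h in xff_value.split(",")] if xff_value else []
    chain.append(peer_ip)  # the TCP peer is the only hop that cannot be forged in the header
    trusted = set(trusted_proxies)
    for hop in reversed(chain):
        if hop not in trusted:
            return hop
    return chain[0]  # every hop trusted: the proxy itself is the client as far as we can tell


# Constructed request: a client at 203.0.113.7 sends a spoofed internal address in XFF.
CLIENT_IP = "203.0.113.7"
PROXY_IP = "198.51.100.5"   # hypothetical gateway address as seen by the web server
SPOOFED = {"Host": "www.example", "X-Forwarded-For": "10.0.0.1"}

if __name__ == "__main__":
    for mode in ("remove", "append", "passthrough"):
        hdrs = forward_headers(SPOOFED, CLIENT_IP, mode)
        seen = real_client_ip(hdrs.get("X-Forwarded-For"), PROXY_IP, {PROXY_IP})
        print(f"{mode:11} upstream XFF={hdrs.get('X-Forwarded-For')!r:>24} -> client {seen}")
```

With "passthrough" the upstream server attributes the request to 10.0.0.1, an address the client simply typed; with "append" it sees the true client behind the gateway (and learns an internal address); with "remove" it sees only the gateway. The right-to-left walk in `real_client_ip` is the parsing rule upstream services should use whatever the proxy does, since the leftmost value is never trustworthy on its own.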

TLS/SSL Interception

SSL Interception will require the installation of the USS Gateway root CA certificate for correct operation.

TLS/SSL Intercept on direct proxy connections

Force TLS/SSL decryption and filtering on direct connections to the proxy on port 8080 e.g. via browser configuration or WPAD.

TLS/SSL Intercept on transparent proxy (Captive/Guest Portal) connections

Force TLS/SSL decryption and filtering on transparently proxied connections e.g. Captive/Guest portal, WCCP, gateway mode.

Disabling SSL Intercept will still allow logging and filtering of the HTTPS site at the domain level. You can also selectively bypass SSL filtering using a Bypass Pattern. Disabling SSL interception will limit the visibility and filtering capability of the gateway.

Bypass Categories

The Bypass Categories section contains a list of available categories, created in the Bypass section of the Web Security product. Bypass categories provide a way for the gateway to trust particular network resources, so that matching traffic does not get filtered by the Web Security cloud service. A number of pre-defined categories are provided as a starting point for common services.

Selecting a category will apply all the bypasses in that category to all the gateways assigned this configuration profile. Note that unless the bypass type in use supports restricting by source IP/CIDR, a bypass applies to every connection made to the proxy, regardless of which client made it.
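The added example below (not the product's code) shows the evaluation rule this implies: a bypass with a destination pattern and no source restriction matches every client, while one that carries a source CIDR only matches clients inside that range. The rule shape, the category contents and the sample requests are constructed; real bypass types and pattern syntax are those of the Bypass section of the Web Security product.

```python
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Optional


class Bypass(NamedTuple):
    name: str
    dest_pattern: str              # destination host glob, e.g. "*.update.example"
    source: Optional[str] = None   # source CIDR; None means "every connection to the proxy"


def matches(rule: Bypass, client_ip: str, dest_host: str) -> bool:
    """A rule matches when the destination host fits the pattern and, if the
    rule carries a source CIDR, the client address falls inside it."""
    host = dest_host.lower().rstrip(".")
    if not fnmatchcase(host, rule.dest_pattern.lower()):
        return False
    if rule.source is None:
        return True          # no source restriction: applies to all clients
    return ip_address(client_ip) in ip_network(rule.source, strict=False)


def first_bypass(rules: List[Bypass], client_ip: str, dest_host: str) -> Optional[str]:
    """Name of the first matching bypass, or None when the request should be filtered."""
    return next((r.name for r in rules if matches(r, client_ip, dest_host)), None)


# Constructed category: one unrestricted rule and one limited to a finance VLAN.
CATEGORY = [
    Bypass("os-updates", "*.update.example"),
    Bypass("finance-app", "portal.finance.example", "10.20.0.0/16"),
]

if __name__ == "__main__":
    print(first_bypass(CATEGORY, "192.168.1.5", "dl.update.example"))       # os-updates
    print(first_bypass(CATEGORY, "192.168.1.5", "portal.finance.example"))  # None
    print(first_bypass(CATEGORY, "10.20.3.4", "portal.finance.example"))    # finance-app
    print(first_bypass(CATEGORY, "10.20.3.4", "update.example"))            # None
```

Two points worth checking when reviewing a category: a wildcard such as `*.update.example` does not match the bare apex `update.example`, and a pattern without a source restriction exempts traffic from every device on every gateway that uses the profile, so it should only cover destinations you would trust from the guest network too.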

Captive / Guest Portal

The Captive and Guest Portals provide an easy way to handle Bring Your Own Device (BYOD) and Guest (Anonymous) browsing and form an important part of deployment.

In a BYOD scenario, the device (smartphone, tablet, laptop, etc) is owned by the employee and as such the IT department typically has no control over the configuration, nor do they want to get involved in changing it. In a Guest scenario, such as public Internet access area, the device is not owned by the company operating the network, the user of the device does not have any credentials and the IT department has no control over the configuration of the device. The Captive or Guest Portal provides a zero-configuration method to allow the device to join the network and browse the web securely, whilst still enforcing the correct policy for the staff member or generic policy for guest users.

There are two types of portal available: Captive and Guest.

Only one portal can be active per USS Gateway at any one time.

Captive Portal

The Captive Portal presents a login page which requires a valid Active Directory username and password to proceed.

The logo, title, welcome text, acceptance checkbox and terms of service link can all be customised.

Guest Portal

The Guest Portal presents a splash screen which requires acceptance in order to proceed. No authentication is required.

The title and welcome text can be customised. The logo, acceptance checkbox text and terms of service link are all inherited from the Captive Portal settings.

Deploying a Captive or Guest Portal

  1. Enable the Captive or Guest Portal in the Configuration Profile.
  2. Decide whether you require SSL/TLS Interception for the Captive/Guest Portal.
  3. Modify your DHCP server to issue the IP address of one of the gateway's configured network interfaces as the default gateway for the BYOD device.
  4. Re-join the BYOD device to the network so that it obtains a new DHCP lease and the correct default gateway. This is important because Android, iOS and Windows WiFi clients detect a portal automatically by fetching a special HTTP link when they join the network, and that request is what triggers the browsing session.
  5. If SSL/TLS Intercept is enabled for the Captive/Guest Portal, install the SSL certificate by clicking the "install this certificate" link on the Captive/Guest Portal page or by distributing the certificate to client devices via MDM.
  • It is possible to selectively bypass SSL/TLS Interception for source IP addresses (devices) and destination domains.
  • It is possible to have SSL/TLS Interception on for direct proxy connections and off for Captive/Guest Portal connections.
  6. If SSL/TLS Intercept is disabled for the Captive/Guest Portal, it is essential that the device is disconnected and reconnected to the WiFi network after its gateway IP address changes. HTTPS sites will not work until a session has been established via step 4 above.
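To show why the re-join step matters and why HTTPS fails before it, here is an added example (not code from the page or the product) of the per-request decision a portal-enabled gateway has to make for a transparently routed device: requests to the portal page itself are served, devices with a session are proxied normally, plain HTTP from a device without a session is redirected to the portal (which is what the OS connectivity probe on join runs into), and an HTTPS tunnel from a device without a session is refused because without interception there is nowhere to put a redirect. The portal hostname, the sample addresses and the session store are constructed; the real portal keys sessions on whatever the product uses.

```python
from typing import Dict, Set

PORTAL_HOST = "portal.gateway.example"   # hypothetical address of the portal page
PORTAL_URL = f"http://{PORTAL_HOST}/"


def gate(client_ip: str, method: str, host: str, path: str,
         authorised: Set[str]) -> Dict[str, object]:
    """Decide what the gateway does with one request from a transparently routed device.

    authorised: client IPs that have completed the Captive (AD login) or Guest (accept) flow.
    """
    if host == PORTAL_HOST:
        return {"action": "serve-portal"}        # never redirect the portal itself
    if client_ip in authorised:
        return {"action": "proxy"}               # session exists: filter normally
    if method == "CONNECT":
        # HTTPS from a device with no session: without TLS interception there is no way
        # to inject a redirect, so the tunnel is refused. This is the behaviour behind
        # "HTTPS sites will not work until a session is established".
        return {"action": "deny", "status": 403}
    # Plain HTTP, including the probe the OS fires on joining the network: send to the portal.
    return {"action": "redirect", "status": 302,
            "location": f"{PORTAL_URL}?next=http://{host}{path}"}


def complete_portal(client_ip: str, authorised: Set[str]) -> Set[str]:
    """Record a successful login or acceptance for this device address."""
    return authorised | {client_ip}


if __name__ == "__main__":
    sessions: Set[str] = set()
    print(gate("192.0.2.10", "GET", "www.example", "/", sessions))        # redirect to portal
    print(gate("192.0.2.10", "CONNECT", "www.example:443", "", sessions))  # deny, 403
    sessions = complete_portal("192.0.2.10", sessions)
    print(gate("192.0.2.10", "CONNECT", "www.example:443", "", sessions))  # proxy
```

A device whose default gateway was changed without renewing its lease never sends that first HTTP request through the gateway, so it never reaches the redirect branch and only ever sees the refused tunnels; re-joining the network fixes both. Sessions keyed on a client address are also why a device that picks up a new lease may need to pass through the portal again.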

Gateway Anti-Malware

A valid license for the Gateway Anti-malware product is required to configure this feature. Contact your service provider for more information.
It is highly recommended that you enable TLS/SSL Interception in this configuration profile in order to scan both HTTP and HTTPS requests for malware, otherwise HTTPS requests cannot be scanned.
Once enabled, malware scanning is applied to all connections made to the gateway proxy unless the request has been matched by a bypass pattern, in which case it may not be scanned, depending on the Bypass Type in use.

Enable Gateway Anti-Malware scanning

Check this box to enable the feature on the gateways that are configured to use this configuration profile.

Use Block Template

Select a Web Security template to use if malware is detected.

Ignore Media Content

Check this box to ignore content that cannot be scanned such as streaming video and audio.

Maximum scan size (Mb)

The maximum file size that will be scanned for malware.

Files larger than this limit are not scanned, so decreasing this value can allow malware to pass through without filtering; increasing it raises the system memory requirements, as each file has to be held in memory prior to scanning. Take care when altering this value.

Image Analysis

A valid license for the Image Analysis product is required to configure this feature. Contact your service provider for more information.
It is highly recommended that you enable TLS/SSL Interception in this configuration profile in order to scan images served over both HTTP and HTTPS.

Enable image filtering

Check this box to enable the feature on the gateways that are configured to use this configuration profile.

Sensitivity level

This option controls how aggressive the image scanner should be when trying to detect adult content.

Low

Only block images that are very likely to contain adult content (most accurate, less blocked).

Average

Block images that are very likely or moderately likely to contain adult content.

High

Block any images that are suspected of containing adult content (less accurate, more blocked).

Image analysis accuracy varies based on the size and quality of the image. Thumbnails will likely be allowed but the larger versions blocked. Best practice is to use this feature alongside other filter rules for a comprehensive security policy.

The Image Scanner will assign a percentage score to each image that it scans which indicates a "certainty" that the image contains adult material. Changing the "Sensitivity level" adjusts the score at which the image is blocked. A "Low" sensitivity setting means the scanner won't block unless it is very certain that the image contains adult content. The end result is that fewer images will be blocked but the accuracy should be better. A "High" sensitivity setting means the scanner will block more because it will block even if it only suspects the image may contain adult content. The end result is that more images will be blocked but the accuracy will be reduced.

Example screenshot of the Image Scanner in action, with suspect images replaced by a safe symbol.

Maximum Image Size

The maximum filesize of an image to scan.

Images larger than this limit are not scanned, so decreasing this value can allow adult image content to pass through without filtering; increasing it raises the system memory requirements, as each file has to be held in memory prior to scanning. Take care when altering this value.

Advanced

Seek advice from your service provider if you are unsure what these options are for.

Service hostname

This is determined by the region chosen for the Web Security service.

Unsupported Protocols

This determines what the proxy should do if it encounters a non HTTP/S protocol. The default is to Deny, as any other protocols cannot be filtered and may pose a security risk.
