HowToConfigureCensorNetForInlineModeISPEnvironment 1 - 08 Mar 2010 - Main.TimLloyd
Synopsis: How to configure CensorNet for Inline Mode (ISP environment)

CensorNet has the capability to operate as a transparent intercept proxy and therefore can be used in ISP environments to block categories of web sites. The following article describes how to configure CensorNet for this type of operation:

The article assumes you have a fresh install of the latest version of CensorNet Professional.

1) Make sure you are on the latest stable maintenance release (1.6.10 at the time of writing this article). Log in as root, type setup, then choose Perform System Upgrade and follow the prompts.

2) Before configuring for inline mode you should download a local copy of the URL database. You can request a download here: http://www.censornet.com/licensing/csrv.php.

3) You will need two network cards in the server. To configure inline mode, log in as root, type setup, then go to Network Configuration and choose Change Mode. Select inline. When it has reconfigured, you must set the IP address again under Network Configuration. This will be your IP for logging in and managing CensorNet. After you have set the network, please be aware that it can take up to 30 seconds for the bridge to start passing traffic, so don't be alarmed if you plug it into your network and you can't connect to CensorNet straight away.

4) When configured in inline mode CensorNet creates a bridge between the two network cards. All traffic passing over the bridge will be inspected and if it is destined for port 80 or 443 it will be intercepted by CensorNet. Typically, the CensorNet server should be placed as follows:

[Internet]<-->[router/gateway]<-->[CensorNet]<-->[core switch]

5) After switching to inline mode you should configure the CensorNet proxy for your environment.

  • Turn off user authentication - Go to System -> Configuration -> User Authentication and change it to "none"

  • Change Workstation Identification - Go to System -> Configuration -> Workstation Identification and change it to "IP mode".

In inline mode you will only have one policy (unless you configure additional policies based on IP or Hostname) - the default policy. This will be applied to all requests. Go to Policies -> Manage Policy and click Default Policy.

  • Scroll down to Dynamic Sites and change it to "URL database overrides real-time detection".

  • Scroll down a bit further to the Content Classifier table. Select here the categories of site you want to block, e.g. Child Pornography, Pornography, etc. Set as many of the other categories as you can to Allow, as this will speed up performance. Try not to have many on Ignore if you can help it.

  • Scroll down a bit further and set the Active Image Control to "off"

  • Scroll down a bit further and click Update Policy.

6) By default in inline mode, CensorNet filters SSL web sites. You probably don't want it to do this, as it requires a certificate to be installed in the client browser. To turn it off, log in as root and type nano /etc/network/interfaces. Search (Ctrl+W) for 443; this should take you to a line which contains a firewall rule. Move to the start of this line and put a # there to comment it out. Then save and exit with Ctrl+X, then Y, then Enter. You'll need to restart the network by typing ifdown br0; ifup br0, or reboot the CensorNet server. CensorNet will then no longer intercept SSL sites.

7) When using CensorNet in inline mode it is not possible to have user authentication. You can, however, configure user identification using the RemoteWorker or Active Directory Agent helper tools.

8) For high availability you can use a "fail open network card" or you can configure WCCP. Please contact us for more information.

-- TimLloyd - 08 Mar 2010
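
The manual edit in step 6 can also be done non-interactively, with a backup kept. The following is an added example, not part of the original article or CensorNet's own tooling; it assumes the SSL intercept rule is an active (uncommented) line in /etc/network/interfaces that mentions port 443, and the function names are illustrative.

```shell
#!/bin/sh
# Added example (not CensorNet tooling). Assumption: the SSL intercept rule is
# an active line in the interfaces file that mentions port 443.

# Matches 443 as a whole number, so ports such as 8443 or 4430 are left alone.
PORT_RE='(^|[^0-9])443([^0-9]|$)'

# Print the active (uncommented) lines that reference port 443, with line numbers.
active_443_rules() {
    grep -nE "$PORT_RE" "$1" | grep -vE '^[0-9]+:[[:space:]]*#' || true
}

# Comment out the active port-443 lines in file $1, keeping a copy in $1.bak.
# Returns 0 if the file was changed, 1 if there was nothing to change,
# 2 on error.
disable_ssl_intercept() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    if [ -z "$(active_443_rules "$file")" ]; then
        echo "no active port 443 rule in $file" >&2
        return 1
    fi
    cp -p "$file" "$file.bak" || return 2
    # Prefix matching lines with '#'; lines already commented are skipped.
    # On failure, put the backup back so the file is never left truncated.
    sed -E "/^[[:space:]]*#/!{/$PORT_RE/s/^/#/;}" "$file.bak" > "$file" \
        || { cp -p "$file.bak" "$file"; return 2; }
}

# Usage on the CensorNet server, as root:
#   active_443_rules /etc/network/interfaces      # review what will change
#   disable_ssl_intercept /etc/network/interfaces && { ifdown br0; ifup br0; }
```

Review the output of active_443_rules before applying the change, and keep the .bak file so the rule can be restored if SSL filtering is needed again.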


Revision 1r1 - 08 Mar 2010 - 10:23:35 - TimLloyd