
Setting up CyberPatrol on Border Manager 3.x

Ron Nutter shows you how to install and use CyberPatrol, an access-control application that lets you set up "blocking rules," which reference a third-party NLM to determine if a Web site meets certain criteria.


If you’ve been using Border Manager for very long, you know all about access rules. Access rules let you control which Web sites your users can visit. You can put a blocking rule in place to specify that, unless an explicit allowance has been made, users can’t visit a site that isn’t covered by an access rule. However, suppose that you want to avoid being so restrictive—but you’re still concerned about employees using the Internet for personal reasons. Well, there is another answer: CyberPatrol.

With CyberPatrol, you can set up a blocking rule that will reference a third-party NLM (which you load onto your server) to determine if a site fits certain criteria. If the site fails to meet those criteria, access to that site is blocked. The CyberPatrol NLM will connect periodically to the CyberPatrol Internet site and download an updated database. The NLM refers to this database when it decides if a site should be blocked. Although you can perform this type of content filtering on your own, doing so would consume a lot of your valuable time.

In this Daily Drill Down, we’ll show you how to install and use CyberPatrol.

The CyberPatrol license that you receive with Border Manager is a 45-day evaluation license (not 90 days, as listed in the documentation). At the end of the evaluation period, you have two choices: Either purchase a subscription to the CyberPatrol service or work with a database that will become increasingly out of date as each day passes. The subscription cost runs from $250 for a Border Manager 5-user installation to $6,995 for a Border Manager 5,000-user installation. For more information on this product, you can reach CyberPatrol at 800-828-2608 or visit the CyberPatrol Web site.

Installing CyberPatrol
Most of the work involved in getting CyberPatrol on your Border Manager server was done during the Border Manager installation. You’ll find the installation program for CyberPatrol in the SYS:ETC\CPFILTER directory. Run the CP_SETUP.EXE program to begin the installation process. You’ll see a Welcome window that displays a short version of the CyberPatrol license agreement. Click the Proceed button to continue with the installation process. When you see the Installation Notes window (which reads like the license agreement that we’ve all become accustomed to reading), click Proceed.

Now, you should see the Novell SYS: Volume window, which prompts you to enter the drive letter that’s mapped to the SYS: volume of the Border Manager server onto which you want CyberPatrol installed. This step is tricky: Type the drive letter only (for example, G) and don’t put a colon or anything else on that line. If you enter anything other than the drive letter, you’ll see an error window, and the setup program will terminate.

After you enter the appropriate drive letter for your system, click Proceed. A gas gauge-like display will appear and advise you of the status of the file-copy process. When the process completes, the Installation Complete! window will instruct you to type the following line at the server command prompt on the Border Manager server:
load SYS:\ETC\CPFILTER\CPFILTER.NLM

After clicking Proceed, you’ll see the CyberPatrol Registration Form window. For the purposes of this drill down, we’ll set up CyberPatrol and use the evaluation license that’s included with Border Manager.

Click the Download CyberNOT List button to request a download of the latest available list. A Register window will appear, telling you that the CP-PROXY.NLM will download the list sometime within the next hour. Since we haven’t loaded the CPFILTER.NLM yet, the download process should occur shortly after the NLM is loaded. Click OK to close the Register window. Then, click Save Settings to close the CyberPatrol Registration Form. An error window will appear and tell you that you need to register the program. Click No to close the Register error window.

At this point, you need to establish an Rconsole session to your Border Manager server and load CPFILTER.NLM. The installation process doesn’t automatically add a load CPFILTER line to the server’s AUTOEXEC.NCF file. You have to add it yourself in order to load CyberPatrol automatically each time that the Border Manager server starts. After you place that line in your AUTOEXEC.NCF file, you’ll see a message telling you that CyberPatrol is loading during server startup. Once you’ve loaded CPFILTER.NLM, two messages will appear on the server console window. The first message indicates that CP-Proxy is in DEMO mode and will stop working in 45 days. The second message gives you the file number that’s being downloaded from CyberPatrol. (You’ll see a follow-up message when this download is complete.)

If you selected the Block Sports And Leisure categories option on the CyberPatrol Registration Form, you’ll see an additional Downloading file number message as this file downloads. It’s pretty much a case of wait and see during the file download process. A total of four files will be downloaded. At that point, a series of messages will appear indicating that the databases for CyberPatrol are being created and opened. Finally, you’ll see a message that a connection is being established to the Border Manager Proxy Server. (Although the message mentions an IntraNetWare server, you’ll see the same message if you’re installing CyberPatrol on a NetWare 5.x server.) At this point, you can terminate the Rconsole session to your Border Manager server and open NWAdmin to finish the CyberPatrol setup.

Configuring CyberPatrol
You’ll finish configuring CyberPatrol with NWAdmin. Since CyberPatrol is licensed to the server upon which Border Manager is installed, you must establish the access rules on the Border Manager server NDS object. Double-click on the server object representing the server that runs Border Manager and double-click the Border Manager Access Rules button. When the Border Manager Access Rules window appears, go to the Rules toolbar and click on the box that appears to be made up of dots. You’ll see the Access Rule Definition window.

At this point, click the Access Type drop-down arrow and click URL. Then, select the Specified option in the Destination area of the Access Rule Definition window. Click the browse button (the small one with three dots on it), and a URL Specifications window will appear. Click the Specify URLs drop-down arrow to open two list boxes: Select From Microsystems CyberNOT and Select From Microsystems CyberYES. We’ll start by determining the types of sites that we want to block. Highlight and click the CyberNOT option to reveal a list of site categories. Click the types of sites that you want to block and click OK to finish the creation process for this rule. When you see the Access Rule Definition window, select the option Enable Rule Hit Logging; it will allow you to identify those users who are surfing the Net when they should be working.

Third-party Filter should now appear in the Specified box. Click OK to submit this rule to ACLCHECK.NLM. If you have an Rconsole session to the server that runs Border Manager, you should see the message Waiting for timestamp synchronization of ACLCHECK.NLM, followed by ACLCHECK.NLM is reading rules from NDS and ACLCHECK.NLM read x rules from NDS (where x is the number of rules). When you see the last message, it means that the rule you just created is now active.

The CyberYES list takes a little more positive approach in managing the sites that users can access. Subject categories include Oceans & Space, School Work, and Parents & Teachers, among others. Follow the same steps that you used to create the CyberNOT list—the only difference is that you’re creating a rule that allows access to “good” categories. The newly created rule should be active within a couple of minutes.

Troubleshooting CyberPatrol
Despite all the precautions that you take, users still may be able to access objectionable sites. For example, it’s possible that the site in question may be pulled from the browser’s local cache. Follow the instructions for the browser that you’re using and delete the local cache of that workstation. Exit and restart the browser to see if you can access the site. If you can, you may want to force a manual update of the current CyberPatrol database. (To do so, click the Update Database option in the CyberPatrol Registration program; then, unload and reload CPFILTER.NLM.) If you can still display the site, consider establishing a special rule to block this site. Then, visit the CyberPatrol Web site to request that this site be reviewed for inclusion in the next database update.

If you notice an error while CPFILTER.NLM attempts to download the latest site database list, your first step is to ping 199.103.160.102. (It’s the IP address for the site from which your Border Manager server downloads the new database.) If you can’t ping this address, try pinging another external address to make sure that the connection to your ISP is functional. If your server still can’t ping the CyberPatrol address, type unload IPFLT.NLM (the server applies no IP packet filters while this module is unloaded) and repeat the process to see whether the IP filters are blocking the pings and the connection to the CyberPatrol site. If you can reach the site now, create a filter exception for port 674 to allow CyberPatrol to download the updated category lists.

If you continue to have problems, you may want to rerun the Registration program and verify that the primary IP address to be used for the CyberPatrol site is set to 199.103.160.102. If you can’t identify the cause of your problem, you may have to rerun the CyberPatrol setup program, CP_SETUP.EXE. If you’ve registered your copy of CyberPatrol, this last step will delete the registration file, and you’ll need to call the CyberPatrol registration number to get your copy reregistered.

When you apply a Border Manager service pack, you may receive the error message CP-Proxy has expired or is not registered when you restart the server. If you see this message, rerun the CP_SETUP.EXE program. You shouldn’t have to restart the Border Manager server.

If you start experiencing multiple abends that involve CPFILTER.NLM, check Novell’s Web site for updates to Border Manager service packs or the CyberPatrol NLMs. If sites are not being blocked but appear on the CyberNOT list, check to see if the site appears on the current CyberNOT list by going to CyberPatrol’s CyberNOT page and entering that site’s DNS name.

Conclusion
As you can see, configuring and using CyberPatrol is very straightforward. The nice thing is that you have 45 days to see how using CyberPatrol lessens your workload and gets back some of your precious Internet bandwidth.

Ronald Nutter is a senior systems engineer in Lexington, KY. He's an MCSE, Novell Master CNE, and Compaq ASE. Ron has worked with networks ranging in size from single servers to multiserver/multi-OS setups, including NetWare, Windows NT, AS/400, 3090, and UNIX. He's also the help desk editor for Network World. If you’d like to contact Ron, send him an e-mail. (Because of the large volume of e-mail that he receives, it's impossible for him to respond to every message. However, he does read them all.)
