

Installation and Setup


SurfinCheck consists of two main components:

SurfinCheck Server

The SurfinCheck Server is the component that provides protection based on the corporate security policy. It should be installed on a gateway machine since it will serve as a proxy for the client browsers. After installation, all client browsers should be configured to use SurfinCheck Server as an HTTP Proxy.

Depending on your license, several SurfinCheck Servers may be installed, all operating from a single Corporate Security Policy and each servicing a different set of users.

SurfinCheck Server has a minimal user interface that consists of a chronological list of errors registered in real time. To set up and configure SurfinCheck, or to access the complete log of security activities, use the SurfinConsole.

SurfinConsole

The SurfinConsole is your Security Management Console. It is preferable to install SurfinConsole on a separate machine (so as not to reduce performance due to SurfinCheck Server load). SurfinConsole is the User Interface component through which the Corporate Security Policy is set, users and groups are defined, and reports are generated.

System Requirements

SurfinCheck Server

SurfinConsole

Before Installing SurfinCheck

Before installing SurfinCheck, it is recommended that you plan your setup, as described in the previous chapter. This will ensure that you set up SurfinCheck so that it suits the specific needs of your organization.

In addition, make sure you:

Installing SurfinCheck

Installing SurfinCheck Server

  1. Run the installation program (setup.exe) on the machine you designated as the SurfinCheck Server.
  2. Make sure SurfinCheck Server is selected in the Components window.

  3. If you are installing a single SurfinCheck server, press Yes when the following dialog box appears (this SurfinCheck Server will be referred to from now on as the Primary Server.) If you are installing a second SurfinCheck Server, press No.

The program will install all the necessary components for SurfinCheck Server.

Note: As part of installation, SurfinCheck Server is added to the Startup folder so that it is automatically invoked upon boot-up of the machine. It is important to keep this configuration so that in the event of a system failure on the gateway machine, SurfinCheck will automatically be brought up as the operating system recovers.

Next, you will install the SurfinConsole, as described below.

Installing SurfinConsole

  1. Run the installation program (setup.exe) again on the machine you designated as the SurfinConsole and follow the instructions on screen.
  2. Select the SurfinConsole option in the Components window.
  3. Follow the installation screens. You will be asked to provide the host name and other information you prepared in the preliminary steps of SurfinCheck Server installation.

    The program will install all the necessary components for SurfinConsole.
  4. The installation of both SurfinCheck components is now complete. Next you should define groups and users, as described in the next section.

Registering SurfinCheck

To register SurfinCheck:

  1. Invoke the SurfinCheck Server and click the Register button. The following window is displayed.

  2. Type in the information required. If you are registering an evaluation copy, you can get a serial number and key from your reseller or from Finjan Software.

    If you purchased additional licenses, re-enter the new license and key number.

Defining Groups and Users

In order to implement a security policy for your organization, you must define all users that will be protected by SurfinCheck Server.

If you need to set up specific security policies for different departments or groups of users within your organization, you should first define those groups. If you do not need any group-specific policies, skip the next section and go to Defining Users.

Note: You can add multiple users using an IP range. This allows you to add many users at once (instead of one by one) by specifying a range of IP addresses. All IP addresses within that range will then be subject to the security policy you define. Creating an IP range also enables you to handle dynamic allocation of IP addresses, since every IP allocated within the range will be subject to the same policy.

See Chapter 4, Defining the Security Policy, for detailed information on defining security policy settings for specific groups.

Defining Groups

Defining a group enables you to set a specific security policy for a group of users. Once you define the group, you should add individual users beneath that group.

Note that you can also define multiple users using an IP range. See the next section for details.

To define a Group:

  1. In the SurfinConsole toolbar, click the Users & Groups icon. The Users and Groups Window appears.
  2. From the Users Tree Box, select the Corp group.
  3. Click Add. The Add New User Dialog Box appears.
  4. Click the Group radio button.
  5. Enter the name of the Group in the Group name field. The name can contain any alphanumeric character, underscores or periods.
  6. Click OK to accept your entry. The new group is added to the User Tree Box. Next, you should add users beneath the group.

Note: You can create multiple levels of groups and subgroups, as in the example above.

To Remove a Group

All Users have to be deleted before you delete their group name.

  1. From the Users Tree Box, select the group you wish to remove.
  2. Click Remove. The Remove User Message Box appears.
  3. Check that the group shown is the group you want to delete.
  4. Click Yes to confirm removal.

Defining Users

In order to implement a security policy for your organization, you must define all users that will be protected by SurfinCheck Server. This is done through the SurfinConsole.

Note: If you need to define a specific security policy for different departments or groups of users within your organization, you should first define groups (see previous section) and only then add users within the groups.

To define users:

  1. Select the Groups and Users icon in the SurfinConsole toolbar.
  2. In the Groups and Users window, select the parent Group (i.e. Corp).
  3. Click Add. The Add new user Dialog Box appears.

  4. Click the User radio button.
  5. Enter the User Name in the User name Text Box. The name can contain any alphanumeric character, underscores or periods.
  6. Enter the full IP Address of the user's computer.
  7. Click OK to accept your entry.
  8. Repeat the above process for all users in the organization.

Defining Users Using an IP Range

You can add multiple users using an IP Range. This can also help you handle dynamic allocation of IP addresses.

Note, however, that any user having an IP address within the specified range will be subject to the same security policy. A user that is within the IP range cannot be added again to a different group.

To add users using an IP range:

  1. In the Users and Groups window, select the parent group.
  2. Press the Add button.
  3. In the Add User window, check the Range radio button.

  4. Type in a Range name and fill in the From and To IP ranges.
  5. Press OK. The new IP Range group is added to the User Tree box.
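
The rules in this section (allowed name characters, full IP addresses, and no individual user inside a range that belongs to another group) can be checked on paper before anything is entered in SurfinConsole. The script below is an added example, not part of the SurfinCheck product or its documentation; the plan format and all names and addresses in it are assumptions constructed for illustration.

```javascript
// Added example. The plan format (kind, name, group, ip, from, to) is an
// assumption made for this sketch; it is not a SurfinConsole file format.

// Converts a full dotted-quad IP address to a number, or null if malformed.
function ipToNumber(ip) {
  var parts = String(ip).split(".");
  if (parts.length != 4) return null;
  var value = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    value = value * 256 + Number(parts[i]);
  }
  return value;
}

// Returns a list of problems; an empty list means the plan is consistent.
function checkPlan(entries) {
  var problems = [], ranges = [], i, j, e;
  for (i = 0; i < entries.length; i++) {
    e = entries[i];
    // Names: alphanumeric characters, underscores or periods only.
    if (!/^[A-Za-z0-9_.]+$/.test(e.name)) problems.push(e.name + ": invalid name");
    if (e.kind != "range") continue;
    var from = ipToNumber(e.from), to = ipToNumber(e.to);
    if (from === null || to === null || from > to) problems.push(e.name + ": invalid range");
    else ranges.push({ name: e.name, group: e.group, from: from, to: to });
  }
  for (i = 0; i < entries.length; i++) {
    e = entries[i];
    if (e.kind != "user") continue;
    var ip = ipToNumber(e.ip);
    if (ip === null) { problems.push(e.name + ": invalid IP address"); continue; }
    for (j = 0; j < ranges.length; j++) {
      // An address inside a range cannot be added again under another group.
      if (ip >= ranges[j].from && ip <= ranges[j].to && e.group != ranges[j].group)
        problems.push(e.name + ": " + e.ip + " is inside range " + ranges[j].name);
    }
  }
  return problems;
}

// Constructed sample plan (RFC 5737 documentation addresses).
var SAMPLE_PLAN = [
  { kind: "range", name: "Sales_DHCP", group: "Sales", from: "192.0.2.10", to: "192.0.2.50" },
  { kind: "user", name: "j.smith", group: "Engineering", ip: "192.0.2.20" },
  { kind: "user", name: "a_jones", group: "Engineering", ip: "192.0.2.200" },
  { kind: "user", name: "bad name", group: "Corp", ip: "192.0.2" }
];
```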

Setting Up Client Machines

Once you complete installation of SurfinCheck and have defined users and groups, you should configure all browsers on end-user machines to use SurfinCheck as a proxy server for HTTP requests.

Configuring Microsoft Internet Explorer

  1. Choose Options from the View menu.
  2. Select the Connection tab.
  3. For a manual proxy setup:
    Check the "Connect through a proxy server" option and press the Setting button. In the HTTP section, type the address and port number of the SurfinCheck server.

    For an automatic proxy setup (available in Explorer 4.0 only):
    Press the "Automatic Configuration" button and then enter the location of a proxy configuration file. The configuration file should set the SurfinCheck machine as the HTTP proxy.
  4. Press OK to close the form.
  5. Clear the cache of the browser and restart the Explorer.
    (Select View->Options and choose the Navigation tab. Press the Clear History button, and press OK.)

Configuring Netscape Navigator 3.0

  1. Choose Network Preferences from the Options menu.
  2. Select the Proxies tab.
  3. For a manual proxy setup:
    Select the "Manual Proxy Configuration" option and press the View button. In the HTTP field, type the address and port number of the SurfinCheck server.

    For an automatic proxy setup:
    Select the "Automatic Proxy Configuration" option and enter the location of a proxy configuration file in the adjacent edit field. (The configuration file should set the SurfinCheck machine as the HTTP proxy.)
  4. Press OK to close the form.
  5. Clear the cache of the browser and restart Netscape.
    (Select Options->Network Preferences and choose the Cache tab. Press the two Clear buttons, and press OK.)

Configuring Netscape Navigator 4.0

  1. Choose the Preferences command from the Edit menu.
  2. Expand the Advanced category on the left side of the window.
  3. Select the Proxies sub category.
  4. For a manual proxy setup:
    Select the "Manual proxy configuration" option and press the View button. In the HTTP field, type the address and port number of the SurfinCheck server.

    For an automatic proxy setup:
    Select the "Automatic proxy configuration" option and enter the location of a proxy configuration file in the adjacent edit field. (The configuration file should set the SurfinCheck machine as the HTTP proxy.)
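
The proxy configuration file referred to in the automatic setup steps for Internet Explorer and Netscape Navigator is a JavaScript file that defines FindProxyForURL. The following is an added example, not a file supplied with SurfinCheck: the proxy address and port are placeholders, failOpenPac and findBypasses are hypothetical helpers, and only FindProxyForURL belongs in the deployed file. It shows a configuration that sends HTTP only through the gateway next to a weak variant that lets the browser fall back to a direct connection, and a check that flags the difference.

```javascript
// Added example. SURFINCHECK_PROXY is a placeholder: substitute the address
// and port of your own SurfinCheck Server (neither value comes from the manual).
var SURFINCHECK_PROXY = "surfincheck.example.com:8080";

// The browser calls this function for every request it makes.
function FindProxyForURL(url, host) {
  var scheme = url.substring(0, url.indexOf(":")).toLowerCase();
  if (scheme == "http") {
    // Only one entry, with no "; DIRECT" fallback: if the gateway is down the
    // request fails instead of reaching the Internet uninspected.
    return "PROXY " + SURFINCHECK_PROXY;
  }
  // Assumption: only HTTP is proxied, matching the manual proxy setup steps.
  return "DIRECT";
}

// Weak variant for comparison: falls back to a direct connection.
function failOpenPac(url, host) {
  return "PROXY " + SURFINCHECK_PROXY + "; DIRECT";
}

// Deployment check: returns the sample HTTP URLs for which a PAC function
// offers any route other than the SurfinCheck proxy.
function findBypasses(pacFunction, urls) {
  var bypasses = [];
  for (var i = 0; i < urls.length; i++) {
    var url = urls[i];
    if (url.substring(0, 5).toLowerCase() != "http:") continue;
    var host = url.split("/")[2].split(":")[0];
    var routes = pacFunction(url, host).split(";");
    for (var j = 0; j < routes.length; j++) {
      var route = routes[j].replace(/^\s+|\s+$/g, "");
      if (route != "" && route != "PROXY " + SURFINCHECK_PROXY) {
        bypasses.push(url);
        break;
      }
    }
  }
  return bypasses;
}

// Constructed sample URLs (reserved example.com names).
var SAMPLE_URLS = [
  "http://www.example.com/applet.html",
  "HTTP://intranet.example.com:8000/",
  "ftp://ftp.example.com/pub/"
];
```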

Configuring Other Java-Enabled Browsers

For any other Java-enabled browser, configure the browser to use the SurfinCheck server as the proxy server, clear the cache of the browser, and restart it.

Testing Your Security Policy

At this point your setup is complete, and it is recommended that you now test your security policy for two types of applets: one that should be allowed into the network and one that should be blocked.

Open a client browser and access the installation test page: http://www.finjan.com/SurfinGateTest/

Test an Allowed Applet

From the SurfinGate Test page, select the link of the Allowed Applet. This page contains a 'benevolent' applet that does not access the file system or the network and does not load any executable. By default, this applet should be allowed into the system.

If your setup is correct and you did not modify SurfinCheck's default settings, then when you access this page, the applet should be displayed in the browser without any messages.

Test a 'Blocked' Applet

Proceed to Step 2 by pressing the link of the Blocked Applet. This page contains an e-mail applet that attempts to send e-mail from the user's desktop. SurfinCheck's default policy specifies that this type of applet should be blocked.

If your setup is correct, then SurfinCheck should block the e-mail applet, and you should see a message notifying you about the blocked applet.

You can also invoke the SurfinConsole and view its log (click the Log icon) to examine the applet events that took place.


