LevelBlue Knowledge Base » Knowledgebase » Legacy Products » Web Filter (R3000)

Where do I send a feature request for a LevelBlue Marshal product?

Charles Creegan — Sun, 01 Mar 2020 00:00:00 GMT

This article applies to:

MailMarshal (SEG)
MailMarshal ECM/MailMarshal Exchange
MailMarshal SPE
WebMarshal

Question:

Where do I send a feature request for a LevelBlue Marshal product?

Procedure:

If you want to request a new feature or you want to suggest an improvement for any product, you can contact Technical Support. You can also enquire through your account manager or reseller.

End-of-Life for Web Filter and WFR

Charles — Thu, 26 Sep 2019 17:08:18 GMT

This article applies to:

Trustwave Web Filter (WF)
Trustwave Web Filtering and Reporting Suite (WFR)

Information:

As previously communicated, Trustwave Web Filter and WFR reached End-of-Life on September 1, 2019.

Patches and database updates are no longer provided for these products.

Customers can move to other Trustwave web filtering products:

WebMarshal (premises Windows software)
Secure Web Gateway Cloud (managed cloud service)

Note that the Trustwave Security Reporter (SR) continues to be supported as a standalone device. However SR that was included in WFR is no longer supported.

Web Filter Block Page Flow (Invisible Mode)

Andrew Davies — Fri, 10 Mar 2017 15:34:08 GMT

This article applies to:

Web Filter
Web Filter and Reporter

Question:

How does the Web Filter serves a block page to a client in Invisible Mode?

Reply:

The Client sends a request to a web site, which is also received by the Web Filter.
The Web Filter sends a TCP reset to both the Client and the web site, so that the Client doesn't keep requesting the web site, and the web site doesn't keep trying to serve to the Client.
The Web Filter then sends an HTTP 302 Redirect to the Client.
The Client issues an HTTP GET https://<ip_address>:81/block.cgi to the Web Filter.
The Web Filter serves the Client the block page.

HTTPS Filtering and Block Pages

Denton Diederich — Mon, 30 Jan 2017 11:04:47 GMT

This article applies to:

R3000 All Versions

Question:

Why don't I get a block page when I am trying to access a blocked https site?

Reply:

Because of the nature of https connections it's often times not possible to send a block page to the end user after an HTTPS connection has been made with the website. The browser will not honor a TCP redirect from a secure website (the https site) to an unsecured website (the block page). The block page is only successfully delivered if the filter is able to send the redirect before the browser complete the TCP handshake with the website.

Instead of the Web Filter block page you will see an error message which will vary depending on the browser type.

Notes:

X-Strike Blocking Custom Block Page

Denton Diederich — Wed, 21 Dec 2016 16:32:44 GMT

This article applies to:

WF & WFR
version 5.1.05+

Question:

Can a user being blocked via X-Strike Blocking be sent to a Custom Block Page URL

Reply:

NO, it will need to be the ‘Default “Alternative” Locked Block Page’ option or else an Internal ‘Custom URL’ block page.

System>X-Strike Blocking, Configuration tab, and Specify a Redirect URL

Notes:

If a public website is entered as a redirect URL, then the web site in question will automatically be excluded from the filter and not be logged.

Web Filtering and Reporting (WFR) Hardware Support Matrix

Charles — Thu, 15 Dec 2016 12:57:44 GMT

This article applies to:

R3000
WFR/WF/SR

Question:

Where can I find the current Trustwave Web Filtering and Reporting Hardware Support Matrix?

Information:

The current Trustwave Web Filtering and Reporting Hardware Support Matrix can be found in the attachment below.

This information was last updated in December 2016.

Enabling SSH Password Authentication (Opening the Shell)

Andrew Davies — Tue, 13 Dec 2016 15:48:33 GMT

This article applies to:

Web Filter

Question:

How do I enable SSH password authentication for connection to a WebFilter server?

Procedure:

NOTE: In order to complete the following procedure, you must contact Trustwave Support and open a case to obtain the password needed in step 5.

PART I – Shut Down and Connect a Keyboard and Monitor

Bring the system down: Navigate to System > Control and click ShutDown
Click the ShutDown button to power off the system.
Connect a monitor to the VGA port and the keyboard to a USB or PS/2 port on the back of the system:

PART II – Single User Mode

Power up the system by pressing and holding the green check mark key (located on the LCD panel on the front of the chassis) for three seconds.
On the GNU GRUB screen press p to bring up the password dialog box, and enter in the password.

NOTE: Please contact Trustwave Support and open a case to obtain the password.
Press e to edit the entry.
Use the up arrow and down arrow keys to select the line that starts with ‘kernel’ and press e to edit the line.
At the end of this line, press the spacebar to put in a space and type the word single and then press enter

You should now be back to the previous screen. Press b to boot into single-user mode.

PART III – Enable SSH Password Authentication

At the prompt, type the command nano /etc/ssh/sshd_config
Use the arrow keys to find the line that says PermitRootLogin*, and change it to yes

*Note: this entry does not exist on all systems. If it is not present, skip to the next step.
Use the arrow keys to find the line that says PasswordAuthentication, and change it to yes
To save, press Ctrl+x, then press y, and hit enter
Restart sshd by running the command /etc/init.d/sshd restart
You will see “Starting sshd” set to OK.
Press Ctrl+d to boot the system back up into multiuser mode.

It will run through all of its checks, and bring you back to your logon screen.

Part IV - Test the Connection

Open a terminal window or start a PuTTY session to verify that SSH is enabled from a device on the same network (not the filter). You can download PuTTY from http://www.putty.org/
Enter SSH [Filter IP] (for example, SSH 10.10.10.11 ). When prompted to continue connecting, type yes.
Enter any user name. If you are prompted for a password, then SSH has been successfully enabled.
Repeat steps 1-4 to remove the monitor and keyboard, if necessary.

Alert Email: shadow.logs Pending

Denton Diederich — Wed, 28 Sep 2016 10:31:19 GMT

This article applies to:

R3000
Web Filter 300/500/700
WFR 350/550

Question:

Alert Email: The hourly health check detects "shadow.log pending"!

This alert email represents an urgent issue and customers should contact Trustwave Support ASAP.

Reply

If the Web Filter is sending you an alert email stating that there are shadow.logs pending, it means that traffic log transfers to your Security Reporter or external FTP server are failing, if you have a WFR or combo box where reporting is on the same hardware then call tech support now, some how the logs are not rotating to the reporter side.

Background: When a traffic log (shadow.log) transfer from the Filter fails, it keeps a copy of the log on its hard drive and attempts to send it again on the next log transfer session. This will continue until the log is successfully transmitted. Logs are transferred at the top of every hour. If transfer failures continue to happen, the logs that fail to transfer will begin to build up, and this alert will be sent if 4 or more logs are failing to be sent. The filter will also show "failed" in Reporting>configuration>logs section.

Troubleshooting a stand alone Reporter: First verify if the reporter IP is responding to pings? if you ftp logs to a third-party-server verify if that server pings?

If the pings fail, please troubleshoot the reason why or call support, so we may log in and look.

There are a few possible causes for this error. From the Web Filter GUI, go to the Reporting tab, and choose Report Configuration from the left. Make sure that it is not trying to export to a device you do not have. Also, verify that the addresses are correct in the settings for your export targets. If everything looks ok, then click the "Log" tab and then the "View Log" button in order to see the FTP transfer logs.

If there are connection errors shown, then check your network connections to the export targets (Reporter or FTP server, which ever is appropriate), as well as the status of these target devices (Reporter or FTP server, whichever is appropriate). If there are no visible error, but the PUT commands never seem to complete successfully, then the target device (Reporter or FTP server, whichever is appropriate) may be full. If the full target device is an Enterprise Reporter, contact Technical Support in order to resolve the issue.

Can I report on bandwidth per website?

Andrew Davies — Fri, 01 Jul 2016 13:37:00 GMT

This article applies to:

SR implementations reporting on Web Filter Data

Question:

How do I run a report on bandwidth per website?

Response:

Reporting on bandwidth per website is not available when reporting on Web Filter data. This function is only possible with an SWG/SR implementation.

Web Filter is not designed to report on the amount of bandwidth that was used. Web Filter can only report based on the information that is in the real time log.

The bandwidth category in the configuration of the Web Filter is referencing sites that are bandwidth intensive. If you are having issues with load on your network, you can block the bandwidth category to limit sites that are known to use large amounts of bandwidth.

For the SWG/SR implementation, instructions on how to report on bandwidth are available in the User Guide.

RMA Replacement Checklist - WF/WFR/SR

Andrew Davies — Thu, 11 Feb 2016 16:05:20 GMT

This article applies to:

WF - All Versions
WFR - All Versions
SR- All Versions

Question:

What do I need to know when I receive my RMA replacement?
What do I need to do to set up a RMA replacement device?

Procedure:

When you receive your replacement device, you will need to take a few additional steps in order for your device to be fully functional. These steps are briefly covered in this article. For more details see the Appliance Install Guide for your product version.

General Procedure:

Connect to your Appliance with an external monitor and keyboard, or connect via a console cable. You should be able to see output on your screen that shows a login prompt.
At the login prompt, enter menu
At the password prompt, type the password associated with the menu user. This will be included with the replacement documentation (you can also contact TAC).
Press 2 to select the Quick start setup process. This will prompt for credentials. You can use the same password as above.
From the quick start menu, configure the following information.
- Filtering mode (see Notes below)
- Configure Network Interface LAN 1
- Configure Network Interface LAN 2
- Configure Default Gateway
- Configure DNS Servers
- Configure Host name
- Set Time Zone and Regional settings
- (For WFR or SR only) Configure the setup wizard user

Complete the wizard and follow any additional prompts to finalize your configuration.

WFR and SR Setup Wizard User:

The setup wizard user is used exclusively for the SR component. This user must be defined to update to the latest releases. On a WFR, the SR must be configured, as without the SR configuration the WFR will create a backlog of real time logs that cannot be processed.

The wizard user is a temporary account this is used strictly for creating the SR Global admin. The wizard username and password will be changed after you log in and create the SR user.

After you have defined the setup wizard user, log in to the SR or WFR with https://[ip address of appliance]:8443/ (The port may be different on older appliances, so refer to the Appliance Install Guide or User Guide for your appliance version.)

Notes:

To keep things simple, Trustwave recommends that you replicate your pre-RMA configuration as closely as possible to ensure that you recover to the same state before your RMA request.
The most common modes of filtering are ‘invisible’ and ‘Bridge Mode’. If you intend to filter via a port mirror, select invisible mode.
If you are registering a new replacement unit and wish to use the same hostname, contact Trustwave TAC to ensure that there are no duplicates in the registration database. Trustwave can remove the older appliance record from the database to allow you to pick the same hostname.

Determining why an appliance is not responding to ping

Andrew Davies — Thu, 11 Feb 2016 14:05:08 GMT

This article applies to:

WF - All Versions
WFR - All Versions
SR - All Versions

Question:

Why is my appliance not responding to ping requests?
Troubleshooting networking before declaring a hardware failure

Procedure:

A device not responding to a ping request is often a symptom of a network configuration issue. It could also be caused by a hardware fault. Before starting to process an RMA for hardware fault, it is important to determine whether the security appliance hardware is truly the culprit.

Log into the appliance with the default setup user credentials. (Contact support for this information.)
- Press 1 to enter the "display status" and confirm that your network settings are correct. Make a note of the gateway setting because this will be needed for additional testing.
Plug a laptop into the same physical switch as the Appliance and try pinging the IP of the appliance. If you are still not getting a response, try pinging the Gateway.
- If you get a response when pinging the IP on the same switch, then this is a routing issue.
- If you can still not ping the gateway, then this is a network configuration issue. This will need to be addressed before support can provide additional assistance. If you can ping the gateway, then proceed with Step 3.
Plug a laptop into the same User Interface management port on the switch. This is the interface that is also used when logging into the web browser. On the WF, this is defined in System > Network > LAN Settings. If you are looking at the back of the appliance, the ports are numbered from left to right: LAN1 on the left side, and LAN2 on the right.
- Try pinging the gateway you noted from Step 1. If you are not getting a response then this points to an issue with the port. Try using a different port and repeat steps 2 and 3. If you do get a response then contact support for additional assistance.

Networking tips

Here are some other basic networking tips to help you along the way.

Verify that the appliance is in the expected VLAN.
Try different network cables.
Check the LED indicators on the NICs to determine what type of traffic is being seen over the network. LED colors may have different meaning depending on the NIC manufacturer but here is a general rule of thumb for most modern day NICs.
- No light - No connection
- Solid Green - Link established
- Flashing Green - Indication that data is being sent/received
- Orange or Red - Errors with NIC or Network

Notes:

Even if you believe nothing has changed on the network, Trustwave cannot process an RMA until these steps have been completed. This is because all devices on a network can be a point of failure. Hardware ages and various components will go bad over time. Basic tests as described will help you to avoid the unnecessary costs and delays from returning a working appliance when the issue was elsewhere in the network.

Blocking the Teamviewer Client using the WF or WFR

Andrew Davies — Wed, 03 Feb 2016 18:03:41 GMT

This article applies to:

WF - All Versions
WFR - All Versions

Question:

How do I block Teamviewer software on the web filter?

Procedure:

Web Filter is a TCP based filter, so it is only able to block TCP packets. The filter can block navigation to the teamviewer.com website since the connection is made over TCP. However, the Teamviewer client also uses UDP. Any UDP based application is out of scope of the filter's design.

To block applications that use UDP traffic you can control application installation via user policies, or block the UDP packets from the application on the firewall. Another option is to combine Web Filter with other Trustwave products which are capable of filtering UDP traffic.

Diagnosing UDP Ports To Block:

The procedure below is a suggested starting point to help you determine the ports in use. You may need to experiment to use the procedure in your network environment.

Run Wireshark on a workstation that has a connection to teamviewer. This workstation should be inside your network.
Have the connecting host from outside of the network provide their IP address (they can determine this by navigating to whatismyip.com). You can use the IP address as a filter in Wireshark to see only the traffic to this IP using the following filter:

ip.addr==[external address] && udp

For example:

ip.addr==203.0.113.1 && udp
If the connection is local, use the internal IP to filter.
You should be able to deduce from the output which packets are generated by Teamviewer. On the packet details pane you will see an entry similar to:

User Datagram Protocol, Src Port: mapper-ws-ethd (3986), Dst Port:56869 (56869)
Blocking the non-ephemeral port at the firewall should stop the teamviewer traffic. However, if teamviewer changes the UDP port, you will need to run the same test and continue this process until no connections are established.

Notes:

You can use this same procedure to try stopping connections from other UDP based applications.

Blocking web traffic over QUIC (Quick UDP Internet Connections) protocol

Andrew Davies — Tue, 19 Jan 2016 17:29:25 GMT

This article applies to:

Web Filter - all versions
WFR - all versions

Question:

Can the Web Filter block connections over the QUIC (Quick UDP Internet Connections) protocol developed by Google?

Information:

Web Filter is not able to block connections over the QUIC protocol. QUIC uses UDP over ports 80 and 443. The Web Filter does not block UDP traffic.

Recommended Actions:

The recommended fix is to block outbound UDP on ports 80 and 443 at the firewall/UTM level.
It is possible to disable QUIC in Chrome. Navigate to chrome://flags and disable the setting for "Experimental QUIC protocol".
As of Chrome version 43, the ability to disable QUIC has been added to Windows Group Policy (GPO) templates (Software\Policies\Chromium\QuicAllowed). You can see a full set of supported policies at: http://www.chromium.org/administrators/policy-list-3

Correcting a Certificate Revoked issue for the web interface

Andrew Davies — Tue, 19 Jan 2016 14:27:14 GMT

This article applies to:

Web Filter - All Versions
WFR - All Versions

Question:

How can I access the web interface if the TLS/SSL Certificate for the site is revoked?

Procedure:

Part 1:

Open the Java Control Panel and select the Advanced tab.
Locate the options for Certificate Revocation checks. Temporarily change the settings. Note that different versions of Java have different wording. The wording below is correct at version 8, update 66.
- Set Perform signed code certificate revocation checks on to "Do not check (not recommended)"
- Set Perform TLS certificate revocation checks on to "Do not check (not recommended)"

Remember to go back to the recommended setting "All certificates in the chain of trust" after you have generated your new certificate.

At this stage, you should have access to the product web interface.

Part 2:

From the User Interface:

Navigate to System > Authentication > Enable/Disable. Make sure this option is enabled.
- If the option was not enabled, enabling it will take 2-3 minutes as some of the Tomcat services will be restarted.
Once the setting is enabled, select Authentication > Authentication SSL certificate > Download/View Certificate
- Confirm that the certificate is invalid. Invalidity is most often caused by hostname mismatches, or an expired SSL certificate. If either applies to you, then you will want to delete the certificate via this tab.
Create a new self-signed certificate: Authentication > Authentication SSL certificate > Self Signed Certificate > Create Self Signed Certificate.

During the above changes, services are being restarted to load the configuration. If you see an error message, a service may still be in the process of being restarted. Wait a short time and try again.

Part 3:

After the certificate has been created:

Test by setting authentication back to disable ( Authentication > Authentication Enable/Disable > Set to disable (only applies if system is used for authentication).
Remember to change the two Java certificate revocation check settings to the recommended setting "All certificates in the chain of trust"

Notes:

Additional information can be found in article Q12600.

Secure Connection Failed when connecting to SR or WF web UI using Firefox 39

Andrew Davies — Mon, 20 Jul 2015 18:05:27 GMT

This article applies to:

WFR 5.1.30 and older
WF 5.1.30 and older
SR 5.1.30 and older

Symptoms:

Mozilla Firefox 39 and later versions will not connect to the web GUI of WF or SR
After upgrading to the newest version of Firefox, you are unable to connect to the GUI
Error message: SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message.

Cause:

This issue is caused by a combination of SSL cipher configuration on the device and enhanced security requirements in new versions of Firefox.

This problem will be resolved in a future patch to the WF and SR appliance software.

Workaround:

To temporarily fix the issue in Firefox, you can manually disable the ciphers using the following steps:

Open Firefox. In the address bar enter about:config
Click the button I'll be careful, I promise!
In the search box, enter ssl3
Double click on these two ciphers listings to disable use (they are normally the top two listed)
- security.ssl3.dhe_rsa_aes_128_sha
- security.ssl3.dhe_rsa_aes_256_sha
The disabled items should display in boldface with a value of false, as shown below:

Note:

It is also possible to disable the ciphers on the appliance, which resolves the issue for all users. Contact Support for assistance. To disable the ciphers, Support will require remote (ssh) access to the device experiencing the issue.

Database Category listing

Andrew Davies — Thu, 16 Jul 2015 18:45:29 GMT

This article applies to:

WF - All Versions
WFR - All Versions

Question:

What is the current category listing?
What are the short names and full names of categories?

Procedure:

The easy way to determine the short name for a category is to left click on the category and select library details. This will display the long name and short name relationship.

The listing in this article shows the default categories as of the date when the article was updated. To learn more about the purpose of each category, see the Content Categories Spec Sheet.

Adult Content:

Child Pornography - KDPORN
Explicit Art - EXART
Obscene/Tasteless - OBSC
Pornography/Adult Content - GPORN
R Rated - RRATED

Bandwidth:

Image Servers & Image Search Engines - IMAGES
Internet Radio - IRADIO
March Madness Streaming - MMDSTRM
Olympic Streaming - OLMSTRM
Peer-to-peer/File Sharing - PR2PR
Video Sharing - VIDSHAR
VoIP - VOIP
Web Based Storage - WSTORE

Streaming Media:

Flash Video - FLV
Generic Streaming Media - GSTREAM
QuickTime Video - QTV
Real Time Streaming Protocol - RTSP
Windows Media Video - WMV

Business/Investments:

Employment - EMPL
Financial Institution - FINAN
General Business - GENBUS
Online Trading/Brokerage - TRADING
Real Estate - ESTATE

Community/Organizations:

Community/Organizations - COMORG
Local Community - LCOMM

Education:

Education - EDUCAT
Educational Games - EDUGAM
Online Classes - ONLCLS
Reference - REFERE

Entertainment:

Art - ART
Comics - COMICS
Entertainment - GENTER
Gambling - GAMB
Humor - HUMOR
Kids - GKIDS
Movies & Television - MOVTEL
Music Appreciation - MUSAPP
Online Greeting Cards - GRTCRD
Restaurant/Dining - RESTAUR
Theater - THEATR

Games:

Games - GGAMES
Games Patterns - GAMPTRN

Government/Law/Politics:

Government - GOVT
Legal - LEGAL
Military Appreciation - MILAPP
Military Official - MILOFL
Political Opinion - POLTIC

Health/Fitness:

Fitness - FITNS
Health/Medical - HEALTH
Holistic - HOLSTC
Self Help - GSELF

Illegal/Questionable:

Criminal Skills - GCRIMI
Dubious/Unsavory - DUBIUS
Hate & Discrimination - HATE
Illegal Drugs - DRUGS
School Cheating - EDUCHT
Terrorist/Militant/Extremist - TERROR

Information Technology:

Dynamic DNS Services - DYNDNS
Freeware/Shareware - FREEWAR
Information Technology - INTECH
Internet Service Provider - ISP
Portals - PORTALS
Search Engines - SE
Web Based Newsgroups - WNEWS

Internet Communication:

Chat - CHAT
Message Boards - MESBRD
Online Communities - ONLCOM
Translation Services - TRANSRV
Web Based Email - WEMAIL
Web Logs/Personal Pages - WEBLOG
Web-Based Productivity Apps - WEBPROD

Instant Messaging (IM):

Generic IM - IMGEN
Google Chat - IMGCHAT
Google Talk - IMGTALK
ICQ & AIM - ICQAIM
IRC - IMIRC
Meebo - IMMEEBO
My Space IM - IMMYSP
PoPo - IMPOPO
QQ - IMQQ
ToToMoMo - IMTOMO
WangWang - IMWWNG
Windows Live Messenger - IMMSN
Yahoo IM - IMYAHOO

Internet Productivity:

Adware - ADWARE
Banner/Web Ads - BANNER
Fantasy Sports - FANSPRT
Free Hosts - FREEHST
Web Hosts - WEB_HST

Remote Access:

Generic Remote Access - REM_ACC
GoToMyPC - GO2MYPC
Remote Desktop - RMTDESK
Secure Shell - SSH
Virtual Network Computing - VNC
pcAnywhere - PCANYWH

Internet/Intranet Misc:

Domain Landing - DOMAINL
Edge Content Servers/Infrastructure - EDGECON
Invalid Web Pages - INVD_PG
Reviewed/Miscellaneous - RE_MISC

News/Reports:

March Madness News - MMDNEWS
News - GNEWS
Olympic News - OLMNEWS
Sports - SPORTS
Weather/Traffic - TRAFIC

Religion/Beliefs:

Paranormal - PARNML
Religion - RELIG

Security:

Bad Reputation Domains - BADREP
BotNet - BOTNET
Hacking - HACK
Malicious Code/Virus - MALCOD
Phishing - PHISHIN
Spyware - SPYWARE
Web-based Proxies/Anonymizers - PROXY

Shopping:

Online Auction - AUCTION
Shopping - SHOP

Society/Lifestyles:

Alcohol - ALCO
Animals/Pets - ANIMALS
Books & Literature/Writings - BNL
Dating/Personals - DATE
Fashion - FASHN
Lifestyle & Culture - LIFE
Recreation - RECREA
Self Defense - SELFDE
Social Opinion - SOCOPN
Tobacco - TOBACCO
Weapons - WEAPN

Travel/Events:

Tickets - TICKET
Travel - TRAVEL
Vehicles - AUTO

Notes:

This listing is subject to change at any time (although the core categories are very unlikely to change). If you notice that a short name does not match, ensure your installation has the latest library updates.

Allowing or Blocking YouTube Access

Andrew Davies — Mon, 06 Jul 2015 18:01:23 GMT

This article applies to:

Web Filter (R3000), including WFR

Question:

How can I allow or block YouTube access for specific users?

Comments:

IP addresses should not be added to custom URL categories with YouTube sites. This is because YouTube shares the same certificate across multiple services. IP addresses listed in a custom URL category for Google or YouTube sites must be removed or inconsistent filtering results will occur.

Procedure:

Follow these steps to address issues with YouTube access:

Add a Custom Category for access

From the main Web Filter window select Library > Category Groups > Custom Categories.
Select the group that you have created for YouTube.
Choose URLs.
In the Edit Wildcard URL List pane, type *.googlevideo.com and then click Add.
Ensure *googlevideo.com is highlighted, click Apply, and then click Reload Library.

You may also want to checking whether the following domains are also listed in the custom category:

*.googlevideo.com
*.ytimg.com
*.youtube-nocookie.com
*.youtube.com

Note: Reloading the library could take up to 10 minutes.

Allow Profile access

If you are still unable to view YouTube videos, check the following:

In the main Web Filter window, navigate to Policy > IP or Policy > LDAP (depending on the type of policy in use).
Select a group that you want to allow to play YouTube Videos.
Navigate to Group Profile > Custom Categories (or Profile > Custom Categories when LDAP is in use).
Select the group that you have created for YouTube, set it to ALLOW, and then click Apply.

Repeat the above steps for each group that is allowed to play YouTube videos.

Check Custom Categories

If users are still unable to view YouTube after the above steps are completed, it is highly likely that IP addresses are listed in a custom category.

Perform a library lookup on googlevideo.com, ytimg.com, youtube-nocookie.com, youtube.com and google.com.
Remove any IP addresses that have been added to a custom category and then retest.

If you are still having issues or see an excessive number of individual IPs listed, contact Trustwave for additional assistance. See contact details at the end of this article.

User not filtered properly

Brian Abildgaard — Thu, 02 Jul 2015 11:42:56 GMT

This article applies to:

Web Filter

Question:

Requests from a user are not being filtered as expected. What are the steps to troubleshoot this situation?

Procedure:

Run an active profile lookup on the IP that is not being filtered properly and note what Group they are currently being filtered under.

Groups:

Is the user in the expected group?

If the user EXISTS in the expected group:
- On the ruleset in the active profile lookup, confirm that the site in question is set to the appropriate level:
  - Block: Site will be blocked unless an allow exists which will take precedence.
  - Allow: Should always take precedence.
  - Pass: Does nothing other than allows the traffic to pass. If the site is in multiple categories and one is set to block, the site would then be blocked.
If the user IS NOT in the expected group:

LDAP:

Is the user being filtered via LDAP?
- If so, confirm that the system in question has the authenticat program running.
- You can check by looking in the windows Task Manager and searching for an instance of Authenticat.
- You can also check (if installed via a service) if the program is running as a service.
  - Run services.msc (windows key + R) and search for the M86 Authenticator service
- Are multiple instances of the M86 authenticator running? Multiple instances can cause inconsistent filtering results, because all instances will attempt to bind to the same port, but only one instance can bind at a time.
  - Multiple instances can be caused by GPO or batch files.
Is the Domain marked as inactive?
- If the domain was recently rebooted, you may need to re-activate the domain.
- If you experience errors when attempting to activate the domain, contact Trustwave TAC.

Enforcing Google Safe Search Over SSL When Using Invisible Mode

Andrew Davies — Thu, 07 May 2015 18:23:31 GMT

This article applies to:

R3000
Web Filter (WF, WFR)

Question:

Can Web Filter enforce safe-search for SSL-based Google search and Youtube in invisible mode?

Information:

No, the filter cannot enforce safe-search for Google search or YouTube in invisible mode. You can read more about why in article Q13898.

Workaround

There is a DNS workaround that can be put into place. You can read the official answer from Google here under option 3.

To enforce safe search, update the DNS configuration for your network. Set the DNS entries for www.google.com and any other Google ccTLD subdomains to a CNAME entry for forcesafesearch.google.com This will enforce encrypted safe-search on your entire network for any Google searches.

A similar process can be followed to enforce Safety Mode for videos on YouTube. To enforce Safety Mode on Youtube set the DNS entries for www.youtube.com and any other Google ccTLD subdomains to a CNAME entry for forcesafesearch.google.com. This will enforce Safety Mode for YouTube videos.

Add multiple users to the Certificate management using a text file

William Martino — Thu, 08 Jan 2015 11:37:52 GMT

This article applies to:

WFR 5.0.20 (Synced as a Source to a Web Filter in Mobile Mode)

WF 5.0.20 (Configured in Mobile Mode)

Question:

How can I add multiple users to the Certificate management under IP group profiles?

Information:

You can use the format listed below to add multiple users to the Certificate management using a text file:

Name,Email,Profile,Privatekey password

Example :

John Doe,johndoe@xyz.com,MobileUser,johndoe_xyz

Use the Import Users options on the bottom of this window to import your text file.

Notes:

*The private key password needs to be at least 8 characters long while containing numbers and special characters.

*MobileUser is the name given to the IP profile to distinguish Mobile users for this article. Certificates can be added to any IP Profile .

Inline Filtering and Google Services

Charles — Thu, 11 Sep 2014 15:50:09 GMT

This article applies to:

Web Filter and WFR versions 5.1.00 and above
Inline filtering configured (available in Bridge, Router, or Firewall mode)

Symptoms:

Some Google services do not work when inline filtering is configured.
Affected services can include Chromebook login, Gmail, and Google Drive.

Information:

Google secure (HTTPS) sites are configured in a way that does not work with inline HTTPS inspection as performed by the Web Filter.

Resolution:

To resolve this issue it is necessary to deploy a PAC file (Proxy Auto-Configuration) that directs traffic appropriately.

Deployment of this solution requires system access to the Web Filter software.

To arrange for this deployment please contact Trustwave Support.

How to block, or un-block, a site

Charles — Sun, 07 Sep 2014 15:24:58 GMT

This article applies to:

Web Filter
WFR
R3000

Question:

How to block, or un-block, a site

Reply

If you want us to review a URL to determine if we categorized it correctly, please send it to wfrsupport@trustwave.com.

We also encourage you to submit URLs that are not currently categorized in our library database.

To block a web site on the R3000 Internet filter:

Perform a Library Lookup:
1. From the filter GUI, click on the “Library” button at the top of the screen.
2. Click on “Library Lookup” in the left-side menu
3. Type the complete URL (including the http:// header) into the URL field
4. Click Lookup. If the URL in question in already in a category, you can either block that specific category or place the URL into a custom created category.
To add a URL to an existing category:
1. Click on the “Library” button at the top of the screen.
2. Click on the “+” symbol next to the “8e6 Supplied Categories” link on the left side of the screen. This will expand the list of our categories.
3. Click on the specific category.
4. Click on “URL”
5. Type the URL into the URL field. Be sure to include the proper header information (http://).
6. Click on “Add”
To add a URL to a custom category:
1. Click on the “Library” button at the top of the screen.
2. Click on “Custom Category”
3. Click on “Add Category”
4. Type in the description and short name of your category and click “Apply”.
5. Click on “Custom Category”
6. Click on “Refresh”
7. Click on your newly added category
8. Click on “URLs”
9. Type the URL into the URL field. Be sure to include the proper header information (http://)
10. Click on “Add”
Reload the Library:
1. Click on the “Library” button at the top of the screen.
2. Click on “Library Update” on the left side of the screen.
3. Click on “Reload Library” at the bottom right side of the screen
Modify your Group settings to block the new category
1. Click on the “Group” button at the top of the screen
2. Click on either Global Group or the specific group that you wish to modify
3. For global group – click on Rules and choose which categories should be blocked. Include the new category that you just created or just added the site to and this site will now be blocked. Some web sites are particularly difficult to block because they utilize many—and sometimes obscure—URLs For example: www.myspace.com browseusers.myspace.com a.myspace.com j.myspace.com
  
  You can effectively block all permutations of "myspace.com" using wildcards. First, create a custom category. Then add the wildcard version of the URL (e.g. "*.myspace.com") to your custom category. Go to your Global Group Profile and/or IP Group Profile and move your custom category to the "Blocked" list. Be sure to "Apply" your changes and "Reload Library."

To un-block a web site on the Internet filter:

Perform a Library Lookup:
1. From the GUI, click on the “Library” button at the top of the screen.
2. Click on “Library Lookup” in the left-side menu
3. Type the complete URL (including the http:// header) into the URL field
4. You will see of categories in which the URL is a member of
Removing the URL from the library:
1. Simply click on the URL line item in the search return window and click on the Remove button
2. Click on Reload Library Please do not hesitate to contact our technical support staff for further assistance on this matter.

This article was previously published as:: 8e6 KB 276537

URL is not categorized correctly

Charles — Sun, 07 Sep 2014 15:24:03 GMT

This article applies to:

Enterprise Filter

Question:

URL is not categorized correctly

Information:

Trustwave strives to keep accurate site categorizations. Since everyone has differing Internet access standards, occasionally you may find a site you feel should be categorized differently than it is. To submit a Web site that you would like us to review, you can use the Submit a site form.

You are also welcome to send your library queries directly to our library department by writing to wfrsupport@Trustwave.com.

If you have emailed us with a link to a site you feel should be blocked, our Site Review Team will process the request, usually within one business day. If the site is found to meet the definition for addition to one of our categories as described in the category listing, then the site will be categorized and included in the daily updates within three business days-and very often the next day.

Notes:

If you are not the filter administrator and you are being blocked from a site you feel you should have access to, please contact your system administrator or ISP, which ever is appropriate. They have the ability to permit you access to any blocked site. We do not administer the filter. If you are the filter administrator and like to re-categorize it locally, please contact Trustwave Technical Support team for further assistance.

Youtube video setup

Angel Berrios — Thu, 05 Dec 2013 12:07:25 GMT

This article applies to:

Web Filter 5.1.05.x

Question:

How do I get Youtube videos to work with a video playback error?

Procedure:

The following URLs need to be allowed either in a Custom Category or Exception URL for the user:

*.youtube.com

*.ytimg.com

*.youtube-nocookie.com

As of November 25th, 2013:

*.googlevideo.com

Instructions:

1) Log in to the Web Filter

2) go to Library > Custom Category

3) Click on the custom category you have for Youtube or Allow and then > URL

4) Add the URL's listed above to the list as wildcards, hit apply action after every add then reload library when they are all done. (Library Reload will take 5+ minutes)

5) Go to Policy > User group > Profile > Custom Category and make sure that the appropriate category is set to Allow.

6) Repeat these steps for every user group you wish to have Youtube access.

If you have further questions, do not hesitate to contact WFR Support.

Where can I find Hardware/Power Specifications for the WF and WFR Series?

Charles Creegan — Wed, 17 Jul 2013 19:56:39 GMT

This article applies to:

Web Filter (WF) appliances
Web Filtering and Reporting Suite (WFR) appliances

Question:

Where can I find Hardware/Power Specifications for the WF Series?
Where can I find Hardware/Power Specifications for the WFR Series?

Information:

For the Web Filter, please see the WF Hardware Specifications matrix.

For the WFR, please see the WFR Hardware Specifications matrix.

Note:

These documents refer to the hardware currently shipping as of the revision date on each document.