Guidelines to configuring the network and system to enforce Symantec Web Security usage
|Article:TECH79832|||||Created: 2002-01-02|||||Updated: 2010-08-24|||||Article URL http://www.symantec.com/docs/TECH79832|
This page describes general guidelines to configure the network and system to enforce Symantec Web Security usage.
To ensure clients on your network use Symantec Web Security go the following sections starting with the first. Skip any section that does not apply.
- General guidelines
- Browser configuration
- To lock the Preferences Settings in Microsoft® Internet Explorer 3.x/4.x/5.x/6.x for Windows 9x
- To lock the Preference Settings in Netscape 3.x/4.x for Windows®
Do not enforce all blocks using the IP address of the Symantec Web Security server. Consider blocking traffic at your firewall or router. Some suggestions:
- Block all outbound traffic destined for port 80 and port 443 from your network. This blocks most web and SSL encrypted web traffic.
- Block all outbound traffic bound for port 21 on the external Internet. This blocks most FTP traffic.
Note: SWS cannot scan nonbrowser-based FTP.
- Block all outbound traffic bound for port 1080, the default Socks port for most external proxy servers.
- Block all outbound traffic bound for ports 22 and 23, potential SSH encrypted servers. SSH or secure shell can be used to encapsulate proxy traffic in a secure "tunnel" through your network.
Externally configure browsers to prevent users from modifying settings by locking the browsers. Use the appropriate section:
To lock the Preferences Settings in Microsoft Internet Explorer 3.x/4.x/5.x/6.x for Windows 9x
- Exit all open programs.
- Click Start > Shutdown.
- Select Restart in MS-DOS mode, and then click OK. The computer restarts in MS-DOS mode.
- Type the following command, then press Enter:
- Type the following command to rename the file and then press Enter:
ren inetcpl.cpl inetcpl.old
- Type Exit, and then press Enter. Windows restarts.
- To unlock the Preference Settings in Microsoft Internet Explorer 3.x/4.x/5.x for Windows, repeat the previous steps, except rename the file from inetcpl.old back to inetcpl.cpl.
- Roll out the browser settings for Windows NT/2000 through policies.
- Internet Explorer v5.0 and newer does not support connections through a web proxy in FTP Folder view. For additional information, read the Microsoft Knowledge Base Article - 217888 How to Install and Use FTP Folders
An alternative to updating each client is to use the Microsoft Internet Explorer Administration Kit to create a custom installer with settings in place.
A policy set in Active directory can also be applied as a group policy to all or a part of your user base, ensuring that proxy settings are set and locked down. Consult Microsoft for details.
Update to the latest version of the Netscape browser. You can download the browser using the URL:
Netscape's Free Software Upgrade
Configure the client's browser proxy settings to the I-Gear proxy server. For assistance, please read How to configure Web browser settings for all clients that access Symantec Web Security for help on configuring Symantec Web Security clients.
To lock the Preference Settings in Netscape 3.x/4.x for Windows
- Make sure the Netscape browser is closed.
- Open Windows Explorer and navigate to:
If you are running Windows 3.x, the location of the Netscape\Program folder may be different.
For newer versions of Netscape, consult the installation documentation on configuration of Preference settings.
- Rename the file PrefUI32.dll to PrefUI32.old.
This makes the Preference setting under the Edit menu unavailable.
- For Windows 3.x rename PrefUI16.dll to PrefUI16.old
- To unlock the Preference settings, rename the PrefUIxx.old to the original name.
Article URL http://www.symantec.com/docs/TECH79832