Don't connect the left-hand SNIFF ethernet interface unless you want blocking to begin immediately. The default policy blocks Child and Adult PORN and Web Proxies (based on pattern match). The easiest way to get the box up and running without worrying about unwanted blocking is to leave the SNIFF port disconnected and only connect/configure the RIGHT-hand management interface.
Set up a switch monitor port (aka SPAN port in Cisco jargon). A great reference on monitor port setup for various switch vendors is the WireShark Switch Reference (http://wiki.wireshark.org/SwitchReference). Important: the R3000 only requires TX to be monitored.
Ensure the R3000 management IP address has firewall access for direct outbound HTTPS/SSL communication.
Leave the 1.2.3.4/32 IP address on the 8e6 SNIFF port. The left-hand interface on the 8e6 R3000 is set up by default for sniff/monitor/sense. It does not need a routable IP and we recommend leaving the default 1.2.3.x/32 in place.
Use an FQDN for the R3000 hostname. This is a Linux-based appliance. For various reasons, be sure to only assign an FQDN for the hostname (i.e. host.domain.com). If you read this after the fact and have already activated your appliance, you'll need to contact 8e6 support to request a change of the hostname value in their activation database. Only change the R3000 hostname AFTER you receive a response from support that the new FQDN hostname has been added/changed. The R3000 hostname change requires a system reboot (one of only a few things that do).
Use explicit IP addresses for the NTP server(s). The 8e6 interface will accept a hostname value for an NTP server but won't use it.
Set up email alerts. R3000 GUI:/System tab/Alerts (requires the "SMTP Server" preference as well). Be sure to use the test feature to validate operation.
Set up Range_to_Detect. R3000 "Pattern Blocking" requires this to be set up correctly (i.e. ensure the R3000 only sees "outbound" traffic). Use any subnet that includes your local networks (i.e. use 10.0.0.0/8 even if you're running 10.11.0.0/16, for simplicity). The key: your relevant subnets should be listed in BOTH (a) source detect, and (b) destination exclude.
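To show why the local subnets belong in both lists, here is a small model of the Range_to_Detect logic. It is an added illustration, not 8e6's code: it assumes the appliance treats a flow as "outbound" only when the source is inside a source-detect range and the destination is outside every destination-exclude range. The rule names, sample subnets and sample flows are constructed for the example; the appliance's real matching order is not documented on this page.

```python
"""Added example (not 8e6's code): a model of the R3000 Range_to_Detect rule.

Assumption for illustration: a flow is "outbound" (and so eligible for
Pattern Blocking) when the source falls inside a "source detect" range
and the destination does NOT fall inside a "destination exclude" range.
"""
from ipaddress import ip_address, ip_network

# Constructed sample ranges: a site running 10.11.0.0/16 that lists the
# broader 10.0.0.0/8 in both lists, as the checklist suggests.
SOURCE_DETECT = [ip_network("10.0.0.0/8")]
DEST_EXCLUDE = [ip_network("10.0.0.0/8")]


def in_ranges(addr, ranges):
    """True if addr falls inside any of the given networks."""
    ip = ip_address(addr)
    return any(ip in net for net in ranges)


def is_outbound(src, dst, source_detect=SOURCE_DETECT, dest_exclude=DEST_EXCLUDE):
    """Assumed rule: local source AND non-local destination."""
    return in_ranges(src, source_detect) and not in_ranges(dst, dest_exclude)


def classify(flows, source_detect=SOURCE_DETECT, dest_exclude=DEST_EXCLUDE):
    """Return [(src, dst, 'outbound' | 'ignored'), ...] for the sample flows."""
    return [
        (s, d, "outbound" if is_outbound(s, d, source_detect, dest_exclude) else "ignored")
        for s, d in flows
    ]


# Constructed sample flows (198.51.100.0/24 is a documentation range).
SAMPLE_FLOWS = [
    ("10.11.4.20", "198.51.100.23"),   # workstation -> public web server
    ("10.11.4.20", "10.11.1.5"),       # workstation -> internal file server
    ("198.51.100.23", "10.11.4.20"),   # return traffic from the Internet
]

if __name__ == "__main__":
    for src, dst, verdict in classify(SAMPLE_FLOWS):
        print(f"{src:>15} -> {dst:<15} {verdict}")
    # Failure mode the checklist warns about: destination exclude left empty,
    # so internal-to-internal traffic is wrongly treated as outbound.
    for src, dst, verdict in classify(SAMPLE_FLOWS, dest_exclude=[]):
        print(f"(no dest exclude) {src:>15} -> {dst:<15} {verdict}")
```

With both lists populated, only the workstation-to-Internet flow is classified as outbound; drop the destination-exclude list and the LAN-to-LAN flow is inspected too, which is the misconfiguration the step is guarding against.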
Update block page options. R3000 GUI:/System tab/Control/Block Page Authentication. We suggest only "Override Account" be selected for the initial deployment.
Update customization options. R3000 GUI:/System tab/Customization/Common Customizations. Decide YES/NO on the email link on the block page. Select NO for copyright.
Enable Pattern Blocking. R3000 GUI:/System tab/Control/Filter. This is required to log/monitor IM and P2P communication. In addition, Pattern Blocking will block various web proxy communication.
Validate MODE operation. R3000 GUI:/System tab/Mode/Operation Mode. Validate that the box is in "Invisible" mode and that LAN1 is sense and LAN2 is "Block Page Device". This means LAN2 will issue the block page redirect (in addition to being the interface for management and authentication).
Validate Block Page Delivery. R3000 GUI:/System tab/Mode/Operation Mode. If the LAN2 IP must pass through a firewall to communicate with end-user workstations, enable "send block page via ARP lookup". If no firewall is present, use "Send block page to specified host MAC" -- typically that of the appliance's default gateway.
Connect the SENSE interface. When ready for the 8e6 R3000 to filter web traffic, connect the SENSE interface. Keep in mind that disconnecting it again is the fastest (and most efficient) way to "disable" the R3000 filter.
Test block operation. Within the browser of your choice, open Test 8e6 R3000 Filter (i.e. the 'test.8e6.com' URL is pre-populated in the Adult Pornography category -- blocked by default).
Ways to disable R3000 filtering. There are three ways to temporarily disable R3000 filtering: (a) disconnect the R3000 SENSE interface, (b) disable the physical switch port connected to the R3000 sense interface, and (c) disable "local filtering" in the 8e6 R3000 GUI:/System tab/Control/Filter.
8e6 knowledge base. A good resource: 8e6 Support KB
Install the 8e6 Watch Dog client. Install this on a permanent workstation inside the organization. This automated service does two primary things: (a) simulates end-user browser attempts to validate R3000 filter operation, and (b) communicates directly with 8e6 appliances to test operation. All events are logged and email alerts can be configured for notification of issues. Check 8e6 Software Updates.
HTTPS secure ports are listed at: 8e6 HTTPS Secure Ports
Ensure R3000 proxy protections by reviewing 8e6 Proxy Protection
8e6 Mobile documentation is found in Appendix E of the R3000 Admin Guide
Follow the steps for the R3000 network filter above, with the caveats detailed below.
Only use ONE interface. The sense interface (i.e. LAN1) is not used for the R3000 MOBILE setup (i.e. no bypass operation). Assign a routable IP address to LAN2.
The R3000 Mobile appliance must be publicly available. Thus, LAN2 must have either (a) a private IP with static NAT to a public IP (hosted by the firewall), or (b) a public IP.
The R3000 Mobile appliance is placed on a firewall DMZ with controlled access from both public and internal communication.
The firewall must allow inbound https/443 and http/81 to the public IP of the R3000 Mobile. The same R3000 outbound rules listed in the previous section are still required.
The firewall must allow the R3000 Mobile to send logs to the Enterprise Reporter. As of today, this is FTP (future: likely HTTPS).
The Mobile client end-user software is generated from the 8e6 Mobile Deployment Kit (available from the CD in the box -- the latest is available from 8e6 Support). It is always a good idea to check for the latest.
Generation of the end-user Mobile installer requires providing the IP address of the 8e6 Mobile appliance.
Microsoft VISTA requires 8e6 Mobile software release v2.0.10 or higher.
The Mobile client pulls the latest profile from the R3000 Mobile appliance at either (a) client reboot, or (b) the R3000 client resynchronization interval.
8e6 profile features not available with the MOBILE client: Minimum Filtering Level, Time Profile, Override Account, Exception URL, NT/LDAP Authentication, and the Warn filter setting.
The 8e6 MOBILE default block page on port #81 may be a concern (i.e. many hotels, wireless access points, etc. may only allow "standard" http/https ports). If so, you'll need to set up a CUSTOM block page for MOBILE users. This custom block page should be hosted on a public web server -- running on standard port #80. There are a couple of different ways to make this happen, with caveats depending on whether the R3000 synchronization feature is used or not. The typical best solution: Appendix C of the R3000 Admin Guide.