symantec web gateway 5.1: getting started guide · pdf filesymantec web gateway 5.1 getting...

Symantec™ Web Gateway 5.1

Getting Started Guide

Symantec Web Gateway 5.1 Getting Started GuideThe software described in this book is furnished under a license agreement and may be usedonly in accordance with the terms of the agreement.

Documentation version: 5.1

PN: 21268574

Legal NoticeCopyright © 2012 Symantec Corporation. All rights reserved.

Symantec and the Symantec Logo are trademarks or registered trademarks of SymantecCorporation or its affiliates in the U.S. and other countries. Other names may be trademarksof their respective owners.

The product described in this document is distributed under licenses restricting its use,copying, distribution, and decompilation/reverse engineering. No part of this documentmay be reproduced in any form by any means without prior written authorization ofSymantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS,REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OFMERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT,ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TOBE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTALOR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING,PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINEDIN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer softwareas defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19"Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights inCommercial Computer Software or Commercial Computer Software Documentation", asapplicable, and any successor regulations. Any use, modification, reproduction release,performance, display or disclosure of the Licensed Software and Documentation by the U.S.Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation350 Ellis StreetMountain View, CA 94043

http://www.symantec.com

Printed in the United States of America.

10 9 8 7 6 5 4 3 2 1


Chapter 1 Introducing Symantec Web Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

About Symantec Web Gateway .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5What's new .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6What you can do with Symantec Web Gateway .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7Where to get more information .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Chapter 2 Planning for installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Preinstallation checklist ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11System requirements ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15About Symantec Web Gateway network configurations .... . . . . . . . . . . . . . . . . . . . 16About the Symantec Web Gateway operating modes .... . . . . . . . . . . . . . . . . . . . . . . . 18Port connections for typical network configurations .... . . . . . . . . . . . . . . . . . . . . . . . 18Diagrams of typical network configurations .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21Ports and settings that Symantec Web Gateway uses ... . . . . . . . . . . . . . . . . . . . . . . . 28Connections, ports, and indicators on the Symantec Web Gateway

appliance .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Chapter 3 Installing Symantec Web Gateway appliances . . . . . . . . . . . . . 37

Installing Symantec Web Gateway .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38Installing the Symantec Web Gateway appliance into a rack .... . . . . . . . . . . . . 39Configuring a computer to access Symantec Web Gateway for

installation .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39Running the setup wizard .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40Post-installation tasks ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44Accessing the Web GUI .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46Connecting Symantec Web Gateway to your network .... . . . . . . . . . . . . . . . . . . . . . . 47About ensuring Internet connectivity if Symantec Web Gateway is

disabled .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48Testing the bypass mode .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50Specifying internal networks ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51Enabling URL filtering, Internet program monitoring, and other

features ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52Creating static routes for the inline network configuration .... . . . . . . . . . . . . . . 54Specifying a mail server for alerts and reports ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

Contents

Specifying internal email and external proxy servers for reportaccuracy .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

Testing Symantec Web Gateway for successful blocking ormonitoring .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

Testing Symantec Web Gateway Threat Center connectivity ... . . . . . . . . . . . . . 56

Chapter 4 Installing Symantec Web Gateway virtualedition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

About Symantec Web Gateway Virtual Edition .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59Installing Symantec Web Gateway Virtual Edition .... . . . . . . . . . . . . . . . . . . . . . . . . . . 60System requirements for Symantec Web Gateway Virtual

Edition .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64About configuring the VMware virtual switch .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65About adding the VMware LAN Network virtual switches ... . . . . . . . . . . . . . . . . . 66

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

Contents4

Introducing Symantec WebGateway

This chapter includes the following topics:

■ About Symantec Web Gateway

■ What's new

■ What you can do with Symantec Web Gateway

■ Where to get more information

About Symantec Web GatewaySymantec Web Gateway is an innovative Web security gateway appliance thatprotects organizations against Web threats, which include malicious URLs,spyware, botnets, viruses, and other types of malware. Symantec Web Gatewayprovides controls for Web content and Internet applications. Backed by theSymantec Global Intelligence Network, Symantec Web Gateway is built on ascalable platform that quickly and simultaneously scans for malware andinappropriate Web content. Symantec Web Gateway helps organizations tomaintain critical uptime and employee productivity by blocking attacks.

Symantec Web Gateway contains the following key features:

■ Fast protection at the Web gateway across multiple protocols for inbound andoutbound web traffic

■ Protection against malware threats on all Web file transfer channels

■ Ability to inspect for, detect, and block active and dormant botnets

■ URL filtering with flexible policy controls and in-depth reporting (the URLfiltering license is required)

1Chapter

■ Advanced application control capabilities with ability to monitor and controlusage by end-users spanning multiple applications

■ Detection of compromised endpoints by network fingerprinting and behavioralmodeling

■ Comprehensive Web reporting and alerting

■ Flexible policy controls, which allow policy creation on Web-based criteriaand control over of how policies are applied across an organization

■ SSL-encrypted network traffic monitoring for URL content filtering,blacklisted-domain matching, and malware

■ Adaptability to deploy as an appliance or as a virtual machine on VMwareESX/ESXi 4.1/4.0

■ Integration with Symantec Data Loss Prevention to discover, monitor, andprotect confidential data

Symantec Web Gateway provides the following key benefits:

■ Symantec AntiVirus Engine, the winner of over 40 consecutive VB100 Awardssince 1999Insight is a Symantec reputation-based technology that can flag probablemalware not previously known to Symantec.

■ Highly scalable technology to meet the needs of any size organization withoutadded latency, which ensures minimal affect on user browsing performance

■ The Symantec Global Intelligence Network, which continuously collects dataand provides the data to Symantec Web GatewayThe Symantec Global Intelligence Network encompasses some of the mostextensive sources of Internet threat data in the world. Symantec Web Gatewayuses this threat data to offer comprehensive and up-to-date protection againstthe latest threats.

What's newTable 1-1 describes the major new features or enhancements in Symantec WebGateway 5.1.

Introducing Symantec Web GatewayWhat's new

6

Table 1-1 What's new in Symantec Web Gateway

DescriptionNew feature or enhancement

Symantec Web Gateway uses Symantec’s RuleSpaceWeb Categorization Solution (Symantec RuleSpace) toclassify URL filtering categories. Symantec RuleSpacehas several new URL categories and classes and makesURL filtering more effective than the previous URLfiltering database.

Effective URL filtering

You can configure Symantec Web Gateway to detectembedded URLs.

Embedded URL detection

Symantec Web Gateway lets you capture traffic on yournetwork. The captured information helps youtroubleshoot any issues that are related to networktraffic.

Network traffic capture

Symantec Web Gateway transfers user name toSymantec Data Loss Prevention server, when a userposts a message or uploads a file over HTTPS. You canview the user name on the Custom Reports page.

User name authenticationthrough Symantec Data LossPrevention server

What you can do with Symantec Web GatewayTable 1-2 describes what you can do with Symantec Web Gateway.

Table 1-2 What you can do with Symantec Web Gateway

DescriptionTasks

Symantec Web Gateway detects and blocks malware fromWeb sites and Internet downloads. Symantec Web Gatewaymust be installed in the inline network configuration or asa proxy server to block downloads.

Protect computers fromspyware, botnets, and viruses

You can configure Symantec Web Gateway to preventpeer-to-peer sharing, streaming media, games, and otherInternet applications from accessing the Internet.

Block selected Internetapplications by category

Symantec Web Gateway can block individual Web sites orcategories of Web sites. To block Web sites by category, youmust have the URL filtering license.

Block select Web sites

7Introducing Symantec Web GatewayWhat you can do with Symantec Web Gateway

Table 1-2 What you can do with Symantec Web Gateway (continued)

DescriptionTasks

You can display reports on a wide range of statistics.Available reports include most accessed Web sites, mostactive users, infected clients, most common malware,network attacks, and infection sources. Click a statistic ina report to get more information about that user, computer,Web site, category, and so on.

Display reports

Symantec Web Gateway can issue alerts for attacks,infections, and system events. Symantec Web Gatewaytransmits alerts by email, syslog, or SNMP.

Configure alerts

Symantec Web Gateway can automatically block inboundand outbound Internet access for infected computers toprevent malware from spreading.

Quarantine infectedcomputers

Symantec Web Gateway can pass outbound Web trafficthrough Symantec Data Loss Prevention to protect yourcompany's data assets. You must have a separate SymantecData Loss Prevention appliance.

Integrate with SymantecData Loss Prevention

Symantec Web Gateway can monitor SSL-encrypted Internettraffic for malware or pass the encrypted traffic to SymantecData Loss Prevention. You must have a separate SymantecData Loss Prevention appliance to analyze SSL-encryptedtraffic for data loss.

Inspect SSL-encryptedInternet traffic

Where to get more informationTable 1-3 provides sources where you can get more information about SymantecWeb Gateway.

Table 1-3 More information about Symantec Web Gateway

Description and locationSource

The Symantec Web Gateway documentation set consists of thefollowing materials:

■ Symantec Web Gateway Implementation Guide

■ Symantec Web Gateway Getting Started Guide

■ Symantec Web Gateway Release Notes

Documentation

Introducing Symantec Web GatewayWhere to get more information

8

Table 1-3 More information about Symantec Web Gateway (continued)

Description and locationSource

Symantec Web Gateway includes a comprehensive Help system.Product Helpsystem

Visit the following Symantec Web sites for more information aboutSymantec Web Gateway:

■ Knowledge base articles

Articles to help you troubleshoot issues with Symantec WebGateway

www.symantec.com/business/support/index?page=landing&key=58161

■ SymConnect Forum

Users post the questions that other users and Symantec TechnicalSupport answer

www.symantec.com/connect/security/forums/web-gateway

■ Product alerts

Subscribe to late-breaking news about new releases and hot issues

http://www.symantec.com/business/support/index?page=content&key=58161&channel=ALERTS

■ English PDF documentation

All available .pdf document for Symantec Web Gateway in English

www.symantec.com/business/support/index?page=content&key=58161&channel=DOCUMENTATION

■ Technical Support

Contact information and downloads

www.symantec.com/enterprise/support

■ Licensing

Information about how to register, activate, and manage existinglicense

https://licensing.symantec.com/acctmgmt/index.jsp

■ Virus encyclopedia

Information about all known threats; information about hoaxesand access to white papers about threats

www.symantec.com/business/security_response/index.jsp

■ Documentation about data loss prevention

Information about how to configure and use Symantec Data LossPrevention

See theSymantecDataLossPreventionAdministrationGuide, whichavailable with the download of the Symantec Data Loss Preventionsoftware.

Symantec Website

9Introducing Symantec Web GatewayWhere to get more information

http://www.symantec.com/business/support/index?page=landing&key=58161

http://www.symantec.com/connect/security/forums/web-gateway



http://www.symantec.com/business/support/index?page=content&key=58161&channel=DOCUMENTATION

http://www.symantec.com/business/support/index?page=content&key=58161&channel=DOCUMENTATION

www.symantec.com/enterprise/support

https://www.symantec.com/licensing/els/help/en/help.html

http://www.symantec.com/business/security_response/index.jsp

Introducing Symantec Web GatewayWhere to get more information

10

Planning for installation


■ Preinstallation checklist

■ System requirements

■ About Symantec Web Gateway network configurations

■ About the Symantec Web Gateway operating modes

■ Port connections for typical network configurations

■ Diagrams of typical network configurations

■ Ports and settings that Symantec Web Gateway uses

■ Connections, ports, and indicators on the Symantec Web Gateway appliance

Preinstallation checklistTable 2-1 contains the decisions that you should make and the items that youshould have on hand before you install Symantec Web Gateway.

Table 2-1 Preinstallation checklist

DescriptionItem

Ensure that you have met all of the systemrequirements.

See “System requirements” on page 15.

Review the system requirements.

The use of the Symantec Web Gateway proxy dictateswhich operating modes you can use and requires youto use the management port.

Determine if you intend to use theSymantec Web Gateway proxy.

2Chapter

Table 2-1 Preinstallation checklist (continued)

DescriptionItem

The manner in which you connect to your networkaffects its capabilities.

See “About Symantec Web Gateway networkconfigurations” on page 16.

See “Port connections for typical networkconfigurations” on page 18.

See “Diagrams of typical network configurations”on page 21.

Determine how you want to installSymantec Web Gateway in yournetwork.

The operating modes let you either monitor Internettraffic or monitor traffic and block traffic.

See “About the Symantec Web Gateway operatingmodes” on page 18.

Determine which operating modeyou intend to use.

Ensure that the necessary ports are open in yourfirewall and other network devices to allow SymantecWeb Gateway to function properly.

See “Ports and settings that Symantec Web Gatewayuses” on page 28.

Configure your firewall to allowtraffic from Symantec WebGateway.

Connect a computer to the management port onSymantec Web Gateway to initially configure it. Anycomputer and operating system works for thispurpose. This computer must have a supported Webbrowser to access the Web GUI.

See “Connections, ports, and indicators on theSymantec Web Gateway appliance” on page 34.

See “System requirements” on page 15.

Have a computer with an Ethernetport for initial setup.

(Required for physical applianceonly.)

Decide on an administrator name and password foraccess to the Web GUI. The primary administratorcan create additional administrator accounts foraccess to the Web GUI.

Decide on an administrator username and password.

Specify an email address in the setup wizard.Symantec Web Gateway sends alerts and reports tothis email address. If you click the ForgotPassword?link on the Logon page, and Symantec Web Gatewaysends a new password to this address.

Decide on an email address.

Planning for installationPreinstallation checklist

12


DescriptionItem

A Symantec license file typically has the extension.slf. When you register your software license,Symantec emails you a license file. Put the license filein a location that is accessible from the computer onwhich you plan to run the setup wizard. Symantecprovides a two week grace period with Symantec WebGateway functionality if you run the setup wizardwithout a license.

The following types of licenses are available forSymantec Web Gateway:

■ Symantec Web Gateway license file

The Symantec Web Gateway license enablesSymantec Web Gateway to detect spyware, viruses,botnet infections, enforce application control, andenable Insight reputation-based security.

■ URL filtering license file

In addition to the features in the Symantec WebGateway license, the URL filtering license lets youmonitor or block access to Web pages based oncategorization.

Have your license file in anaccessible location.

13Planning for installationPreinstallation checklist


DescriptionItem

Determine if you intend to use a single IP address ortwo IP addresses.

With one IP address, you can use a static address oryou can rely on DHCP. Symantec recommends thatyou use a static IP address.

The two IP address configuration is recommended ifyou plan to connect Symantec Web Gateway in theinline network configuration. Symantec Web Gatewayrequires two IP addresses if you intend to installSymantec Web Gateway in a proxy configuration. TheIP addresses must be static and in different subnets.

In the two IP address configuration, Symantec WebGateway uses one IP address for communication withthe Web GUI through the management port. SymantecWeb Gateway uses the other IP address forcommunication with the user. For example, SymantecWeb Gateway uses this IP address to send the end userblocking pages and authentication requests. The twoIP addresses must be on different networks.

To specify a static IP address for Symantec WebGateway, obtain an IP address in your network thatis not in use by another computer.

You need the following network settings for a staticIP address:

■ IP address

■ Subnet mask

■ Default gateway

■ Primary DNS

■ Secondary DNS (optional)

■ DNS suffix (optional)

Know your IP address and relatednetwork settings for the SymantecWeb Gateway appliance.

Planning for installationPreinstallation checklist

14


DescriptionItem

An external proxy is not required for Symantec WebGateway to function. However, if Symantec WebGateway uses an external proxy or users access theInternet through an external proxy, you must specifythe following information:

■ Proxy IP address and port for Symantec WebGateway to use for Internet access

The external proxy must permit access to theInternet without the need for authentication.

■ HTTP proxy ports that users use to access theInternet

Know your external proxyinformation.

(Optional)

If you intend to use DNS, you must provide a DNSaddress. Optionally, you can provide a second DNSaddress and a DNS suffix.

Know your DNS IP address andsuffix.

(Optional)

You must specify your internal subnets in SymantecWeb Gateway after you run the setup wizard.

See “Post-installation tasks” on page 44.

Have a list of your internal subnets.

You need up to four normal and up to two crossoverEthernet cables. The number of cables that you needdepends on your network configuration and thenumber of LAN and WAN ports on the appliance.Crossover Ethernet cables are included with yourappliance. The Ethernet cables should have the typicalRJ-45 (8P8C) jacks.

See “Port connections for typical networkconfigurations” on page 18.

See “Diagrams of typical network configurations”on page 21.

Have up to five normal and twocrossover Ethernet cables.

After you complete the preinstallation checklist, you can proceed with theinstallation.

See “Installing Symantec Web Gateway” on page 38.

System requirementsTable 2-2 lists the supported system requirements.

15Planning for installationSystem requirements

Table 2-2 Symantec Web Gateway system requirements

DescriptionRequirement

You can run this release of Symantec Web Gateway on any of thefollowing appliance models:

■ Symantec Web Gateway model 8490


■ Symantec Web Gateway 84V (virtual edition)

Appliance

The following are the Web browser requirements:

■ Computer that you use to access the Symantec Web GatewayWeb GUI:

■ Microsoft Internet Explorer 9/8/7/6

■ Mozilla Firefox 14/13/12

■ Client computers:

■ Microsoft Internet Explorer 9/8/7/6

■ Mozilla Firefox 14/13/12

In most cases, Symantec Web Gateway does not require changesto any user software including the Web browser. However, if youconfigure Active Directory integration to use NTLM 401authentication (only used in inline or tap network configurations),you may have to change the Web browser configuration on usercomputers. This change prevents an authentication pop-up window.You may also have to change the Web browser configuration onuser computers if you use the Symantec Web Gateway proxy.

Web browser

See “System requirements for Symantec Web Gateway Virtual Edition” on page 64.

AboutSymantecWebGatewaynetworkconfigurationsSymantec Web Gateway offers a variety of ways that you can set up the productin your network. After you determine the network configuration that you wantto use, you can determine the operating mode that best suits your needs.

See “About the Symantec Web Gateway operating modes” on page 18.

Table 2-3 describes the ways to connect Symantec Web Gateway to your network.

Planning for installationAbout Symantec Web Gateway network configurations

16

Table 2-3 Symantec Web Gateway network configurations

DescriptionNetworkconfiguration

Blocks Web sites and phone-home attempts but cannot block filetransfers.

The port span/tap configuration may be easier to set up becauseit only requires one connection to your LAN. This configurationis useful as an initial test of Symantec Web Gateway.

See Figure 2-7 on page 28.

Port span/tap

Blocks file transfers, Web sites, and phone-home attempts.

Inline configuration requires more network connections thanport span/tap.


Inline

Only analyzes the proxy traffic that is explicitly proxied toSymantec Web Gateway proxy.

This means that Symantec Web Gateway can only analyze HTTP,HTTPS, FTP, and SOCKS Internet traffic. This configurationrequires changes in your network to ensure that users' browsersuse the Symantec Web Gateway proxy to access the Internet.


Proxy

A combination of both the inline network configuration and theproxy network configuration.

Symantec Web Gateway can explicitly analyze both the proxytraffic and native traffic that pass through the WAN/LAN ports.


Inline + proxy

Works the same as the inline configuration and the inline + proxyconfiguration but this configuration contains a second set of LANand WAN ports.

In an inline configuration, Symantec Web Gateway supports bothof the LAN ports and WAN ports. In an inline + proxyconfiguration, Symantec Web Gateway only supports proxyfunction on LAN1 and WAN1 ports.

Symantec Web Gateway only supports dual homing on the 8490appliance.


Inline and inline +proxy dual homing

17Planning for installationAbout Symantec Web Gateway network configurations

See “Port connections for typical network configurations” on page 18.

About the Symantec Web Gateway operating modesThe mode that you choose defines Symantec Web Gateway's default behavior.You can override the default settings when you configure policies.

Table 2-4 describes the modes that are available for Symantec Web Gateway.

Table 2-4 Symantec Web Gateway operating modes

DescriptionMode

Based on the network configuration, Symantec Web Gatewaycan block Web sites, phone-home attempts, and file downloads.When in blocking mode, Symantec Web Gateway also providesthe same reports on user activity as it does in monitoring mode.You must install Symantec Web Gateway in the inline networkconfiguration to block file transfers.

See “About Symantec Web Gateway network configurations”on page 16.

Blocking

Symantec Web Gateway does not block any Internet traffic, butit provides reports on user activity. This mode can be useful asan initial test of Symantec Web Gateway.

Monitoring

Port connections for typical network configurationsTable 2-5 describes the port connections for typical network configurations.

See “Diagrams of typical network configurations” on page 21.

Note:You may need to use a crossover Ethernet cable for the connection from theSymantec Web Gateway LAN port to the LAN switch.

See “About ensuring Internet connectivity if Symantec Web Gateway is disabled”on page 48.

Planning for installationAbout the Symantec Web Gateway operating modes

18

Table 2-5 Port connections for typical network configurations

ConnectWAN to

ConnectLAN to

ConnectMonitor to

ConnectManagementto


Not usedPort on yourLAN switch(optional)

Network tapor a port onyour LANswitch that isset to spanmode(required)

Port on yourLAN switch(required)

Simple port span/tapnetwork configuration.

Port span/tap

Not usedPort on yourLAN switch(required)

Not usedPort on asubnetseparatefrom the LANport subnet(required)

Single leg proxyconfiguration.

Symantec Web Gateway onlyinspects traffic directed tothe Web Gateway proxyports.

Proxy mode

Internetfirewall LANport(required)


Not usedPort on asubnetseparatefrom the LANport subnet(required)

Symantec Web Gateway is intransparent bridge operationand explicit proxy is enabledon the LAN and WAN ports.All traffic directed to theappliance is analyzed. Notethat Dual Homing, availableon some models, is notprovided for proxy services.Proxy services are onlyprovided over theLAN1/WAN1 ports, even ifdual homing is enabled.Inline traffic is still inspectedand forwarded overLAN2/WAN2 if Dual Homingis enabled.

Inline + Proxy mode

19Planning for installationPort connections for typical network configurations

Table 2-5 Port connections for typical network configurations (continued)

ConnectWAN to

ConnectLAN to

ConnectMonitor to

ConnectManagementto





Simple inline networkconfiguration. If a proxyexists in the network, it isconnected to the firewall.

Note: When Symantec WebGateway service is disabled,you can access the SymantecWeb Gateway Web GUI fromthe Management port only.

Simple inline with noproxy or the proxy is atthe firewall




You can connect twoSymantec Web Gatewayappliances to two firewallsas part of a high-availabilityenvironment. You canconfigure the firewalls inactive/active failover oractive-standby failover. Youshould configure theSymantec Web Gatewayappliances identically exceptfor the network settings.

Inline with two firewallsand two Symantec WebGateway appliances


Port on theproxy(required)


If your proxy server isconnected to the corporateLAN rather than the firewall,install Symantec WebGateway between thecorporate LAN and the proxyserver.

Inline with one NICexternal proxy that isconnected to SymantecWeb Gateway

Planning for installationPort connections for typical network configurations

20

Table 2-5 Port connections for typical network configurations (continued)

ConnectWAN to

ConnectLAN to

ConnectMonitor to

ConnectManagementto


Port on yourlayer 3switch;connectWAN2 to aseparatelayer 3 switch(required)

Port on theproxy;connectLAN2 to theproxy also(required)


For greater throughput onthe proxy server, you canconnect a single SymantecWeb Gateway appliance withtwo LAN and two WAN portsto a proxy server. You canalso connect a singleSymantec Web Gatewayappliance with two LAN andtwo WAN ports to two proxyservers.

Inline with two NICexternal proxies thatare connected twice todual-homed SymantecWeb Gateway

Port on theproxy(required)



The proxy server isconnected to the firewall andSymantec Web Gateway.

Inline with two NICexternal proxies thatare connected toSymantec Web Gatewayand to the firewall

Not usedNot usedNot usedPort on yourLAN switch(required)

An appliance that isconfigured to manage otherappliances is called a CentralIntelligence Unit.

Central IntelligenceUnit

Diagrams of typical network configurationsThe following are diagrams of typical network configurations.


21Planning for installationDiagrams of typical network configurations

Figure 2-1 Simple inline or inline + proxy network configuration

Internet

InternetFirewall

CorporateLAN

LAN Port

Protected Computers

NetworkMgmt PC

SymantecWeb Gateway

CrossoverCable

ManagementPort

WAN Port

Planning for installationDiagrams of typical network configurations

22

Figure 2-2 Inline with two firewalls, two external proxies, and two SymantecWeb Gateway appliances

Internet

InternetFirewallor NAT

CorporateLAN

Protected Computers

NetworkManagement PC

SymantecWeb Gateway

CrossoverCable

ManagementPort

LAN Port

ProxyServer

ProxyServer

LAN Port ManagementPort

CrossoverCable


SymantecWeb Gateway WAN PortWAN Port


Figure 2-3 Inline with dual-homed Symantec Web Gateway inline

Internet


Layer 3 Switch(Router)

Protected Computers

SymantecWeb Gateway

CrossoverCables

LAN1Port

ProxyServer

WAN1Port

ManagementPort

WAN2Port

LAN2Port

Layer 3 Switch(Router)

Protected Computers

NetworkMgmt. PC


24

Figure 2-4 Symantec Web Gateway configured as a proxy

InternetInternetFirewallor NAT

CorporateLAN

Protected Computers

NetworkMgmt PC

Management Port

LAN Port

Symantec WebGateway


Figure 2-5 Inline Symantec Web Gateway with an external proxy serverconnected to firewall


CorporateLAN

Protected Computers

NetworkMgmt PC

SymantecWeb Gateway

CrossoverCable

Management Port

WAN Port

LAN Port

ExternalProxyServer


26

Figure 2-6 Inline with an external proxy server


CorporateLAN

Protected Computers

NetworkMgmt PC Symantec Web Gateway

CrossoverCable

Management Port

LAN Port

WAN Port

ExternalProxyServer


Figure 2-7 Simple port span/tap network configuration

Internet

InternetFirewall

LAN DeviceMonitor Port

Span/TapPort

Monitored ComputersNetworkMgmt PC

Symantec WebGateway

Management Port

Ports and settings that SymantecWeb Gateway usesPorts and URLs used for communications are useful in preparation of firewall forSymantec Web Gateway installation or troubleshooting communication problems.

Table 2-6 describes the ports that Symantec Web Gateway uses.

Table 2-6 Symantec Web Gateway ports and settings

DescriptionToFromPort(Protocol)

URL

Delivers theSMTPnotifications ofalert conditions.

User-definedSMTP mailservers

SymantecWebGateway

TCP/25 (SMTP)<hostname/IP>

(Optional)Performsexternal DNSlookups, ifconfigured.

User-definedDNS servers

SymantecWebGateway

UDP/53 (DNS)<hostname/IP>

Planning for installationPorts and settings that Symantec Web Gateway uses

28

Table 2-6 Symantec Web Gateway ports and settings (continued)


URL

Supplies theantivirusdefinitionsdownloads.

SymantecLiveUpdateservers

SymantecWebGateway

TCP/80 (HTTP)liveupdate.symantec.com

liveupdate.symantecliveupdate.com

RetrievesNetwork TimeProtocol datafrom one ormore Timeservers.

User-definedNTP servers

SymantecWebGateway

UDP/123 (NTP)<hostname/IP>

pool.ntp.org (default)

(Optional)Provides theSimple NetworkManagementProtocol (SNMP)trap and alerts,if configured.

User-definedSNMP servers

SymantecWebGateway

UDP/161(SNMPv3)

<hostname/IP>

(Optional)Retrieves LDAPUserinformationfrom ActiveDirectory server,if configured.

ActiveDirectoryservers

SymantecWebGateway

TCP/389(domaincontroller ) orTCP/3268(Global Catalog)

<hostname/IP>

29Planning for installationPorts and settings that Symantec Web Gateway uses



URL

This portenables thefollowing:

■ SymantecWeb Gatewaysoftwareupdatedownloads,botnetsignatures,and otherupdates.

■ SymantecTechnicalSupport mayuse this portfor remotesystemdiagnosis.

SymantecThreat centerservers

SymantecWebGateway

TCP/443(HTTP)

threatcenter.symantec.com

This portreceives thereputationcontent that isrelated to theInsightcomponent andapplies therelevantInsight-basedpolicies.

SymantecInsightReputationServer

SymantecWebGateway

TCP/443(HTTP)

mi5-shasta-rrs.symantec.com

(Optional) PollsSymantec WebGateway for itsstatus and data.

SymantecWeb Gateway

CentralIntelligenceUnit (CIU)

TCP/443(Proprietary)

<hostname/IP>


30



URL

(Optional)Retrievesupdates toconfigurationoptions fromCIU.

CIUSymantecWebGateway


<hostname/IP>

(Optional)Deliversmalware alertsor system alertsto remote syslog,if configured.

User-definedsyslog servers

SymantecWebGateway

UDP/514(Syslog)

<hostname/IP>

(Optional)Forwards auditsuccess entriesfrom thesecurity log ofthe domaincontroller toSymantec WebGateway, whichpermitsSymantec WebGateway toapply filteringpolicies based onLDAP.

dc interfaceSymantecWebGateway


<IP Address, as configuredin dcinterface.txt>

(Optional)Symantec WebGateway toauthenticate enduser clients.

SymantecWeb Gateway

Endpointcomputer

TCP/20200<401 authentication port>

(Optional) Usedto communicatewith theSymantec WebPrevent server.

SymantecWeb Preventcommunicationchannel

SymantecWebGateway

ICAP/1344<Symantec Web Preventcommunication channel>


Note:<hostname/IP> denotes the configuration that you provide based upon yourlocal network architecture and your implementation plan for Symantec WebGateway

Table 2-7 describes the proxy settings that Symantec Web Gateway uses.

Table 2-7 Symantec Web Gateway proxy settings

DescriptionToFromPortSettings

You can enableSymantec WebGateway proxyas SOCKS proxyfor TCP and forUDP networktraffic such asHTTP and FTP.Symantec WebGatewaysupports thefollowing SOCKSversion 5. Thedefault port is1080, and youcan modify asper yournetworkconfiguration.

Symantec WebGateway

Web browserclient

1080SOCKS Settings

The proxylistens for FTPtraffic at theport that youspecify. Thedefault port is8021,and youcan modify asper yournetworkconfiguration.

Symantec WebGateway

FTP client8021FTP Settings


32

Table 2-7 Symantec Web Gateway proxy settings (continued)

DescriptionToFromPortSettings

The proxylistens forHTTP/S trafficfrom the userWeb browser atthe specifiedports. Thedefault port is8080, and youcan modify asper yournetworkconfiguration.

These ports canonly be used forthe HTTP/Sproxy.

Symantec WebGateway

Web browserclient

8080HTTP/S ProxySettings

The SymantecWeb Gatewayproxy listens forSSL traffic at theport that youspecify. If youenable theinternal HTTP/Sproxy, the SSLport must bedifferent thanthe HTTP/Sports. Thedefault port is8443, and youcan modify asper yournetworkconfiguration.

Symantec WebGateway

Web browserclient

8443SSL DeepInspectionSettings


Connections, ports, and indicators on the SymantecWeb Gateway appliance

The connections and ports on the back of the appliance that you need to configureSymantec Web Gateway are labeled. Connections that are not labeled are notfunctional or are not supported. Two solid (not blinking) LEDs indicate bypassmode is enabled.

Table 2-8 explains the connections and ports on Symantec Web Gatewayappliances.

Table 2-8 Connections and ports on Symantec Web Gateway appliances

DescriptionConnection or port

You can use this port to attach a keyboard to use for thecommand line interface.

The Symantec Web Gateway appliance models that support aUSB keyboard are listed below:

■ Symantec Web Gateway model 8450 Rev 1 or later

You can view the revision of the Web Gateway model 8450on the System Status page.


USB ports

Connect the serial port to another computer to access the SerialConsole character-based interface.

See “Port connections for typical network configurations”on page 18.

Serial port

Depending on how you deploy Symantec Web Gateway, youmay connect the LAN port to your LAN switch.

LAN Ethernet port

Depending on how you deploy Symantec Web Gateway, youmay connect the WAN port to your firewall.

WAN Ethernet port

Connect the management port to your LAN switch.

The management port must have access to the following:

■ Domain Name Server (DNS)

■ Access to the required Internet services

See “Ports and settings that Symantec Web Gateway uses”on page 28.

■ Domain controller (for authentication)


Management (Mgmt)Ethernet port

Planning for installationConnections, ports, and indicators on the Symantec Web Gateway appliance

34

Table 2-8 Connections and ports on Symantec Web Gateway appliances(continued)

DescriptionConnection or port

If you deploy Symantec Web Gateway in a port span/tapnetwork configuration, connect the monitor port to the networktap or a port on your LAN switch that is set to span mode.


Monitor Ethernet port

You can use this connection to attach a keyboard to use for thecommand line interface.

The Symantec Web Gateway appliance models that support aUSB keyboard are listed below:

■ Symantec Web Gateway model 8450 Rev 1 or later

You can view the revision of the Web Gateway model 8450on the System Status page.


Keyboard

This connection is not functional.Mouse

This connection provides power to the appliance. Yourappliance may have an extra, redundant power connection.

Power

35Planning for installationConnections, ports, and indicators on the Symantec Web Gateway appliance

Planning for installationConnections, ports, and indicators on the Symantec Web Gateway appliance

36

Installing Symantec WebGateway appliances


■ Installing Symantec Web Gateway

■ Installing the Symantec Web Gateway appliance into a rack

■ Configuring a computer to access Symantec Web Gateway for installation

■ Running the setup wizard

■ Post-installation tasks

■ Accessing the Web GUI

■ Connecting Symantec Web Gateway to your network

■ About ensuring Internet connectivity if Symantec Web Gateway is disabled

■ Testing the bypass mode

■ Specifying internal networks

■ Enabling URL filtering, Internet program monitoring, and other features

■ Creating static routes for the inline network configuration

■ Specifying a mail server for alerts and reports

■ Specifying internal email and external proxy servers for report accuracy

■ Testing Symantec Web Gateway for successful blocking or monitoring

■ Testing Symantec Web Gateway Threat Center connectivity

3Chapter

Installing Symantec Web GatewayBefore you install Symantec Web Gateway, ensure that you complete all of theitems on the preinstallation checklist.

See “Preinstallation checklist” on page 11.

Table 3-1 describes the steps to install and initially configure Symantec WebGateway.

Table 3-1 Steps to install Symantec Web Gateway

DescriptionActionStep

Mount the Symantec Web Gatewayappliance into a rack, but do notconnect the Ethernet cables yet.

See “Installing the Symantec WebGateway appliance into a rack”on page 39.

Mount the appliance.Step 1

You use a directly connected computerto initially configure Symantec WebGateway.

See “Configuring a computer to accessSymantec Web Gateway forinstallation” on page 39.

Configure and connect acomputer to Symantec WebGateway for initialinstallation.

Step 2

You specify the primary administrativeuser, network configuration, and initialsettings for Symantec Web Gateway inthe setup wizard.

See “Running the setup wizard”on page 40.

Run the setup wizard.Step 3

When you finish the installation, perform the post-installation tasks to ensurethat you properly configure and test Symantec Web Gateway.


Installing Symantec Web Gateway appliancesInstalling Symantec Web Gateway

38

Installing the SymantecWeb Gateway appliance intoa rack

You can mount the Symantec Web Gateway appliance into a 19-inch (483mm)rack. If you do not have a rack, the Symantec Web Gateway appliance can rest ona stable surface.

After you install the appliance into a rack, configure a computer to access thesetup wizard next. But do not connect the Ethernet cables yet.

See “Configuring a computer to access Symantec Web Gateway for installation”on page 39.

To install the Symantec Web Gateway appliance into a rack

1 Attach the included rails to the appliance.

2 Install the appliance in a 19-inch (483mm) rack.

3 Connect the power cord to the appliance and then to a power supply.

4 If your appliance came with two power cords, connect the second power cord.

Configuring a computer to access Symantec WebGateway for installation

You must connect a computer to the management port to initially set up SymantecWeb Gateway. You must also configure the IP address and netmask of thatcomputer.

After you install Symantec Web Gateway, you can access it from a browser on anycomputer in your network. You can also disconnect the computer from themanagement port and reconfigure the network settings as desired.

The exact method to use to configure the computer network settings depends onthe operating system. For example, on Windows XP, access NetworkConnectionson the Control Panel. Access the properties of the Local Area Connection andthen access the properties of Internet Protocol (TCP/IP).

For more information about how to configure your computer network settings,see your operating system documentation.

After you configure a computer to access Symantec Web Gateway for installation,run the setup wizard.

See “Running the setup wizard” on page 40.

39Installing Symantec Web Gateway appliancesInstalling the Symantec Web Gateway appliance into a rack

To configure a computer to access Symantec Web Gateway for installation

1 Copy the license file to the local hard drive on the computer.

2 Access the network configuration settings on the computer.

3 Set the IP address of the computer to the following address:

192.168.254.253

4 Set the subnet mask of the computer to the following address:

255.255.255.0

You do not have to configure any other network settings such as defaultgateway or DNS.

5 Save the settings.

6 Connect an Ethernet cable from this computer to the management port onthe back of the Symantec Web Gateway appliance.

Running the setup wizardAfter you physically install Symantec Web Gateway and connect a computer tothe management port, you can run the setup wizard. This procedure describeshow to configure an appliance as a Web Gateway, not as a Central IntelligenceUnit.

When installation completes the Symantec Web Gateway services restart. Theappliance does not restart.

To run the setup wizard

1 Press the power button on the front of the Symantec Web Gateway appliance.

The appliance takes several minutes to start.

2 On the computer that is connected to the management port, start a Webbrowser and go to the following URL:

http://192.168.254.254

The setup wizard automatically appears the first time that you install theproduct.

3 On the Welcome panel, click Next.

4 On the License Agreement panel, read the license agreement, check the boxindicating that you accept the terms of the agreement, and then click Accept.

5 On the Install License panel, do the following tasks:

■ In the Company Name box, type the name of your organization.

Installing Symantec Web Gateway appliancesRunning the setup wizard

40

■ Click Browse and locate your license file.

■ Click Next.

If you do not install a license now, there is a two week grace period. Duringthis time the product runs as if the Symantec Web Gateway license wereinstalled.

6 On the Select Server Type panel, click Web Gateway, and then click Next.

You can only change the server type in the setup wizard. You cannot changeit in the Web GUI after the setup wizard finishes.

7 On the User Information panel, specify the following information about theprimary Web GUI system user:

Type a login name for the primary Web GUIadministrator. Use ASCII characters only. The loginname is case sensitive.

Login Name

Type a password for the primary Web GUIadministrator.

Password

Type the password again to verify its accuracy.Reenter password

Optionally, you can type a description for the currentuser account. This description appears on the EditUserpage.

Description

(Optional)

Type a complete email address such [email protected]. Symantec Web Gatewaysends alerts and reports to this email address. If youclick the Forgot Password? link on the login page, anew password is sent to this address.

Email Address

8 Click Next.

9 On the Server Information panel, specify the following information:

Type a descriptive name for Symantec Web Gatewaywith ASCII characters. The server name can includespaces. The server name is not used for network accessto Symantec Web Gateway. It appears in reports andalerts. If you use a Central Intelligence Unit to managemultiple Symantec Web Gateway appliances, this nameidentifies each Symantec Web Gateway appliance.

Name

41Installing Symantec Web Gateway appliancesRunning the setup wizard

Select one of the following default operating modeoptions:

■ MonitoringClick this option if you only want to view reportson user malware activity but not block malware.

■ BlockingClick this option if you want to block inbound andoutbound malware for user computers at your site.You can also view reports on malware activity. Youcan override these default operating modes withcustom policies.

Symantec recommends that you do not use Blockingmode, if you use the Inline configuration and youdo not have static routes configured.

See “About the Symantec Web Gateway operatingmodes” on page 18.

Select one of the following network configurations:

■ Port span/tap■ Inline■ Proxy■ Inline + Proxy

See “About Symantec Web Gateway networkconfigurations” on page 16.

Mode

Installing Symantec Web Gateway appliancesRunning the setup wizard

42

Do the following tasks:

■ To specify one IP address for the Web GUI and aseparate IP address for the monitoring and blockingcapabilities of Symantec Web Gateway, checkEnableseparatemanagementandinlinenetworks.

■ Specify if you want to use Automatic (DHCP)resolution or if you want to manually specify IPaddresses. Symantec Web Gateway does not supportDHCP when you enable separate management andinline networks.

■ If you did not check Enable separatemanagementand inline networks, specify the ManagementNetwork Settings.

Specify the IP address and related network settingsfor the Web GUI, monitoring capabilities, andblocking capabilities.

■ If you checked Enable separate management andinline networks, specify the following settings:

■ Management Network SettingsSpecify the IP address and related networksettings for the Web GUI.

The use of DHCP is disabled.

■ Inline Network SettingsSpecify the IP address and related networksettings for the monitoring and blockingcapabilities.

■ DNS SettingsYou can specify up to two IP addresses. You canoptionally also specify a DNS suffix.

Network Settings

Specify the following external proxy settings:

■ Check Use proxy for Web Gateway securecommunications (SSL) with Symantec ThreatCenter if you intend to have Symantec WebGateway to use an external proxy to communicatewith Symantec Threat Center. Also specify theproxy IP address and port.

■ Check Analyze ports used by proxy if you wantSymantec Web Gateway to inspect the externalproxy traffic from clients. Also specify the HTTPproxy port/port range and the FTP port.

Proxy Settings

(Optional, if you intend to useexternal proxies)

43Installing Symantec Web Gateway appliancesRunning the setup wizard

Click the drop-down list and select your time zone.

The time zone settings do not apply if you useSymantec Web Gateway as a proxy.

Time Zone Setting

10 Click Finish.

11 The Symantec Web Gateway service restarts.

See “Preinstallation checklist” on page 11.

See “Installing Symantec Web Gateway” on page 38.

Post-installation tasksAfter you install the appliance and run the setup wizard, perform the followingpost-installation tasks to ensure that you properly configure and test SymantecWeb Gateway.

Table 3-2 Post-installation tasks

DescriptionTaskStep

If you selected the inline networking configuration.,disconnect the Ethernet cable from the managementport and connect it to the LAN port on Symantec WebGateway. You do not need to switch to the LAN portif you use the two IP configuration.

If Symantec Web Gateway is in bypass mode in thisconfiguration, leave the Ethernet cable connected tothe management port to access the Web GUI.

With all other configurations, leave the Ethernet cableconnected to the management port. In allconfigurations, keep the other end of the cableconnected to your computer.

Reconnect theEthernet cable, ifrequired.

Step 1

Installing Symantec Web Gateway appliancesPost-installation tasks

44

Table 3-2 Post-installation tasks (continued)

DescriptionTaskStep

On the computer that is connected to the managementport, set the IP address to an IP address that is on thesame network as the new IP address that you specifiedfor Symantec Web Gateway.

Also, set the subnet mask to match the Symantec WebGateway IP address.

This process is similar to the process to access thesetup wizard, except that you do not use the192.168.254.253 IP address.

See “Configuring a computer to access Symantec WebGateway for installation” on page 39.

ConfigureSymantec WebGateway to be ableto access the WebGUI from a Webbrowser throughyour network.

Step 2

Access the Web GUI to test Symantec Web Gatewayand to perform post-installation configurations.

See “Accessing the Web GUI” on page 46.

Access the WebGUI.

Step 3

After you access the Web GUI, you can connectSymantec Web Gateway to your network.

See “Connecting Symantec Web Gateway to yournetwork” on page 47.

ConnectingSymantec WebGateway to yournetwork.

Step 4

If you configure Symantec Web Gateway for the inlineconfiguration, test to ensure that the bypass modeoperates properly.

See “About ensuring Internet connectivity ifSymantec Web Gateway is disabled” on page 48.

See “Testing the bypass mode” on page 50.

Test bypass mode.

(Inlineconfiguration only)

Step 5

When you specify your internal networks, SymantecWeb Gateway knows which networks are internal andwhich are external.

See “Specifying internal networks” on page 51.

Specify yourinternal networks.

Step 6

Configure the following features:

■ Enable Insight reputation-based security

■ Enable application control

■ Enable content filtering

■ Enable record browse view times

See “Enabling URL filtering, Internet programmonitoring, and other features” on page 52.

Enable key filteringand monitoringfeatures.

Step 7

45Installing Symantec Web Gateway appliancesPost-installation tasks

Table 3-2 Post-installation tasks (continued)

DescriptionTaskStep

If you plan to connect Symantec Web Gateway in theinline network configuration, specify static routes.

See “Creating static routes for the inline networkconfiguration” on page 54.

Create static routes,if needed.

(Inlineconfigurationsonly)

Step 8

You should specify your servers and external proxiesso that they appear in your alerts and reports.

See “Specifying a mail server for alerts and reports”on page 55.

See “Specifying internal email and external proxyservers for report accuracy” on page 55.

Specify servers andproxies for reportsand alerts.

Step 9

Test Symantec Web Gateway to ensure that it blocksand monitors Web traffic as you intend it. Also testthe connection to the Threat Center.

See “Testing Symantec Web Gateway for successfulblocking or monitoring” on page 55.

See “Testing Symantec Web Gateway Threat Centerconnectivity” on page 56.

Test Symantec WebGateway.

Step 10

Accessing the Web GUIYou can use the Web GUI to configure Symantec Web Gateway. Access the WebGUI from a Web browser on any computer in the LAN that is connected toSymantec Web Gateway.

Installing Symantec Web Gateway appliancesAccessing the Web GUI

46

To access the Web GUI

1 On the computer in the LAN connected to Symantec Web Gateway, start aWeb browser.

2 In the Web browser, type the following:

http://IP address

Where IP address is the address that you specified for the Symantec WebGateway appliance in the setup wizard.

For example, if the IP address that you specified for the appliance is192.168.42.24, go to the following URL:

http://192.168.42.24

3 For certain Web browsers, you may need to configure a certificate securityexception to access the Web GUI.

Typically, this step is only required at the first login per computer per session.

Connecting Symantec Web Gateway to your networkAfter you complete the setup wizard, connect Symantec Web Gateway to yournetwork based on the network configuration and operating mode that youconfigured during installation. Symantec recommends that you make theconnections while the Symantec Web Gateway service is disabled. This way youcan test that the bypass mode works while the service is disabled. Symantec WebGateway only supports bypass mode for inline configurations.

To connect Symantec Web Gateway to your network

1 In the Web GUI, click Administration > Configuration > Operating Mode,uncheck Service Enabled to disable Symantec Web Gateway, and then clickSave.

When you disable the service, Symantec Web Gateway is in bypass mode.

See “About ensuring Internet connectivity if Symantec Web Gateway isdisabled” on page 48.

You can check the Symantec Web Gateway service status at Administration> Configuration > Operating Mode.

2 Disconnect your computer from the management port of the Symantec WebGateway appliance.

You can set the TCP/IP configuration of the computer as desired and redeployit as needed in your network.

47Installing Symantec Web Gateway appliancesConnecting Symantec Web Gateway to your network

3 Connect the LAN, WAN, and management ports as required for the networkconfiguration and mode that you configured.


4 With Symantec Web Gateway service disabled, try to access the Internet froma computer in the LAN.

You should be able to access the Internet. The bypass LEDs on the back of theSymantec Web Gateway appliance should be on.

See “Connections, ports, and indicators on the Symantec Web Gatewayappliance” on page 34.

5 In the Web GUI, click Administration > Configuration > Operating Mode,and then check Service Enabled to enable Symantec Web Gateway.


About ensuring Internet connectivity if SymantecWebGateway is disabled

When you configure the appliance in the inline network configuration, theappliance enters bypass mode if it cannot function or is turned off. In bypassmode, Symantec Web Gateway routes Internet traffic through the LAN port andthe WAN port, but no monitoring or blocking occurs.

Note: In the bypass mode, the Ethernet cables on the LAN port and the WAN portare interconnected. You must ensure that the total length of the interconnectedcables does not exceed the maximum Ethernet cable length. The Ethernet cablelength, per ANSI/TIA/EIA cabling standards, is 100m for Cat5e and Cat6.

For more information on the Ethernet cable length, refer the ANSI/TIA/EIA cablingstandards.

Symantec Web Gateway Virtual Edition does not have a bypass mode. For SymantecWeb Gateway Virtual Edition with inline configurations, network traffic is haltedwhen the service is disabled or the physical host computer is turned off.

Table 3-3 explains the differences between the hardware bypass mode and softwarebypass mode.

Installing Symantec Web Gateway appliancesAbout ensuring Internet connectivity if Symantec Web Gateway is disabled

48

Table 3-3 Symantec Web Gateway bypass modes

Software bypass modeHardware bypass mode

If the Symantec Web Gateway appliance isturned on and the Symantec Web Gatewayservice is disabled, it is called Softwarebypass.

If the Symantec Web Gateway appliance isturned off, it is called Hardware bypass.

Software bypass does not generates reportsfor scanning, monitoring, and blocking.

Hardware bypass does not generate anyreports for scanning, monitoring, andblocking.

The WAN port and LAN port are disabled.Traffic still flows through the LAN port andWAN port unimpeded.

The WAN, LAN, management port, andmonitoring ports are disabled. But trafficstill flows through the LAN port and WANport unimpeded.

For bypass mode to function properly, ensure that you use the proper type ofEthernet cables to connect to the LAN. Two solid LEDs on the back of the SymantecWeb Gateway appliances indicate bypass mode is on.

See “Connections, ports, and indicators on the Symantec Web Gateway appliance”on page 34.

Note: If you connect the wrong type of Ethernet cable from Symantec Web Gatewayto the LAN, Internet connectivity is blocked when Symantec Web Gateway isdisabled or off. In bypass mode, Symantec Web Gateway works the same as if youwere using a crossover Ethernet cable.

In the inline network configuration, you may need to connect a crossover Ethernetcable between the LAN port on Symantec Web Gateway and the main LAN switch.One or two crossover cables are included with Symantec Web Gateway, dependingon the number of LAN ports on your appliance. Most Ethernet cables arestraight-through cables.

Table 3-4 describes the cable options for LAN port.

49Installing Symantec Web Gateway appliancesAbout ensuring Internet connectivity if Symantec Web Gateway is disabled

Table 3-4 Connecting the LAN cable in the inline network configuration

Cable options for Symantec Web Gateway LAN portLANauto sensingbehavior

You can connect either a straight-through or a crossoverEthernet cable from the LAN port on Symantec WebGateway to the main LAN switch. However, Symantecrecommends that you install the type of cable that isrecommended in the following row. If the LAN switch isunintentionally turned off, auto sensing may not function.

The LAN switch that isconnected to Symantec WebGateway has auto sensingthat detects the cable typeand adjusts to properly routenetwork traffic.

You must connect the correct type of Ethernet cable toensure that bypass mode works.

The type of cable to use depends on the cable that wasconnected between the WAN and LAN before you installedSymantec Web Gateway, as follows:

■ If the Ethernet cable between the WAN and LAN was astraight-through cable, connect a crossover Ethernetcable to the Symantec Web Gateway LAN port.

■ If the Ethernet cable between the WAN and LAN was acrossover cable, connect a straight-through Ethernetcable to the Symantec Web Gateway LAN port.

In all cases, connect a straight-through Ethernet cable fromthe WAN to the WAN port on Symantec Web Gateway.

The LAN switch that isconnected to Symantec WebGateway does not have autosensing and automaticcorrection for the Ethernetcable type.

If you configure Symantec Web Gateway in the port span/tap networkconfiguration and the appliance is turned off or disabled, Internet traffic passesunchanged. In the port span/tap network configuration, the appliance never blocksInternet traffic if it is turned off or disabled. Always use a straight-throughEthernet cable to connect the appliance to the network tap or port that isconfigured in span mode.

See “Testing the bypass mode” on page 50.

Testing the bypass modeWhen you configure the appliance in the inline network configuration, theappliance enters bypass mode if it cannot function or is turned off. In bypassmode, Internet traffic is routed through the LAN port and the WAN port, but nomonitoring or blocking occurs. For bypass mode to function properly, ensure thatyou use the proper type of Ethernet cables to connect to the LAN. LEDs on theback of the Symantec Web Gateway appliances indicate bypass mode if it is notturned off.

Installing Symantec Web Gateway appliancesTesting the bypass mode

50

Note: In the bypass mode, the Ethernet cables on the LAN port and the WAN portare interconnected. You must ensure that the total length of the interconnectedcables does not exceed the maximum Ethernet cable length. The Ethernet cablelength, per ANSI/TIA/EIA cabling standards, is 100m for Cat5e and Cat6.

For more information on the Ethernet cable length, refer the ANSI/TIA/EIA cablingstandards.

To test the bypass mode

1 In the Web GUI, click Administration > Configuration > Operating Mode,and then uncheck Service Enabled to disable Symantec Web Gateway.

When you disable the service, Symantec Web Gateway is in bypass mode.

See “About ensuring Internet connectivity if Symantec Web Gateway isdisabled” on page 48.

2 With Symantec Web Gateway service disabled, try to access the Internet froma computer in the LAN.

You should be able to access the Internet. The bypass LEDs on the back of theSymantec Web Gateway appliance should be on but not blinking.

See “Connections, ports, and indicators on the Symantec Web Gatewayappliance” on page 34.

3 Click Administration > Configuration > Operating Mode, and then checkService Enabled to enable Symantec Web Gateway.

4 Test Symantec Web Gateway to ensure that it functions properly.

See “Testing Symantec Web Gateway for successful blocking or monitoring”on page 55.

Specifying internal networksWhen you define your internal networks, you specify which computers are partof your network and which computers belong to the world outside. Thisspecification lets Symantec Web Gateway correctly identify computers withmalware infections, versus potential attacks from outside the network.

To specify internal networks

1 In the Web GUI, click Administration > Configuration > Network.

2 Check ApplyStaticRoutes to InternalNetworks if the following conditionsapply, and then click Save and ignore the rest of this procedure:

■ You have configured static routes.

51Installing Symantec Web Gateway appliancesSpecifying internal networks

■ Your internal networks are the same as or more than the static routes.

See “Creating static routes for the inline network configuration” on page 54.

3 Under Internal Network Configuration, click Add a Network.

Normally, do not check Define internal network as addresses not in thefollowing list. That setting is for special cases of when you install SymantecWeb Gateway in front of an external proxy.

4 In Subnet, type the IP address of your internal subnet.

For example, if your internal computers are in the range 10.42.24.0 to10.42.24.255, type 10.42.24.0.

5 In Netmask, type the netmask for the subnet.

For example, if your internal computers are in the range 10.42.24.0 to10.42.24.255, type 255.255.255.0.

Symantec Web Gateway supports the wide subnets also known as supernets.If portions of your network are in a contiguous wide range, it is not necessaryto have multiple separate internal network entries for each range. A singlewide range is sufficient.

6 Optionally, in Description, type a description of the internal network.

7 If your internal network has computers in separate network ranges, specifyadditional networks.

8 Click Save.

Enabling URL filtering, Internet programmonitoring,and other features

You must enable some features of Symantec Web Gateway for them to function.Alternatively, you can disable the features that you do not use to improve SymantecWeb Gateway performance.

To enable URL filtering, Internet program monitoring, and other features

1 In the Web GUI, click Administration > Configuration > Modules.

2 Check the appropriate box to enable the following features:

Allow, monitor, or block the programs that accessthe Internet. Configure application controlpolicies on the Edit Policy page. This feature isincluded in the Symantec Web Gateway license.

Enable Application Control

Installing Symantec Web Gateway appliancesEnabling URL filtering, Internet program monitoring, and other features

52

If you have the URL filtering license, you canenable URL filtering. Configure URL filteringpolicies on the Edit Policy page.

Enable Content Filter

Symantec Web Gateway detects embedded URLs.Detect Embedded URLs

If you check BypassWhitelist forContentFilter,you disable the internal whitelist and your customwhitelist. The Web pages in those whitelists thatSymantec Web Gateway normally ignores aresubject to monitoring and blocking. This featurerequires the URL filtering license.

The internal whitelist contains the domain namesfor definition updates and software updates ofantivirus vendors and software vendors. Due tosecurity concerns, Symantec cannot publish thecontents of the internal whitelist.

Symantec recommends that you not bypass thewhitelist for content filter.

Bypass Whitelist for Content Filter

Symantec Web Gateway records the approximateamount of time that each user views Web sites.This feature requires the URL filtering license.

The following settings are available for thismodule:

■ ThresholdWeb browsing activity under this value is notrecorded. The default is 5 minutes.

■ SensitivityIf Symantec Web Gateway detects no Webbrowsing activity after this time has elapsed,it stops tabulating the browse time. SymantecWeb Gateway ignores or records the browsetime depending on the Threshold value. Thedefault is 3 minutes.

Record browse time

Symantec Web Gateway can block, monitor,ignore, or allow access to files and other sourcesof malware based on reputation-based security.Insight is a Symantec technology that can flagprobable malware not previously known toSymantec.

Insight

53Installing Symantec Web Gateway appliancesEnabling URL filtering, Internet program monitoring, and other features

3 Click Save.

Creating static routes for the inline networkconfiguration

You must use static routes if you plan to connect Symantec Web Gateway in theinline network configuration. You must configure a static route to each internalsubnet beyond the main switch. Whenever you add an additional subnet, you mustadd a static route to Symantec Web Gateway. If you do not add a static route whenyou add a subnet, users on that subnet may see the following error message: "Pagenot found."

Note: You do not have to configure static routes in the Web GUI if you deploySymantec Web Gateway in the port span/tap network configuration. SymantecWeb Gateway only requires static routes for the inline network configurations.

A static route is a path to an internal subnet through an intermediate switch. Inthe inline network configuration, you connect the LAN port on Symantec WebGateway to a main switch. If that switch connects to another subnet, you mustconfigure a static route for each subnet beyond the switch that is connected toSymantec Web Gateway.

To create static routes for the inline network configuration

1 In the Web GUI, click Administration > Configuration > Network.

2 Click Add a Static Route.

3 In Destination, type the IP address of the subnet.

For example, if computers on the network have IP addresses in the range10.10.20.0 to 10.10.20.255, type 10.10.20.0.

4 In Netmask, type the netmask for the subnet.

For example, if you specified a destination of 10.10.20.0, type 255.255.255.0.

5 In Gateway, type the IP address of the router or switch.

The gateway is the IP address of the router, such as 10.10.20.100.

6 Add additional static routes for each internal subnet.

7 Click Save.

Installing Symantec Web Gateway appliancesCreating static routes for the inline network configuration

54

Specifying a mail server for alerts and reportsYou can provide settings for an alternate mail server in case your default mailserver fails to send reports and alerts to administrators.

To specify a mail server for alerts and reports

1 In the Web GUI, click Administration > Configuration > Email.

2 Specify your own mail server IP address, port, and email address from whichemail should appear to be from.

The mail server that you specify must support the SMTP email protocol.

3 Uncheck Requires Authorization if the server does not requireauthentication.

This server does not require authentication.

4 Click Save.

Specifying internal email and external proxy serversfor report accuracy

Because of their special roles, you must specify internal email and external proxyservers to ensure that report results are accurate.

To specify internal email and external proxy servers for report accuracy

1 In the Web GUI, click Administration > Configuration > Servers.

2 Click Add a server.

3 Specify the server parameters.

4 Click Save.

Testing Symantec Web Gateway for successfulblocking or monitoring

Symantec has a Web site that you can use to test that Symantec Web Gatewayblocks or monitors network data.

55Installing Symantec Web Gateway appliancesSpecifying a mail server for alerts and reports

To test Symantec Web Gateway for successful blocking or monitoring

1 Start a Web browser on a computer in the LAN that is connected to SymantecWeb Gateway.

2 On the Internet, go to the following URL:

www.symantec.com

The Symantec Web site should display normally without any block messages.

3 On the Internet, go to the following URL:

testwebgateway.com/test/bltest.htm

Blocking mode or monitoring mode should be indicated as follows:

If you configure Symantec Web Gateway in blocking mode,a block page appears in your Web browser. If the block pagedoes not appear, Symantec Web Gateway is not correctlyconfigured to block access to spyware.

Blocking mode

If you configure Symantec Web Gateway in monitoringmode, the test page appears in your Web browser. To checkfor successful monitoring, find the computer in the WebGUI reports. The report should show that the computeraccessed a malware page.

If the Web GUI does not indicate that the computer accesseda malware page, Symantec Web Gateway is not correctlyconfigured to monitor access to spyware.

Monitoring mode

See “About the Symantec Web Gateway operating modes” on page 18.

Testing Symantec Web Gateway Threat Centerconnectivity

You can check the connection from Symantec Web Gateway to the Threat Centerin the Web GUI. If Symantec Web Gateway can connect to the Threat Center, thenit can also download database updates and software updates.

Installing Symantec Web Gateway appliancesTesting Symantec Web Gateway Threat Center connectivity

56


http://testwebgateway.com/test/bltest.htm

To test Symantec Web Gateway Threat Center in the Web GUI

1 In the Symantec Web Gateway Web GUI, click Administration >Configuration > Network.

2 Beside TestConnectiontoSymantecThreatCenter, click Test. The followingmessage appears when the test connection is successful:

Connection to Symantec Threat Center from Appliance Serial No. (ApplianceID) is successful.

57Installing Symantec Web Gateway appliancesTesting Symantec Web Gateway Threat Center connectivity

Installing Symantec Web Gateway appliancesTesting Symantec Web Gateway Threat Center connectivity

58

Installing Symantec WebGateway virtual edition


■ About Symantec Web Gateway Virtual Edition

■ Installing Symantec Web Gateway Virtual Edition

■ System requirements for Symantec Web Gateway Virtual Edition

■ About configuring the VMware virtual switch

■ About adding the VMware LAN Network virtual switches

About Symantec Web Gateway Virtual EditionSymantec Web Gateway Virtual Edition runs as a virtual machine on VMware sothat you can run Symantec Web Gateway on the hardware and operating systemof your choice.

Table 4-1 describes some considerations about Symantec Web GatewayVirtualEdition.

4Chapter

Table 4-1 Symantec Web Gateway Virtual Edition usage notes

DetailsConsideration

You can install Symantec Web Gateway Virtual Edition inany of the following network configurations:

■ Inline

This configuration is supported but not recommended.

■ Proxy

■ Inline + proxy

■ Port span/tap

■ Central Intelligence Unit


All network configurationsare supported.

Symantec Web Gateway Virtual Edition does not have abypass mode like the Symantec Web Gateway appliances.For Symantec Web Gateway Virtual Edition, in an inlinenetwork configuration, network traffic is halted when theservice is disabled or the physical host computer is turnedoff.


See “About ensuring Internet connectivity if Symantec WebGateway is disabled” on page 48.

The bypass mode isunsupported.

You must connect the computers that you want to accessthe Web GUI to the Ethernet port that is assigned to theManagement network.

Connecting managementcomputers to theManagement network.

Symantec does not support restoring from a VMwaresnapshot. Use the instructions in this guide to installSymantec Web Gateway Virtual Edition.

The VMware snapshot isunsupported.

See “Installing Symantec Web Gateway Virtual Edition” on page 60.

Installing Symantec Web Gateway Virtual EditionTable 4-2 describes the steps to install Symantec Web Gateway Virtual Edition.

Installing Symantec Web Gateway virtual editionInstalling Symantec Web Gateway Virtual Edition

60

Table 4-2 Steps to install Symantec Web Gateway Virtual Edition


Ensure that you have a supported version of VMware and thatthe virtual machine is provisioned appropriately.

See “System requirements for Symantec Web Gateway VirtualEdition” on page 64.

Review system requirements.Step 1

If you purchase a license for Symantec Web Gateway, you candownload the Virtual image files from the Symantec File Connectsite.

To access Symantec File connect, on the Internet, go to thefollowing URL:

https://fileconnect.symantec.com/

If you have not yet purchased a license, you can download theVirtual image files from our product Trialware site.

To access the Symantec Web Gateway Trialware site, on theInternet, go to the following URL:

http://www.symantec.com/business/products/trialware.jsp?pcid=pcat_security&pvid=web_gateway_1

Ensure that you put all of the virtual image files in the samedirectory.

Download the Virtual imagefiles.

Step 2

Do the following tasks to prepare your virtual machine:

■ Add the VMware LAN network virtual switches and configuretheir port properties. Each Symantec Web Gateway port thatyou use (management, WAN, LAN, and monitor) requires oneunique virtual switch.

See “About adding the VMware LAN Network virtual switches”on page 66.

■ Configure the default VMware virtual switch.

See “About configuring the VMware virtual switch”on page 65.

Prepare your host.Step 3

61Installing Symantec Web Gateway virtual editionInstalling Symantec Web Gateway Virtual Edition

https://fileconnect.symantec.com/



Table 4-2 Steps to install Symantec Web Gateway Virtual Edition (continued)


Deploy the OVF template that you downloaded in Step 2 on aVMware ESX/ESXi Server. If you use ESX version 4.1, when youdownload the template, you may be asked to choose thin diskprovisioning or thick disk provisioning. Symantec Web Gatewayrecommends that you use thick disk provisioning.

An OVF template is a virtual machine that includes the softwarethat you plan to run on the computer. You can deploy the OVFtemplate with a vSphere client on a different computer than thecomputer that hosts your ESX/ESXi Server.

Symantec Web Gateway only supports the deployment of anunaltered OVF template file. Symantec Web Gateway does notsupport the creation of an OVF template from the Symantec WebGateway template.

The OVF deployment takes about 10 minutes. When it completes,the new computer appears in your inventory. You may want toconfigure your guest computer to restart when the host computerrestarts.

Deploy the OVF template.Step 4

You can set the memory reservation in vSphere in the Resources> Memory > Reservation settings.

See “System requirements for Symantec Web Gateway VirtualEdition” on page 64.

Reserve memory for theSymantec Web Gatewayvirtual appliance.

Step 5

Installing Symantec Web Gateway virtual editionInstalling Symantec Web Gateway Virtual Edition

62

Table 4-2 Steps to install Symantec Web Gateway Virtual Edition (continued)


To configure the virtual network adapters, do all of the followingtasks:

■ In the vSphere client, edit the following setting:

Symantec_Web_Gateway_VMimage_5.1.0.xxx_Linux_ENwhere x.x..x is the Symantec Web Gateway version releasenumber.

■ Configure the network adapters with the following namesand network connections:

■ Adapter 1 Management - Management network

■ Adapter 2 WAN - WAN network

■ Adapter 3 LAN - LAN network

■ Adapter 4 Monitor - Span/tap network

Note: Depending on your deployment, not all of these settingsmay apply.


After you configure your virtual network adapters, verify invSphere that they are properly configured.

Configure virtual networkadapters.

Step 6

Physically connect the actual network adapters to the ESX/ESXihost computer.

See “Connections, ports, and indicators on the Symantec WebGateway appliance” on page 34.


See “Diagrams of typical network configurations” on page 21.

Physically connect thenetwork adapters as youwould for a non-virtualdeployment.

Step 7

In the vSphere client, turn on the following:

Symantec_Web_Gateway_VMimage_5.0.0.xxx_Linux_EN

where x.x..x is the Symantec Web Gateway version releasenumber.

You must connect the computer that you to access the Web GUIto the Ethernet port that is assigned to the Management network.

Start the virtual computer.Step 8

Run the Symantec Web Gateway setup wizard as you would fora non-virtual installation.

See “Running the setup wizard” on page 40.

Run the setup wizard.Step 9

63Installing Symantec Web Gateway virtual editionInstalling Symantec Web Gateway Virtual Edition

For more information about how to perform the tasks or navigate to the settingsthat are described in Table 4-2, consult your vSphere documentation.

System requirements for Symantec Web GatewayVirtual Edition

Table 4-3 lists the system requirements for Symantec Web Gateway Virtual Edition.

Table 4-3 System requirements for Symantec Web Gateway Virtual Edition

Minimum for production environmentRequirement

90 GB (thick provisioned format)Disk space

The memory requirement is based on your networkconfiguration mode, as follows:

■ Port span/tap mode: 4 GB

■ Inline mode: 4 GB

■ Proxy mode: 8 GB

■ Inline + proxy mode: 8 GB

■ CIU mode: 4 GB

Memory

2CPUs

Table 4-4 lists the system requires for the host.

Table 4-4 System requirements for the ESX/ESXi host


ESX version 4.0 or 4.1

ESXi version 4.0, 4.1, or 5.0

VMware ESX Server orVMware ESXi Server

64-bitCPU type

2CPUs (includesHyper-Threading)

1.8 GHzCPU speed

EnabledHardware virtualization

120 GBDisk space

Installing Symantec Web Gateway virtual editionSystem requirements for Symantec Web Gateway Virtual Edition

64

Table 4-4 System requirements for the ESX/ESXi host (continued)


The memory requirement is based on your networkconfiguration mode, as follows:

■ Port span/tap mode: 4 GB

■ Inline mode: 4 GB

■ Proxy mode: 8 GB

■ Inline + proxy mode: 8 GB

■ CIU mode: 4 GB

Memory

The NIC requirement is based on your networkconfiguration mode, as follows:

■ Port span/tab mode: 2

■ Inline mode: 3

■ Proxy mode: 2

■ Inline + proxy mode: 3

■ CIU mode: 1

Physical NICs

Refer to your VMware documentation for VMware system requirements.

About configuring the VMware virtual switchESX/ESXi installations automatically create a default virtual switch, which iscalled the VM Network. You must configure the VM Network virtual switch networkproperties for Symantec Web Gateway Virtual Edition to function properly.

Table 4-5 describes how you should configure the VM Network port properties invSphere.

Table 4-5 VM Network virtual switch property values

ValueProperty

Virtual MachineConnection Type

Leave as isVLAN ID

AcceptPromiscuous Mode

NoFailback

NoNotify Switches

For any property that Table 4-5 does not specify, use the default value.

65Installing Symantec Web Gateway virtual editionAbout configuring the VMware virtual switch

For more information about how to configure port properties, refer to your vSpheredocumentation.

After you configure the VMware virtual switch, map the virtual switches to yournetwork the same as you would for a non-virtual installation.


About adding the VMware LAN Network virtualswitches

You must create VMware LAN Network virtual switches for each Symantec WebGateway network port that you intend to use based on your deployment option.After you create the switch, you can configure the certain properties. Create theLAN Network virtual switch on your ESX/ESXi system to connect to your networkbased on the Symantec Web Gateway network configuration guidelines.


If you want to build the LAN Network virtual switch to map to the Symantec WebGateway interface, create a virtual switch and select the appropriate ESX/ESXiinterface for your device.

Installing Symantec Web Gateway virtual editionAbout adding the VMware LAN Network virtual switches

66

Figure 4-1 Suggested Network virtual switch configuration

Virtual SymantecWeb Gateway

LANPort

WANPort

ManagementPort

Virtual Switches

VMWare ESX

MonitorPort

Network Adapters1 2 3 4

Table 4-6 describes the values that you should use in vSphere when you create aLAN Network virtual switch.

Table 4-6 VMware LAN Network virtual switch property values

ValueProperty

Virtual MachineConnection Type

Leave as isVLAN ID

AcceptPromiscuous Mode

NoFailback

NoNotify Switches

For any property that Table 4-6, does not specify, use any value.

For more information about how to add a VMware LAN Network virtual switchand configure port property settings, refer to your vSphere documentation.

67Installing Symantec Web Gateway virtual editionAbout adding the VMware LAN Network virtual switches

After you configure the VMware LAN virtual switch, map the virtual switches toyour network the same as you would for a non-virtual installation.


Installing Symantec Web Gateway virtual editionAbout adding the VMware LAN Network virtual switches

68

Aalerts 55antivirus 5appliance

connections and ports 34mounting into a rack 39supported models 15

application controlcontrolling access 52

Bblocking mode

about 18installing 40testing 55

browse time 52browser, Web. See Web browserbypass mode

about 48LED indicators 34testing 50

CCentral Intelligence Unit

installing 40port connections 18

crossover cable 18, 48

Ddocumentation, product 8dual homing network configuration

about 16diagram 21

Eemail server 55ESX/ESXi. See virtualizationEthernet cables 48Ethernet ports 18external proxy 11, 55

GGlobal Intelligence Network 5

Hhelp 8

Iinline + proxy network configuration

about 16diagram 21installing 40

inline network configurationabout 16creating static routes 54diagram 21ensuring Internet connectivity 48installing 40port connections 18

installationpost-installation tasks 44preinstallation checklist 11running setup wizard 40Symantec Web Gateway 38Symantec Web Gateway Virtual Edition 60

internal networks 51Internet applications

controlling access 52IP addresses 45

LLAN Ethernet port 18, 34license 11LiveUpdate 28

Mmanagement port 18, 34mgmt port. See Management portmodes, operating. See operating modesmonitor port 18, 34

Index

monitoring modeabout 18installing 40testing 55

Nnetwork configurations

about 16diagrams 21port connections 18virtualization, supported 59

networks, internal 51new features 6

Ooperating modes 18OVF template 60

Pport span/tap network configuration

about 16diagram 21ensuring Internet connectivity 48installing 40port connections 18

portsappliance 18, 34, 48connecting the appliance 47used by Symantec Web Gateway 28

post-installation tasks 44preinstallation checklist 11proxy network configuration

about 16installing 40

Rrack, mounting appliance 39reports

specifying mail server for 55specifying proxy servers 55

Sserial port 34setup wizard

initial installation 40SMTP 55span. See port span/tap

SSL Deep InspectionURL and port 28

static routes 51, 54Symantec Domain Controller Interface

URL and port 28Symantec Threat Center

testing connectivity 56URL and port 28

Symantec Web Gatewayaccessing the Web GUI 46configuring computer access to 39ports and URLs 28proxy settings 28testing

blocking and monitoring 55bypass mode 50Threat Center connectivity 56

Symantec Web Gateway proxydiagram 21

Symantec Web Gateway Virtual Edition. Seevirtualization

system requirements 15system users

specifying 41

Ttap. See port span/taptests. See Symantec Web Gateway: testingthird-party proxy server. See external proxyThreat Center

testing connectivity 56URL and port 28

threats 5

UURL filtering

enabling 52URLs, Symantec Web Gateway 28USB ports 34

Vvirtual edition. See virtualizationvirtual network adapters 60virtualization

about 59adding LAN network virtual switches 66configuring the virtual switch 65installing 60

Index70

virtualization (continued)network virtual switch configuration 66supported network configurations 59system requirements 64

virus. See antivirusVMware

adding LAN network virtual switches 66configuring the virtual switch 65snapshot 59system requirements 64

vSphere. See virtualization

WWAN Ethernet port 18, 34Web 2.0 5Web browser

system requirements 15Web GUI 46whitelist 52

71Index

symantec web gateway 5.1: getting started guide · pdf filesymantec web gateway 5.1 getting...

Documents