Settings

This section includes 8 sub-sections, where different settings are organized according to subjects. Each sub-section is collapsible by clicking the header.

General

System Name

Define a meaningful name to the entire system (whether multi machine or single machine). Used in various places for display purposes mainly (also used in alerts).

Enable Audio

Enable or disable audio at the system level. If audio is disabled, then no remote browsers will support audio in any sessions. If audio is enabled, then audio is available throughout the system.

Allow Direct IP Address

Since navigating to IP addresses is considered un-common by regular users, IP addresses are blocked by default. This setting controls the use of direct IP address access in the Shield system. When IP addresses are allowed, they will be handled according to the default Access Policy (e.g., if the default value is Shield, then any site accessed via its IP address will be shielded as well).

Enable Caching

Enable or disable web caching. When caching is enabled, content such as files, images and web pages is stored on the proxy thus improving the performance and user experience. Enabled by default.

Enable Periodic Health Checks

Enable or disable periodic tests. When enabled, Shield runs internal tests, periodically, to identify problematic areas in the system. These tests a partial set of the pre-installation checks and are performed as a background process. The periodic tests are executed according to the defined frequency (see below).

Periodic Health Checks Frequency (min)

Define the frequency of running the periodic tests, in minutes.

Slow Network Message Interval (ms)

When the network is slow, and a site takes a long time to load, the user will see a matching message. Define the time interval to show the Slow Network message to the user (in ms). If this interval is reached and the site was not loaded, the message is displayed. To disable this message from showing - update the value to be 0.

Enable Tech-Preview Features

Shield includes some features that are defined in Tech-Preview mode. These features may change between Shield versions. To enable tech-preview features in the Admin Console, set to Yes.

PAC File

Upload the PAC File

Select a PAC file to upload to Shield. The date/time of the last uploaded PAC file is displayed in the admin.

The PAC file will be available on the Shield Web-Service component running on any Management Node. To configure the end-user browser to use the PAC file, set the Automatic Configuration Script field to http://<ProxyHostname>/default.pac

Upload PAC file

Download the PAC File

Select the Download option to download the default PAC file locally. Make changes to the PAC file that are needed to meet specific environment requirements and then upload the new PAC file using the steps detailed above.

SSL

Administration Console FQDN

The Fully Qualified Domain Name. Mandatory for creating the Administration Console SSL certificate. Once this field is populated and the info is saved, a matching certificate is created in the background.

Note

This certificate is based upon either the default Shield certificate, or upon the custom CA certificate (if one was uploaded by the user).

Custom CA Password

Set the custom Certification Authority password (if required).

Upload Custom CA Public Key

Upload custom Certification Authority public key. Used with the private key. Both keys are used to sign all SSL certificates in the system.

Upload Custom CA Private Key

Upload custom Certification Authority private key. Used with the public key. Both keys are used to sign all SSL certificates in the system.

Upload Custom Trust Certificate

Upload custom trusted certificate. This certificate is verified and then added to the Certification Authority certificates.

Note

Both single certificates and certificate chains are supported.

Restore Shield Default Certificates

Select this option to delete all existing certificates and restore Shield default certificates.

Logs

Remote Browser Log Level

Define the logging level for the Browser component.

Broker Log Level

Define the logging level for the Broker component.

ICAP Log Level

Define the logging level for the ICAP component.

CDR Dispatcher Log Level

Define the logging level for the CDR Dispatcher component.

CDR Controller Log Level

Define the logging level for the CDR Controller component.

Collector Log Level

Define the logging level for the Collector component.

External Syslog Host

Define the external syslog host name, to send all logs to external system. If empty, this option is ignored. Multiple servers may be defined - enter several IP addresses, seperated by a comma (“,”). Same data will be sent to all hosts.

External Syslog Port

Define the external syslog port. Default value is 514. Need to specify a port only if other than default.

Categories

Enable Categories

Enable or disable the categories use in Shield. Enabled by default to support the Intelligent Isolation mode. When set to No, all categories and related policies are disregarded. In this case only domain policies are active.

Suspected Domains Action

When categories are enabled, each domain is checked whether it is safe or considered suspected of being unsecured.

When a suspected (unsecured/malicious) site is found, there are 4 available actions that can be performed:

  • Block - access to this site is completely denied.
  • Read-Only - user receives a warning message about the suspected site and may open it in read-only mode.
  • Warning - user receives a warning message about the suspected site, but access is allowed (after confirming the message).
  • Notification - user is notified about the suspected site.

Note

When the Categories are enabled and the Block Suspected Domains is set to Yes, and a user browses to a domain which is identified as a suspected site, this domain will be blocked. This is true even if this domain is defined in the policies table explicitly.

Internal Cache Duration (h)

The categories are cached and saved in Shield for this defined duration. Used to improve performance and reduce domains loading time.

Files and Sanitization

These settings control how the CDR service processes uploaded and downloaded files via Ericom Shield.

Preview File Size Limit (MB)

Define the maximum file size that can be previewed.

Download File Size Limit (MB)

Define the maximum file size that can be downloaded.

Upload File Size Limit (MB)

Define the maximum file size that can be uploaded.

File Sanitization Provider

Select the desired CDR provider. The supported providers are: Votiro (default) and Check Point SandBlast. Upon selection, the sub-section below may be expanded to view and update the related providers settings.

Votiro (Default)

Primary File Sanitization URL

Set the URL to be used for this CDR solution. https://api.votiro.com/v3 is the cloud-based CDR solution that is provided for the initial evaluation period. The cloud-based CDR solution can only be used for evaluation. Once the new Shield license is applied, the cloud-based CDR will no longer accept incoming CDR requests. Install the internal Votiro (included with Shield) as described here and update the URL as described in the installation instructions.

Secondary File Sanitization URL (Optional)

Define a secondary URL for CDR. Optional, for high availability purposes. Set it to the secondary CDR server (if one exists).

Sanitize Office Files

Set if MS Office files should be sanitized.

Sanitize PDF Files

Set if PDF files should be sanitized.

Sanitize Image Files

Set if Image files should be sanitized.

Sanitize CAD Files

Set if CAD files should be sanitized.

Sanitize Email Files

Set if email files should be extracted and sanitized.

Sanitize Archived Files

Set if Archived files (e.g. zip,7z) should be extracted and sanitized.

Antivirus Scan

Set if files should be checked by multi-scan the Anti-Virus engine.

Block Password Protected Office Files

Set if password protected Office files should be blocked or downloaded without sanitization.

Block Password Protected PDF Files

Set if password protected PDF files should be blocked or downloaded without sanitization.

Block Unsupported Files

Set if unsupported files types should be blocked or downloaded without sanitization.

Block Unknown Files

Set if unknown files should be blocked or downloaded without sanitization.

Block Binary Files

Set if binary files should be blocked or downloaded without sanitization.

Block Script Files

Set if script files should be blocked or downloaded without sanitization.

Block Fake Files

Set if fake files should be blocked or downloaded without sanitization.

Block Equation OLE Object

Set if OLE Objects should be blocked or downloaded without sanitization.

Note

Password protected files are blocked by default (download is disabled). However, if password protected files are allowed (Office & PDF), these files cannot currently be sanitized and will therefore be downloaded without sanitization.

Note

If one of these Votiro related settings is updated in the Admin Console, it should also be updated manually in the PasswordPolicy.xml (located on the CDR server under C:\Program Files\Votiro\SDS Web Service\Policy.)

Check Point SandBlast

Primary File Sanitization URL

Set the URL to be used for this CDR solution.

Secondary File Sanitization URL (Optional)

Define a secondary URL for CDR. Optional, for high availability purposes. Set it to the secondary CDR server (if one exists).

Activation Key

This provider requires an activation key in order to connect and use the CDR cloud-based solution. Enter the key provided by Check Point to use this CDR solution.

DNS

Primary Internal DNS Address

Define a primary internal DNS server address, to be used for Shield infrastructure (AD, authentication, etc.).

Secondary Internal DNS Address

Define a secondary internal DNS server address, to be used for Shield infrastructure (AD, authentication, etc.).

Primary External DNS Address

Define a primary external DNS server address, to be used by the Browsers Farm. This could be the same server as the internal one, depends on deployment scheme.

Secondary External DNS Address

Define a secondary external DNS server address, to be used by the Browsers Farm. This could be the same server as the internal one, depends on deployment scheme.

Note

In a multi machine system, make sure that internal DNS addresses point to the management node/s (where Shield infrastructure is located) and external DNS addresses point to the browsers farm node/s.

Proxy & Integration

Set Client IP In Header

Define if the originating Client IP address should be included in the header or not. Some external proxies and domains require this information.

Set XFF In Header

Define if the XFF should be included in the header or not. XFF (X-Forward-For) is another method of identifying the originating Client IP address. Some external proxies and domains require this information.

Set User In Header

Define if the authenticated username should be included in the header or not. Some external proxies and domains require this information.

Note

The above mentioned settings include 3 possible values: Set, Forward & Remove. Set - if this value is selected, then the specific input (Client IP/XFF/Username) is included in the header. Forward - forward the header as it was, unchanged. Remove - if the header includes Client IP/XFF/Username in it, it will be explicitly removed.

Note

Some security services, e.g., google reCAPTCHA, will not work unless Client IP and XFF are SET in the header.

Enable Redirection Mode

Enable Shield to work in Redirection Mode (when required, per system deployment)

Note

Redirection Mode is relevant per system deployment. In this mode, requests are redirected from the gateway to Shield, without passing through the built-in Shield proxy.

Remain Within Shield Boundary

Relevant to Redirection Mode - define whether Shield session redirected links should be shielded as well, or not. When enabled, all links opened from a Shield session will be opened as Shield sessions as well, regardless of the existing proxy definitions.

Route All Connections Via Browsers Farm

Define if ALL traffic will be passed to the Browsers Farm or not. When enabled, all traffic (including whitelisted domains and allowed applications) is passed via to the Browsers Farm (via the Ext-Proxy). When disabled, whitelisted domains will go directly from the Shield-Core Server (AuthProxy) to the internet.

Use Upstream Proxy

Enable the use of an upstream proxy. Disabled by default. When an upstream proxy is used, use this setting to allow Shield to connect to it. Setting it to Yes will open the Upstream Proxy Configuration sub-section, that include following fields:

Upstream Proxy Address

Populate this field with the upstream proxy address to connect to. This field is mandatory if the upstream proxy is enabled.

Upstream Proxy port

Populate this field with the upstream proxy port to connect to. If not populated, the default port of 3128 will be used.

Upstream Proxy Username

If the upstream proxy requires credentials, populate this field with the username. Make sure to update the password field as well.

Upstream Proxy Password

If the upstream proxy requires credentials, populate this field with the password. Make sure to update the username field as well.

Use Client Certificate Authentication

Enable the use of a client certificate authentication, when one is required by an upstream proxy. Disabled by default. If enabled, make sure to upload the certificate public and private keys.

Upload Client Certificate Public Key

Select and upload the client certificate public key (.crt file). Make sure to upload the private key as well.

Upload Client Certificate Private Key

Select and upload the client certificate private key (.key file). Make sure to upload the public key as well.

Bypass Upstream Proxy For Listed Functionality

When using upstream proxy in the system, some internal functionalities may malfunction when trying to connect via the upstream proxy. At other times it is simply redundant and may cause system overhead. The functionalities are File Sanitization, Email Alerts & Post Alerts. When set to Yes, Shield will connect directly to the relevant servers (File Sanitization server, email etc.) and not via the upstream proxy.

Content Isolation

Allow Resources

Allow requests that are identified as resources (not HTML pages) to be opened not via Shield (whitelisted). To block resources requests - set to No (in this case, if a page includes resources, they will not be displayed).

Allow Non Get Requests

Allow non HTTP Get requests (whitelisted). To block non HTTP Get requests - set to No.

Allow FTP

Allow requests that are identified as File Transfer Protocol (FTP) to be opened not via Shield (whitelisted). In this case, files will not be sanitized. To block FTP requests, set to No.

Allow Potential Phishing Detection

Enable the potential phishing detection mechanism that is included in Shield. When allowed - sites are monitored for phishing activies. To disable - set to No.

Potential Phishing Detection Action

When a potential phishing site is found, there are 4 available actions that can be performed:

  • Block - access to this site is completely denied.
  • Read-Only - user receives a warning message about the potential risk of this site and may open it in read-only mode.
  • Warning - user receives a warning message about the potential risk of this site, but access is allowed (after confirming the message).
  • Notification - user is notified about the potential risk of this site.

Note

When the potential phishing mechanism is enabled, and a user browses to a domain which is identified as potential phishing site - this domain will be handled according to the defined action (block/read-only/warning). This is true even if this domain is defined in the policies table explicitly. All connections marked as potential phishing sites will appear in the Connections report with the phishing reference in the Matched Reason column, including the action (Block/Read-Only/Warning/Notification).

End User Options

Allow End User Shield Indicator

Define whether a visual indicator is displayed when using Shield browser. When set to Yes, a default string/icon (⭐ ) appears in the tab name, prior to the domain name.

This default string can be modified via the translation strings (STR_END_USER_INDICATOR). For more details, go here.

Allow End User To Send Feedback

Allow end user to send feedback about a specific website. Set to Yes - the right click menu will include the Send Feedback option. All related feedback settings (channels etc.) are defined in the Alerts section.

Allow End User To Pause Shield

Allow end user to pause Shield, thus temporarily whitelist the domain. Set to Yes - the right click menu will include the Pause Shield & Reload option. Valid according to the duration setting (see below). When the user selects this option, the page is reloaded, this time in white mode. For Production - set to No (more secure).

Pause Shield Session Duration (min)

The duration to keep a domain whitelisted when end user chose to pause Shield and reload (relevant for a specific domain only).

Dynamic Nodes

Note

This is a Tech-Preview feature. This sub-section will be visible only if the Enable Tech-Preview Features is set to Yes.

Enable Dynamic Nodes

Enable the use of the dynamic nodes in the system. When set to Yes, connections will be done via the URL detailed below.

Dynamic Nodes Farm URL

Define the URL of the dynamic nodes webserver. Must be populated if the Enable Dynamic Nodes is set to Yes.