ClarkConnect Administration Manual Revised: January, 2008
http://www.clarkconnect.com
Table of Contents

Introduction 8
  Welcome 8
  Features 8
  What's New 9
  Comparing Software Editions 9
System Requirements 9
  Overview 9
  Network Cards 9
    PCI Network Cards 9
    ISA Network Cards 10
    Wireless Network Cards 10
  Internet Connection 10
    Cable Modems 10
    DSL and PPPoE 10
    Wireless 10
    ISDN 10
  Links 10
Compatibility 10
  Overview 10
  Vendors 11
    Recommended 11
    Not Recommended 11
  RAID Compatibility 11
RAID Support 11
  Overview 11
    Software RAID 12
    Hardware RAID 12
  Links 12
Installation 13
  Starting the Install 13
    Installation CD 13
    Starting the Installation 13
  Configuration Options 13
    Selecting Your Server Type 13
    Selecting Your Network Connection Type 13
    Selecting Your Network Card Drivers 13
    Configuring Your Network 14
    Configuring Your Network - PPPoE 14
    Configuring Your LAN IP Address 14
    Selecting Your Hostname - Password - Timezone 15
    Selecting Your Hard Disk Partitioning Settings 15
    Selecting Your Software 15
  Configure Partitioning and RAID 16
    Overview 16
    Select Advanced Partitioning 16
    Using the Disk Druid Partition Tool 16
    Example: Software RAID 1 16
    Testing Software RAID 18
    Links 18
  Troubleshooting 18
Page 2 of 214
    Overview 18
Network Configuration 18
  Overview 18
  Configuration 19
    Network 19
    Interfaces 20
  Accessing Login Prompt 20
LAN Configuration 20
  Overview 20
    Network Settings 21
  Windows 95/98 21
    Step 1 - Control Panel 21
    Step 2 - IP Address 22
    Step 3 - Gateway Settings 23
    Step 4 - DNS Settings 23
  Windows 2000 24
    Step 1 - Network Connections 24
    Step 2 - Configuring TCP/IP 26
  Windows XP 28
    Step 1 - Control Panel 28
    Step 2 - Select IP Properties 29
    Step 3 - IP Address 30
    Step 4 - DNS Settings 30
Web-based Administration 30
  Overview 30
  Access 31
    Certificate Warning 31
    Username and Password 31
    Technical Notes 31
  Help 31
  Next Step 32
System Registration 32
  Overview 32
  System Activation 32
    Create an Online Account 32
    Complete Registration Wizard 32
Software Modules 33
  Overview 33
  Finding a Module 33
  Installing a Module 33
Software Modules via Apt 33
  Overview 33
  Finding a Module 34
  Installing a Module 34
  Troubleshooting 35
Network Settings 35
  Bandwidth 35
    Overview 35
    Services 36
    How It Works 36
    Configuration 36
    Units - kbit/s, kbps, Mbps and Other Confusing Notation 37
    Links 37
  DHCP Server 37
    Overview 37
    Installation 38
    Configuration 38
    Common Errors 40
    Links 40
  Hosts and DNS Server 40
    Overview 40
    Configuration 40
    Tips and Tricks 40
    Links 40
  IP Settings 41
    Overview 41
    Configuration 41
    Configuration from the Console 42
    Troubleshooting 43
  Multi-WAN 44
    Overview 44
    Network Tools 47
    UPnP 48
    Wireless Card Configuration 48
Firewall 50
  1 to 1 NAT 50
    Overview 50
    Installation 50
    Configuration 50
  Advanced 52
    Overview 52
    Installation 52
    Configuration 52
    Links 52
  DMZ 52
    Overview 52
    Installation 52
    Configuration 53
    Links 53
  Group Manager 54
    Overview 54
    Installation 54
    Configuration 54
  Incoming 55
    Overview 55
    Configuration 55
  Outgoing 56
    Overview 56
    Configuration 56
    Troubleshooting 58
    Links 58
  Peer-to-Peer 58
    Overview 58
    Installation 58
    Configuration 58
    Troubleshooting 58
    Links 59
  Port Forwarding 59
    Overview 59
    Configuration 59
    Troubleshooting 60
Security 60
  Intrusion Detection 60
    Overview 60
    Services 61
    Configuration 61
    Links 61
  Intrusion Prevention 61
    Overview 61
    Services 61
    Configuration 61
    Troubleshooting 62
    Links 62
Account Manager 62
  Users 62
    Overview 62
    Configuration 63
    Tips and Tricks 64
    Links 64
  Groups 64
    Overview 64
    Configuration 64
System Tools 65
  Backup and Restore 65
    Overview 65
    Installation 65
    Configuration 65
    Troubleshooting 66
  Date 66
    Overview 66
    Configuration 66
  Encrypted File Systems 67
    Overview 67
    Installation 67
    Configuration 67
    Troubleshooting 68
    Links 69
  Language 69
    Overview 69
  Running Services 69
    Overview 69
  Shutdown and Restart 69
    Overview 69
  E-Mail Notification/Alert (SMTP Relay) 69
    Overview 69
    Installation 70
    Configuration 70
    Test Relay 71
    Examples 71
    Links 72
  SSL Certificate Manager 72
    Overview 72
    Installation 73
    Configuration 73
    Troubleshooting 86
    Links 87
    Webconfig 87
Modules 87
  Database 87
    MySQL 87
  Email 88
    Antispam 88
    Antispam - Quarantine 90
    Antispam - Training 91
    Antivirus 92
    Aliases 93
    Mail Archive 95
    Mail Filters (Greylisting) 102
    Maildrop 104
    POP and IMAP 105
    Mail Server - SMTP 109
    Webmail 114
  File Services 115
    Flexshare 115
    FTP Server 128
    Windows-Samba 129
    LAN Backup and Recovery 132
  Printing 160
    Print Server 160
  Web Proxy 161
    Access Control 161
    Banner Ad and Pop-up Blocker 166
    Content Filter 167
    Web Proxy 170
  Groupware 174
    Groupware Configuration 174
  VPN 193
    PPTP 193
    IPsec 198
  Entertainment 201
    Photo Gallery 201
  Web 202
    Web Server 202
Reports 207
  Current Status 207
    Overview 207
  Dashboard 207
    Overview 207
  Intrusion Detection 207
    Overview 207
  Logs 207
    Overview 207
ClarkConnect Administration Manual SMTP Mail............................................................................................................................... Overview............................................................................................................................. Statistics.................................................................................................................................. Overview............................................................................................................................. Installation........................................................................................................................... Statistics.............................................................................................................................. Links.................................................................................................................................... Web Proxy............................................................................................................................... Overview............................................................................................................................. Report Types....................................................................................................................... Web Server.............................................................................................................................. Overview............................................................................................................................. Installation........................................................................................................................... Configuration....................................................................................................................... 
Links....................................................................................................................................
208 208 208 208 208 208 209 209 209 210 214 214 214 214 214
Page 7 of 214
ClarkConnect Administration Manual
Introduction
Welcome
Thank you for choosing ClarkConnect. ClarkConnect is a server Operating System (OS) that provides enterprise-level network security and application services to the Small/Medium-sized Business (SMB) market. It protects against incoming threats, enables your organization to enforce outgoing policy and increases productivity through integration of services.
Configuration using an easy-to-use web interface helps keep the required knowledge of Linux to a minimum. You should, however, have at least a working knowledge of basic network concepts in order to make optimal use of the installation wizard. This document describes how to install and configure your ClarkConnect server/gateway. The following are required:
● x86 based hardware for the server
● a DSL or cable modem Internet connection
● a small network
Features
The following features are included in ClarkConnect:
● Web-based manager
● Auto software updates
● Stateful firewall
● Multi-WAN support
● Intrusion detection
● Peer-to-peer manager
● Internal DHCP server
● Caching DNS server
● RAID support
● Multi-processor support
● Intrusion prevention
● 1-to-1 NAT support
● DMZ support
● Egress blocking support
● PPTP & IPSec VPN
● Managed/Dynamic VPN
● Dynamic DNS
● Groupware/Collaboration
● Flexshares
● SMTP server
● Antispam
● (Dual) Antivirus
● POP and IMAP servers
● Webmail
● Banner ad blocking
● Web proxy
● Content filtering
● Bandwidth manager
● Web server (HTTP)
● PHP support
● MySQL support
● SSL certificate manager
● SSL support (HTTPS)
● FTP server
● Mail Archive
● Encrypted Volumes
● Print sharing (CUPS)
● File sharing (SAMBA)
● LAN/server backup
● Health monitoring/alerts
● Daily security audit
● Active OSS community
● Developer API
● SOAP support
● Linux 2.6 kernel
● Technical support
What's New
Release notes are available at http://www.clarkconnect.com/help/release_notes.
Comparing Software Editions A comparison chart of available ClarkConnect editions is available at: http://www.clarkconnect.com/info/compare.php
System Requirements Overview General hardware requirements and recommendations are listed at: http://www.clarkconnect.com/info/requirements.php.
Network Cards
PCI Network Cards
Generally, Linux does a good job at auto-detecting hardware. Most mass-market PCI network cards are supported. Refer to the Red Hat Hardware Compatibility List (https://hardware.redhat.com/?pagename=hcl&view=advsearch#form) to check the compatibility of your network card. If you see your network card listed for an older version of Red Hat, then the card is almost certainly also supported in more recent versions. If you plan on buying new network cards for ClarkConnect and have two spare PCI slots, then save yourself some time and select network cards that are designated 100% compatible.
ISA Network Cards Do you only have ISA slots available or older ISA network cards around? You can still install the ClarkConnect software, but it will take some extra work to get the network cards working. You may have to edit the driver configuration file.
Wireless Network Cards Though wireless card drivers are included in ClarkConnect, we cannot guarantee compatibility. For this reason, wireless network cards are not recommended. Instead, we suggest purchasing a dedicated wireless router for your network.
Internet Connection ClarkConnect supports most DSL (including PPPoE) and cable modem broadband Internet connections. We do not expect to add support for ISDN or satellite broadband at present. However, if you have had success with getting Linux working on such a system, then please let us know. We want to hear from you!
Cable Modems Most cable modem Internet service providers will include a standard Ethernet card and external modem to enable your high-speed Internet connection. The days of proprietary software and logins are mostly behind us, so you should be able to set up ClarkConnect without too much tinkering. However, some cable modem providers may still have some quirks. Fortunately, Vladimir Vuksan has put together a great resource of Cable Modem Providers. If you are having trouble getting ClarkConnect to work with your cable ISP, check http://tldp.org/HOWTO/Cable-Modem for some troubleshooting tips.
DSL and PPPoE During the ClarkConnect installation process, you will be asked which type of DSL service you use - PPPoE or Standard. These are mutually exclusive implementations, so you will need to select the correct type during installation. It is very important to know how your Internet service provider configures your network. If you are not sure, ask the ISP's technical support staff before you begin.
Wireless The software supports wireless networks. Make sure you select a supported wireless card.
ISDN We do not support ISDN Internet service providers.
Links
● RAID support and compatibility
Compatibility
Overview
ClarkConnect 4.x is based on Red Hat Enterprise Linux 4. For the most part, hardware that is compatible with Enterprise Linux will be compatible with ClarkConnect. To check compatibility, consult the online Red Hat Compatibility Guide - Version 4. Keep in mind that there are many other hardware products that are compatible -- the list is not exhaustive. Here are some tips when selecting hardware:
● Avoid the latest technologies and chipsets. This will reduce the likelihood of compatibility issues and the possible reliability issues that might come with unproven hardware.
● Avoid desktop systems. You may save a few hundred dollars on a desktop system, but they are more likely to fail when used as a server/gateway. In case you missed the previous bullet point, avoid desktop systems.
● Check the vendor's web site for Linux compatibility. If you can purchase ServerXYZ with a version of Red Hat Enterprise Linux pre-installed, then the system is very likely compatible with ClarkConnect.
Vendors When it comes to Linux support, some hardware vendors are better than others.
Recommended
The following vendors ship servers with Linux pre-installed and have a good record when it comes to driver support. You should still check the Red Hat Compatibility Guide - Version 4, especially on any new models.
● Dell servers (not desktops)
● HP servers
● IBM servers
Not Recommended
The following vendors have a poor track record for Linux support.
● Supermicro
● Promise
● Dell Optiplex desktops
RAID Compatibility See RAID Support.
RAID Support
Overview
Both software and hardware RAID are supported in ClarkConnect. If you plan on implementing hardware RAID, please read the section below regarding supported hardware. Before you decide to purchase an expensive hardware RAID controller card, consider the following passage from the experts at O'Reilly.
"Software RAID has unfortunately fallen victim to a FUD (fear, uncertainty, doubt) campaign in the system administrator community. I can’t count the number of system administrators whom I’ve heard completely disparage all forms of software RAID, irrespective of platform. Many of these same people have admittedly not used software RAID in several years, if at all. Why the stigma? Well, there are a couple of reasons. For one, when software RAID first saw the light of day, computers were still slow and expensive (at least by today’s standards). Offloading a high-performance task like RAID I/O onto a CPU that was likely already heavily overused meant that performing fundamental tasks such as file operations required a tremendous amount of CPU overhead. (...) But today, even multiprocessor systems are both inexpensive and common."
The rest of the passage is available online in the sample chapter: Managing RAID on Linux from O'Reilly. The book is an excellent resource and highly recommended!
Software RAID You can implement software RAID in ClarkConnect by selecting the Advanced Partitioning option during the installation wizard and then following the detailed instructions in the Red Hat 9 User Guide: ● Partitioning Your System ● Software RAID Configuration
Hardware RAID
Some hardware RAID controller cards are not true hardware controller cards. They are simple IDE controllers with BIOS and drivers to do software RAID. If redundancy is your primary concern, then software RAID will serve you better than a quasi-hardware RAID card. To quote (again) from the Managing RAID on Linux book from O'Reilly:
"The low-end (RAID) controllers are, in essence, software RAID controllers because they rely on the operating system to handle RAID operations and because they store array configuration information on individual component disk. The real value of the controller is in the extra ATA channels."
Supported hardware RAID cards:
● Adaptec SCSI - 200x, 21xx, 22xx, 27xx, 28xx, 29xx, 32xx, 34xx, 39xx, 54xx
● Adaptec IDE - 2400A
● 3ware IDE - Escalade 3W 5xxx/6xxx/7xxx
Non-supported, but may work:
● Check the Serial ATA (SATA) on Linux web site
Non-supported and not recommended:
● Most Promise hardware, notably FastTrak100 TX and FastTrak TX2000
● Adaptec ATA RAID 12xx
As a rule of thumb, if a hardware card is under USD $150, then it is probably not true hardware RAID (and therefore likely not supported).
Links
● Serial ATA (SATA) Technical Guide
Installation
Starting the Install
Installation CD
A bootable CD drive is required to install the ClarkConnect software. The rest of the software is installed from the CD-ROM or directly over your high-speed Internet connection.
Starting the Installation
The contents of all your hard disks on the target computer will be completely erased.
● If necessary, change your BIOS settings to run bootable CDs
● Insert the ClarkConnect CD
● Turn on your target computer
● Follow the installation wizard
Configuration Options
Selecting Your Server Type
ClarkConnect now supports standalone server mode. This mode is used to create a server on a local area network (behind an existing firewall). Only one network card is required. Gateway mode allows your system to act as a firewall and server for your local network and requires at least two network cards. If you have two or more network cards installed in the server and want to protect your local network against threats originating from the Internet, then select gateway mode.
Selecting Your Network Connection Type If you are installing with a CD-ROM, you will need to select the type of Internet connection you have (DSL, DSL/PPPoE, Cable).
Selecting Your Network Card Drivers
You will need to manually configure your network card settings if the installer does not automatically detect the driver. Most ISA-based network cards may also require the I/O and IRQ settings for the driver. See the Linux Ethernet HOWTO and ISA Network Cards for some tips and tricks.
Configuring Your Network Unless your Internet Service Provider (ISP) provides a static IP address, it is recommended that you use Dynamic IP Configuration. If your ISP assigns a static IP you will need to enter the individual TCP/IP settings as provided by your ISP. Make sure you have these settings available during the installation process.
Configuring Your Network - PPPoE
ClarkConnect supports PPPoE DSL connections. Add the username and password provided by your ISP on this screen. Some ISPs do not hand out DNS server addresses over PPPoE; for those, you will also need to specify the DNS servers manually.
Configuring Your LAN IP Address
If you are installing ClarkConnect as a gateway, you must specify the network settings for your local area network. The LAN hostname can be used instead of the IP address for many network tools. For instance, you will be able to access the web-based administration tool at https://<LAN hostname>:81 in your web browser.
Selecting Your Hostname - Password - Timezone The next few screens will ask for your system name, system password and time zone. Do not forget your system password!
Selecting Your Hard Disk Partitioning Settings If you would like to specify your own partition scheme, then you should select "yes" on the "Select Partition Type" screen. The Advanced Partitioning screen will appear in the second stage of the installation process... don't panic!
Selecting Your Software Select the software components to install on your system. Not all the modules (including AppleTalk and Junkbuster) are shown here - don't panic. With the ClarkConnect web-based configuration, you can add other modules at any time.
Configure Partitioning and RAID Overview For some installations, you may want to define a custom partition scheme instead of using the default. Typically, custom partitioning is required for: ● Software RAID ● Creating a separate /home partition ● Data redundancy with DRBD
Select Advanced Partitioning
If you do not wish to use the default partitioning scheme on your system, then select advanced partitioning in the installation wizard (see screenshot). The tool for creating partitions will appear at a later stage in the installer. Continue with the rest of the installation wizard after selecting the partition type on this screen.
Using the Disk Druid Partition Tool When the installer displays a disk partitioning setup page, select the Disk Druid option on this screen. The documentation for this partitioning tool is available here: ● Disk Druid Documentation
Example: Software RAID 1
Using software RAID is a common way to protect against a hard disk failure. Here is a step-by-step guide to implement Software RAID 1 on regular IDE hard disks.
Preparing the Hardware
For software RAID 1, you need two hard disks. Since the RAID partitions on both hard disks must be of equal size, it is a good idea to use two hard disks with (roughly) the same storage capacity. In our example, we are using two IDE disks on two different disk controllers. These hard disks are detected in Linux as:
● /dev/hda
● /dev/hdc
Deleting Existing Partitions
Some hard disks may have partitions already defined. These existing partitions (if any) must first be deleted.
● Use the tab key to move to the main window (one tab after highlighting the Back button)
● Use the up/down arrows to select a partition
● Use the tab key to highlight the Delete button and hit return
● Repeat until all partitions are deleted
Creating the Swap Partition
After all the partitions are deleted, we can start our RAID configuration. First, we are going to start with the swap partitions. Putting swap on a software RAID partition is not recommended. For this reason, simply create swap partitions on both hard disks.
● Tab to the New button and hit return
● Tab down to File System Type and select swap
● Tab to Allowable Drives and mark only hda (take the mark off hdc)
● Tab down to Size (MB) and type in the size of your RAM in megabytes (MB)
● Tab down to OK and hit return
Repeat the same process, but this time mark hdc as an allowable drive and take the mark off hda.
Creating RAID Partitions
The boot partition (/boot) is where we are going to start with our RAID solution.
● Tab to the New button and hit return
● Tab down to File System Type and select software raid
● Tab to Allowable Drives and mark only hda (take the mark off hdc)
● Tab down to Size (MB) and type in 100
● Tab down to OK and hit return
Repeat the same process, but this time mark hdc as an allowable drive and take the mark off hda. Now that we have two identical 100 MB partitions on both disks, we can create the software RAID device:
● Tab to the RAID button and hit return
● Type /boot in the Mount Point field
● Tab to RAID Level and select RAID1
● Tab to RAID Members and make sure the two partitions created earlier are selected
This example creates the /boot partition. Go through the same process for the root partition (/) and optionally any other partition that you want to create (/home, /var, etc.).
Configuring the Boot Loader
We are almost done with the software RAID configuration. Next, the installation wizard will ask for the boot loader settings.
● Select Grub as your boot loader
● Disable the boot password (unless you really need it; note that without it anyone with physical console access can edit the boot parameters, for example to boot into single-user mode)
If you have trouble booting up your system with Grub, you can use the Lilo boot loader as an alternative. However, you will need to type the following on the first installation screen: linux lilo.
If the secondary disk fails (/dev/hdc), then the system will still be bootable. If the primary disk fails (/dev/hda), then your system will not boot, because the boot loader was only installed on the first disk. In order to make the secondary disk bootable as well, run the following command after the installation:
# grub-install /dev/hdc
Or:
# grub-install --recheck /dev/hdc
Your BIOS must also be able to boot from the second disk (or you must move it to the first controller) for this to help.
Testing Software RAID
If you would like to sanity check your RAID system, then:
● Power down the machine
● Unplug the data connector from the drive (just unplugging the power is going to make the BIOS unhappy and the system will not be bootable)
● Power up the machine
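Once the machine is back up, the kernel's own view of every array is in /proc/mdstat, and that is where the result of the test shows. The script below is an added example written for this section, not a ClarkConnect tool: it reads a /proc/mdstat-style file, prints one line per array and exits non-zero when any array is missing a member (an "_" in its member map) or is still rebuilding. After pulling a drive you should see DEGRADED; once the drive has been added back to the array and the rebuild has finished, the check should pass again. The two sample inputs are constructed to match the two-disk (/dev/hda, /dev/hdc) layout used above.

```shell
#!/bin/sh
# Added example, not part of the ClarkConnect manual: a health check for
# Linux software RAID that reads a /proc/mdstat-style file and reports
# every array. Exit status 0 means all arrays have every member present;
# 1 means at least one array is degraded (an "_" in its member map) or a
# rebuild (recovery/resync) is in progress.
check_mdstat() {   # usage: check_mdstat [file]   (default /proc/mdstat)
    awk '
        # "md0 : active raid1 hdc1[1] hda1[0]" opens an array block
        /^md[0-9]+ *:/ { name = $1; next }
        # its "blocks" line ends with the member map, e.g. [UU] or [U_]
        name != "" && /blocks/ {
            map = $NF
            if (map ~ /_/) { printf "%s DEGRADED %s\n", name, map; bad = 1 }
            else           { printf "%s ok %s\n", name, map }
            name = ""
            next
        }
        /recovery|resync/ { printf "  rebuild in progress: %s\n", $0; bad = 1 }
        END { exit bad ? 1 : 0 }
    ' "${1:-/proc/mdstat}"
}

# Constructed sample inputs (two disks, hda and hdc, as in the walk-through
# above); on a real system the input is /proc/mdstat itself.
sample_healthy() {
    cat <<'EOF'
Personalities : [raid1]
md1 : active raid1 hdc2[1] hda2[0]
      9767424 blocks [2/2] [UU]

md0 : active raid1 hdc1[1] hda1[0]
      104320 blocks [2/2] [UU]

unused devices: <none>
EOF
}

sample_degraded() {
    cat <<'EOF'
Personalities : [raid1]
md1 : active raid1 hda2[0]
      9767424 blocks [2/1] [U_]

md0 : active raid1 hdc1[1] hda1[0]
      104320 blocks [2/2] [UU]

unused devices: <none>
EOF
}

# Stand-alone use: "sh raidcheck.sh live" checks the running system,
# "sh raidcheck.sh healthy" or "... degraded" runs a constructed sample.
case ${1:-} in
    live)     check_mdstat /proc/mdstat ;;
    healthy)  sample_healthy  | check_mdstat /dev/stdin ;;
    degraded) sample_degraded | check_mdstat /dev/stdin ;;
esac
```

The member map is the last field of the "blocks" line, so the same check works for the RAID 1 pair built above and for larger arrays (a RAID 5 map such as [UU_] is caught the same way). Running it from cron and mailing on a non-zero exit turns the one-off test into ongoing monitoring of the mirror.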
Links
● Software RAID Howto
● Old Red Hat Installation Guide
Troubleshooting
Overview
There are thousands of pieces of hardware and related drivers available for use in the PC world. The advantage: consumer choice. The disadvantage: hardware compatibility issues are common. There are several debug screens in the installer that can help when an installation fails. Use the Alt-FX key combination to view:
● Alt-F1: main install screen
● Alt-F2: command line (not always available)
● Alt-F3: general log
● Alt-F4: driver log
● Alt-F5: hard disk / CD log
Network Configuration
Overview
When you start the system for the first time, you will be taken to a login screen for the network console tool. The purpose of this console tool is to configure your network settings. After you login with your system password, you will see a screen similar to the one shown below.
Once your network is up and running, open a web browser on any desktop or laptop. You can then use the web-based administration tool to configure other applications in ClarkConnect.
Configuration
Network Mode
The ClarkConnect system can run in four modes:
● Standalone Mode - No firewall - for a standalone server without a firewall (1 network card)
● Standalone Mode - for a standalone server with a firewall (1 network card)
● Gateway - for connecting your LAN to the Internet (2 network cards)
● DMZ - for connecting a LAN and a DMZ to the Internet (3 network cards)
Hostname A hostname is the full name of your system. If you have your own domain, you can use a hostname like gateway.example.com, mail.example.com, etc. If you do not have your own domain then make one up, for instance: gateway.lan, mail.lan. The hostname does require at least one period (.).
Name/DNS Servers On DHCP and DSL/PPPoE connections, the DNS servers will be configured automatically. In these two types of connections there is no reason to set your DNS servers. Users with static IP addresses should use the DNS servers provided by your Internet Service Provider (ISP).
Interfaces The network interface section of the console tool lets you configure the roles and settings of each network card on the system. More information is provided in the IP Settings section of the user guide.
Accessing Login Prompt If you are an advanced user and would like to access the standard login prompt, hit Alt-F2 on your keyboard. To return to ClarkConnect console, hit Alt-F7 (Alt-F1 for versions 4.0 or earlier).
LAN Configuration
Overview
All of the computers and devices on your network should have IP addresses between 192.168.x.2 and 192.168.x.254. When you are configuring your network, you have two choices:
● Manually set the IP address to a specific number (static IP), or
● Allow ClarkConnect to automatically set the client IP address (via the DHCP server).
If you configure devices with static IP addresses, make sure you only use an address between 192.168.1.2 and 192.168.1.99, so that it cannot collide with an address the DHCP server hands out. ClarkConnect includes a caching DNS server, but you can use your Internet Service Provider's DNS servers instead if you wish.
Network Settings
Feature                    Default
ClarkConnect IP Address    192.168.1.1
Available static IPs       192.168.1.2 - 192.168.1.99
Addresses used by DHCP     192.168.1.100 - 192.168.1.254
DNS Servers                192.168.1.1 and/or your ISP's DNS servers
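The address plan in the table only holds if every static client really sits in the static range, on the same subnet as the gateway, and outside the DHCP pool. The shell script below is an added example written for this section, not a ClarkConnect tool: it checks a planned static address against those ranges and says why an address is rejected. The ranges and netmask are assumptions copied from the default table; change the variables at the top if your LAN was configured differently during installation.

```shell
#!/bin/sh
# Added example, not part of the ClarkConnect manual: sanity-check a planned
# static client address against the default LAN layout from the table above.
# The values below are assumptions taken from that table; change them if
# your LAN was configured differently.
GATEWAY=192.168.1.1
NETMASK=255.255.255.0
STATIC_FIRST=192.168.1.2
STATIC_LAST=192.168.1.99
DHCP_FIRST=192.168.1.100
DHCP_LAST=192.168.1.254

# Print a dotted quad as a 32-bit integer; fail on anything that is not four
# decimal octets in 0-255 (no leading zeros, no stray characters).
ip_to_int() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|0[0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Exit 0 if the address may be assigned statically, 1 with a reason otherwise.
check_static_ip() {
    ip=$(ip_to_int "$1") || { echo "$1: not a valid IPv4 address"; return 1; }
    gw=$(ip_to_int "$GATEWAY"); mask=$(ip_to_int "$NETMASK")
    # Same subnet as the gateway: the network parts (addr & mask) must agree.
    if [ $(( ip & mask )) -ne $(( gw & mask )) ]; then
        echo "$1: not on the $GATEWAY/$NETMASK LAN"; return 1
    fi
    if [ "$ip" -eq "$gw" ]; then
        echo "$1: is the ClarkConnect address itself"; return 1
    fi
    if [ "$ip" -ge "$(ip_to_int $DHCP_FIRST)" ] && [ "$ip" -le "$(ip_to_int $DHCP_LAST)" ]; then
        echo "$1: inside the DHCP pool $DHCP_FIRST - $DHCP_LAST; the server may hand it to another client"; return 1
    fi
    if [ "$ip" -lt "$(ip_to_int $STATIC_FIRST)" ] || [ "$ip" -gt "$(ip_to_int $STATIC_LAST)" ]; then
        echo "$1: outside the static range $STATIC_FIRST - $STATIC_LAST"; return 1
    fi
    echo "$1: ok for a static client"
}

# Stand-alone use:  sh lancheck.sh 192.168.1.50 192.168.1.150
for addr in "$@"; do check_static_ip "$addr"; done
```

Run it against the list of addresses you intend to type into workstations before you do so; an address that lands in the DHCP pool will work until the day the server leases it to someone else, which is the kind of intermittent conflict that is hardest to diagnose afterwards.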
Windows 95/98
To set up networking in the Windows 95/98 environment...
Step 1 - Control Panel
● Click on the Start button, then follow the menu to Settings > Control Panel
● Double-click on the Network icon to bring up a window that will look similar to the screenshot
● Select TCP/IP and click on the Properties button.
Step 2 - IP Address
On the IP Address tab, you can select Obtain an IP address automatically and ClarkConnect will automatically assign an IP address for you. Alternatively, you can choose Specify an IP address (as shown in the screenshot). Make sure you pick an address between 192.168.1.2 and 192.168.1.99. The subnet mask is always 255.255.255.0.
Step 3 - Gateway Settings Click on the Gateway tab. If you decided to let ClarkConnect assign your IP address automatically, then there is no need to add an Installed Gateway. Your ClarkConnect software will automatically handle this for you. If you decided to specify your IP address, then you will need to add 192.168.1.1 to the list of installed gateways (as shown).
Step 4 - DNS Settings If you decided to let the ClarkConnect assign your IP address automatically, then you can select Disable DNS. ClarkConnect will automatically configure these settings. If you decided to specify your IP address, then you will need to add 192.168.1.1 to the DNS Server Search Order list (as shown). You should also add a host name and then add "lan" as the domain. If you prefer to bypass the ClarkConnect DNS cache, you can add the DNS servers given by your Internet service provider.
Windows 2000
To set up networking in the Windows 2000 environment...
Step 1 - Network Connections
● Click on the Start button, then follow the menu to Settings > Network and Dial-up Connections
● Right-click on the Local Area Connection icon and go to Properties.
If the Local Area Connection Properties does have Internet Protocol (TCP/IP) go to Step 2 Configuring TCP/IP. If the Local Area Connection Properties does not have Internet Protocol (TCP/IP), you will need to install it using the Install button.
The "Select Network Component Type" dialog box will appear.
● Select "Protocol" and click on Add. The enumeration of the protocols will take a minute or so.
● Select "Microsoft" from the left panel and select Internet Protocol (TCP/IP) from the right panel.
● Click the OK button.
Step 2 - Configuring TCP/IP You can configure the TCP/IP properties by clicking on the properties button in the Local Area Connection dialog box.
Select "Obtain an IP address automatically" and ClarkConnect will automatically assign an IP address for you.
Alternatively, you can choose "Use the following IP address:" and enter the IP address, subnet mask, default gateway and DNS server addresses. If you have more than two DNS servers, use the Advanced button at the bottom of the dialog box to specify the addresses and the order in which they are used.
Windows XP
To set up networking in the Windows XP environment:
Step 1 - Control Panel
● Click on the Start button, then follow the menu to Settings > Control Panel
● Double-click on Network Connections
● Right-click on Local Area Connection and go to Properties
Step 2 - Select IP Properties Select TCP/IP and click on the Properties button.
Step 3 - IP Address
On the General tab, you can select Obtain an IP address automatically and ClarkConnect will automatically assign an IP address for you. Alternatively, you can choose Use the following IP address (as shown in the screenshot). Make sure you pick an address between 192.168.1.2 and 192.168.1.99. The subnet mask is always 255.255.255.0, and the default gateway is 192.168.1.1.
Step 4 - DNS Settings
If you decided to let ClarkConnect assign your IP address automatically, then select Obtain DNS server address automatically; ClarkConnect will configure these settings for you. If you decided to specify your IP address, then select Use the following DNS server addresses and enter 192.168.1.1 as the preferred DNS server. If you want short host names such as "mail" to resolve, click Advanced, open the DNS tab and enter "lan" as the DNS suffix for this connection. If you prefer to bypass the ClarkConnect DNS cache, you can enter the DNS servers given by your Internet service provider instead.
Web-based Administration
Overview
Once you have your network up and running with the network configuration tool, you can configure all other ClarkConnect features from the web browser of any desktop or laptop computer.
Access To access the ClarkConnect web-based administration tool, type the following into your web browser: https://IP_Address:81 for example: https://192.168.1.1:81 The IP address that you need to use was selected during installation. If you do not remember this information, you can always connect a keyboard and monitor to the system and check the network configuration tool.
Certificate Warning
You will see a warning about your security certificate (see adjacent screenshot). Your connection is still encrypted, but the server certificate was not issued by a certificate authority your browser trusts. A certificate from a commercial authority costs over $100 a year to maintain and is not necessary in this situation. Before you click the button to accept the certificate, compare the fingerprint the browser displays with the one on the server itself (for example, read from the console): an attacker between your desktop and the server could otherwise present a certificate of their own, and the browser could not tell the difference.
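Comparing fingerprints by eye is error-prone, so here is a small set of shell functions that do it. This is an added example written for this section, not ClarkConnect's own tooling: one function reads the fingerprint of the certificate the server presents on port 81 (the Webconfig port named in the Access section) using openssl s_client, one reads the fingerprint of a certificate file on the server's console (the manual does not give the file's location, so the path is whatever your install uses), and one compares the two while tolerating the different colon and case conventions browsers use. Only a complete SHA-256 value can match, so an empty or truncated fingerprint never passes by accident.

```shell
#!/bin/sh
# Added example, not part of the ClarkConnect manual: verify the Webconfig
# certificate out of band instead of blindly accepting the browser warning.

# SHA-256 fingerprint of the certificate a remote HTTPS server presents.
# Needs network access to the server and the openssl command line tool.
remote_fingerprint() {   # usage: remote_fingerprint host port
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 \
        | sed 's/^.*=//'
}

# SHA-256 fingerprint of a PEM certificate file, run on the server's console.
# The path is whatever your install uses; the manual does not name it.
local_fingerprint() {    # usage: local_fingerprint /path/to/webconfig-cert.pem
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Compare two fingerprints regardless of colons, case or whitespace.
# Succeeds only for two complete (64 hex digit) SHA-256 values that match.
fingerprints_match() {   # usage: fingerprints_match seen expected
    a=$(printf '%s' "$1" | tr -d ': \n\r\t' | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr -d ': \n\r\t' | tr 'a-f' 'A-F')
    [ ${#a} -eq 64 ] && [ "$a" = "$b" ]
}

# Fetch the server's fingerprint and compare it with the one read on the
# console; exit 1 (and say so) on any mismatch.
fingerprint_check() {    # usage: fingerprint_check host port expected
    seen=$(remote_fingerprint "$1" "$2")
    if fingerprints_match "$seen" "$3"; then
        echo "OK: $1:$2 presents the expected certificate"
    else
        echo "MISMATCH: $1:$2 presented '$seen', expected '$3'" >&2
        return 1
    fi
}

# Stand-alone use, e.g.:  sh certcheck.sh 192.168.1.1 81 AB:CD:...:EF
if [ $# -eq 3 ]; then
    fingerprint_check "$1" "$2" "$3"
fi
```

Run local_fingerprint on the server's console, carry the value to the desktop, and run fingerprint_check there; only when it reports OK is the browser warning safe to accept. Repeat the check whenever the warning reappears for a server whose certificate you have already accepted, since that is exactly what a substituted certificate would look like.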
Username and Password You will then see a login prompt (see adjacent screenshot). Login with the username root and your system password.
Technical Notes
Please note the following about the web-based administration tool:
● it uses the encrypted protocol (https instead of http)
● it runs on a non-standard port (the :81 appended to the web page address) so that it does not interfere with an existing web server
Help Every configuration page in the web-based administration tool includes a web link to the user guide. If you ever need more information on a particular page, simply click on the link (see screenshot below).
Next Step After logging in, registering your system should be your first task.
System Registration Overview ClarkConnect is much more than a collection of software packages to perform gateway and server functionality. A distributed network infrastructure (ClarkConnect Gateway Services) provides, among other things: ● Gateway Services account interface - online demo ● Software updates via FTP and APT ● DNS and dynamic DNS services ● Content filter updates ● Intrusion detection and prevention updates ● Remote port and system monitoring ● Security audits ● Remote backup/restore (Q1 2008)
System Activation Create an Online Account If you do not yet have a ClarkConnect online account, you can create one here. It is quick, painless and free!
Complete Registration Wizard With your online account information in hand, you are now ready to register your ClarkConnect system. ● Login to your system via the Webconfig UI ● Click on Services > Register > Register System in the menu ● In the first step of the wizard, enter your online account username and password The next step in the registration process (see screenshot) is important, especially for upgrades and re-installs. Make sure you select the right option.
Software Modules Overview Software modules are installed via the web-based administration tool. For users who prefer command line interfaces, you can find more information on the suite of apt tools here.
Finding a Module The web-based administration tool lists all available modules under Services > Software > Install Modules in the menu (see screenshot). This page displays the list of available modules that can be installed on your ClarkConnect system.
Installing a Module Select the module you wish to install, and hit 'Go'. Installing a module may take some time, depending on the size of the package, its dependencies, your connection speed and the load/number of connections on the apt-get repository server. Please be patient! Once complete, you will see an additional navigation link under the appropriate heading. For example, if you were installing the DMZ and 1:1 NAT firewall module, you will find the configuration pages under Network > Firewall in the menu.
Software Modules via Apt Overview For users who prefer the command line environment over the web-based interface, the apt suite of tools provides a way to search for and install modules. The following table summarizes the most commonly used commands; detailed information follows.
Finding a Module A complete listing of all packages in the apt-get repository can be found with the apt-cache search command. The most commonly used apt commands are:

Command                          Description
apt-get update                   update the list of available software packages
apt-get upgrade                  install all available updates for your current installation
apt-get dist-upgrade             install updates after a ClarkConnect upgrade
apt-get install <package>        download and install software packages
apt-cache search <search term>   search for software packages
You can narrow your search by specifying a search term. For example, if you wanted to find packages relating to the Postfix SMTP mail server, you could run apt-cache search with the search term postfix. The response would include all packages containing the search string 'postfix'.
Installing a Module The following example would install the advanced firewall rule set from ClarkConnect. The result would be something similar to the following screenshot.
Troubleshooting Do not forget to run apt-get update before you start using the suite of apt tools. If you do not run this command first, you may find yourself using obsolete software package information.
Network Settings

Bandwidth Overview
Information
Description: Manages bandwidth through the gateway.
Package Name: cc-bandwidth
Configuration Page: Network > IP Settings > Bandwidth
The bandwidth manager is used to shape or prioritize incoming and outgoing network traffic. You can limit and prioritize bandwidth based on IP address, IP address ranges, port, and port ranges.
Services The Bandwidth Monitor service provides hourly bandwidth measurements from our remote system monitors. The service is an excellent tool for monitoring your Internet Service Provider's (ISP) quality of service. This service will monitor your downstream rate, the rate at which you can receive data from an external source (download speed).
How It Works The bandwidth manager is designed to guarantee a certain speed for an IP address and/or port on your LAN (or DMZ). The bandwidth manager does not manage traffic to the ClarkConnect box itself. To demonstrate how the system works, let's go through a scenario with a voice-over-IP (VoIP) server. We have: ● a 1000 kbit/s upload and download connection to the Internet ● a voice-over-IP (VoIP) server at 192.168.1.80 on our local network ● enabled a bandwidth rule that reserves 500 kbit/s upload and download for the VoIP server In our example, the network is at first completely congested with web downloads. The VoIP server is idle, so the full 1000 kbit/s is used for the web downloads. In other words, the web downloads are allowed to "borrow" the bandwidth we have reserved for the VoIP server: a reservation is a guaranteed minimum, not a hard cap. Someone in the office then makes an outbound 4-person conference call via the voice-over-IP server. The conference call requires 300 kbit/s and the bandwidth manager goes into action. The lower priority web downloads are slowed from the maximum 1000 kbit/s to 700 kbit/s, and the higher priority conference call receives its required 300 kbit/s. Had the call needed the full 500 kbit/s, the downloads would have been cut back to 500 kbit/s.
Configuration Bandwidth Rules A bandwidth management rule contains the following six parameters.
Nickname The first parameter is an optional nickname you can use to easily identify the rule. Valid nicknames can contain alphanumeric characters (A-Z, a-z, 0-9) and optional dashes '-' or underscores '_'. Spaces are not allowed.
IP Address/Range The IP address parameter can contain: ● A single IP address ● An IP address range ● nothing If this field is left blank, then the bandwidth rule applies to all IP addresses. IP ranges can be specified using network and netmask, for example: 192.168.0.1/255.255.255.0 or 192.168.0.1/24.
Port/Range The port parameter is used to apply a bandwidth rule to a particular service. For instance, you can limit web traffic by specifying port 80. If the port is left empty, then all ports will be affected. You may also specify a colon-delimited port range. For instance, 5000:5010 would impact all the ports between 5000 and 5010.
Priority Priority provides a mechanism to prioritize traffic when all bandwidth rules are at capacity. Higher priority traffic will be given preference over lower priority traffic. There are 7 priority levels, 1 - 7, where 1 is the highest priority. By default, traffic that is not matched by a bandwidth rule will be assigned the lowest priority.
Upload The upload rate in kilobits per second. If left empty, the upload rate will be unlimited.
Download The download rate in kilobits per second. If left empty, the download rate will be unlimited. Note: If both upload and download are left empty, then the rule will be invalid.
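The VoIP scenario above, as an added example that is not ClarkConnect's own bandwidth manager code: the same reservation written as plain Linux tc commands using HTB, the queueing discipline linked at the end of this section. The functions only print the commands (so the script runs without root and without a real interface); pipe their output into sh on the gateway to apply it. Assumed, not from the manual: eth1 is the LAN interface, eth0 is the external interface, and the kernel has HTB and the u32 classifier available.

```shell
#!/bin/sh
# Added example, not ClarkConnect code. Shaping only acts on traffic
# *leaving* an interface, so the download direction (Internet -> LAN) is
# shaped on the LAN interface and the upload direction on the WAN interface.
# Interface names eth0/eth1 are assumptions for this example.

# gen_htb IFACE LINK_KBIT RESERVED_KBIT MATCH_SELECTOR
#   LINK_KBIT      total link speed (ceiling for every class)
#   RESERVED_KBIT  guaranteed rate for the matched traffic
#   MATCH_SELECTOR u32 selector for the prioritised traffic, e.g. "dst 192.168.1.80/32"
gen_htb() {
    iface=$1; link=$2; reserved=$3; selector=$4
    # Everything else is guaranteed only what is left over.
    rest=$((link - reserved))
    [ "$rest" -gt 0 ] || { echo "reserved rate must be below link rate" >&2; return 1; }

    echo "tc qdisc del dev $iface root 2>/dev/null"
    # Unmatched traffic lands in class 1:20 (the 'default' below).
    echo "tc qdisc add dev $iface root handle 1: htb default 20"
    echo "tc class add dev $iface parent 1: classid 1:1 htb rate ${link}kbit ceil ${link}kbit"
    # Reserved class: guaranteed 'rate', may borrow up to the link speed ('ceil').
    echo "tc class add dev $iface parent 1:1 classid 1:10 htb rate ${reserved}kbit ceil ${link}kbit prio 1"
    # Bulk class: lowest priority; borrows the reserved share while it is idle.
    echo "tc class add dev $iface parent 1:1 classid 1:20 htb rate ${rest}kbit ceil ${link}kbit prio 7"
    # Steer the VoIP server's packets into the reserved class.
    echo "tc filter add dev $iface parent 1: protocol ip prio 1 u32 match ip $selector flowid 1:10"
}

# Download direction: packets *to* the VoIP server leave on the LAN side.
voip_download() { gen_htb eth1 1000 500 "dst 192.168.1.80/32"; }
# Upload direction: packets *from* the VoIP server leave on the WAN side.
voip_upload()   { gen_htb eth0 1000 500 "src 192.168.1.80/32"; }

# Number of tc commands a rule set produces (used as a self-check).
count_cmds() { "$1" | grep -c '^tc '; }

voip_download
voip_upload
```

The 'rate' of class 1:10 is the manual's reservation and its 'ceil' is what lets web downloads borrow the idle share; the two priorities decide who gives way first when the link is saturated, which is exactly the Priority parameter described above.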
Peer-to-Peer Bandwidth Rules In order to manage peer-to-peer traffic, make sure you have the Peer-to-Peer module installed. Configuring bandwidth control for peer-to-peer is similar to creating a regular bandwidth rule. However, you need to specify the peer-to-peer network instead of the IP address and port.
Units - kbit/s, kbps, Mbps and Other Confusing Notation Depending on where you are and who you are talking to, different measurement units are used for bandwidth. Here are some tips to help with converting from one unit to another; capitalization is important (b is bits, B is bytes):
Unit                   Alternatives
kilobits per second    kbps   kbit/s     kb/s
kilobytes per second   kBps   kbytes/s   kB/s
megabits per second    Mbps   Mbit/s     Mb/s
megabytes per second   MBps   Mbytes/s   MB/s

Conversion tips: ● Mega is 1000 times larger than kilo ● A byte is 8 times larger than a bit Examples: ● 1 megabit per second is 1000 kilobits per second ● 1 megabyte per second is 8000 kilobits per second The bandwidth rule fields above are in kilobits per second, so a limit of 1 MB/s is entered as 8000.
Links
● Linux Advanced Routing and Traffic Control
● HTB Queueing
DHCP Server Overview
Information
Description: DHCP server for dynamically assigning IP addresses.
Package Name: cc-dnsmasq
Configuration Page: Network > IP Settings > DHCP
The Dynamic Host Configuration Protocol (DHCP) allows hosts on a network to request and be assigned IP addresses. This service eliminates the need to manually configure new hosts that join your network.
Installation If you did not select this module to be included during the installation process, you must first install the module.
Configuration Global Settings Status You can enable and disable the DHCP server at any time.
Authoritative Unless you are running more than one DHCP server on your network, enable Authoritative mode. When it is enabled, the server answers (rather than ignores) requests from hosts holding leases it does not know about, telling them to discard the old lease and request a new one. This is the case when a foreign laptop that last obtained an address on another network is plugged into your network; without Authoritative mode it would keep retrying its stale lease before giving up.
Domain Name The server can auto-configure the default domain name for systems using DHCP on your network. You can either use a registered domain (for example: example.com) or you can simply make one up (for example: lan). Example: ● A desktop system on your local network has a system name scooter and uses DHCP. ● The domain name specified in the DHCP server is example.com. ● On startup, the desktop system appends example.com to its system name. Its full hostname would become scooter.example.com.
Subnet Configuration In a typical installation, the DHCP server is configured on all LAN interfaces. To add/edit DHCP settings for a particular network interface, click on the appropriate add/edit button. The following screenshot highlights the button for adding DHCP settings for the eth1 network interface.
Network, Netmask and Broadcast The network, netmask and broadcast are automatically detected. In almost all circumstances, you want to use these detected default values.
IP Ranges Keep a range of IP addresses available for systems and services that require static addresses. For instance, VPN and some types of network printers require static IP addresses. In a typical local area network, the first 99 IP addresses are set aside for static addresses while the remaining addresses from 100 to 254 are set aside for the systems using the DHCP server. Adjust these settings to suit your needs and your network.
DNS Address The server can auto-configure the DNS settings for systems using DHCP on your network. By default, the IP address of the caching DNS server on your ClarkConnect system is used. You should change this setting if you want to use an alternate DNS server.
WINS Address If you have a Microsoft Windows Internet Naming Service (WINS) server on your network, you can provide the IP address to all Windows computers on your network. This will allow Windows systems to access resources via Network Neighborhood. You can enter the LAN IP address of your ClarkConnect system here if you have enabled the WINS server on ClarkConnect.
Active and Static Leases A list of systems that are actively using the DHCP server is shown in the Active Leases table. If you would like to make a DHCP lease for a particular system permanent, you can click on the appropriate Add button in this list. In the screenshot below, the button to add 192.168.2.212/Scooter as a static lease is shown.
Common Errors
● You should only have one (1) DHCP server per network.
● Do not enable the DHCP server on your Internet-facing (external) interface; it would answer address requests from other customers on your ISP's network.
Links
● Dnsmasq Documentation
Hosts and DNS Server Overview
Information
Description: Hosts file and local DNS server configuration.
Package Name: cc-dnsmasq
Configuration Page: Network > IP Settings > Hosts and DNS Server
Hosts (/etc/hosts) is a simple text file that associates IP addresses with hostnames. If you have the caching DNS server installed, all the entries in the hosts file will be made available.
Configuration A host is defined as any system with an IP address -- desktop, laptop, printer, media device, etc. Each host can have a hostname, along with any number of aliases. For example, you could add a hostname for a file server on your network with the following settings: ● IP Address: 192.168.1.10 ● Hostname: fileserver.example.com After adding the hostname, you are given an opportunity to add additional aliases (or hostnames) for the given host. If we were using the file server as a backup server, we could add backup.example.com to the list of aliases.
Tips and Tricks You may have noticed that a default alias is added whenever you add a hostname. For example, adding the hostname fileserver.example.com will also add the default alias fileserver. This alias can be used as a shortcut on your network. How? If you use the ClarkConnect DHCP server, you can specify a default domain name. Staying with our example, our default domain name should be set to example.com. Any system using DHCP could then access other systems on the network using the alias (fileserver) instead of the full hostname (fileserver.example.com).
Links
● Dnsmasq
IP Settings Overview
Information
Description: IP, hostname and DNS settings.
Package Name: cc-network
Configuration Page: Network > IP Settings > IP Settings
A configuration page for configuring your network cards, hostname and DNS servers.
Configuration Linux will auto-detect most PCI-based network cards. Older ISA cards may require setting parameters for the IRQ and IO. You may also need to disable plug-and-play features on the card. Please check Red Hat's Hardware Compatibility Lists to see what settings may be required for your brand of network card.
Network Roles When configuring a network interface, the first thing you need to consider is the network role. Will this network card be used to connect to the Internet, for a local network, for a network with just server systems? The following network roles are supported in ClarkConnect and are described in further detail in the next sections: ● External - network interface with direct or indirect access to the Internet ● LAN - local area network ● Hot LAN - local area network for untrusted systems ● DMZ - de-militarized zone for a public network On a standalone system, your network card should be configured with an external role, not a LAN role.
External The external role provides a connection to the Internet. On a ClarkConnect system configured as a gateway, the external role is for your Internet connection. On a ClarkConnect system configured in standalone mode, the external role is for connecting to your local area network. With the Office and Enterprise Editions, you can have more than one external interface configured for load balancing and automatic failover. See the Multi-WAN section of the user guide for details. Gateway Setting -- If you have a static IP address, it is important to make sure the gateway configuration setting is correct. If the gateway setting is missing or invalid, your system will be unable to reach the Internet. On most networks, the gateway IP address will be on the same network as your external IP address. For example, an external IP address of 10.22.22.22 will typically have a gateway at 10.22.22.1 or 10.22.22.254. In some circumstances, the gateway will not be on the same network. You will see a warning message about this unusual gateway configuration.
LAN The LAN (local area network) role provides network connectivity for your desktops, laptops and other network devices. LANs should be configured with an IP address range of 192.168.x.x or 10.x.x.x. For example, you can configure your ClarkConnect LAN interface with the following: ● IP: 192.168.1.1 ● Netmask: 255.255.255.0 All systems on your LAN would have IP addresses in the range of 192.168.1.2 to 192.168.1.254.
Hot LAN Hot LAN (or "Hotspot Mode") allows you to create a separate LAN network for untrusted systems. Typically, a Hot LAN is used for: ● Servers open to the Internet (web server, mail server) ● Guest networks ● Wireless networks A Hot LAN is able to access the Internet, but is not able to access any systems on a LAN. As an example, a Hot LAN can be configured in an office meeting room used by non-employees. Users in the meeting room could access the Internet and each other, but not the LAN used by employees. The Port Forwarding page in the web-based administration tool is used to forward ports to both LANs and Hot LANs. Only one Hot LAN is permitted.
DMZ In ClarkConnect, a DMZ interface is for managing a block of public Internet IP addresses. If you do not have a block of public IP addresses, then use the Hot LAN role. A typical DMZ setup looks like: ● WAN: an IP address for connecting to the Internet ● LAN: a private network on 192.168.x.x ● DMZ: a block of Internet IPs (e.g. from 216.138.245.17 to 216.138.245.31) The web-based administration tool has a DMZ Configuration tool to manage the DMZ network.
Virtual IPs ClarkConnect supports virtual IPs. To add a virtual IP address, click on the link to configure a virtual IP address and specify the IP Address and Netmask. If the virtual IP is on the Internet, nothing is reachable on it until you also create advanced firewall rules for it.
Configuration from the Console You can access the network configuration tools from the Administration Console tool. All other configuration is done remotely via a web browser; the console is only used to change or configure your network information. The console can be accessed from a monitor and keyboard attached to the server.
Troubleshooting The two network cables plugged into your box may need to be swapped. If you are having a hard time connecting to the Internet, make sure you try swapping the cables. In most installs, the network cards and IP settings will work straight out of the box. However, getting the network up the first time can be an exercise in frustration on some installs. Issues include: ● Network cards that are not auto-detected ● Invalid network settings (username, password, default gateway) ● Finicky cable/DSL modems that cache the hardware (MAC) address of the previously connected network card Here are some helpful advanced tools and tips to diagnose a network issue. After booting the system, hit Alt-F2 to get to a login prompt. Login with the username root and your password. The following tools will show detailed diagnostic data on your network cards. ● mii-tool displays link status and speed ● ethtool eth0 displays link status, speed, and many other stats (not all cards support this tool) ● ifconfig eth0 displays the IP settings on eth0
Multi-WAN Overview
Information
Description: Support for multiple connections to the Internet.
Package Name: cc-multiwan
Configuration Page: Network > IP Settings > Multi-WAN
The multi-WAN feature in ClarkConnect allows you to connect your system to multiple Internet connections. ClarkConnect multi-WAN not only provides load balancing, but also automatic failover.
Installation If you did not select this module to be included during the installation process, you must first install the module.
How It Works ClarkConnect multi-WAN has the following features: ● auto-failover ● load balancing ● round-robin based on user-defined weights (see configuration section)
To give you an example of how multi-WAN works, imagine two 1 Mbit/s DSL lines with two users on the local network. With every new connection to a server on the Internet, the multi-WAN system alternates WAN interfaces. User A could be downloading a large file through WAN #1, while User B is making a voice-over-IP (VoIP) telephone call on WAN #2. With some applications, the download speed for the multi-WAN system can use the full 2 Mbit/s available. For example, downloading a large file from a peer-to-peer network will use the bandwidth from both WAN connections simultaneously. This is possible since the peer-to-peer technology uses many different Internet "peers" for downloading, and each peer connection can be placed on a different WAN. At the other end of the spectrum, consider the case of downloading a large file from a web site. In this case, only a single WAN connection is used -- 1 Mbit/s maximum. Bandwidth aggregation (combining multiple WAN interfaces to look like a single WAN interface) is not possible without help from your ISP, since both ends of an Internet connection must be configured.
Configuration Enable/Disable When multi-WAN is enabled, all active WAN interfaces are used to connect to the Internet. When multi-WAN is disabled, the first active WAN interface is the only network used to connect to the Internet.
Weights Multi-WAN weights are used to load balance outbound Internet traffic. By default, all WAN interfaces are given a weight of one. This default configuration means the network traffic will be (roughly) evenly split amongst the different WAN connections. In one of the typical multi-WAN configurations, a second broadband connection is used for backup. This second connection is often a low-cost and low-bandwidth connection. In this case, you would want to set the weight on your high-bandwidth connection to 3 or 4, while leaving your low-cost/low-end connection with a weight of 1, so that roughly three or four new connections go out the fast line for every one that goes out the slow line.
Source Based Routes In some situations, you may want a system on your local area network (LAN) to always use a particular WAN interface. The screenshot below displays the configuration for two scenarios: ● Sending network traffic for the 216.138.245.16/28 block of Internet IPs out the eth0 WAN. ● Sending network traffic from a voice-over-IP (VoIP) server on the LAN at 192.168.1.100 out the eth1 WAN.
Destination Port Rules In some situations, you may want to send network traffic for a specific port from your LAN out a particular WAN interface. The screenshot below displays the configuration for always sending DNS traffic (port 53) out the eth0 WAN network.
Destination port rules only apply to connections originating on your LAN. These rules do not apply to traffic originating from the ClarkConnect system itself (for example, the gateway's own DNS lookups).
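The source-based routes and the destination-port rule from the two sections above, as an added example that is not the cc-multiwan implementation: the same policy expressed with Linux policy routing (one routing table per WAN selected by ip rule) and a netfilter mark for the port rule. Assumed, not from the manual: eth0 is WAN #1 with gateway 10.0.0.1, eth1 is WAN #2 with gateway 10.0.1.1 (placeholder addresses), eth2 is the LAN, and routing tables 101 and 102 are unused. The functions print the commands instead of running them, so the script runs without root.

```shell
#!/bin/sh
# Added example, not ClarkConnect code. Interfaces, gateways and table
# numbers are assumptions for this example.

# One routing table per WAN, each with its own default gateway.
gen_wan_tables() {
    echo "ip route add default via 10.0.0.1 dev eth0 table 101"
    echo "ip route add default via 10.0.1.1 dev eth1 table 102"
}

# source_route SRC_PREFIX TABLE: traffic *from* SRC_PREFIX always leaves via
# the WAN behind TABLE, regardless of the load-balancing weights.
source_route() { echo "ip rule add from $1 lookup $2 pref 100"; }

# port_route PORT TABLE: mark new LAN connections to PORT, then route by mark.
# Marking in PREROUTING on the LAN interface means only forwarded (LAN-originated)
# traffic is affected; the gateway's own lookups go out in OUTPUT and are untouched,
# which is the behaviour the manual describes for destination port rules.
port_route() {
    port=$1; table=$2; mark=$table
    echo "iptables -t mangle -A PREROUTING -i eth2 -p udp --dport $port -j MARK --set-mark $mark"
    echo "iptables -t mangle -A PREROUTING -i eth2 -p tcp --dport $port -j MARK --set-mark $mark"
    echo "ip rule add fwmark $mark lookup $table pref 200"
}

# The two screenshots' worth of rules, in evaluation order (lower pref wins).
multiwan_rules() {
    gen_wan_tables
    source_route 216.138.245.16/28 101   # DMZ block out eth0 (WAN #1)
    source_route 192.168.1.100/32  102   # VoIP server out eth1 (WAN #2)
    port_route 53 101                    # DNS from the LAN out eth0 (WAN #1)
    echo "ip route flush cache"
}

multiwan_rules
```

Source rules are given a lower preference number than the mark rule, so a packet from the VoIP server to port 53 still follows the source rule; the Routing Policies section below is the reason the DMZ rule exists at all, since ISP #2 would drop packets carrying ISP #1's addresses.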
Routing Policies Some Internet service providers (ISPs) will not allow traffic from source addresses they do not recognize as their own. The following scenarios will give you a good idea of common issues faced in a multi-WAN environment. In the examples, we assume two connections, but the same issues crop up with three or more connections.
DNS Servers The DNS servers configured on the ClarkConnect system will be provided by one or both ISPs. In our example, we are going to assume that ISP #1 provides the DNS servers. If a DNS request from your network goes out the ISP #2 connection, it might get blocked by ISP #1. Result: DNS requests will only succeed on ISP #1. Solution -- Use DNS servers that are accessible from any network. If your ISPs do not provide such DNS servers, then we recommend using OpenDNS. Note: your DHCP/DSL network configuration settings should have the Automatic DNS Servers checkbox unchecked - see screenshot.
DMZ Networks and 1-to-1 NAT If you have a range of extra IP addresses provided by ISP #1, you may need to explicitly send traffic from these extra IPs out the ISP #1 connection; ISP #2 may drop the packets. Solution -- Use a Source Based Route for your DMZ network.
Links
● Linux Advanced Routing and Traffic Control
Network Tools Overview
Information
Description: Tools to monitor and diagnose the network.
Package Name: cc-nettools
Configuration Page: Network > IP Settings > Network Tools
Provides basic networking tools to help diagnose network problems.
Installation If you did not select this module to be included during the installation process, you must first install the module.
Configuration Connection Monitor The connection monitor shows real-time information on connections going in and out of the ClarkConnect system. This tool can be useful when diagnosing issues on your local network (for example, finding a computer with a virus). ● Protocol -- the Internet protocol used by the connection ● Expires -- the time in hours remaining before the connection expires ● Source -- the source IP address ● Destination -- the destination IP address ● Status -- the status of the connection ● Port -- the source port and destination port ● Service -- the service associated with the destination port (if known)
Routing Table The routing table provides technical information on the active routes on the system.
Protocol Statistics Detailed technical information on the underlying TCP/IP network.
Links
● Linux Advanced Routing and Traffic Control
UPnP Overview
Information
Description: Universal plug and play software.
Package Name: linuxigd
Configuration Page: N/A
UPnP should only be used on a home or trusted network. Avoid using this software on office, school or other untrusted networks. See the note below. There are many opponents of UPnP. However, we feel that Open Source is all about giving people choices, and letting intelligent people make intelligent decisions about its use. A lot of us really need this daemon, and can live with the consequences because we are simply connecting a home network to the Internet through one IP. UPnP version 1.0 is inherently flawed. What appears to have happened is that Microsoft's first UPnP implementation was not concerned with security or any advanced controls; all they wanted was connectivity, so we are stuck with this for now. The UPnP server, by itself, does no authentication or security checking: if it receives a UPnP request to add a port mapping for some IP address inside the firewall, it just does it. Any host on the LAN (including one running malware) can therefore open inbound ports from the Internet to itself or to some other system on your network.
Wireless Card Configuration Overview
Information
Description: Wireless network card settings.
Package Name: cc-wireless
Configuration Page: Network > IP Settings > Wireless
ClarkConnect includes support for wireless network cards.
Installation If you did not select this module to be included during the installation process, you must first install the module.
Configuration Supported Hardware Many wireless network cards work out of the box in Linux (see Links section below). However, we only officially support the following: ● PCI: Netgear 11Mbps 802.11b Wireless PCI Card (MA311) ● ISA-to-PCMCIA bridge: All models ● PCI-to-PCMCIA bridge: Buffalo Tech WLI-PCI-OP ● PCMCIA: Orinoco Silver and Gold 802.11b PCMCIA
From the Orinoco site: "For PCs with an ISA slot, the ORiNOCO ISA adapter is strongly advised." In other words, only purchase the PCI card if your system is PCI-only.
PCMCIA Settings If you use a PCMCIA (laptop) card, you may need to change some of the settings.

PCIC Driver There are a few different types of hardware drivers (PCIC drivers) available for PCMCIA. Consult your hardware's user guide or online support to determine your settings. For the Orinoco PCMCIA cards, use i82365.

PCIC Options and Core Options Some PCMCIA hardware drivers require special options. In most cases, you can leave the PCIC Options and Core Options blank. Consult your hardware's user guide or online support if the system is unable to detect your card. For the Orinoco PCMCIA cards, you may need to use i365_base=0x3e2 for PCIC Options (leave Core Options blank).
Network Settings The network configuration for a wireless card is done just like any other network card. However, the following extra wireless-only options are required.

ESSID The ESSID is a nickname to give your wireless network. In the screenshot, the name Woburn Wireless is used. When configuring other wireless devices on your network, make sure you use the same ESSID.

Mode The wireless card can run in a number of different modes. The most common are Ad-Hoc and Master/Access Point. From the list of officially supported wireless cards, only Ad-Hoc mode is supported. For un-official wireless cards, you may be able to run the card in other modes.

Secret Key The Secret Key is the WEP key used to encrypt your network traffic. The Orinoco Silver card requires a 5-character (40-bit) key prefixed with 's:', e.g. s:abcde. This must match the settings for other wireless devices on your network. Be aware that WEP, and 40-bit WEP in particular, is cryptographically broken: a passive attacker within radio range can recover the key from captured traffic. Treat a WEP-protected network as an untrusted one (for example, place it on a Hot LAN rather than the LAN), and do not rely on the key to keep outsiders off your network.
MAC Address Filtering
For added security, you can allow only certain network MAC addresses on your wireless network.
Links
● Seattle Wireless
● Linux Wireless LAN Howto
● WLAN Adapter Chipset Directory
Firewall

1-to-1 NAT Overview
Information
Description: Configuration tool for 1-to-1 NAT.
Package Name: cc-firewall-dmz
Configuration Page: Network > Firewall > 1-to-1 NAT
1-to-1 NAT maps a real Internet IP to an IP on your local area network (LAN).
Installation If you did not select this module to be included during the installation process, you must first install the module.
Configuration You can map 1-to-1 NAT IPs in one of two ways: ● With no firewall at all ● With selective ports open
1-to-1 NAT - No Firewall Some protocols can be finicky behind firewalls. In this case you want to configure 1-to-1 NAT with no firewall (make sure you firewall/secure the target LAN system some other way!). In the screenshot below: ● 216.138.245.23 is mapped to a LAN machine at 192.168.2.2 ● no firewall is enabled.
1-to-1 NAT - Selective Ports Open In the screenshot below: ● 216.138.245.23 is mapped to a LAN machine at 192.168.2.2 ● only port 22 (SSH) and port 80 (web) are accessible from the Internet
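The two mappings above, as an added example that is not the cc-firewall-dmz implementation: 1-to-1 NAT is a DNAT of the public address to the LAN host plus an SNAT so the host's own outbound traffic carries the public address, and the "selective ports" variant is simply a restrictive FORWARD chain in front of that mapping. Assumed, not from the manual: eth0 is the external interface and already carries 216.138.245.23 (as a virtual IP), eth1 is the LAN, and the FORWARD chain policy is DROP so only listed traffic passes. The functions print the iptables commands; pipe them into sh on the gateway to apply them.

```shell
#!/bin/sh
# Added example, not ClarkConnect code. Interface names and the DROP
# policy on FORWARD are assumptions for this example.

# one_to_one PUBLIC_IP LAN_IP: the address translation itself, both directions.
one_to_one() {
    pub=$1; lan=$2
    # Inbound: anything arriving for the public IP is rewritten to the LAN host.
    echo "iptables -t nat -A PREROUTING -i eth0 -d $pub -j DNAT --to-destination $lan"
    # Outbound: the LAN host's own traffic leaves with its public IP, not the gateway's.
    echo "iptables -t nat -A POSTROUTING -o eth0 -s $lan -j SNAT --to-source $pub"
}

# allow_ports LAN_IP [PORT...]: forward only the listed TCP ports to the host.
# With no ports this is the "no firewall" variant: everything is forwarded,
# so the LAN host must protect itself.
allow_ports() {
    lan=$1; shift
    # Replies to the host's own outbound connections must always come back.
    echo "iptables -A FORWARD -d $lan -m state --state ESTABLISHED,RELATED -j ACCEPT"
    if [ $# -eq 0 ]; then
        echo "iptables -A FORWARD -i eth0 -d $lan -j ACCEPT"
        return
    fi
    # DNAT happens before FORWARD, so the rules match the LAN address.
    for p in "$@"; do
        echo "iptables -A FORWARD -i eth0 -d $lan -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
}

nat_no_firewall() { one_to_one 216.138.245.23 192.168.2.2; allow_ports 192.168.2.2; }
nat_selective()   { one_to_one 216.138.245.23 192.168.2.2; allow_ports 192.168.2.2 22 80; }

echo "# no firewall"; nat_no_firewall
echo "# selective ports"; nat_selective
```

Order matters: the ESTABLISHED,RELATED rule comes first so return traffic is never evaluated against the port list, and the NEW-only port rules mean a packet that is not the start of a connection cannot slip through on port 22 or 80.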
1-to-1 NAT - With MultiWAN As of ClarkConnect 4.0 it is possible to use 1-to-1 NAT with a MultiWAN configuration (4.x Editions only). The configuration remains mostly the same, with the addition of an Interface drop-down box containing the list of configured MultiWAN network interfaces. Each 1-to-1 NAT rule must be assigned to an external MultiWAN interface, as shown in the example below:
Advanced Overview
Information
Description: Configuration tool for advanced firewall rules.
Package Name: cc-firewall-advanced
Configuration Page: Network > Firewall > Advanced
Installation If you did not select this module to be included during the installation process, you must first install the module.
Configuration The advanced firewall tool can be used to create special firewall rules. For instance, you can use this tool to allow connections to the web-based administration tool from the Internet, but only from a particular IP address. You can find some examples in the advanced firewall tips and tricks documentation. Caution: an invalid advanced rule will cause the firewall to go into lock-down mode, in which none of the other firewall rules are active. Check each rule carefully before saving it, and add rules from a console or LAN session rather than over the Internet, so that a mistake does not lock you out of the system you are configuring.
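The "webconfig from one Internet address only" rule mentioned above, as an added example that is not the cc-firewall-advanced tool's own output: two INPUT rules in iptables-restore format (an ACCEPT for the administrator's address followed by a DROP for everyone else on port 81), plus a rough offline syntax check in the spirit of the lock-down caveat, so a malformed line is caught before it is loaded. Assumed, not from the manual: eth0 is the external interface and 203.0.113.7 (a documentation-prefix placeholder) is the administrator's address. On the gateway itself, iptables-restore --test on recent iptables versions performs the real parse.

```shell
#!/bin/sh
# Added example, not ClarkConnect code. The interface name and the
# administrator's address are placeholders for this example.

# webconfig_rules ADMIN_IP: INPUT rules for port 81 in iptables-restore format.
# Rule order is the point: the specific ACCEPT must precede the blanket DROP.
webconfig_rules() {
    cat <<EOF
*filter
-A INPUT -i eth0 -p tcp -s $1 --dport 81 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 81 -j DROP
COMMIT
EOF
}

# validate_rules RULES_TEXT: offline sanity check. Every rule line must name a
# chain (-A ...) and a target (-j ...), and any -s value must be a dotted quad
# with an optional /prefix. Returns 1 on the first bad line, 0 if all pass.
validate_rules() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            '*'*|COMMIT|'') continue ;;
            -A*"-j "*) ;;
            *) echo "bad rule: $line"; exit 1 ;;
        esac
        src=$(printf '%s' "$line" | sed -n 's/.* -s \([^ ]*\).*/\1/p')
        if [ -n "$src" ] && ! printf '%s' "$src" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'; then
            echo "bad source address: $src"; exit 1
        fi
    done
}

rules=$(webconfig_rules 203.0.113.7)
if validate_rules "$rules"; then
    printf '%s\n' "$rules"
else
    echo "refusing to load rules" >&2
fi
```

The DROP is deliberately restricted to port 81 on eth0: a rule that drops more than it needs to is the other way to lock yourself out, and the existing ClarkConnect rules already handle the remaining ports.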
Links
● Netfilter/Iptables Home Page
DMZ Overview
Information
Description: Configuration tool for DMZ-based firewalls.
Package Name: cc-firewall-dmz
Configuration Page: Network > Firewall > DMZ
The DMZ solution is used to protect a separate network of public IP addresses. Typically, a third network card is used exclusively for the DMZ network. ● If you are configuring a few extra public IPs (not a whole network), then go to the 1-to-1 NAT section of the User Guide. ● If you are configuring a separate private network (192.168.x.x or 10.x.x.x), then investigate Hot LANs in the IP Settings section of the User Guide.
Installation If you did not select this module to be included during the installation process, you must first install the module.
Configuration Network Configuration Before you can use the DMZ firewall configuration, you need to configure one of your network cards with the DMZ role. In our example, we used the IP Settings tool to configure a third network card (eth2) with the following:
● Role: DMZ
● IP Address: 216.138.245.17
● Netmask: 255.255.255.240
● Network: 216.138.245.16/28
All the systems connected to this third network card can then be configured with an IP address in the 216.138.245.18 to 216.138.245.30 range.
Incoming Connections By default, all inbound connections from the Internet to systems on the DMZ are blocked (with the exception of the ping protocol). You can permit connections to systems on the DMZ by allowing:
● all ports and protocols to a single public IP
● all ports and protocols to the whole network of public IPs
● a specific port and protocol to a single public IP
In the screenshot below, both 216.138.245.27 and 216.138.245.28 are not firewalled at all, while 216.138.245.26 can only be accessed via TCP port 2000.
Pinhole Connections (DMZ-to-LAN) In some situations, you may want to allow particular network traffic from your DMZ to your LAN -- a pinhole rule. In our example, we have a document management system running on port 2401 on the LAN (at IP address 192.168.2.2). We want to allow a web server in our DMZ to access this document management system and we create a pinhole rule to do it (see screenshot).
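The DMZ policy described above (default deny into the DMZ except ping, two hosts fully open, TCP 2000 to a third, and the DMZ-to-LAN pinhole) expressed as netfilter rules. This is an added example, not the rules ClarkConnect itself generates; the interface names eth0 (Internet) and eth1 (LAN), the LAN network 192.168.2.0/24 and the choice to let the LAN reach the DMZ freely are assumptions.

```shell
#!/bin/sh
# Added example: netfilter rules equivalent to the DMZ configuration described
# in the manual (eth2 as the DMZ interface, network 216.138.245.16/28). These
# are illustrative rules written for this example, NOT the rules ClarkConnect
# generates. Assumed interfaces: eth0 = Internet, eth1 = LAN, eth2 = DMZ.
WAN_IF=eth0
LAN_IF=eth1
DMZ_IF=eth2
DMZ_NET=216.138.245.16/28
LAN_NET=192.168.2.0/24     # assumed LAN network containing 192.168.2.2

# Dry run by default: the rules are printed instead of loaded. Run as root
# with IPT=iptables to apply them.
IPT=${IPT:-"echo iptables"}

dmz_rules() {
    # A dedicated chain for traffic entering the DMZ keeps the policy
    # self-contained and easy to audit with "iptables -L DMZ-IN -n".
    $IPT -N DMZ-IN
    $IPT -A FORWARD -o "$DMZ_IF" -d "$DMZ_NET" -j DMZ-IN

    # Replies to connections the DMZ hosts initiated are always allowed.
    $IPT -A DMZ-IN -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The manual's default: everything inbound is blocked except ping.
    $IPT -A DMZ-IN -p icmp --icmp-type echo-request -j ACCEPT
    # Assumption for this example: the LAN may reach the DMZ freely.
    $IPT -A DMZ-IN -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT

    # "All ports and protocols to a single public IP" for .27 and .28.
    $IPT -A DMZ-IN -i "$WAN_IF" -d 216.138.245.27 -j ACCEPT
    $IPT -A DMZ-IN -i "$WAN_IF" -d 216.138.245.28 -j ACCEPT
    # "A specific port and protocol to a single public IP": TCP 2000 to .26.
    $IPT -A DMZ-IN -i "$WAN_IF" -d 216.138.245.26 -p tcp --dport 2000 -j ACCEPT

    # Everything else destined for the DMZ is dropped (default deny).
    $IPT -A DMZ-IN -j DROP
}

pinhole_rules() {
    # DMZ-to-LAN pinhole: only the document management port on 192.168.2.2.
    # The DMZ is the least trusted side of this boundary, so every other
    # DMZ -> LAN packet is dropped; only the reply half of this one service
    # is allowed back from the LAN.
    $IPT -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -d 192.168.2.2 -p tcp --dport 2401 \
         -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -s 192.168.2.2 -p tcp --sport 2401 \
         -m state --state ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j DROP
}

dmz_rules
pinhole_rules
```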
Links
● Definition
Group Manager
Overview
Firewall Groups
Description: A tool to group together firewall rules.
Package Name: cc-firewall
Configuration Page: Network > Firewall > Group Manager
The Group Manager makes it easy to categorize and manage related Firewall rules. All rules not assigned to a group will be listed at the top of the page. You can change a rule's Nickname or assign it to a new or existing group by clicking on Edit.
Installation This module is part of the base Firewall package which is always installed.
Configuration There are three sections to the Group Manager page.
● Individual rule listing (rules that are not assigned to a group)
● Group listing
● Group manager, useful for enabling/disabling or deleting an entire group
Assigning Rules to Groups To assign a rule to a group, click on the rule's Edit button. This will bring up the rule editor dialog, which looks like the following screenshot:
The top of the edit dialog shows the fields of the firewall rule: the protocol, address, port, and parameter (optional, contains extended information). This is displayed to help you identify the rule. Below this information, you can enter a new Nickname or edit the existing one to help identify the rule's purpose. To the right you may assign this rule to an existing group using the drop-down, or add it to a new group by entering the desired name in the input box below. Click on Confirm to save your changes.
Removing a Rule From a Group To remove a rule from a group, click on the rule's Edit button. You will see the group name in the drop-down box. Change this to "Remove from group" and then click on Confirm. If there are no more rules in any given group, the group will no longer show up in the group drop-down list.
Group Management At the very bottom of the Group Manager page you can enable/disable or delete a group. Simply click on the appropriate button. Deleting a group will delete all member firewall rules. If you want to remove just the group, remove each rule from the group manually.
Incoming
Overview
Firewall Incoming
Description: Tool for configuring incoming connections on the firewall.
Package Name: cc-firewall
Configuration Page: Network > Firewall > Incoming
Configuration Allow Incoming Connections If you want to run a server on your ClarkConnect system, you must open the appropriate port on the firewall to allow access to users on the Internet. For instance, if you are running the web server and secure web server, make sure ports 80 and 443 are open. Unlike other firewalls, you do not need to open a port on the incoming page if you're forwarding the port to an internal server on your LAN or on your DMZ. You can also open up ports to allow for remote management of your ClarkConnect system. For example, you can open up port 22 to allow for SSH access and port 81 to give access to Webconfig. Select Firewall Incoming in the web-based administration tool. There are three ways to add an incoming firewall rule:
● select a standard service in the Standard Services drop-down
● input a single port number in the Port Number box
● input multiple consecutive ports as a port range in the Port Range box
Block Internet Hosts If you want to block a remote site from accessing your ClarkConnect system, add the IP address or network to the block list. This is typically used to block unwanted connections from . If you want to block web sites from your users, the Content Filter is a more effective solution.
Outgoing
Overview
Firewall Outgoing
Description: Tool for blocking or allowing (depending on mode) outgoing connections on your network.
Package Name: cc-firewall
Configuration Page: Network > Firewall > Outgoing
Configuration From the Firewall Outgoing page, you can block or allow certain kinds of traffic from leaving your network depending on the mode/policy. As of ClarkConnect 4.0, it is now possible to reverse the meaning of rules created from the Firewall Outgoing page. The language used in the following documentation has been altered to reflect this change. Users of older ClarkConnect versions can only allow all outgoing traffic by default and then selectively block certain hosts and services. See Choose an Outgoing Mode below for more details. This module is useful for blocking/allowing instant messaging, chat, peer-to-peer music downloads, and more. You have two ways to block/allow traffic:
● by destination port/service
● by destination IP address/domain
Note: If you want to block peer-to-peer file sharing programs like Kazaa and Limewire, you will also want to check the Peer-to-Peer section of the user guide.
Choose an Outgoing Mode As of ClarkConnect 4.0, you can toggle the outgoing traffic mode or policy. All previous versions of ClarkConnect allowed all outgoing traffic by default, only providing the administrator with the ability to specifically block certain hosts or services. With ClarkConnect 4.0 and above, it is possible to block all outgoing traffic by default and only open or allow certain destination domains, ports/services to be contacted.
Note: These are the two Outgoing Traffic policies available as of ClarkConnect 4.0.
Outgoing Traffic - By Port/Service Destination Ports prevents/allows a connection on a particular port/service. For instance, adding port 80 (web) disables/enables web-surfing for your entire local network.
Outgoing Traffic - By Host/Destination Destination Domains allows you to block/allow certain networks and sites. For instance, if your Outgoing Mode is set to allow all outgoing traffic, blocking windowsupdate.microsoft.com blocks Windows from connecting to the windows update site. Keep in mind, some sites use multiple servers to handle network traffic and are not easily blocked. If you block destinations with the firewall bear in mind that users of the proxy may not be blocked. If you require proxy users to be blocked, your best option is to block the destinations using the DansGuardian Content Filter Module.
As of ClarkConnect 4.0, the Block/Allow by Destination form has changed slightly. The standard services drop-down box has been removed and merged into the Destination Ports form illustrated above.
Troubleshooting
Links
Peer-to-Peer
Overview
Peer-to-Peer
Description: A tool to block peer-to-peer traffic.
Package Name: cc-firewall-p2p
Configuration Page: Network > Firewall > Peer-to-Peer
Installation If you did not select this module to be included during the installation process, you must first install the module.
Configuration The following applications can be blocked and/or throttled:
● eDonkey, eMule, Kademlia
● KaZaA, FastTrack
● Gnutella
● Direct Connect
● BitTorrent, extended BT
● AppleJuice
● WinMX
● SoulSeek
● Ares, AresLite
For some protocols, the peer-to-peer blocker will only halt the initial connection to other systems. In other words, a system that is already connected to a peer-to-peer network will not get blocked. If you are sanity checking this tool, please disconnect the peer-to-peer client.
Troubleshooting The world of peer-to-peer networks is fast paced and constantly changing. If you find that your peer-to-peer software is not getting blocked, then feel free to post your feedback on the online forums:
● Online Forums - Bandwidth
Links
● IPP2P Web Site
Port Forwarding
Overview
Port Forwarding
Description: Tool for forwarding ports to systems on your local network.
Package Name: cc-firewall
Configuration Page: Network > Firewall > Port Forwarding
Configuration If you run servers behind your ClarkConnect gateway, you can use the Port Forwarding page to forward ports to a system on your local area network. In the example below, two port forwarding rules are configured:
● A web server (port 80) is running on the LAN at 192.168.4.10
● SSH (port 22) is also running on 192.168.4.10. Since port 22 is already used on the gateway, we specify an alternate port (2222). We then configure our SSH client to use port 2222 to connect directly to 192.168.4.10 from the Internet.
Troubleshooting
In order for port forwarding to work properly, the target system on your local network must have its default gateway set to the ClarkConnect system. In the adjacent screenshot, the configuration for a Windows system is shown. The default gateway in this case is 192.168.1.1 (the IP address of the ClarkConnect system).
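The two port-forwarding entries above (web on 80, SSH reached via public port 2222), together with the reply path that the troubleshooting note depends on, as netfilter rules. This is an added example, not ClarkConnect's own rules; eth0 (Internet) and eth1 (LAN) are assumed interface names.

```shell
#!/bin/sh
# Added example (not ClarkConnect's own code): netfilter rules equivalent to
# the two port-forwarding entries in the manual's example, plus the FORWARD
# rules that let the forwarded traffic and its replies through.
# Assumed interfaces: eth0 = Internet (public address), eth1 = LAN.
WAN_IF=eth0
LAN_IF=eth1
TARGET=192.168.4.10

# Dry run by default: the rules are printed, not loaded. Run as root with
# IPT=iptables to apply them.
IPT=${IPT:-"echo iptables"}

# forward_port <public_port> <lan_host> <lan_port>
# Rewrites the destination of new connections arriving on the Internet side.
# Only the public port has to be free on the gateway; the LAN-side port can
# differ, which is how 2222 on the gateway reaches 22 on the target.
forward_port() {
    pub=$1; host=$2; lanport=$3
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$pub" \
         -j DNAT --to-destination "$host:$lanport"
    # DNAT runs before filtering, so the FORWARD rule matches the translated
    # destination port, not the public one. No Incoming rule is needed: the
    # packet never reaches the gateway's own INPUT chain.
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$host" -p tcp --dport "$lanport" \
         -m state --state NEW,ESTABLISHED -j ACCEPT
}

# Replies from the LAN host must pass back through the gateway, where the
# connection-tracking entry created by DNAT restores the public address as
# the source. That only happens if the LAN host routes those replies via the
# gateway, which is why its default gateway must be the ClarkConnect system.
allow_replies() {
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

forward_port 80   "$TARGET" 80    # web server
forward_port 2222 "$TARGET" 22    # SSH, reached on an alternate public port
allow_replies
```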
Security
Intrusion Detection
Overview
Intrusion Detection
Description: An advanced intrusion detection system.
Package Name: cc-snort
Configuration Page: Network > Security > Intrusion Detection
The intrusion detection package is included with ClarkConnect to make users more aware of some of the daily hostile traffic that can pass by your Internet connection. The software is able to detect and report unusual network traffic including attempted break-ins, trojans/viruses on your network, and port scans.
Services New exploits are discovered every day. The intrusion detection software maintains and uses a list of 2000+ rules. You can receive automatic updates by subscribing to the Intrusion Detection Updates service.
Configuration The intrusion detection system includes a daily report. Do not panic when you see alerts in this daily report. In fact, it would be quite unusual not to see anything reported. Hostile traffic is a normal part of today's Internet and it is one of the reasons firewalls are necessary. You can find more information about the report here. Intrusion detection does require some horsepower. If you find your system sluggish, you might want to consider disabling the software.
Security and Policy Rules There are two different types of rules for the intrusion detection system. The Security rules detect issues related to overall system security, while Policy rules detect issues related to your organization's Internet usage policies. For example, the chat policy rules will detect instant messaging traffic that goes through your ClarkConnect system.
Links
● Intrusion Detection Reports
● Sourcefire website
● Snort Intrusion Detection website
Intrusion Prevention
Overview
Intrusion Prevention
Description: An advanced intrusion prevention system.
Package Name: cc-snortsam
Configuration Page: Network > Security > Intrusion Prevention
The intrusion prevention system blocks suspected attackers from your system.
Services New exploits are discovered every day. The intrusion detection software maintains and uses a list of 2000+ rules. You can receive automatic updates by subscribing to the Intrusion Detection Updates service.
Configuration The Intrusion Prevention system displays a list of IP addresses that have been blocked due to inappropriate network traffic.
Description SID The SID corresponds to the Intrusion Detection ID that triggered the block. This is a hyperlink that can be followed to reveal more information about the specific conditions that were matched.
Blocked IP This is the IP address that triggered the block. If this IP address should not be blocked, you can add it to a "don't block" list by clicking on Whitelist under Action.
Date / Time The date/time fields show when the block occurred.
Time Remaining The remaining block time is listed last. The IP address will be unblocked when this reaches 0.
Action A blocked host can be added to a Whitelist so it will not be blocked in the future. You can also remove a blocked host using Delete.
Whitelist If there are IP addresses in your Whitelist they will be listed below the Active Block List. You can delete an entry by choosing Delete under Action.
Troubleshooting If you find the snortsam software taking a long time to start up on your system, make sure the DNS Servers configured for your ClarkConnect system are working properly.
Links
● SSH Brute Force Attack
● FTP Brute Force Attack
Account Manager
Users
Overview
User Manager
Description: Tool to add and manage users on the system.
Package Name: cc-users
Keywords: LDAP
Configuration Page: Account Manager > All Accounts > Users
The user manager page allows you to add, delete and manage users on the system.
Configuration User Overview The first thing you will see on the user manager page is a summary of existing users. This summary includes the username, name and the enabled options for each user. Depending on the platform/version you are using, you may see a dialog box indicating how many mailbox accounts are in use and how many are available. The Enterprise Edition allows you to purchase additional mailbox licenses to increase the number of users who can send/receive mail on the server.
In the screenshot shown, user tim has access to all the available services while user veruca only has access to e-mail and the file server.
User Information Every user must have the following information configured:
● Username - a username (lowercase only)
● First name - the user's first name
● Last name - the user's last name
● Password and Verify - a password
Depending on your ClarkConnect version, you may also see additional fields, for example telephone number, address, title, etc.
User Options The following options are available in the user configuration. Note: the option will not appear if the related software is not installed on the system.
● File Server Folder - grant access to home directory on the File Server
● FTP Server - grant FTP Server access
● Mailbox - grant Mail Server - SMTP access
● PPTP Server - grant PPTP VPN access
● Proxy Server - grant Web Proxy access
● Web Server - grant Web access for Flexshare
● Shell Access - If an administrator needs to enable Secure SHell (SSH) access for a user's account, this needs to be done at the command line in versions 4.0 and later. See the "Tips and Tricks" section below for more information.
Tips and Tricks Secure Shell (SSH) The Secure Shell (SSH) access option was removed in 4.0 as a security precaution. Most users do not need SSH access, and yet many end-users would select all options, not knowing the risks. To enable SSH access for a user, log in as root and type:
Links
● Aliases
Groups
Overview
Group Manager
Description: Tool to add and manage groups on the system.
Package Name: cc-users
Configuration Page: Account Manager > All Accounts > Groups
The group manager page allows you to add, delete and manage groups on the system.
Configuration The first thing you will see on the group manager page is a summary of existing groups.
Use the "Add Group" form below the summary of existing groups to add a new group.
Once you have added a new group, or if you click on the "Edit" link next to an existing group, a new form will appear providing information specific to the group you created/edited.
Use this form to make changes to the users belonging to the group and/or to change the description of the group name.
System Tools
Backup and Restore
Overview
Backup and Restore
Description: A simple backup and restore tool for configuration files.
Package Name: cc-backuprestore
Configuration Page: System > Settings > Backup/Restore
The backup/restore feature lets you take a snapshot of all the configuration files and save them to a separate system for safe keeping. If a ClarkConnect system needs to be restored, you can reinstall the ClarkConnect system and then restore all the configuration settings from the backup.
Installation If you did not select this module to be included during the installation process, you must first install the module.
Configuration The backup/restore tool saves all the configuration information available through the web-based interface:
● Usernames and passwords (4.0 or higher)
● Network configuration
● Firewall configuration
● Software configuration (for example, content filter)
The backup/restore settings tool does not save user data, logs or mailboxes. Use the LAN/Backup and Recovery tool for backing up data. If you have installed third party applications on your system, you will need to take extra steps to save configuration data.
Troubleshooting During the restore procedure, the original network settings will be restored, but not activated. Consider this scenario:
● The system settings on a live ClarkConnect gateway have been saved.
● Due to a hard disk failure, ClarkConnect was temporarily replaced with a basic router.
● ClarkConnect is re-installed on another server while connected to your LAN.
● The restore procedure is then used on the newly installed ClarkConnect system.
The network settings are now in limbo. The restored network configuration is expecting to be connected as a gateway, but the system is temporarily running as a standalone system on your LAN. In this scenario, you will either need to put the system back into its role as a gateway, or reconfigure the network.
Date
Overview
Date
Description: Tool to set the date, time and timezone.
Package Name: cc-webconfig
Configuration Page: System > Settings > Date
The date configuration tool allows you to select your time zone as well as enable/disable automatic time synchronization.
Configuration Time Zone It is important to have the correct time zone configured on your system. Some software (notably, mail server software) depends on this information for proper time handling.
Time Synchronization Keeping your system time accurate is recommended, so we suggest having the automatic time update enabled.
Encrypted File Systems
Overview
Encrypted File System
Description: Encrypted file system manager.
Package Name: cc-dmcrypt
Configuration Page: System > Settings > Encrypted File System
The encrypted volume module allows the creation of encrypted volumes that can be used to protect confidential data from unauthorized access in the event the server is physically removed from the premises or a portable mass storage device is lost/stolen while in transit. Data is stored in an encrypted format while a volume is not mounted. Mounting a volume requires the password. With a strong password, gaining access to the decrypted data (i.e. usable information) is impossible while the volume is unmounted. A volume is unmounted whenever the server is restarted (i.e. a shutdown, loss of power etc.) and must be mounted by an administrator having both Webconfig access and the volume password. It is important to note that this module does not provide protection against unauthorized access to data while a volume is mounted (i.e. the state the volume would normally be in during everyday use). This module does not replace the need to maintain software updates, a properly configured firewall, IDS/IPS etc.
Installation If you did not select this module to be included during the installation process, you must first install the module.
Configuration Adding an Encrypted Volume Any number of encrypted volumes can be created on the server, either on the local hard disk or on an external mass storage device. Volumes created on the local disk reside alongside other system/user data. By contrast, volumes created on unmounted devices (e.g. a USB-attached hard disk) fill the entire physical disk, formatting it and destroying any data that may be on an existing file system.
Volume Name A unique name that describes the volume (e.g. ArchivedMail, ExternalUSB).
Mount Point The location at which the volume will be accessible. By default, the mount point is created in /mnt/dmcrypt/
Storage Device The physical device location.
Size The size (in MB) of the encrypted volume. Keep in mind, encrypted volumes have an encryption overhead approximately equal to 1-5% of the total defined size of the volume.
Password The password required to mount the encrypted volume.
Verify Password Re-enter the password to verify.
Troubleshooting What if I forget my password? In a word: don't. If you forget a volume encryption password, there is absolutely no way to recover the data.
How can I auto-mount my encrypted volumes on bootup? You cannot; this would defeat the purpose of creating an encrypted volume, since the password would have to be stored on the same system.
Links
● DM-Crypt Project Home Page
Language
Overview
Language
Description: Tool to set the language and locale.
Package Name: cc-webconfig
Configuration Page: System > Settings > Language
You can change the language used by ClarkConnect from this configuration page.
Running Services
Overview
Running Services
Description: A tool to view and manage services running on the system.
Package Name: cc-webconfig
Configuration Page: System > Settings > Running Services
This configuration page gives you a bird's eye view of the services (also known as "daemons") on your system.
Shutdown and Restart
Overview
Shutdown and Restart
Description: A shutdown and restart tool for your system.
Package Name: cc-webconfig
Configuration Page: System > Settings > Shutdown/Restart
A tool to shutdown or restart your system.
E-Mail Notification/Alert (SMTP Relay)
Overview
SMTP Relay/Notification
Description: Allows applications to send reports, alerts, notifications etc. via e-mail through the configured SMTP relay without having a local Mail Transport Agent (MTA).
Package Name: cc-mailer
Keywords: Swift
Configuration Page: System > Settings > SMTP Relay
Installation This module is installed only when a module dependent on the Mailer class is installed. To install manually, run:
    # apt-get update
    # apt-get install cc-mailer
Configuration
Configuration of the SMTP relay is accessed under System > Tools > SMTP Relay.
SMTP Host The hostname of the SMTP server to connect to.
Port The port used for the initial connection to the SMTP server. SMTP usually uses port 25.
SSL/TLS Encryption protocol to use when connecting to the host server.
Username A valid username to authenticate to the server.
Password A valid password to authenticate to the server.
Test Relay Once you have decided on the SMTP server to relay through and obtained and entered the necessary settings, it is time to test the relay to ensure e-mails can get through. Click on the Test Settings link. A form will be displayed requiring the input of a valid e-mail address. Enter an address at which you can easily verify receipt of the test message that will be sent. Click on Send Test E-mail once you have entered the recipient of the test e-mail. If a successful connection and authentication (if required) is made, you will receive a notification that the test was successful. If the connection could not be made or if authentication using the settings provided failed, you need to go back, check your settings for correctness and update them before repeating the test. You should also verify receipt of the test e-mail that is sent to the address specified, especially in cases where you're using localhost as the SMTP hostname. You may find the test is successful, but you never receive the test message. In this case, the message could be queued on the local server and unable to be delivered, usually because an ISP is blocking SMTP traffic.
Examples Local SMTP Server If you are running a local SMTP service on the same server, you can leave the default in place (i.e. port 25 at "localhost"). Keep in mind, this assumes that your local mail server is either:
● a) relaying directly and your ISP does not filter/block SMTP (port 25) traffic
● b) relaying through your ISP's SMTP servers
● c) configured to relay through an alternative (possibly non-standard port) relay service
ClarkConnect's ASP AV/AS SMTP Relay If the system you are configuring is subscribed to ClarkConnect's ASP Antivirus and/or Antispam service, you can use Point Clark Networks' SMTP server to relay through, bypassing any filtering (blocking) on the part of your ISP.
Field / Value
SMTP Host: antivirus.pointclark.com
Port: 2525
SSL/TLS: None
Username:
Password:
Google Mail (Gmail) With a valid Gmail account, one can easily set up ClarkConnect's 'Mailer' module to relay through Google's SMTP server. Here is an example for a user with a Gmail account of "[email protected]".
Field / Value
SMTP Host: smtp.gmail.com
Port: 465
SSL/TLS: TLS
Username: [email protected]
Password: *****
Links
● SwiftMailer
SSL Certificate Manager
Overview
SSL Certificate
Description: Allows the creation, signing, renewal and revocation of SSL certificates for implementing cryptography using SSL (v2/v3) and TLS (v1) protocols.
Package Name: cc-ssl
Configuration Page: System > Settings > SSL Certificate Manager
SSL certificates are the de-facto standard for encrypting information sent over a network and can also be used to provide authentication, as in the case of S/MIME e-mail signing. This module provides an administrator with the ability to create a Certificate Authority (CA) which can then be installed as a trusted CA on any operating system, browser or mail client in order to encrypt/decrypt communications between two computers (and/or sign e-mails). Creating your own CA and using it to sign certificates is termed "self-signing". Self-signing of certificates is as secure as purchasing signed SSL certificates from a Trusted CA like Thawte or Verisign, where prices range from $US 50-300 per year. Self-signing is extremely convenient (and cost effective!) if you are providing access to known users (i.e. employees, clients, vendors etc.). It is less convenient than a Trusted CA when dealing with unknown users such as website visitors using a browser to access your online store using HTTPS (HTTP over SSL), since the user will be prompted by their browser to trust the certificate that is presented to them. The SSL Certificate Manager module can also create Certificate Signing Request (CSR) certificates. The contents of a typical CSR certificate are shown below:
A CSR is an unsigned copy of your certificate which can then be sent to a Trusted CA to be signed. The CSR will be used by the Trusted CA to generate your signed x509 SSL certificate (CRT). The Trusted CA sends back the signed certificate which may look similar to the CSR, but is not.
Whether your CRT was self-signed or signed by a Trusted CA, it now represents the public part of a public/private key (certificate) pair. The private half of the key (usually ending in .key or -key.pem) was generated automatically during the CSR creation and should never be sent across an untrusted network (i.e. the Internet). Unless this key was intended to secure another server, it should not be moved from its directory of origin (/etc/ssl/private).
Installation This module is installed by default and should not be un-installed. SSL certificates are used by the Webconfig User Interface.
Configuration Creating a Certificate Authority A Certificate Authority (or CA) is a trusted entity which issues digital certificates for use in cryptography and/or authentication. When dealing with unknown persons, you will probably want to use a commercial CA which is in business to provide a service - verifying that an individual or organization is who they say they are, usually by way of a domain name or e-mail address. The SSL Certificate Manager module allows you to create your own CA that one can then use to sign and validate certificates. You can have users download and import this CA to validate certificates presented to them. A common and cost-effective use of a self-signed certificate is the SSL certificate that encrypts communications in the Webconfig User Interface. The module will force you to create a CA prior to allowing the creation of certificate requests, signed certificates or PKCS12 files. The form to create the CA is presented when no CA is found on the server (in the /etc/ssl directory) and is shown in a screenshot below. A brief description and suggested defaults are provided in the following sections.
Key Size This is the RSA key length. 1024b (default) is a good compromise between security and speed. Anything below 1024b can theoretically be cracked by brute force techniques. Note, this is the RSA key size and will not impact, for example, the encryption strength of a web browsing session (typically 128b, but could be 40b or 256b) that is dictated by the capabilities/settings of both the client web-browser and server.
Common Name The common name in the certificate authority can be anything. Generally speaking, you will want this to be descriptive of the purpose of the certificate as a trusted root certificate. An example might be Point Clark Networks Root Certificate Authority.
Organization Name Typically the company name or person responsible for the CA. Example - Point Clark Networks Ltd.
Organization Unit In larger organizations, the organization unit might be a department within the company, such as IT Department.
City The organization's city - for example, Toronto.
State/Province The organization's state or province - for example, Ontario or ON. Leave blank if this does not apply.
Country The organization's country - for example, Canada. The module will automatically convert the country to the 2-letter ISO-3166 country code.
E-mail The e-mail address of the person responsible for the CA within the organization - for example, [email protected].
Creating a Certificate Request or Signed Certificate Once a Certificate Authority has been created on your server, you will see a summary of the CA and any certificates you have created. If you have only just created your CA, you obviously won't have any signed certificates or PKCS12 files and your summary will look similar to the screenshot below.
Use the form below the three summary tables as illustrated above to create either a certificate request or signed certificate. For those new to SSL and encryption, it may not be immediately obvious as to the difference.
Certificate Request The certificate request is a precursor to creating a signed certificate. It contains the public half of the private/public key pair used in RSA encryption. All signed certificates originate from a certificate request. A certificate request has no expiry date associated with it, but does have all the other fields associated with a signed certificate (common name, organization name, etc.). A certificate request cannot be used for encryption on its own and must be signed (usually by a trusted CA, for an annual fee) in order to be useful.
Signed Certificate As the name implies, this is a public certificate (the public half of the RSA private/public key pair) that has been signed (verified) by a Certificate Authority (CA). The CA's service to the certificate holder and to anyone viewing the certificate is third-party validation of the authenticity of the certificate owner. For example, if the certificate is to be used on an encrypted website (HTTPS), the CA will take measures to verify that the owner of the domain matches the certificate request presented for signing. A signed certificate has both a not-valid-before and a not-valid-after timestamp that were attached to the certificate when the CA signed the request.
Creating a Certificate Request If you have determined a need for a trusted CA to sign a certificate request, you can use the Webconfig UI to generate the key. Select the purpose for the certificate (web/FTP encryption or email signing/encryption) and your RSA key size (1024b recommended) and select Use Trusted CA (fees may apply) option from the Signing Authority field. Complete the other fields as they apply (see troubleshooting below) and click Create.
Notice how the Term field disappears when you select the Use a Trusted CA option - this is by design, since certificate requests do not store expiry dates.
Creating a Signed Certificate Selecting the Self-Sign option will use the CA you created when initializing the SSL module to sign a certificate request that is created temporarily during the creation process. In the example below, we sign our own certificate, whose intended use is to sign e-mail originating from "Joe Developer" at Point Clark Networks.
There are two differences to note from the certificate request example above. First, there is an additional Term field - this field sets the expiry date, counted from the date of creation. For convenience, some users may want to set this to 25 years (essentially no expiry), but shorter terms may be desired for some applications. Second, additional fields named Import Password for PKCS12 and Verify Password for PKCS12 are visible. The Personal Information Exchange Syntax Standard (also called PKCS12) file is a convenient format for installing certificates onto client machines for use in validating e-mail signatures. The file is protected with a password because the PKCS12 file contains both the private and public keys associated with the signed SSL certificate.
Importing a Signed Certificate from a Trusted CA In order to import a signed certificate from a trusted CA, you first need a Certificate Request. If you haven't made one already, follow the steps in Creating a Certificate Request above. Certificate requests (also known as unsigned certificates) will be listed in the Unsigned Certificates table as shown in the screenshot below.
This request needs to be downloaded and sent (typically via e-mail or a web form) to a Trusted CA. Click on the View link to view the contents of the certificate, including the part a Trusted CA requires.
At this point, you have two options to download the certificate request. First, use the Download link to save the entire PEM file to your local machine. The second option is to simply select the PEM Contents text with your mouse, starting from and ending with (and including) the tag, and cut-and-paste this into an e-mail to be sent to a Trusted CA or into a web form for submittal. Once you receive the signed certificate back from the Trusted CA (a process that may take up to 48 hours), return to the SSL Webconfig page, click on View again, and this time select Import Signed Certificate from the available Actions. A web form will be displayed allowing you to paste the certificate contents.
Once "copied-and-pasted" into the form, click Save. Your certificate is now imported and ready for use.
Creating, Importing & Installing a Personal Information Exchange Syntax Standard File (PKCS12) The Personal Information Exchange Syntax Standard (or PKCS12) file is an industry standard format for storing or transporting a user's private keys, certificates or other secret information. The PKCS12 file format is used with the SSL module in ClarkConnect's Webconfig to password-protect and relate a private key tied to an e-mail address with a certificate authority in order to sign and/or encrypt e-mail.
Creating a PKCS12 File A PKCS12 file is created automatically when a self-signed certificate is created with the Purpose/Use set to Sign/Encrypt E-mail. See the section Creating a Signed Certificate for information on the fields/settings used to create the PKCS12 file alongside a self-signed certificate.
To create a PKCS12 file, you should already have a signed certificate under management with the appropriate e-mail address that will match the user's signature (i.e. e-mail address). The screenshot below shows one certificate (Joe Developer's) - in addition to the root CA - for the purpose of signing Joe's e-mail ([email protected]). To start the PKCS12 creation, click on the View link next to the certificate. Details of the certificate along with several actions which can be executed on the signed certificate will be displayed, similar to below.
If you do not see the Create PKCS12 option, it is because it already exists on the system. Return to the main menu and look under the PKCS12 Files table. Since the certificate already exists, you only need to provide the password and verification that will be used to secure the PKCS12 file.
Clicking on the "Create" button will create the PKCS12 file using the password supplied and list it for download under the PKCS12 section. See the next sub-section for information on downloading and installing the file on your computer.
Importing a PKCS12 File Provided you have been successful in creating a PKCS12 file, you should see these files listed under the PKCS12 Files table. You can delete these files at any time, knowing that a file can be re-created with a new password if necessary. Since the PKCS12 file is specific to a user, once it has been provided to the user there is no need to keep the file on the server, except for backup purposes. The screenshot below shows the PKCS12 summary, containing one file for Joe Developer. Assuming we are Joe Developer or Joe's IT administrator, we will now go through the steps to import (download) the PKCS12 file and install it.
Click on the Download link next to the PKCS12 you wish to download to your local machine (computer). Depending on your OS and browser, you will see a dialog box similar to the one shown below.
If access is from the machine where the file will be installed, you can choose "Open With", which uses the PFXFile binary in Windows. If you will be e-mailing the file or making it available for download via other means (e.g. FTP), you'll need to choose "Save to Disk" to save a copy of the PKCS12 file locally. Installing on Thunderbird: If you use Mozilla's Thunderbird e-mail client, you need to use the "Save to File" option and import the file into the client in a separate step (see below).
Installing a PKCS12 File Examples have been provided for installing PKCS12 files into two of the more popular mail clients, Thunderbird and Outlook/Outlook Express. Thunderbird
Before starting, make sure you have downloaded or received your PKCS12 file and saved it to your local machine. If you have not yet done this, see the instructions provided in the sections above. Open the Thunderbird mail client and click on Tools > Account Settings. Click on the Security summary under your account. You should see a form similar to the screenshot provided below.
Click on View Certificates under the Certificates section. Under the Your Certificates tab, click on Import. Use the file manager dialog pop-up to select the PKCS12 file you saved to your computer earlier. At this point, you may be prompted to create a master password for the security device. Choose a password you can remember but that is also difficult for anyone to guess. You will need to use this password each time you close and re-open Thunderbird to send a signed or encrypted e-mail. You will then be prompted for the password for the PKCS12 file you are about to import. This is the password that was used during the creation of the PKCS12 file using the ClarkConnect SSL Manager module. You should now see your certificate installed under Your Certificates.
You're not quite done - note how the Purposes field indicates Issuer Not Trusted. What you did not see happen transparently when installing the PKCS12 file is the import of a trusted CA under the Authorities section. You need to explicitly confirm what purpose Your Certificate can be used for. Click on the Authorities tab and scroll down until you find the Certificate Authority that was used to sign the certificate used to create the PKCS12 file. When you find your CA in the list, click once to highlight it and then click on the Edit button. A pop-up dialog box will be displayed as shown below.
Place a check mark in each checkbox, and click OK. Go back to the Your Certificates tab - you should now see that the message Issuer Not Trusted has been replaced with Client, Server, Sign, Encrypt. Close the Certificate Manager dialog window and click on either of the Select buttons in the Digital Signing or Encryption sections. You will be prompted to select a certificate from a drop-down box which will likely just have the one certificate you installed. Select it, and click OK. Close the Account Settings dialog window by clicking OK.
Congratulations - you can now sign e-mail and receive encrypted e-mail if senders use your public key to encrypt the message. Outlook/Outlook Express
Outlook and Outlook Express use the Windows OS certificate manager to perform message signing and encryption/decryption. The following help section describes how to install a PKCS12 file on Microsoft's XP platform. Click on Start > Control Panel and select Internet Options from the menu system. Select the Content tab.
Working in the Certificate dialog box pop-up, select the Personal tab and click on the Import button. An Import Wizard will start up, taking you through the process in steps. Click Next to continue. Click on the Browse button and find the PKCS12 file that you saved to your system. Note, you may have to change the default file type from X509 to Personal Information Exchange to see the proper extensions. Click Next to continue. The wizard will then ask you for the password. Enter the password you used in the ClarkConnect SSL Manager module when creating the PKCS12 file. It's also a good idea to check off both check boxes for additional security.
Keep the default location to store the certificate - Personal Store. Click Next to continue. Click Finish to complete the PKCS12 install. Unlike Thunderbird, Microsoft automatically enables the uses for the certificate.
Congratulations - you can now sign e-mail with Outlook and receive encrypted communications from people using your public key.
Renewing a Certificate Certificates that have been self-signed by the locally created Certificate Authority can be renewed at any time. Click on the View link, followed by the Renew button under the action options. A form similar to the one below will allow you to select the term to extend the original certificate in addition to re-issuing a new PKCS12 file with password.
When renewing a certificate that was not self-signed, a new certificate request will be created which can then be sent to a Trusted CA for signing and subsequent import.
Troubleshooting There are really only two fields in the certificate generation process that can get you into trouble: Common Name and E-mail. These fields are explained below in relation to the two typical applications of SSL certificates (web and e-mail).
Web/FTP Common Name Field For websites or FTP, the Common Name field must match exactly the domain name of the site.
E-mail Field Typically, this field would be the e-mail address of the web master or some alias referring back to support.
Example Website URL: https://secure.clarkconnect.com/webapp/ Common Name = secure.clarkconnect.com E-mail = [email protected]
E-mail Signing/Encryption Common Name The common name is typically the full name of the individual.
E-mail Field This field must match exactly the e-mail address of the sender who intends to include a signed signature and/or receive encrypted communications.
Example E-mail Address of Sender: [email protected] Common Name = Joe Developer E-mail = [email protected]
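To make the request, sign and check flow above concrete, here is an added example (not ClarkConnect's own code) using only Go's standard library: it builds a local root CA like the one the SSL module initializes, creates a certificate request (which carries no Term), self-signs it for either the Web/FTP or the Sign/Encrypt E-mail purpose with a chosen Term, and then applies the two troubleshooting rules (host name must match exactly; sender address must match the E-mail field exactly). The function names newCA, newRequest, signRequest and checkCert and the sample names in the tests are my own; keyBits is left as a parameter (the manual's 1024-bit default still works, but current Go toolchains refuse anything smaller).

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"slices"
	"time"
)

// newCA is the self-signed root the SSL module creates on first use (25-year term: "essentially no expiry").
func newCA(keyBits int, cn, org string) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, keyBits)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn, Organization: []string{org}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(25, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(der)
	return ca, key, err
}

// newRequest is the certificate request: a fresh key pair whose public half is
// bundled with the form fields. No Term: a CSR carries no validity dates.
func newRequest(keyBits int, cn, org, email string) ([]byte, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, keyBits)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn, Organization: []string{org}}}
	if email != "" { // the form's E-mail field, used for Sign/Encrypt E-mail
		tmpl.EmailAddresses = []string{email}
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return der, key, err
}

// signRequest is the Self-Sign path: after checking the request's own signature
// (proof the requester holds the key), the CA issues a certificate dated by Term.
func signRequest(ca *x509.Certificate, caKey *rsa.PrivateKey, csrDER []byte,
	forMail bool, termYears int) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // unique enough for a demo
		Subject:      csr.Subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(termYears, 0, 0),
	}
	if forMail { // Sign/Encrypt E-mail: the E-mail field becomes the SAN
		tmpl.EmailAddresses = csr.EmailAddresses
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}
	} else { // Web/FTP: clients match the host against the SAN, so copy the CN there
		tmpl.DNSNames = []string{csr.Subject.CommonName}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkCert applies the troubleshooting rules: the chain must lead to the trusted
// CA, and the name must match exactly (site host for Web/FTP, sender for e-mail).
func checkCert(ca, cert *x509.Certificate, forMail bool, name string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, DNSName: name, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if forMail { // no host check for e-mail; the SAN comparison below does it
		opts.DNSName, opts.KeyUsages = "", []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}
	}
	if _, err := cert.Verify(opts); err != nil {
		return err // untrusted issuer, expired, or host name mismatch
	}
	if forMail && !slices.Contains(cert.EmailAddresses, name) {
		return fmt.Errorf("E-mail field %v does not match sender %q", cert.EmailAddresses, name)
	}
	return nil
}
```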
Links
● OpenSSL
● Public Key Cryptography
● CA Cert
● Certificate Authorities
Webconfig Overview Webconfig
Information
Description: Webconfig settings.
Package Name: cc-webconfig
Configuration Page: System > Settings > Webconfig
The Webconfig settings page allows you to change the look and feel of the web-based interface.
Configuration A variety of templates are available for the web-based administration tool; select the one that most appeals to you.
Modules Database MySQL Overview Database
Information
Description: MySQL relational database.
Package Name: cc-mysql
Configuration Page: Software > Database > MySQL Setup
The Webconfig UI for MySQL provides login configuration/management for the phpMyAdmin web interface, a separate UI that allows full control over your MySQL databases.
Installation If you did not select this module to be included during the installation process, you must first install the module.
phpMyAdmin Once you have set the database master password, you can log in to the phpMyAdmin administration interface. Use: Username: root; Password: the database master password you set.
Links
● MySQL home page
● phpMyAdmin home page
Email Antispam Overview Antispam
Information
Description: Antispam for mail servers.
Package Name: cc-spamassassin
Configuration Page: Software > Mail > Antispam
The antispam software works in conjunction with your mail server. The software identifies spam using a wide range of algorithms on e-mail headers and body text. ClarkConnect also includes greylisting and additional blacklists -- both are effective tools that can be used to detect spam.
Installation If you did not select this module to be included during the installation process, you must first install the module.
Configuration Discard Policy (Block Policy) If you want to discard spam before it reaches mailboxes, you can configure the mail discard policy. For example, you can discard spam marked with high probability (or higher) by using this tool.
Subject Tag
● Use Subject Tag - enable/disable e-mail subject tag when e-mail is marked as spam
● Subject Tag Threshold - spam score required to trigger a change in the e-mail subject
● Subject Tag - the subject tag to use when e-mail is marked as spam
A subject tag can be added to messages marked as spam. For instance a spam message with the subject "Premier Invest0r Rep0rt" will be transformed into "[SPAM] Premier Invest0r Rep0rt". This feature makes it easy for end users to identify and filter spam.
Image Processing (OCR) Enabling Image Processing will improve the spam identification rate for spam messages containing images. Using OCR (Optical Character Recognition), the antispam engine will convert images to text and perform analysis on the word content of the image.
White and Black Lists
● White List - a list of e-mail addresses that should never be marked as spam
● Black List - a list of e-mail addresses that should always be marked as spam
The antispam engine includes both white and black lists. The white list is used to mark e-mail addresses that send non-spam, while the black list is used to mark e-mail addresses that are known spam. Among others, newsletters and legitimate e-commerce e-mail can sometimes be marked as spam. The e-mail addresses for these messages can be added to the white list to prevent the message from becoming marked as spam. E-mail addresses in the white and black lists can use the * wildcard character to match any characters. For instance, *@example.com and *.gov will mark all e-mail from the example.com and .gov domains.
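As an added illustration (not the module's own code) of how the subject tag, its threshold, the discard policy and the wildcard lists fit together, the Go snippet below matches sender addresses against * patterns such as *@example.com and *.gov, lets a white-list hit override any score, forces a black-list hit to be spam, and otherwise tags and discards by score. SpamConfig, Classify and the sample thresholds are constructed names and values of my own.

```go
package main

import (
	"path"
	"strings"
)

// SpamConfig mirrors the Antispam settings discussed above (constructed names).
type SpamConfig struct {
	UseSubjectTag bool     // Use Subject Tag
	TagScore      float64  // Subject Tag Threshold: score at which the subject is changed
	SubjectTag    string   // Subject Tag, e.g. "[SPAM]"
	DiscardScore  float64  // Discard Policy: score at or above which mail is dropped
	WhiteList     []string // senders never marked as spam
	BlackList     []string // senders always marked as spam
}

// Verdict is the decision for one message.
type Verdict struct {
	Spam    bool
	Discard bool
	Subject string // subject line after any tagging
	Reason  string
}

// matchList returns the first pattern matching addr. A * in a pattern matches any
// run of characters, so *@example.com covers a whole domain and *.gov a whole TLD.
func matchList(patterns []string, addr string) (string, bool) {
	addr = strings.ToLower(addr)
	for _, p := range patterns {
		// path.Match treats only "/" as a separator, which is not expected in an address
		if ok, _ := path.Match(strings.ToLower(p), addr); ok {
			return p, true
		}
	}
	return "", false
}

// Classify consults the lists first (white list wins, then black list) and falls
// back to the score; the discard decision stays score-based.
func (c SpamConfig) Classify(from, subject string, score float64) Verdict {
	v := Verdict{Subject: subject}
	if p, ok := matchList(c.WhiteList, from); ok {
		v.Reason = "white list " + p
		return v
	}
	if p, ok := matchList(c.BlackList, from); ok {
		v.Spam, v.Reason = true, "black list "+p
	} else if score >= c.TagScore {
		v.Spam, v.Reason = true, "score above threshold"
	}
	if v.Spam && c.UseSubjectTag {
		v.Subject = c.SubjectTag + " " + subject
	}
	v.Discard = v.Spam && score >= c.DiscardScore
	return v
}
```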
Improving Effectiveness Spam Training You can improve the effectiveness of the antispam engine by training it (see Antispam - Training below).
Greylisting and Blacklists ClarkConnect also includes Mail Filters (Greylisting) and additional blacklists -- both are effective tools that can be used to detect spam.
Links
● SpamAssassin website
Antispam - Quarantine Overview Antispam - Quarantine
Information
Description: Antispam for mail servers.
Package Name: cc-dspam
Configuration Page: Software > Mail > Antispam - Dspam
The Dspam antispam system tracks e-mail by mailbox. In other words, the antispam system bases its decisions on individual spam databases for each user on the system.
Installation If you did not select this module to be included during the installation process, you must first install the module. Since the Dspam antispam solution requires specific details about mailboxes and aliases, the software is not available on systems configured as a mail gateway. For example, a message destined to [email protected] forwarded to an Exchange server may end up in Mary and David's mailbox. It is not possible for the Dspam system to determine this information in mail gateway mode.
Configuration Signature Location The antispam system tracks important elements and statistics on every e-mail message that you receive. This information is then stored as a "signature" -- basically a unique identification number. To train the antispam system (see next section), this signature must be included in an e-mail. You can track these signatures either in the body of the message, or in the message header.
Headers
● advantage: does not clutter the body of e-mail messages
● disadvantage: message must be forwarded as an attachment to train the antispam system
Body
● advantage: message can be forwarded (no attachment) to train the antispam system
● disadvantage: spam signature clutters the body of e-mail messages
Subject Tag Select the subject tag used to mark any message deemed to be spam.
Improving Effectiveness - Spam Training You can improve the effectiveness of the antispam engine by training the spam engine.
Links
● Dspam
Antispam - Training Overview You can improve the effectiveness of the antispam systems on your ClarkConnect system by identifying: ● Messages that were spam, but not identified as such ● Messages that were innocent, but identified as spam (false positive) With a week or two of diligent training with these messages, you can expect to see a more effective antispam engine.
Installation At least one of the antispam engines must be installed on your system. ● SpamAssassin ● Dspam
Training There are two ways to train the antispam systems on your ClarkConnect system: webmail and mail-forwarding.
Webmail Training the antispam system via webmail is simple and more effective. Simply select the messages that you wish to process and press either the Report as Spam or Report as Innocent buttons (see screenshot). You will then be shown a confirmation message before the actual processing takes place.
E-mail Forwarding Training via e-mail forwarding is available in version 4.1 or later. Training via e-mail forwarding is not as effective since information is lost when you forward a message. If you decide to use this method, there are two e-mail addresses used for training: ● [email protected] -- e-mail address for messages incorrectly identified as spam ● [email protected] -- e-mail address for spam that was not identified as such In order to use this style of spam training, messages must be forwarded as an attachment (see screenshot).
Links
● Dspam
Antivirus Overview Antivirus
Information
Description: Antivirus for mail servers.
Package Name: cc-clamav
Configuration Page: Software > Mail > Antivirus
The antivirus system scans mail messages as they pass through your mail server.
Installation If you did not select this module to be included during the installation process, you must first install the module.
Configuration Mail Policies When configuring the antivirus system, you must make some mail policy decisions. There are three types of policies available:
● Bounce - bounce the e-mail
● Discard - silently discard the e-mail
● Pass Through - send e-mail with warning (original sent as an attachment)
Virus Detected Policy When a virus is detected, you can choose to either discard the message, or pass the message through. We recommend discard mode for most installations.
Banned File Extension Policy
The antivirus software not only performs virus scanning, but also manages file attachment policies. Certain types of file attachments are prone to viruses. The ability to block attachments by file extension is another layer of security for your mail system.
Banned File Extensions Select the file extensions that you wish to ban from going through your mail system. Both internal and external mail are checked.
Links
● ClamAV web site
Aliases Overview Aliases
Information
Description: Mail server aliases tool.
Package Name: cc-postfix
Configuration Page: Software > Mail > Aliases
Mail aliases allow you to route extra e-mail addresses (for instance sales@, info@, etc) to one or more e-mail addresses. This tool can also be used to create mail distribution lists - for example, [email protected] can be used to send e-mail to all users on the system.
Installation If you did not select this module to be included during the installation process, you must first install the module.
Configuration Add Mode When you first click on the "Mail Aliases" navigation link, current aliases set up by domain will be displayed (along with Edit and Delete options) and a form below this list provides the fields required to add a new alias. In other words, you are in "add mode".
As an example, if you wanted to create an email alias mapping veruca.salt to a user that you had created on the system named 'veruca', enter "veruca.salt" in the "Alias" field and select "veruca" from the "Available" mail accounts list, then click "Add". There is no limit to how many mailbox accounts an aliased name can be sent to. For example, if you wanted all three people to receive all email sent to the address "[email protected]", you could add the alias "sales" and select the three users on the "Available" list. Multiple users can be selected by holding down the "Control" key on your keyboard while clicking on the user in the list.
Edit Mode To enter "edit mode", you must have at least one alias present. Click on the "Edit" link next to the alias you wish to edit. The form below will now display which of the available recipients are set up as aliased (highlighted) and which are not (listed as available but not highlighted). Select/deselect amongst the available recipient names using the "Control" key and your mouse and click "Update" to save your settings.
Add External E-mail (Mail Forwarding) Mail forwarding to another address/server can be done by adding the e-mail address to the External E-mail field and clicking on the "Add" link, as shown in the screenshot below.
Troubleshooting If you are working with multiple domains on your system (i.e. virtual domains are being used), make sure to select the correct domain from the drop down list prior to starting your edits.
Links
● Adding users to the server
Mail Archive Overview Aliases
Information
Description: Mail archival system for mail servers.
Package Name: cc-archive
Configuration Page: Software > Mail > Archive
The Mail Archival System logs all incoming and outgoing e-mail passing through the gateway to a central database. This module can be used to meet regulatory compliance or assist an organization to enforce internal policies for e-mail use in the workplace.
Installation If you did not select this module to be included during the installation process, you must first install the module. This module is only available for ClarkConnect Office/Enterprise Edition, 4.2 and above.
Configuration On first configuring the mail archiver after installation, a warning will be displayed prompting the user to initialize the database. This is perfectly normal and should be done before continuing.
A table containing three form tabs is displayed as indicated in the screenshot above.
● Mail Archive Settings - General configuration settings
● Current Statistics - Data and actions relating to the current database
● Search Statistics - Data and actions relating to the search database
The difference between the Current and Search databases is explained below.
E-mail Archive Settings Activation and configuration of the e-mail archive system can be done via the "Mail Archive Settings" tab. The section below explains each setting in detail.
Archive [Enable/Disable] Enables or disables the archiving of e-mail passing through the SMTP server.
Policy Allows an administrator to archive all e-mail passing through the server or to restrict (exempt) certain users, as required. Set this to "All messages" to archive e-mail for every user. Select "Filter messages" to configure a filter that archives only some users' e-mail.
Configure (Policy) A configure link will be displayed when "Filter messages" is selected as the policy. Click on this link to fine-tune which users' e-mail should be archived.
Discard Attachments The "Discard Attachments" drop-down option is only available when the "Policy" is set to "All messages" - otherwise, discarding of attachments is configured on the 'Configure' page. To save storage space (and assuming attachments are not required to be archived by corporate policy or law), select "Always". Otherwise, select the level at which attachments should be discarded (e.g. "Never", > 1MB, etc.). Files which are identical but attached to different e-mails only consume the size of the file once, not N x the size of the file, where N is the number of e-mails going through the archive system with the same attachment.
Auto Archive Auto archive controls the movement of archive data from the "Current" database to an archived file. This allows the e-mail archive to be easily moved from the server to a storage medium (for example, another server, a USB Mass Storage Device, a tape drive, etc.) for safe storage. All e-mails that have been archived to this file can be retrieved and searched at a later date, if required. Use this field to produce consistent archive files for a given period (e.g. weekly or monthly) or of a certain size (e.g. a DVD).
Encrypt Archives The transfer of data from the database to a dump file can be encrypted to prevent unauthorized access. This can be extremely important (and may be required by law) if e-mails contain confidential information.
AES Encryption Password The password used to encrypt the archive file if "Encrypt Archives" is set to "Yes". By default, this password must be at least 12 characters and contain both upper and lower case letters and at least 1 number. Twelve characters was chosen as the minimum length to ensure the security of the encrypted file. If a shorter password is desired, you can override this setting in the /etc/archive.conf file by setting the 'encrypt-password-length' parameter.
Searching the Database Archives Current vs. Search Database The mail archive operates using two databases. The 'Current' database is used to retrieve and store new messages arriving from the SMTP (mail) server. The 'Search' database is a transient database - its contents can be deleted and replaced with data corresponding to the search requirements and space of the drive. The dual-database system is designed for maximum scalability. A single database could quickly become of such enormous size that an administrator would be continually adding drive storage space to accommodate the email archives. By giving the user the ability to take certain sized (or certain periods of time) snapshots from the current database and allowing one or more to be loaded to the 'Search' database, searching for past emails can be done quickly and efficiently without the overhead of hundreds of GB of disk space. Think of the search database as a 'sandbox', where archives can be dumped, searched and then removed (reset).
The Current Database The current database contains all archived e-mails since the last file archive was performed. A file archive can either be performed manually or can occur automatically if the Auto Archive setting is enabled and triggered.
Performing a Search To view how many e-mails are in the 'Current' database and the approximate size of the archive, click on the Current Statistics tab.
Click on the Search button. A new form will be displayed allowing you to enter your search criteria.
Using the add links you can customize your search with a maximum of five (5) criteria combined with either AND or OR logic (Match all vs. Match any). The results of your search will be displayed in the results table below.
The Search Database The Search Database will normally be empty until at least one file-based mail archive restore is performed (or if data from a prior search is still in the database). Remember, the Search Database is designed to be reset often so that you can work with datasets that scale with the ever-increasing volume of archived e-mail. To restore a file-based archive, click on the Restore Archive button.
All prior restores will be listed in the Archives table. Rows with a green status mean the link is intact (archive exists on the server). Rows with a red status icon indicate the link is broken. If you need to restore from a file whose status is red (broken link), you will need to use Flexshare and the storage device where the archive was moved to in order to re-establish the link. Simply click on the Restore button to start a restore to the Search database. Once complete, you can Search the database as normal.
Performing a Search To navigate to the Search Database, go to the Mail Archive page and click on the Search Statistics tab. If there is data that you wish to search in the database (given the statistics you may find that there is data, but you do not remember which file archive it originates from - in this case, it is advised to reset the database and start again), click the Search button. A search form will be displayed - the same one used when searching the Current Database. You can toggle between searching the Current and Search databases by selecting the appropriate radio button in the search form. Enter your search criteria and click Search. Any hits (results) will be displayed in the table below.
Resetting the Search Database Since the Search Database is simply a MySQL database created by the import of one or more archive files, it is perfectly safe to Reset the search database to reinitialize it. You may want to reset the search database to make searching faster, or because searching an entire index (e.g. a mail archive spanning several years) becomes too large a dataset for your existing hard disk.
Viewing/Restoring E-mails Once an e-mail has been found using a search procedure, click on the View link next to the e-mail of interest. A new page will be displayed containing the email body contents. Original Header
It is sometime of interest to view the original e-mail header. This information is stored in the archive database and can be viewed by clicking on the Original Header link (a '+' icon). The screen capture below displays an e-mail view with the headers expanded.
Sending
To resend the e-mail (either to the original recipient or to a different user), click on the Resend Email link. A new form will appear allowing you to resend the e-mail. Resending uses the SMTP relay module, so make sure it has been configured correctly to send outgoing mail through your local mail server or your ISP.
Admin (root) Account vs. User Account
The mail archives (both Current and Search databases) can be searched by the system administrator (logged in under the 'root' account) or by users. To give users access to the archive, use the System Administration ACL to grant specific users access to the Mail Archive module. When logged in as 'root', all e-mails matching a search query will be returned. However, when logged in as a 'user' system administrator, only e-mail that has been sent to or by that user will be returned from a search query. In other words, users can view/restore mail that was sent or received by them, but nobody else's.
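The two rules above (up to five criteria combined with Match all or Match any, and results scoped to the account doing the searching) can be seen together in the following added example. It is illustration code written for this manual page, not ClarkConnect's own archive code; the archive rows, the account names and the criterion format are constructed for the example.

```python
"""Added example, not ClarkConnect code: AND/OR criteria matching over a
constructed mail archive, with results scoped by the searching account
(root sees everything; a user sees only mail sent to or by that user)."""

from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed sample archive rows (only the fields we search on).
ARCHIVE: List[Dict] = [
    {"id": 1, "sender": "alice@example.com", "recipients": ["bob@example.com"],
     "subject": "Q3 invoice", "body": "Invoice attached."},
    {"id": 2, "sender": "carol@example.com",
     "recipients": ["alice@example.com", "dave@example.com"],
     "subject": "Lunch", "body": "Invoice? No, lunch plans."},
    {"id": 3, "sender": "dave@example.com", "recipients": ["carol@example.com"],
     "subject": "Server maintenance", "body": "Reboot at 2am."},
    {"id": 4, "sender": "mallory@example.net", "recipients": ["bob@example.com"],
     "subject": "Invoice overdue", "body": "Click here."},
]

MAX_CRITERIA = 5  # the form allows a maximum of five criteria
SEARCHABLE = ("sender", "recipients", "subject", "body")


@dataclass(frozen=True)
class Criterion:
    field: str    # one of SEARCHABLE
    needle: str   # case-insensitive substring to look for

    def matches(self, row: Dict) -> bool:
        value = row[self.field]
        if isinstance(value, list):
            return any(self.needle.lower() in v.lower() for v in value)
        return self.needle.lower() in value.lower()


def visible_to(row: Dict, account: str) -> bool:
    """Scoping rule: 'root' sees all rows; a user sees mail sent to or by them."""
    if account == "root":
        return True
    return row["sender"] == account or account in row["recipients"]


def search(criteria: Iterable[Criterion], *, match_all: bool, account: str,
           archive: List[Dict] = ARCHIVE) -> List[int]:
    """Return ids of rows the account may see that satisfy the criteria,
    combined with AND (match_all=True) or OR (match_all=False)."""
    criteria = list(criteria)
    if not 1 <= len(criteria) <= MAX_CRITERIA:
        raise ValueError(f"between 1 and {MAX_CRITERIA} criteria are required")
    for c in criteria:
        if c.field not in SEARCHABLE:
            raise ValueError(f"unknown field {c.field!r}")
    combine = all if match_all else any
    return [row["id"] for row in archive
            if visible_to(row, account)
            and combine(c.matches(row) for c in criteria)]


if __name__ == "__main__":
    crit = [Criterion("subject", "invoice"), Criterion("sender", "alice")]
    print("root, match all:", search(crit, match_all=True, account="root"))
    print("root, match any:", search(crit, match_all=False, account="root"))
    print("alice, match any:",
          search(crit, match_all=False, account="alice@example.com"))
```

The scoping check runs before the criteria are evaluated, so a user cannot learn whether a phrase occurs in someone else's mail by watching the hit count.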
Advanced Users Accessing the Database
This module makes use of the system MySQL service for the database back-end. The system MySQL server is a 'sandboxed' service running on a non-standard port. To access the database from the command line, you will need to fetch the database password:
# cat /etc/system/database
password = AAAAAAAAAAAAAAA
reports.password = BBBBBBBBBBBBBB
zoneminder.password = CCCCCCCCCCCCCCC
archive.password = PASSWORD
dspam.password = DDDDDDDDDDDDD
The e-mail archive database password is keyed on 'archive.password'. Next, you will need to access the MySQL console in a slightly different manner than with the default MySQL server:
/usr/share/system-mysql/usr/bin/mysql DBNAME -uUSER -pPASSWORD
Where:
DBNAME = archive_current or archive_search
USER = archive
PASSWORD = the password retrieved from the /etc/system/database file
Troubleshooting
What if I forget my password?
In a word: don't. If you forget your archive password, there is absolutely no way to recover any email from the encrypted mail archive file.
Links
● Using Flexshares
Mail Filters (Greylisting)
Overview
Greylisting Information
Description: Greylisting and filters for mail servers.
Package Name: cc-filters
Configuration Page: Software > Mail > Filters
Greylisting and mail filters are extra tools to prevent spam from reaching your users' mailboxes.
Installation
If you did not select this module to be included during the installation process, you must first install the module.
Configuration
Greylisting
Greylisting can dramatically reduce the amount of spam reaching your mailboxes. When the service is enabled, a mail message from a sender that is not recognized will be gently rejected. If the mail message is legitimate, the sending mail server will re-attempt delivery and the ClarkConnect server will then accept it. For the most part, spammers do not bother with the second delivery attempt, and this results in less spam. The parameters that you can use to fine-tune the greylisting engine are described below.
Status
State of the greylisting engine.
Delay
The amount of time that must pass before a subsequent delivery attempt is allowed.
Data Retention Time
The greylisting engine keeps track of both mail servers and sender e-mail addresses for a specified amount of time (default is 35 days). If a message from a validated sender or server arrives, the greylisting engine will accept delivery on the first attempt. For example, if [email protected] sends an e-mail to one of your users on a weekly basis, only the very first mail message is delayed. All subsequent messages are delivered automatically since [email protected] has been validated.
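The Delay and Data Retention Time parameters interact in a way that is easier to see in code. The following is an added example written for this page, not Postgrey's or ClarkConnect's implementation: it tracks a (client IP, sender, recipient) triplet, which is an assumption about how senders are "recognized"; the 300-second delay is an assumed default, while the 35-day retention comes from the manual.

```python
"""Added example, not Postgrey/ClarkConnect code: a minimal greylisting
engine showing first-attempt rejection, acceptance after the Delay, and
forgetting of idle senders after the Data Retention Time."""

from dataclasses import dataclass, field
from typing import Dict, Tuple

DAY = 86_400  # seconds


@dataclass
class Triplet:
    """State kept per (client IP, sender, recipient)."""
    first_seen: int
    last_seen: int
    validated: bool = False


@dataclass
class Greylister:
    delay: int = 300            # Delay parameter; 300 s is an assumed default
    retention: int = 35 * DAY   # Data Retention Time: 35 days per the manual
    table: Dict[Tuple[str, str, str], Triplet] = field(default_factory=dict)

    def _expire(self, now: int) -> None:
        # Forget triplets that have been idle for longer than the retention time.
        stale = [k for k, t in self.table.items()
                 if now - t.last_seen > self.retention]
        for k in stale:
            del self.table[k]

    def check(self, client_ip: str, sender: str, recipient: str, now: int) -> str:
        """Return 'accept' or 'tempfail' (the 'gentle' rejection, an SMTP 4xx)."""
        self._expire(now)
        key = (client_ip, sender.lower(), recipient.lower())
        entry = self.table.get(key)
        if entry is None:
            # First contact: remember it and ask the sender to try again later.
            self.table[key] = Triplet(first_seen=now, last_seen=now)
            return "tempfail"
        entry.last_seen = now
        if entry.validated:
            return "accept"               # already validated: no delay at all
        if now - entry.first_seen >= self.delay:
            entry.validated = True        # a real MTA retried after the delay
            return "accept"
        return "tempfail"                 # retried too soon: still greylisted

    def validated_count(self) -> int:
        return sum(1 for t in self.table.values() if t.validated)


if __name__ == "__main__":
    g = Greylister()
    t0 = 1_000_000
    triplet = ("203.0.113.5", "news@example.com", "user@example.org")  # constructed
    for offset in (0, 60, 400, 7 * DAY):
        print(f"+{offset:>8}s:", g.check(*triplet, t0 + offset))
    # A spam source that never retries is never accepted.
    print("spam bot:", g.check("198.51.100.77", "x@spam.example", "user@example.org", t0))
    print("validated senders:", g.validated_count())
```

Two operational details follow from the model: a sender that retries before the delay has elapsed is still deferred, so a very long delay will hold up legitimate mail from aggressive retry schedules, and any sender idle for longer than the retention time is greylisted again on its next message.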
Blacklists
ClarkConnect provides extra mail blacklists to protect against spam. You can enable or disable this blacklist at any time.
Links
● Postgrey
● SA-Blacklist
Maildrop
Overview
Maildrop Information
Description: Fetchmail/maildrop software to fetch mail from external servers.
Package Name: cc-fetchmail
Configuration Page: Software > Mail > Maildrop
The fetchmail package can conveniently retrieve mail from other servers allowing the 'centralization' of e-mail on a single server.
Installation
If you did not select this module to be included during the installation process, you must first install the module.
Configuration
Any number of servers can be added to the maildrop list using the "Add Maildrop Entry" form. The polling interval can be configured from 1 minute up to 3 hours.
Field - Description
Server - The server name. For example, gmail.com.
Protocol - The server protocol. Currently, the POP3, IMAP and APOP protocols are supported. If you do not know the protocol, you can have the system autodetect it by selecting 'auto'.
Username - The username on the source server.
Password - The password on the source server.
Local User - The username of a mail account configured to receive mail on the server you are configuring.
Keep on Server - Enable this checkbox to leave a copy of the mail on the server.
Active - Enable this checkbox to start polling the remote server for mail to fetch.
As with any other POP3 or IMAP connection, your username and password for the mail account on the destination mail server will be passed in clear text.
Troubleshooting
Have a look at the system logs if you are having problems. The fetchmail daemon logs to /var/log/maillog. Ignore any entries you see similar to:
Server CommonName mismatch: localhost.localdomain != mail.pointclark.net
This entry is a result of fetchmail attempting to use SSL for authentication.
Links
● Fetchmail Home Page
POP and IMAP
Overview
POP and IMAP Information
Description: Mail access for desktop mail clients.
Package Name: cc-cyrus
Configuration Page: Software > Mail > POP and IMAP
ClarkConnect provides both POP and IMAP servers for providing mail delivery to desktop clients.
Installation
If you did not select this module to be included during the installation process, you must first install the module.
Configuration
Server Configuration
Mail Server Protocols
The mail server supports four different protocols (see screenshot):
● IMAP
● Secure IMAP
● POP
● Secure POP
We strongly suggest using the secure protocols if possible. Keep in mind, you will need to generate an SSL Certificate to enable the secure protocols.
Push E-mail
Some mail clients support the push e-mail feature (also known as IMAP IDLE). With this feature enabled on both the server and the client, e-mail will appear in your mailbox as soon as it arrives. This feature is most useful on wireless and hand-held devices. The following mail clients are known to support push e-mail (IMAP IDLE):
● Thunderbird - Many platforms
● Chattermail - Palm Treo
● FlexMail - Windows Mobile
Mail Client Configuration
Secure POP - Mozilla Thunderbird
If you are using Mozilla's Thunderbird, click on "Tools > Account Settings", then select "Server Settings" from the navigation bar. Ensure the "Use secure connection (SSL)" checkbox is enabled.
Secure POP - MS Outlook/Outlook Express
For Outlook and Outlook Express, click on "Tools > Accounts", select the account you wish to configure and click on the Properties button.
Next, click on the "Advanced" tab, and ensure the "This server requires a secure connection (SSL)" checkbox is enabled.
Secure POP - Other Mail Clients
For other mail clients, similar set-up/configuration will exist. Please refer to documentation for your mail client for specific instructions.
Troubleshooting
Do not forget to open up firewall ports for e-mail. You only need to open the POP or IMAP ports if you plan on picking up your mail from outside your local network. The default ports are listed below:
● POP - 110
● Secure POP - 995
● IMAP - 143
● Secure IMAP - 993
Links
● Dovecot Secure IMAP Server
● Setting up a Mail Server - SMTP
● Adding Users
● Adding incoming firewall rules
Mail Server - SMTP
Overview
Mail Server - SMTP Information
Description: SMTP/MTA mail server.
Package Name: cc-postfix
Configuration Page: Software > Mail > SMTP Mail Server
You can manage your own mail server. There are a number of reasons this might be advantageous:
● Ability to have a customized user and domain name, i.e. [email protected]
● Mailboxes limited only by hard disk storage capacity and your own administration settings
● Alias support, i.e. [email protected] can be sent to [email protected] and [email protected]
● No waiting around for new users to be added
● Custom antispam control
● Antivirus support
● Privacy
● Full control
Services
Point Clark Networks provides an MX backup service for mail servers. Please visit the Gateway Services page for details.
Installation
If you did not select this module to be included during the installation process, you must first install the module.
Configuration
SMTP Mail Configuration
General Settings
The Hostname does not have to be related to the e-mail domains that you host. It can be ANY valid Internet name for your machine. For example, you may wish to have a dedicated mail server on your network. In this case, you might want to name this machine mail.yourdomain.com. This would be the Hostname you would enter.
The Primary Domain field indicates the domain name this server will act as an SMTP/mail server for. If you have a single domain name that you receive mail for, enter the domain here.
If the SMTP Authentication field is set to on, any client attempting to send mail through the server will be required to supply a username/password before mail is accepted for delivery.
The Maximum Message Size sets the maximum size of an individual mail message. Most Internet service providers (ISPs) block mail larger than 10 or 20 MB, so do not expect larger messages to be delivered to outside users. Due to the way e-mail systems work, an attached file may be 50% larger once attached.
The Catch-All setting can be used to catch mis-addressed e-mail and deliver it to a specific user account. We highly recommend avoiding this feature for the following reasons:
● Your system will scan all messages for viruses and spam instead of bouncing the message right away. This means more system resources (CPU, RAM) are required.
● Your system will attract more spam. Spammers will avoid invalid e-mail addresses, but setting a catch-all user means all e-mail addresses in your domain are valid.
SMTP Authentication - Thunderbird
For Mozilla's Thunderbird, click on "Tools > Account Settings" and then click on the "Outgoing Server (SMTP)" entry. You should see a window similar to the screenshot below.
Ensure the "Use name and password" setting is checked and enter the username of the mail account in the username field. The password will be requested by the mail client application on the first attempt to send mail. There will be an option to save it to the "Password Manager" so that you do not have to enter it each time you send mail through the server.
SMTP Authentication - MS Outlook/Outlook Express
If you are using MS Outlook/Outlook Express, click on "Tools > Accounts". Select the account which will use this mail server to send mail and click on "Properties".
Make sure the "My server requires authentication" checkbox is checked. Click on the "Settings" button to enter the details of your username/password.
Setting the Catch All User to a valid user on the server will pass all mail sent to an "Unknown user" to this account. To bounce mail addressed to an invalid recipient, set it to Return to sender.
Trusted Networks
A trusted network is a list of networks that are allowed to send mail through the SMTP server. Dynamic IPs should not be added to this list. It is important that you do not make an error with this parameter. The default setting allows any user with a 192.168.x.x address to send e-mail through the server. If you use a 10.x.x.x address, you should add 10.0.0.0/8 to the list of trusted networks.
Outbound Relay Hosts
Some ISPs will block all traffic on port 25 unless it is destined for their mail servers. In this case, you would want to specify your ISP's mail server as the Outbound Relay Host. In addition, if you are subscribed to the ASP Antivirus service and want to scan your users' outgoing mail, you should enter the following:
antivirus.pointclark.com
This address points to a cluster of three (or more) mail servers. The change is required since the newer version of Postfix included with ClarkConnect supports only one outbound relay host.
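The Trusted Networks and SMTP Authentication settings above together decide who may relay mail through the server, and a mistake in the trusted list is what turns a server into an open relay. The following added example (illustration code for this page, not ClarkConnect's or Postfix's implementation) evaluates that decision for a client address and flags trusted-list entries that are not private ranges. The default list used here mirrors the manual's statement that 192.168.x.x is trusted by default; adding 127.0.0.0/8 for the server itself, the RFC 1918 safe-range check and the sample client addresses are assumptions.

```python
"""Added example, not ClarkConnect/Postfix code: relay decision from trusted
networks plus SMTP authentication, and a sanity check on the trusted list."""

import ipaddress
from typing import Iterable, List, Tuple

# Default trusted list: the manual states any 192.168.x.x host is trusted by
# default; 127.0.0.0/8 (the server itself) is added here as an assumption.
DEFAULT_TRUSTED = ("127.0.0.0/8", "192.168.0.0/16")

# Ranges that are safe to trust wholesale: RFC 1918 private space and loopback.
SAFE_RANGES = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_trusted(entries: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse Trusted Networks entries; a bare host address becomes a /32."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def risky_entries(entries: Iterable[str]) -> List[str]:
    """Entries not wholly inside a private/loopback range. A public or
    dynamic-IP range here lets outsiders relay, which is what the manual
    warns against (assumed check, not a ClarkConnect feature)."""
    return [str(net) for net in parse_trusted(entries)
            if not any(net.subnet_of(safe) for safe in SAFE_RANGES)]


def may_relay(client_ip: str, authenticated: bool,
              trusted: Iterable[str] = DEFAULT_TRUSTED) -> Tuple[bool, str]:
    """Decide whether a submitting client may relay mail to outside domains.
    Returns (allowed, reason)."""
    addr = ipaddress.ip_address(client_ip)
    if authenticated:
        return True, "SMTP authentication succeeded"
    for net in parse_trusted(trusted):
        if addr in net:
            return True, f"client is in trusted network {net}"
    return False, "554 Relay access denied"


if __name__ == "__main__":
    # Constructed client addresses.
    for ip, auth in (("192.168.1.50", False), ("10.0.0.7", False),
                     ("198.51.100.9", False), ("198.51.100.9", True)):
        print(ip, auth, may_relay(ip, auth))
    print("with 10.0.0.0/8 added:", may_relay("10.0.0.7", False,
                                              DEFAULT_TRUSTED + ("10.0.0.0/8",)))
    print("risky entries:", risky_entries(["192.168.0.0/16", "0.0.0.0/0",
                                           "198.51.100.0/24"]))
```

Delivery to the server's own destination domains is not relaying and is outside this check; the check only governs mail bound for other domains. Note that a 10.x.x.x client is refused until 10.0.0.0/8 is added, exactly as the manual describes, and that a 0.0.0.0/0 entry (or any public range) is reported as risky.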
Additional Domains
Destination Domains
If your company/organization has multiple domains and you wish to receive e-mail sent to any user at any of the domains, add the additional domains to the Destination Domains list. For example, if our primary domain was set up to be "pointclark.net" and we wanted all e-mails sent to the following registered domains to be valid:
● pointclark.com
● pointclark.org
● clarkconnect.com
● clarkconnect.org
we would add the bulleted domain list above to the "Destination Domains" list.
Virtual Domains
Use the "Virtual Domains" list if you are using ClarkConnect as an SMTP server for multiple clients. By adding to the Virtual Domains list rather than the Destination Domains list, you will have complete control over which user receives mail for a particular domain.
Mail Forward Domain List
If you are configuring your server as a mail gateway, add the domain name to the "Mail Forward Domain list". If the antispam engine is installed and running on the server, mail will be subject to the spam identification rules you have configured. Similarly, if the antivirus module is installed and running, all mail for the domains will be scanned before the mail is passed on to the destination server.
● Follow the link for more information on Configuring an Antivirus and Antispam Gateway.
Troubleshooting
Firewall
Do not forget to open up firewall ports for your e-mail server: port 25 on the firewall configuration page.
ISP Blocking
Some ISPs are known to block SMTP (port 25) traffic to residential broadband connections in an attempt to cut down on spam originating from their network. If you think your configuration is set up correctly and you suspect your ISP is blocking SMTP traffic, try a port scan.
Virtual Domains
If you are using the server to provide mail service to multiple domains (virtual domains), it is advisable to set up all domains on the system as virtual and enter a false domain (i.e. placeholder.com) in the "Primary Domain" field. Otherwise, all users would have access to the domain listed in the Primary Domain field.
Links
● Setting up a POP/IMAP server
● Postfix Documentation
● Adding incoming firewall rules
● Setting up your Mail Server - Flash Tutorial Series
Webmail
Overview
Webmail Information
Description: Web-based mail system.
Package Name: cc-horde
Configuration Page: Software > Mail > Webmail
A web-based e-mail solution ideal for allowing users 'on the road' and without a mail client to access mail on the server using any computer connected to the Internet.
Installation
If you did not select this module to be included during the installation process, you must first install the module. This module is described as the "Web Access Module" under Webconfig's "Software Modules" list.
Accessing Webmail
The webmail system runs on port 83 over HTTPS. To access the system, type https://192.168.1.1:83/ or https://yourdomain.com:83/
● If webmail access is required from the Internet, please allow connections to port 83 (webmail) on the firewall.
● Web-based mail requires the IMAP server to be running.
● Users will receive a pop-up warning in their web browser similar to that shown below. This is normal and does not diminish the fact that the connection is encrypted and secure. If desired, you can customize and manage the secure certificate using the SSL Certificate Manager.
Vacation / Auto-Reply
The webmail system includes a vacation / auto-reply system. To access this feature:
● Login to your webmail account
● Click on Mail Filters in the menu
● Select the Vacation filter
Links
● Horde Web Site
● Adding incoming firewall rules
File Services
Flexshare
Overview
Flexshare Information
Description: A file collaboration utility.
Package Name: cc-flexshare
Configuration Page: Software > File Services > Flexshare
Flexshare is a flexible and secure collaboration utility which integrates four of the most common methods of accessing files or content:
● Web (HTTP/HTTPS)
● FTP (FTP/FTPS)
● File Shares (Samba)
● E-mail (SMTP/MIME/SMIME)
It is an extremely powerful and versatile tool that has many uses. The example below (a hypothetical engineering consulting firm, Eng-123, and its client, OEM-XYZ) describes a Flexshare in a typical working environment.
A Flexshare might be defined on a server owned by Eng-123 after successfully bidding on an engineering project for OEM-XYZ. CAD files (engineering drawings) associated with the project's design are centrally located on the server and should be accessed only by the users included in Eng-123's engineering group. The file-sharing (Samba) Flexshare definition is used to allow restricted access to this directory from the Local Area Network (LAN) or over Virtual Private Network (VPN) tunnels in the event engineers work remotely.
By adding Flexshare's FTPS (secure FTP) access, configured to require a username/password for read-only permission, the project manager of OEM-XYZ can have access to the drawings at any time from anywhere on the Internet. The increase in productivity from real-time access to the CAD drawings keeps the project on track and avoids having to e-mail CAD files, which are often large and not ideal for e-mail transfer.
In the event Eng-123 and OEM-XYZ want to track schedule 'snapshots' of an OpenOffice Calc document or notes on the design phase in PDF format, Eng-123's administrator configures Flexshare's e-mail upload access. Both companies can now send signed/encrypted e-mails to a single e-mail address where the attachment (a .ods or .pdf file in this case) is automatically stripped from the e-mail and stored on the server. These same files can then be accessed by web, FTP or file share, with the added benefit of a historical view of the entire project.
Nearing the completion of the project, OEM-XYZ's sales/marketing team makes a request for an assortment of images created from the CAD software's rendering engine from the 3D wire-frame. Flexshare's web access, set up with unrestricted access, gives the sales team the images they need to begin pre-selling with just a browser and a URL.
The above illustrates just one possible use of Flexshares. Much simpler Flexshares can be created for everyday tasks common to any small business, such as hosting and updating a website, creating user-restricted file shares or using e-mail as a simple file transfer utility.
Installation
If you did not select this module to be included during the installation process, you must first install the module. You will also need to install one or more of the following modules to enable functionality for the following services:
● Web access - cc-httpd
● FTP access - cc-proftpd
● File access - cc-smbd
● E-mail upload - cc-postfix, cc-cyrus
Configuration
Share Overview
Once the system user has been updated with the password provided, you will be presented with the Flexshare Overview.
The first table lists the shares you have currently defined, allowing you to quickly view which access methods are enabled in addition to overall Flexshare status (either enabled or disabled). You can Edit, Delete and Toggle the status of each Flexshare using the Action links in the right hand column. Of course, if no Flexshares are defined, the Action links will not be visible. The second table allows you to define (create) a new Flexshare. See Creating a New Flexshare below.
Creating a New Flexshare
To define a new Flexshare, fill out the Name and Description fields and select a Unix group to represent the share owner in the Add a new Flexshare form. A Flexshare template will be created (with no access and disabled by default). The Editing a Flexshare form will be displayed, allowing you to customize the share options and enable access options.
Editing a Flexshare
You can make edits/changes to any defined Flexshare at any time. A newly created Flexshare will have no access points enabled, so you will want to configure at least one service (Web, FTP, Filesharing or E-mail) to take advantage of the share you have created. To begin editing a Flexshare, you'll need to select which access point you want to modify.
Select the appropriate tab and use the help sections below to guide you through each type of access point and the options that are available. Changes will take place immediately upon clicking the Update button if the share is enabled.
Web
Configuring Flexshare's Web access enables anyone (or authorized users only) to use a web browser to navigate to a website in order to view content, interact with a dynamic web page (for example, a PHP or CGI enabled online store) or download files from an index listing. One of the most common uses of Web access is to configure a Flexshare to define settings for a company website. The rest of this section describes the different settings that modify the behaviour of a Web accessible Flexshare.
Enabled
Indicates the current status of the Web Access for a Flexshare. Note, even though the Web Access point is enabled, the overall Flexshare must also be Enabled in order to work. Use the Enabled/Disabled link at the bottom of the form to toggle the status.
Last Modified
A timestamp indicating the last time a change was made to the Web Flexshare configuration.
Server Name
The server name (domain name) that will be used to access this Flexshare. If the default ports are being used (i.e. 80 for HTTP or 443 for HTTPS), this parameter is locked to the Server Name field defined in the Web Server configuration. If custom ports are used, you can set this parameter to take advantage of Apache's Virtual Host capability.
Server URL
This field (actually a hyperlink for convenience) indicates the URL which will be used to access the share.
Accessibility
Accessibility allows you to restrict which interfaces incoming requests to the share are allowed from. Setting this field to LAN Only essentially makes your Flexshare accessible from your Intranet only. If set to All, make sure you have added the appropriate incoming firewall rule if the server is the gateway, or forwarded the appropriate port on your firewall.
Show Index
If Show Index is set to Yes, browsers will display a listing of all files if there is no index page (i.e. index.html, index.php etc.). This is normally only desirable if using the Flexshare as a file access service (similar to FTP). If you are running a website, this option should definitely be set to No.
Follow Symbolic Links
If Follow Symbolic Links is set to Yes, symbolic links leading to directories outside the document root will be followed.
Allow Server Side Includes (SSI)
If Allow Server Side Includes is set to Yes, standard includes will be allowed. By default, execution of code on a SSI will not occur for security reasons. To override this behavior, please see the Flexshare API.
Allow .htaccess Override
If Allow .htaccess Override is set to Yes, the presence of a file named .htaccess will permit users to change specific options inside the web directory. The default and recommended setting for this parameter is No, unless you have advanced knowledge of this Apache directive.
Require SSL (HTTPS)
Determines the protocol to use: HTTP or HTTPS. If you have enabled authentication, you are advised to set this to Yes (use HTTPS) since users will be required to provide their username/passwords to authenticate to the server. Using HTTPS ensures this sensitive data is encrypted.
Override Default Port
In some cases (for example, an ISP that blocks port 80), you may want to run the server on a non-standard port. In this case, set this field to Yes and supply a valid port for the service to bind to.
Require Authentication
If set to Yes, upon first connecting to the server, a user (i.e. a web client) will be prompted with a login dialog pop-up where they will enter their username/password. Before gaining access to the Flexshare, the username/password will be confirmed as a valid account on the server. In addition, the user must belong to at least one group that has been given access to the share as defined in the Group Access field (see below).
Web Domain (Realm)
Indicates to the person logging in what realm they are attempting to access. The only time the value of this field is displayed is during the authentication process. In the screenshot above, the text "Sales Team Secure Flexshare" is the Web Domain (Realm) entry.
Group Access
Displays a list of all user-defined groups on the system (note, not system groups). A user requiring authentication must belong to at least one group that is enabled to access the Flexshare (checkbox in a checked state) in order to gain access to the share.
Enable PHP
Enables the execution of PHP scripts on the server. Any file with a .php/.php4/.php5 extension will be parsed by the PHP engine rather than served by Apache directly.
Enable CGI
Similar to the PHP field above, but pertaining to CGI scripts. CGI scripts, however, are isolated to the /cgi-bin sub-directory (i.e. http://beaker.lan/flexshare/sales/cgi-bin/store).
FTP
Configuring Flexshare's FTP access enables anonymous or authorized users only (or both) to use an FTP-client to connect via File Transfer Protocol in order to upload and/or download files to the server. The FTP protocol, while outdated, is still a prominent service today and is particularly useful for handling large files. One of the downsides of the FTP protocol is that it uses separate ports to control data flow and transmit payload data which causes conflicts with firewalls (both server and client side).
Enabled
Indicates the current status of the FTP Access for a Flexshare. Note, even though the FTP Access point is enabled, the overall Flexshare must also be Enabled in order to work. Use the Enabled/Disabled link at the bottom of the form to toggle the status.
Last Modified
A timestamp indicating the last time a change was made to the FTP Flexshare configuration.
Server URL
The FTP URL (or domain name) used to access the service. This parameter defaults to the Server Name field defined in the ProFTP Server configuration. If you are having difficulty accessing the Flexshare, see the troubleshooting section at the end of this section.
Require SSL (FTPS)
Determines the protocol to use: FTP or FTPS. If you have enabled authentication, you are advised to set this to Yes (use FTPS) since users will be required to provide their username/passwords to authenticate to the server. Using FTPS ensures this sensitive data is encrypted.
Override Default Port
Flexshare FTP/FTPS uses ports 2121/2120 and 2123/2122 as the default ports (see the note below for an explanation). You can override these standard ports by setting this parameter to Yes and entering the custom ports in the fields that will appear upon changing the override drop-down. Unlike the Apache web server, the ProFTP FTP server lacks true virtual host capability, restricting the server domain to a single entry. As a result, the ProFTP server default ports for FTP and FTPS have been set to 2121 and 2123 respectively, allowing users/administrators to continue to use the default FTP configuration file for their own custom use (i.e. users' home directories etc.).
Allow Passive (PASV)
Allowing passive connections can improve the experience/usability of FTP access for clients accessing the service from outside the local network. However, care must be taken to open or forward the appropriate ports to your network for the port range you designate for passive exchange. For more information on Active vs. Passive connections, see the Links section below.
Require Authentication
If set to Yes, non-anonymous authentication is required. Before gaining access to the FTP Flexshare, the username/password will be confirmed as a valid account on the server. In addition, the user must belong to the group that owns the share.
Group Greeting
A greeting that is displayed once when a user authenticates and has access to the FTP Flexshare.
Group Access
Deprecated in 4.2 and above. Displays a list of all user-defined groups on the system (note, not system groups). A user requiring authentication must belong to at least one group that is enabled to access the Flexshare (checkbox in a checked state) in order to gain access to the share.
Group Permissions
Deprecated in 4.2 and above. Files uploaded via FTP to the server require two constraints:
● Ownership (user and group)
● Permissions (user, group and world)
For authenticated connections, the first constraint is satisfied by using the username of the user logged in and the default system group Flexshare. This allows tracking who originally uploaded the folder, yet the generic Flexshare group allows anyone who has access to the share to be able to read (and possibly overwrite) the file. The second constraint is dealt with by setting FTP's UMASK directive. This setting is handled by the Group Upload Attributes parameter.
Group Upload Attributes
Deprecated in 4.2 and above. Allows you to set FTP's UMASK directive, which sets the file permissions on upload. This field consists of three drop-down boxes, each with the same permission options.
● List 1 - User permissions
● List 2 - Group permissions
● List 3 - World permissions
The options contained in each drop-down box consist of three characters. The characters are defined as:
● Hyphen - No permissions
● r - Read
● w - Write
● x - Execute
Allow Anonymous
Allows anonymous FTP access. Users only have to provide the username anonymous and (usually) their e-mail address to gain access to the share. Use anonymous access when you are not providing access to restricted files and you do not want/need to create individual accounts on your server to authenticate against.
Anonymous Greeting
Same as Group Greeting except applied to the anonymous login.
Anonymous Permissions
Same as Group Permissions except applied to the anonymous login.
Anonymous Upload Attributes
Deprecated in 4.2 and above. Same as Group Upload Attributes except applied to the anonymous login.
File
File
Configuring Flexshare's File access (Samba) enables public users, authorized users only, or both to connect via Windows file sharing in order to move files from desktop to the server and vice versa.

Enabled
Indicates the current status of the File access for a Flexshare. Note that even though the File access point is enabled, the overall Flexshare must also be Enabled in order to work. Use the Enabled/Disabled link at the bottom of the form to toggle the status.

Last Modified
A timestamp indicating the last time a change was made to the File Flexshare configuration.

Comment
Allows a comment or description of the file share to be displayed to client computers accessing the share.

Public Access
Set the Public Access field to Yes if you want to allow anyone on the Local Area Network (LAN) access to the Flexshare.

Group Access
Deprecated in 4.2 and above. Displays a list of all user-defined groups on the system (not system groups). A user requiring authentication must belong to at least one group that is enabled to access the Flexshare (checkbox checked) in order to gain access to the share.

Permissions
The Permissions field determines what type of access group members (or the public, if Public Access is set) have to files on the share.

File Write Attributes
If users have write permission to this Flexshare, this field sets the permissions applied to all files copied to the server. See Group Upload Attributes under FTP for information on these settings.
E-mail
Configuring Flexshare's E-mail access allows the uploading of files to the server. This is accomplished by attaching one or more files to an e-mail and sending it to the corresponding Flexshare e-mail address. To place restrictions on who can upload files, mandatory digital signatures combined with group lists and a separate Access Control List (ACL) can be imposed.

Enabled
Indicates the current status of the E-mail access for a Flexshare. Note that even though the E-mail access point is enabled, the overall Flexshare must also be Enabled in order to work. Use the Enabled/Disabled link at the bottom of the form to toggle the status. If disabled, all e-mail sent to the Flexshare is automatically deleted, regardless of the Save Attachments setting.

Last Modified
A timestamp indicating the last time a change was made to the E-mail Flexshare configuration.

Email Address
The e-mail address that users will use to upload files to the Flexshare.

Save Attachment Path
Possible options are:
● Root Directory - files are saved to /var/flexshare/shares/FLEXSHARE_NAME
● Mail Sub-Directory - files are saved to the /mail sub-directory off the root directory
● Specify in Subject Heading - a user can specify the path they would like the file(s) uploaded to by using the format Dir = PATH in the subject line, where PATH is the directory path to use. Because PATH is supplied by the sender, use this option only together with Restrict Access and Require Signature.
Write Policy
Allows you to control whether an incoming attachment overwrites a file that already exists.

Save Attachments
Setting this field to Require Confirmation keeps messages (and their attachments) in the queue; attachments are only saved when confirmed. Set this field to Automatically poll at 5 minute intervals to have the server check for new messages and save the attachments automatically. These files are then immediately accessible by the other Flexshare access methods.

Notify on Receive (e-mail)
If the Save Attachments field is set to Require Confirmation, use the Notify on Receive (e-mail) field to enter a valid e-mail address to which an alert is sent when new e-mails containing file attachments arrive.

Restrict Access
Set this to Yes to require that the sender's address matches a system user or an entry in the E-mail ACL. It is highly recommended that Restrict Access is enabled to prevent anonymous file uploads.

Group Access
Deprecated in 4.2 and above. Displays a list of all user-defined groups on the system (not system groups). A user sending an e-mail with attachment(s) to the Flexshare address must belong to at least one group that is enabled to access the Flexshare (checkbox checked) in order for the file(s) to be saved. If it is determined that the e-mail sender does not have access to upload files, the e-mail is deleted.

E-mail ACL
Add addresses to the E-mail ACL (Access Control List) to allow non-system accounts to upload files to the server via e-mail.

Require Signature
Signing e-mail with a digital signature is the only way to verify that an e-mail originates from the address it claims to be sent from. It is a trivial task to spoof the From address in an e-mail header, so Restrict Access on its own only checks a value the sender chose. Enabling this feature discards any e-mails (and their attachments) that are not signed. Take advantage of 4.0's SSL Certificate Manager and use signed certificates to validate the sender's address.

File Write Attributes
Files saved to the server from e-mail attachments use the permissions set in this field. See Group Upload Attributes under FTP for information on these settings.
Deleting a Flexshare
Deleting a Flexshare that is currently defined can be done from the Overview page. Click on the Delete link next to the share you wish to delete. A form similar to the one shown below is displayed, asking you to confirm your intention to delete the share. Checking Delete all files and remove share directory will do exactly that: make sure you no longer need any files in the share directory and all its sub-directories, or have backups located elsewhere. Use the Disable share function instead of Delete if you want to remove share access temporarily without losing your configuration settings.

Advanced Configuration
Custom Paths
In some cases it is desirable to host a Flexshare in a location other than the default path (/var/flexshare/shares/SHARENAME), for example a mounted USB Mass Storage Device or an encrypted filesystem. In this case, edit the file /etc/flexshare.conf using an editor or a utility like SCP. The parameter key is named FlexshareDirCustom. The format of the value is name:path. For multiple entries, each definition is separated by the pipe (|) character. The following is a valid entry example:

    FlexshareDirCustom=Iomega:/mnt/dmcrypt/Iomega|USB:/mnt/usb

The above provides two additional paths in the drop-down list of any Flexshare. The first (Iomega) refers to an Iomega REV drive with an encrypted filesystem mounted at /mnt/dmcrypt/Iomega. The second is an example of a USB drive mounted at /mnt/usb. Make sure the device is actually mounted before enabling a share on it; if it is not, files written to the share land in the mount-point directory on the server's own disk, outside the encrypted or removable volume you intended.
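A check to run before pointing a Flexshare at a custom path, as an added shell example (not ClarkConnect code; only the FlexshareDirCustom key and the name:path|name:path format come from the manual). It parses the setting and verifies that each path exists and is itself a mount point, because the reason for a custom path is usually a removable or encrypted volume, and if that volume is not mounted the share silently serves, and stores uploads in, the empty mount-point directory on the server's own disk. The config file in the demo is constructed.

```shell
#!/bin/sh
# Added example (not ClarkConnect code): read FlexshareDirCustom from a
# flexshare.conf-style file and check every custom path before it is offered
# as a share location. Only the key name and the name:path|name:path format
# come from the manual.

# custom_dirs_value FILE -> the raw value of FlexshareDirCustom (empty if unset)
custom_dirs_value() {
    sed -n 's/^FlexshareDirCustom=//p' "$1" | head -n 1
}

# check_custom_dir NAME PATH: 0 = usable, 1 = missing, 2 = not a mount point.
# A custom path is normally a removable or encrypted volume; if it is not
# mounted, anything written to the share lands on the server's own disk in the
# (unencrypted, possibly world-readable) mount-point directory instead.
check_custom_dir() {
    name=$1; path=$2
    if [ ! -d "$path" ]; then
        echo "$name: $path does not exist or is not a directory"
        return 1
    fi
    real=$(cd "$path" && pwd -P) || return 1
    mnt=$(df -P "$real" | awk 'NR == 2 { print $NF }')
    if [ "$mnt" != "$real" ]; then
        echo "$name: $real is not a mount point (it sits on the filesystem mounted at $mnt)"
        return 2
    fi
    echo "$name: $real ok"
}

# audit_custom_dirs FILE: checks each entry; exit status = number of problems
audit_custom_dirs() {
    problems=0
    value=$(custom_dirs_value "$1")
    if [ -z "$value" ]; then
        echo "no FlexshareDirCustom entries in $1"
        return 0
    fi
    old_ifs=$IFS
    IFS='|'; set -f; set -- $value; set +f; IFS=$old_ifs   # split on "|" only, no globbing
    for entry in "$@"; do
        name=${entry%%:*}; path=${entry#*:}
        if [ -z "$name" ] || [ -z "$path" ] || [ "$path" = "$entry" ]; then
            echo "malformed entry (expected name:path): $entry"
            problems=$((problems + 1))
            continue
        fi
        check_custom_dir "$name" "$path" || problems=$((problems + 1))
    done
    return "$problems"
}

# Demo on a constructed config: the manual's own two example entries plus a
# deliberately broken one. On a server without those mounts, both paths are
# reported as missing.
demo=$(mktemp) || exit 1
printf 'FlexshareDirCustom=Iomega:/mnt/dmcrypt/Iomega|USB:/mnt/usb|Broken\n' > "$demo"
audit_custom_dirs "$demo" || echo "$? problem(s) found"
rm -f "$demo"
```

Run it against /etc/flexshare.conf after mounting the device; a non-zero exit means at least one custom path should not be offered to a share yet.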
Troubleshooting
Firewall
Remember to open up the appropriate ports on your firewall if your intention is to allow access from outside your network. The default ports for the Flexshare access services are listed in the Access table below.

FTP Access Going to Home Directory Instead of Flexshare
If you have enabled FTP access and require authentication, and you find that users are being sent to their home directories instead of the defined Flexshare, the solution is quite simple, although the cause is quite complex. The problem stems from the fact that ProFTPD cannot select a configuration by name (FTP has no equivalent of HTTP's Host header) and instead resolves the system hostname in order to determine which configuration to use. If you have an entry in your /etc/hosts file mapping your system hostname to your internal IP, users logging in from outside the network will experience the problem described above. To fix the problem, use Webconfig and navigate to Network > Hosts and DNS Server. Remove the entry that maps your server hostname to the internal address (i.e. 127.x.x.x, 192.168.x.x or 10.x.x.x). Once you have done this, go to the ProFTPD configuration and stop and then restart the service.
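A way to find the offending /etc/hosts entry before editing it in Webconfig, as an added shell example (not ClarkConnect code). It flags every line that maps the given hostname to a loopback or RFC 1918 address; the manual lists 127.x.x.x, 192.168.x.x and 10.x.x.x, and 172.16.0.0/12 is the remaining private block. The hosts file in the demo is constructed.

```shell
#!/bin/sh
# Added example (not ClarkConnect code): find /etc/hosts entries that map the
# server's hostname to a loopback or private (RFC 1918) address, the condition
# the manual identifies as sending external FTP users to their home directory.

# is_internal_addr ADDR: 0 if ADDR is loopback or RFC 1918, 1 otherwise
is_internal_addr() {
    case $1 in
        127.*|10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# find_internal_hostname_entries HOSTSFILE HOSTNAME
# Prints "address hostname" for every offending line; exit 0 if any were found,
# 1 if the file is clean. Comments and blank lines are ignored; the hostname
# may appear as any of the names on a line, not only the first.
find_internal_hostname_entries() {
    hosts=$1; wanted=$2; found=1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                 # strip trailing comment
        set -f; set -- $line; set +f     # split into address + names, no globbing
        [ $# -ge 2 ] || continue
        addr=$1; shift
        for n in "$@"; do
            if [ "$n" = "$wanted" ] && is_internal_addr "$addr"; then
                printf '%s %s\n' "$addr" "$wanted"
                found=0
            fi
        done
    done < "$hosts"
    return $found
}

# Demo on a constructed hosts file shaped like the manual's scenario: the
# server is gateway.lan and an administrator has mapped it to its LAN address.
demo=$(mktemp) || exit 1
cat > "$demo" <<'EOF'
127.0.0.1   localhost localhost.localdomain
192.168.1.1 gateway.lan gateway   # LAN side of the server
203.0.113.10 www.example.com
EOF
if find_internal_hostname_entries "$demo" gateway.lan; then
    echo "remove the entry above (Webconfig: Network > Hosts and DNS Server), then restart ProFTPD"
else
    echo "no internal mapping for gateway.lan"
fi
rm -f "$demo"
```

Point it at /etc/hosts and the output of hostname on the server; each printed line is an entry the manual says to remove.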
Access
Not all access methods have the same capabilities because of the protocol/design of the individual services. The table below lists the four access services available to the Flexshares you have created, together with the default port(s) each one uses.

Access Method   View   Upload   Download   Default Port(s)
Web                                         80 (HTTP), 443 (HTTPS)
FTP                                         2121/2120 (FTP), 2123/2122 (FTPS)
File                                        N/A
E-Mail                                      25 (SMTP)

Links
● ProFTPD - List of Directives
● FTP - Active vs. Passive
● Samba Man Page
FTP Server
Overview
Description: A full-featured FTP server.
Package Name: cc-proftpd
Configuration Page: Software > File Services > FTP

Configuration
The default configuration for a ClarkConnect system allows read-only anonymous FTP to the /var/ftp directory and full access for valid user accounts. Advanced configuration of the FTP server can be done in one of two ways:
● Creating and configuring a Flexshare (Version 4.0 and up only)
● Editing the /etc/proftpd.conf configuration file. See the links section below for details.

Links
● ProFTPD home page
● List of Directives
● FileZilla - An open-source FTP client for Windows
Windows-Samba
Overview
File Sharing / Samba
Description: Samba file sharing system for Windows.
Package Name: cc-samba
Configuration Page: Software > File Services > Windows File Sharing

Your ClarkConnect system provides file serving capabilities for a Windows network. Among other tasks, you can use the software for backup file storage and for sharing printers.

Installation
If you did not select this module to be included during the installation process, you must first install the module.

Configuration
Basic Configuration
The basic configuration for the Windows/Samba file server is straightforward: at the very least, you will want to change the Name, Workgroup and Comment. If you are using Windows PCs, you will be able to see your ClarkConnect box through Network Neighborhood.
Name
The name of the system as it appears on Windows networks.

Workgroup
The Windows network workgroup. If you are configuring your system as the primary domain controller (PDC), this is also the name of the domain.

Comment
The comment is a short description for the system.

WINS Server / WINS Support
If you plan on using VPN or have more than two local networks, we strongly recommend that you enable a WINS server on your network. If you already have a WINS server, you can enter its IP address in the WINS Server field. Alternatively, the ClarkConnect system can be configured as a WINS server on your network by enabling the WINS Support option. More information on WINS is available in this Howto.

PDC - Primary Domain Controller
If you would like your ClarkConnect system to act as a primary domain controller (PDC), you can configure the settings below. You must be using version 4.1 or higher for PDC mode.
Status
Toggle this field to enable/disable PDC mode.

Administrator
Select a user account for PDC administration. This account will be used to add computers to the domain.

Logon Fields
Review the Samba documentation for configuring the Logon fields.

Common File Shares
● The homes folder contains private user folders.
● The printers icon will appear if you configure a shared printer.
● The shared folder is for public file sharing.
● The website folder contains the files for your web site.
● The ftpsite folder contains the files for your FTP site.

Custom File Shares
To add custom file shares, use the Flexshare tool.
Advanced Configuration
For some installations, you may need to fine-tune the Windows/Samba file sharing software. Please review the Samba documentation before changing these settings.

Security Type
If you are using ClarkConnect as a PDC, this should be set to Domain; otherwise it should be set to User. If you want to disable user authentication, you can set this option to Share (not recommended: with share-level security there are no per-user logins, so nothing ties a file access or change to a person).

Domain Master
If you do not have a Windows server running on your network, you may want the ClarkConnect system to act as the Domain Master (in other words, the "boss" of the Windows network). You should also set the OS Level to 50 or higher.

Local Master
In most cases, this should be set to Automatic.

OS Level
See the Domain Master section.
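Reading the Advanced Configuration settings back out of smb.conf and flagging share-level security, as an added shell example (not ClarkConnect code). The directive names security, domain master and os level are Samba's global parameters; the smb.conf in the demo is constructed, and the location of the smb.conf that Webconfig writes is not assumed, so pass the path yourself.

```shell
#!/bin/sh
# Added example (not ClarkConnect code): read the Advanced Configuration
# settings back out of an smb.conf and flag the share-level security mode the
# manual advises against. The file is parsed the way Samba reads it:
# case-insensitive keys, "=" separator, lines starting with ";" or "#" are
# comments, and only the [global] section is consulted.

# smb_global FILE KEY -> value of KEY in [global], lower-cased; empty if unset
smb_global() {
    awk -v key="$2" '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/ { section = tolower(trim($0)); next }
        section == "[global]" && index($0, "=") {
            k = tolower(trim(substr($0, 1, index($0, "=") - 1)))
            v = tolower(trim(substr($0, index($0, "=") + 1)))
            if (k == tolower(key)) val = v
        }
        END { print val }
    ' "$1"
}

# audit_smb_conf FILE: 0 if the security mode is acceptable, 1 if it is "share"
# (no per-user authentication, so nothing ties a file change to a person).
# Also reports the browse-election settings the manual pairs together.
audit_smb_conf() {
    sec=$(smb_global "$1" security)
    dm=$(smb_global "$1" "domain master")
    lvl=$(smb_global "$1" "os level")
    echo "security = ${sec:-user (default)}"
    echo "domain master = ${dm:-auto (default)}, os level = ${lvl:-20 (default)}"
    if [ "$dm" = "yes" ] && [ "${lvl:-20}" -lt 50 ]; then
        echo "warning: domain master is set but os level is below 50; another machine can win the browser election"
    fi
    if [ "$sec" = "share" ]; then
        echo "problem: share-level security disables per-user authentication"
        return 1
    fi
    return 0
}

# Demo on a constructed smb.conf with the "Share" choice selected.
demo=$(mktemp) || exit 1
cat > "$demo" <<'EOF'
[global]
   workgroup = WORKGROUP
   netbios name = CLARKCONNECT
   server string = ClarkConnect Server
   ; the "Share" choice in Webconfig
   security = share
   domain master = yes
   os level = 20
[shared]
   path = /var/samba/shared
EOF
audit_smb_conf "$demo" || echo "fix: set Security Type to User (or Domain on a PDC)"
rm -f "$demo"
```

Run it on the server's smb.conf after saving the Advanced Configuration form; a warning or a non-zero exit means the settings do not match what the manual recommends.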
Troubleshooting
Due to a feature of Microsoft networking, you may not see the ClarkConnect system in Network Neighborhood right away; sometimes it takes several minutes to appear. A quick way around this "feature" is to use the Find Computer tool and type in the IP address of the system.
LAN Backup and Recovery
Overview
LAN Backup/Recovery
Description: Client/server backup and recovery.
Package Name: cc-bacula
Configuration Page: Software > File Services > LAN Backup/Recovery

Bacula is a network-based backup program. It allows an administrator to back up, recover and verify data on any number of systems on a local area network (and across VPN tunnels), on a variety of operating systems. Bacula supports various storage media, including file, tape and removable hard disks.

Installation
If you did not select this module to be included during the installation process, you must first install the module.

Supported Media
ClarkConnect's implementation of the Bacula backup/restore software is customized to support a limited selection of hardware:
● The server's hard disk - obviously not recommended for server backup
● Iomega REV (35GB and 70GB) with the following interfaces:
  ● IDE/ATAPI
  ● USB
  ● SATA
● USB Mass Storage Device (USB drives, memory sticks etc.)
● Another workstation on the LAN
● DVD (beta)
Configuration
Bacula's Webconfig overview provides links to actions and other reporting or configuration information that might be of interest. A status window displays the latest messages originating from the Bacula Director, the main daemon responsible for orchestrating backups and restores. If you are a novice user looking to use this module simply to make backups of the server to a supported storage device, you can do everything you wish with the options listed in the Basic section. As you become more familiar with the software you will quickly realize the full potential Bacula offers for a complete network disaster recovery implementation. The Advanced section provides links to some of the features that you will need in setting up new clients, creating new filesets, configuring schedules etc.

The Webconfig utility that provides the graphical user interface (GUI) is not the only method of interacting with the Bacula daemons. Bacula has its own shell-based console, which advanced users will find extremely useful for situations where the GUI does not support a specific feature or function of Bacula. As of version 4.1, this text-based console is accessible via the Advanced Configuration listing under Virtual Console. This manual describes the features and functionality of the Webconfig GUI, which should give the majority of users the ability to back up, validate and restore files from any number of client machines on the local area network. For circumstances where it is necessary to access more advanced features, please refer to the Bacula console (or Webconfig's virtual console) and the relevant sections of the online Bacula manual.
Basic Configuration
Backup Server
This option starts a wizard which takes the user through backing up the server to an appropriate device. Although a server backup can be made to the local hard disk, that option provides no disaster recovery and only offers a measure of safety against accidental deletion of files by a user or administrator. In addition to listing any removable devices like USB mass storage devices or Iomega REV drives, the wizard offers the option to back up to a Windows desktop on the LAN. Use this option to provide recovery in the event of a hard disk failure or loss of just the server. Like the local file option, it does not protect against a disaster that destroys both the server and the client machine on the LAN (fire, theft etc.).

Backup Client
Starts a wizard that takes you through the backup of a client on the LAN.

Restore Server
Starts a wizard that restores a full backup to the server, provided you have the bootstrap file (BSR) and the physical media containing the volume the backup was stored on.

Restore Client
To restore a client on the LAN that has been backed up to the server, use the wx-console (for Windows) or bconsole (for Linux/Unix) user interface.

Device Controls
Used if you need to mount/unmount or eject removable media.
Auto-Detect (Storage) Hardware
Use the auto hardware detection link to view physical media recognized by the Linux kernel that can be used as a storage medium. Some devices like the Iomega REV drive will automatically be added and configured as a storage device; in this case, Update is displayed under the Action column should an admin wish to make custom changes. If a device needs user intervention to configure its properties properly, it is displayed in the list with Add under the Action column. Click on the Add link to add this medium and then configure it. You do not need to add your main hard disk as a storage device, even though it will be listed in the auto-discovery process; use the "File" type instead.
Advanced Configuration
Global Settings
Enable the "Email on Edit" setting to automatically e-mail a set of your current Bacula configuration files to the admin contact (see "Director Daemon Settings" below). The configuration files can be saved to the backup medium just like any other file; however, having these files to start with greatly simplifies the recovery process should they be lost in a hard drive failure or other incident, and avoids a 'chicken and egg' situation in which the files needed to run a restore are themselves only on the backup. Use the "Email all files" link to send all current configuration files immediately. Make sure the mailserver setting is correct in the section below before attempting to mail out a set of files. Note that these files contain the director, client and storage daemon passwords, so the mailbox that receives them needs the same protection as the server.

Director Daemon Settings
The director is the main Bacula daemon that directs all operations. It acts as the go-between for a client resource and a storage device.

Name
The director's name. We recommend adhering to Bacula's convention of using the system name with "-dir" appended. This directive should not require changing after the initial set-up.

Address
The director's address. This should be changed to a fully qualified domain name or IP address. It should not be left at the default setting 'localhost', as client machines will then fail on backup. Examples of an address or FQDN include:
● 192.168.1.1
● gateway.lan
● mydomain.com (preferred)

Port
The port the director daemon listens on. By default, port 9101.

Password
The director's password. Consoles (bconsole, wx-console) must present it to connect to the director; clients and storage devices are authenticated with their own passwords (see the client's Password field below). It is a shared secret, so use a long random value and protect the configuration files that contain it.

Operator e-mail
This address receives notifications for required interactivity, for example replacing removable media or labeling a tape.

Admin e-mail
This address receives all notifications relating to the general 'health' of the system.

Mailserver Address
If you do not run an SMTP server on the machine on which you have installed the Bacula director, you need to specify the mail server address in this field (for example, your ISP's mail server). If you are running an SMTP server locally, leave the default setting, 'localhost'.

Database Password
Bacula uses a MySQL back-end to track and manage the files and directories that are backed up or restored. This field changes the password used to access this database.

File Daemon Settings
The file daemon is responsible for providing files during a backup and receiving files during a recovery. The file daemon is platform-dependent and needs to be installed, configured and running on each client to be included in the backup/recovery process.

Name
The file daemon's name. We recommend adhering to Bacula's convention of using the system name with "-fd" appended. This directive should not require changing after the initial set-up.

Port
The port the file daemon listens on. By default, port 9102.

Storage Daemon Settings
The storage daemon is responsible for writing files to the backup volume during a backup and reading them back during a recovery.

Name
The storage daemon's name. We recommend adhering to Bacula's convention of using the system name with "-sd" appended. This directive should not require changing after the initial set-up.

Port
The port the storage daemon listens on. By default, port 9103.
Creating and Editing Clients
Click on the "Configure Clients" link from the main menu to display and access the edit/add links for clients. A client is simply another computer on your network that you wish to have backed up to your storage device.

The screenshot above shows one client (the default server) with a new client about to be created (MP3-Collection-fd).

Adding a Client Resource
Select a client nickname (e.g. MP3-Collection-fd) and click on the "Add" link. You will be taken directly to the "Edit Client" form to complete the remaining information that is required. The next section describes each of the fields of the client resource exposed via the GUI.

Editing a Client Resource
Name
The client's name. We recommend adhering to Bacula's convention of using the system name with "-fd" appended. This directive should not require changing after the initial set-up.

Address
The client's address. See the Director's Address for recommended entries.

Port
The port the client file daemon listens on. By default, port 9102.

Password
The client's password, which the director uses to authenticate to the client. The same value must be placed in the Director resource of the client's bacula-fd.conf.

File Retention
Defines the length of time that Bacula will keep File records in the Catalog database. When this period expires, and if AutoPrune is set to Yes, Bacula prunes (removes) File records that are older than the specified File Retention period. Note that this affects only records in the catalog database; it does not affect your archived backups.

Job Retention
Defines the length of time that Bacula will keep Job records in the Catalog database. When this period expires, and if AutoPrune is set to Yes, Bacula prunes (removes) Job records that are older than the specified Job Retention period.

Auto Prune
If Auto Prune is set to Yes (the default), Bacula prunes files and jobs from the catalog according to the retention times above. If disabled, your catalog continues to grow with each backup, since older data is never removed (pruned).

After you add a client, you need to download the Bacula client specific to the operating system (OS) running on that machine. For example, if you are running Windows XP, you need to go to SourceForge and install the Win32 client for the appropriate version. Note: to determine the version installed on your system, use "rpm -qi cc-bacula".

Installing and Configuring the Client Software (File Daemon)
The backup/recovery module allows you to back up multiple client machines on the LAN, across VPN tunnels or over the Internet, although this latter method is highly discouraged as data traffic is not encrypted during backup/restore; run remote clients through a VPN tunnel instead. The director daemon requires a file daemon to be installed and configured properly on each machine to be backed up. The remainder of this section goes through the installation and configuration of a Windows XP, Linux (Mandrake) and Mac OS X client.

Before Installing Client Software
Before you begin to download and install the client software, you need to determine what version you need. If you are familiar with the Linux command line, you can query the RPM using the "-qi" option. An alternative and simpler method is to get your local backup server running and click on the "Current Status" link. Once the page updates with the current status information, look at the second line to get the version information.

Windows XP
Now that we know which version we are looking for (in the case of the above example, version 1.36.2), we need to find the appropriate client download. Bacula is an open-source software package developed and maintained on SourceForge - http://sourceforge.net/index.php. A simpler way of finding the correct packages is to go directly to the Bacula home page and look for the "Current Files" link. This link takes you to the exact location, Bacula on SourceForge.net. Scroll down to the Windows section (Win32), ensure you are looking at your version list (1.36.2 in our example), and click on the "Download winbacula-1.36.2.exe" link to start the download.
Depending on where your browser saves downloads, find the file and run the executable by double-clicking its icon. Confirm the first few steps of the install wizard and pause when you are asked to select an install location. You can choose to install in any directory you wish; however, for the purposes of this manual, we assume you create a new directory so that the location appears as "C:\Program Files\Bacula". As you continue through the installation, two configuration files will be displayed. You need to edit them according to the information you provided during the setup of the director and client, specifically:

bacula-fd.conf

    Director {
      Name = Director's Name
      Password = Client's Password
    }

    FileDaemon {
      Name = Client's Name
      FDport = 9102
      WorkingDirectory = "C:\\Program Files\\Bacula\\working"
      Pid Directory = "C:\\Program Files\\Bacula\\working"
    }

    Messages {
      Name = Standard
      director = Director's Name = all, !skipped
    }

Note: WorkingDirectory and Pid Directory may differ from the above, depending on the "Destination Folder" selected during installation (see above). The Messages resource refers to the director by its resource Name, not by its address.

bconsole.conf

    Director {
      Name = Director's Name
      DIRport = 9101          # the Director's Port
      address = Director's Address
      Password = Director's Password
    }

wx-console.conf

    Director {
      Name = Director's Name
      DIRport = 9101          # the Director's Port
      address = Director's Address
      Password = Director's Password
    }

Linux (Mandrake)
Once you have determined the Bacula version installed on your ClarkConnect server (see above), you need to download the client packages for your Linux distribution. In this example, we install and configure the client on Mandrake 10.1 Community Edition. You only need the bacula-client package, not the full install, since the director and storage daemons will be running on ClarkConnect. Having downloaded the RPM, install it on your system (as root):

    # rpm -ivh bacula-client-1.36.1-3.i586.mdk101.rpm
    Preparing...                ########################################### [100%]
       1:bacula-client          ########################################### [100%]

Bacula installs the relevant configuration files in the /etc/bacula directory. You need to edit the same two files listed in the Windows configuration section above, namely:
● bacula-fd.conf
● bconsole.conf
To start the client daemon, type:

    # /etc/rc.d/init.d/bacula-fd start
Mac OS X
TODO

Creating and Editing Schedules
Scheduling jobs allows backups to be performed automatically without human intervention, provided the storage device is available to be written to. You can create as many schedule definitions as you wish. Once created, a schedule is available to be associated with a job, which will then run automatically at the specified time(s).

Adding a Schedule
To add a schedule, enter a unique schedule name and click 'Add'. A default schedule template is created and the edit schedule form is displayed (see Editing a Schedule).

Editing a Schedule
Each schedule definition can have an unlimited number of 'events' associated with it. An event is a combination of a backup level (Full, Incremental or Differential), a schedule definition (Every Saturday, Monday through Friday etc.) and a time.
Creating and Editing Filesets
A fileset tells the Bacula director which directories and files to back up and which to leave alone. Generally speaking, you will probably have at least one unique fileset for each client machine; however, a fileset can be used in any job, for any client backup. This module ships with two default filesets, which are protected:
● Catalog
● Config
The Catalog fileset cannot be edited or deleted and is responsible for creating a database image of the Bacula catalog and backing up the resulting file. The Config fileset can be edited but cannot be deleted. It is responsible for saving important configuration files for the software and services that run on your server. It is recommended that you keep the default file/directory entries and add to this list whenever you add a package with custom edits to a configuration file.

The fileset list in the screen capture above shows the two default entries in addition to three uniquely named additions, one of which (the "Home" fileset) the user has protected against deletion.

Adding a Fileset Resource
Choose a unique name for your fileset that describes the sort of directories/files it covers. For example, you might name a fileset WinXP-MyDocs for any Windows XP machine on the LAN where you wish to back up the owner's "My Documents" contents. You will be taken directly to the "Edit Fileset" form to complete the remaining information that is required. The "Database" checkbox defines whether a backup represents a set of files/directories (off) or the data contained within a database (on). MySQL and PostgreSQL are currently supported.

The next section describes how to edit a fileset in order to achieve the desired backup results.

Editing a Fileset Resource
Fileset structures are extraordinarily flexible in defining the directories and files to be backed up; however, this flexibility comes at a cost: complexity. In the current Webconfig user interface, only a fraction of the power of fileset building is exposed. Greater functionality will be added in future releases. Advanced users should read the Bacula chapter dedicated to creating fileset resources and may wish to consider editing via the CLI to achieve the desired results. The Bacula Webconfig UI has two 'modes' for editing filesets: Regular and Database.

Regular Fileset
The regular fileset mode allows you to add include and exclude statements in order to define which files you wish to back up and which you do not. Any number of include statements are allowed within a fileset definition, but only one exclude. Each include statement can have its own options that work together to describe the files you wish to have backed up. The table below describes the directives supported via the user interface (UI).
Compression
Use software compression (GZIP). If you are backing up to a device that supports hardware compression, you are advised not to enable software compression.

Signature
Compute and store an MD5 or SHA1 checksum with each file. Users are strongly advised to enable one, since without it a Bacula verify job cannot detect a changed file whose size and timestamps are unchanged. Note that these checksums are stored in the catalog alongside the file records, so they catch corruption and accidental change, not deliberate tampering by someone who can also alter the catalog.

IgnoreCase
When set to "Ignore", all regular expressions and wildcards ignore differences between upper and lower case.

Exclude
When set to 'Include', all wildcard and regular expression matches select files and directories to be backed up. If the 'Exclude' option is set, matching files and directories are not selected.

Wild
A wildcard string to match files or directories.

Wildfile
A wildcard string to match files only.

Wilddir
A wildcard string to match directories only.

Regex
A regular expression string to match files or directories.

Regexfile
A regular expression string to match files only.

Regexdir
A regular expression string to match directories only.
The ClarkConnect LAN backup and recovery module allows you to back up two of the most popular open-source database engines available:
● MySQL
● PostgreSQL
Backing up data stored in an SQL database must be done by 'dumping' the contents of the database to a file first. Backing up the database's files directly would produce a corrupt copy, because the content is being updated while the backup runs. This module simplifies database backup by providing a separate interface when the "Database" checkbox is enabled. This flag can only be enabled during the creation of a fileset (see the "Adding a Fileset" section above). A typical database backup configuration form is shown below.
Name
The Fileset name.
Compression
See above.
Signature
See above.
Type
The SQL engine. Currently, MySQL and PostgreSQL are supported.
Hostname
The IP address or hostname where the server is located. A database does not have to be running on the localhost in order to be backed up.
Database Name
The name of the database.
Username
A username that has rights to access this database. Leave blank if any user has full access.
Password
The database password. Leave blank if no password is associated with the database.
Port
The port the SQL service is listening on. The default ports for the two supported engines are listed below.
● MySQL - 3306
● PostgreSQL - 5432
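As an added illustration (not code from the manual or from the ClarkConnect module), the following bacula-dir.conf fragments show what the two fileset modes above correspond to in Bacula's own syntax: a regular FileSet using the Include/Options/Exclude directives from the table, and a database fileset, where the dump the text describes is produced by a ClientRunBeforeJob on the Job that uses it (a PostgreSQL fileset would call pg_dump the same way). Resource names, the 'office' database, the option file and all paths are assumptions.

```conf
# Added example, not from the manual or the ClarkConnect module.
# All names and paths below are assumptions.

# 1. Regular fileset: Windows XP "My Documents" with some exclusions.
FileSet {
  Name = "WinXP-MyDocs"
  Include {
    # Options blocks are consulted in order; the first block whose
    # patterns match a file decides its fate, so exclusions go first.
    Options {
      IgnoreCase = yes                 # UI: IgnoreCase = Ignore
      Exclude = yes                    # UI: Exclude (matches are skipped)
      WildFile = "*.tmp"
      WildFile = "*/Thumbs.db"
      WildDir  = "*/Temporary Internet Files"
      RegexFile = "[.](mp3|avi)$"      # POSIX extended regex
    }
    # Catch-all block with no patterns: everything not excluded above is
    # backed up compressed and with a checksum (UI: Compression, Signature).
    Options {
      Compression = GZIP
      Signature = SHA1
    }
    File = "C:/Documents and Settings/owner/My Documents"
  }
  # Only one Exclude block is allowed per fileset; entries are literal
  # paths rather than patterns.
  Exclude {
    File = "C:/Documents and Settings/owner/My Documents/My Music"
  }
}

# 2. Database fileset: back up a dump file, never the live data files.
FileSet {
  Name = "MySQL-office"
  Include {
    Options {
      Compression = GZIP
      Signature = MD5
    }
    File = "/var/lib/bacula/dumps/office.sql"
  }
}

# The Job that uses it writes the dump just before the file daemon reads
# the fileset. The UI's Hostname/Port/Database Name fields map onto the
# mysqldump options; Username/Password are kept in a root-only (mode 0600)
# option file rather than on the command line, where they would be visible
# in 'ps' output. The option file (assumed /etc/bacula/mysql-backup.cnf)
# contains:
#   [client]
#   user=backup
#   password=<placeholder>
Job {
  Name = "BackupOfficeDB"
  Type = Backup
  Level = Full                         # a dump changes wholesale each run
  Client = clarkconnect-fd
  FileSet = "MySQL-office"
  Schedule = "WeeklyCycle"
  Storage = File
  Pool = Default
  Messages = Standard
  # --single-transaction gives a consistent snapshot of InnoDB tables
  # without locking them for the duration of the dump.
  ClientRunBeforeJob = "/usr/bin/mysqldump --defaults-extra-file=/etc/bacula/mysql-backup.cnf --host=127.0.0.1 --port=3306 --single-transaction --result-file=/var/lib/bacula/dumps/office.sql office"
}
```

The ordering of the two Options blocks matters: a file that matches no pattern in the first block falls through to the second, pattern-free block and is backed up with its compression and signature settings; if the blocks were swapped, the catch-all would claim every file first and the exclusions would never apply.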
Creating and Editing Jobs
Jobs are collections of other resources (i.e. a client, a fileset, a storage device etc.) that tie together to back up (or restore) your data. Jobs can be scheduled to run automatically, removing the need for human intervention (except if you have removable storage media, of course). By default, ClarkConnect contains two pre-defined jobs:
● BackupCatalog - backs up an image of the Bacula MySQL database
● Restore - a restore template
The restore template is unique in that Bacula only uses a single restore job, which is then modified at run-time for specific recovery operations. This uniqueness is described in more detail in the "Type" section below.
Adding a Job Resource
Choose a unique name for your job that describes the action. You will be taken directly to the "Edit Job" form to complete the remaining information that is required.
Editing a Job Resource
A typical job edit form looks like the screen capture below. The following directives are supported by the Webconfig UI for the Bacula module:
Name
A unique name for the job.
Type
The job type. Valid options are:
● Backup - Normally, you will have at least one backup job for each client machine you back up. You will also have the pre-installed backup job for the MySQL catalog.
● Restore - The restore type is restricted (via the Webconfig UI) to a single job definition. Since a restore template is pre-defined, this option will not be available when you add a job if the restore template still exists.
● Verify - Verifies that the information stored in the database (which maps to the actual backup file(s)) matches what currently resides in the directories, and reports any differences.
● Admin - Runs an administrative (normally database related) job. See the Bacula manual for more information.
Level
The level. Valid options are:
● Full - Includes all files defined in the associated Fileset, regardless of whether or not they have changed.
● Differential - Includes all files changed since the last successful full backup. In practice this means that a full restore requires just the last Full and the last Differential backup.
● Incremental - Includes all files changed since the last successful backup (either Full or Incremental). As a result, a full restore requires the last Full backup and all successive incrementals.
Client
A valid client resource.
File Set
A valid file set resource.
Schedule
A valid schedule resource.
Storage Device
A valid storage device resource.
Pool
A valid pool resource.
Priority
Permits prioritization of jobs to determine which jobs run first. The higher the integer, the lower the job priority.
Create Bootstrap (BSR)
Creates a bootstrap (BSR) file associated with the job, permitting a restore without a catalog.
Send Admin BSR via E-mail
Sends the BSR file to the address configured as the administration email. Useful in cases where the Bacula database is lost, damaged, corrupt, stolen or otherwise rendered useless, but the backup image exists on the storage daemon or removable media. Sending this file to a Gmail account or other web-based email service provides another option in the event of data loss.
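To show how the Type, Level, Priority and bootstrap directives above fit together, here is an added example in bacula-dir.conf syntax (not from the manual or the ClarkConnect module). The Schedule resource is not exposed in the Webconfig form, but it is what gives a Job its Full/Differential/Incremental rotation; resource names, client names, the FileSets referenced and all paths are assumptions.

```conf
# Added example; names and paths are assumptions.

# Monthly Full, weekly Differential, daily Incremental. The Level given
# on a Run line overrides the Job's own Level for that scheduled run.
Schedule {
  Name = "WeeklyCycle"
  Run = Full 1st sun at 01:05
  Run = Differential 2nd-5th sun at 01:05
  Run = Incremental mon-sat at 01:05
}

Job {
  Name = "Backup-Workstation1"
  Type = Backup
  Level = Incremental          # default level when started by hand
  Client = workstation1-fd
  FileSet = "WinXP-MyDocs"
  Schedule = "WeeklyCycle"
  Storage = File
  Pool = Default
  Messages = Standard
  Priority = 10                # lower number = higher priority
  # UI "Create Bootstrap (BSR)". Rewritten after every run; this file is
  # what lets you restore the job's data without a catalog.
  Write Bootstrap = "/var/lib/bacula/Backup-Workstation1.bsr"
}

# The catalog backup gets a higher number (lower priority) so that it
# runs after the data jobs and records them. Its bootstrap is the one
# the UI offers to e-mail to the administrator.
Job {
  Name = "BackupCatalog"
  Type = Backup
  Level = Full
  Client = clarkconnect-fd
  FileSet = "Catalog"
  Schedule = "WeeklyCycle"
  Storage = File
  Pool = Default
  Messages = Standard
  Priority = 11
  # Script paths assumed; they dump the MySQL catalog before the job and
  # remove the dump afterwards.
  RunBeforeJob = "/etc/bacula/make_catalog_backup bacula bacula"
  RunAfterJob  = "/etc/bacula/delete_catalog_backup"
  Write Bootstrap = "/var/lib/bacula/BackupCatalog.bsr"
}

# The single restore template (UI Type "Restore"): bconsole or the
# Webconfig restore form fills in client, fileset and files at run time.
Job {
  Name = "RestoreFiles"
  Type = Restore
  Client = clarkconnect-fd
  FileSet = "WinXP-MyDocs"
  Storage = File
  Pool = Default
  Messages = Standard
  Where = /tmp/bacula-restores   # staging area; blank "Location" in the
                                 # UI corresponds to restoring in place
}
```

With this schedule, a restore on a Friday needs the last Full, the last Differential and the Incrementals since that Differential, which is exactly the dependency chain the Level descriptions above spell out.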
Creating and Editing Pools
Pools are collections of volumes where your data is stored. Many installs will use a single (Default) pool. Alternatively, you may wish to create and specify a unique pool for each client or job.
Adding a Pool Resource
Choose a unique name for your pool that describes the client or job. You will be taken directly to the "Edit Pool" form to complete the remaining information that is required.
Editing a Pool Resource
The following directives are supported by the Webconfig UI for the Bacula module:
Name
A unique name for the pool.
Type
The pool type. Currently, only backup pools can be configured.
Recycle
Specifies the default for recycling purged Volumes. If a Volume is recycled, all previous data written to that Volume will be overwritten.
Auto Prune
If AutoPrune is set to yes, Bacula will automatically apply the Volume Retention period (see below) when a new Volume is needed and no appendable Volumes exist in the Pool. Volume pruning causes expired Jobs (older than the Volume Retention period) to be deleted from the Catalog and permits possible recycling of the Volume.
Volume Retention
Defines the length of time job records associated with the Volume will be kept. When this time period expires, and if AutoPrune is set to yes, Bacula will prune (remove) job records that are older than the specified Volume Retention period.
Accept any Volume
This directive determines whether any volume in the Pool will be accepted by the Bacula director for writing during a backup. If it is set to no, only the first writable volume in the Pool will be accepted for writing backup data.
Label Format
If the Label Media directive in the storage resource is set to 'Yes', the Label Format directive must be set and will automatically label the media during a backup with the specified format. For example, with a value of "File-", the following volumes will be created:
● File-0001
● File-0002
● File-0003
● ...
You can also use variable expansion. For example, all jobs running on Monday with "Weekly${WeekDay}" would result in:
● Weekly-Monday0001
● Weekly-Monday0002
● Weekly-Monday0003
● ...
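The Pool directives above, written out as bacula-dir.conf resources, as an added example that is not from the manual or the ClarkConnect module. Two pools are shown because the section suggests one pool per destination; the names, retention periods and sizes are assumptions.

```conf
# Added example; names and values are assumptions.

Pool {
  Name = Default
  Pool Type = Backup            # UI: Type (only backup pools are offered)
  Recycle = yes                 # UI: Recycle - a purged volume may be overwritten
  AutoPrune = yes               # UI: Auto Prune
  Volume Retention = 30 days    # UI: Volume Retention - job records older than
                                # this are pruned when a new volume is needed
  # UI: Label Format. Only consulted when the device has Label Media = yes;
  # a plain prefix gets a four-digit counter appended: File-0001, File-0002, ...
  Label Format = "File-"
  # Rolling file volumes over at a fixed size keeps each volume small
  # enough to copy off-site or burn to DVD, as the manual recommends.
  Maximum Volume Bytes = 4G
}

# A separate pool for the removable REV cartridge, with its own label
# prefix so volumes written to the cartridge are distinguishable from
# those on the local disk.
Pool {
  Name = REV
  Pool Type = Backup
  Recycle = yes
  AutoPrune = yes
  Volume Retention = 14 days
  Label Format = "REV-"
}
```

The security-relevant trade-off is in Recycle plus Volume Retention: once a volume's retention has expired and it has been pruned, Bacula may overwrite it, so the retention period is the longest you can count on being able to restore from that pool.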
Creating and Editing Storage Devices
The Bacula Server/LAN backup and recovery module has two defined storage device resources in the configuration files on a default installation:
● File
● Iomega REV removable HDD
The "File" device represents the local hard drive of the server Bacula is installed on. This is an easy and efficient means to back up data located on machines on the Local Area Network. You can even back up the server itself with this configuration; however, it is highly recommended that this file image be synced to a desktop, or better still, burnt to CD/DVD or copied over the Internet (scp tool) to a system outside the LAN.
The Iomega REV drive is an ideal backup storage media device for small businesses. The REV is a hard disk drive offering greater storage capacity than CD-ROM and DVD formats. In addition, the drive medium is removable, allowing unlimited storage capacity by adding drive units and giving you the ability to move backup data off site in the event of disaster, theft or any other event that would result in loss of the storage medium. It is also fast - over 8 times faster than a tape backup solution. The backup and recovery module supports and has been tested using the ATAPI model Iomega REV drive. USB, Firewire, Serial ATA and SCSI can be used; however, manual configuration may be required through direct editing of the Bacula configuration files. If you have a choice, the ATAPI (IDE) model is your best bet. For information on acquiring REV hardware, see the Related Links section below.
The module supports the creation of multiple backup definitions, so you are not limited to the defaults above. Additional file resources can be specified, and these do not necessarily have to be on the LAN. A file resource could be specified that resides on another network. With the proper firewall rules and configuration, a satellite office could back up data to the company headquarters, or vice versa.
If you are considering backing up data across a public network (i.e. the Internet), it is important to weigh the following fact: Bacula does not currently support data encryption at the time of storage, so any traffic crossing a public network cannot be considered secure.
Besides supporting direct-to-file and the Iomega REV drive, the native Bacula module supports all kinds of tape solutions and tape storage auto-changers. Keep in mind, however, that although the Bacula project supports these devices, the ClarkConnect backup module may not interface with them properly. Direct editing of the configuration may be required, in addition to using the Bacula text-based UI (bconsole), to back up to tape-based drives. For a list of supported tape drives, see the Bacula hardware support list.
Adding a Device Resource
Choose a unique name for your storage resource that describes the device. You will be taken directly to the "Edit Device" form to complete the remaining information that is required.
Editing a Device Resource
A typical edit configuration form is shown below. The following directives are supported by the Webconfig UI for the Bacula module:
Name
A unique name for the storage device.
Address
The address where the storage device resides on the network. This field can be a valid IP (internal or external), FQDN or "localhost". Although entering "localhost" correctly describes the location of the storage daemon if it is running in parallel (i.e. on the same server) with the director daemon, it is ambiguous (and will cause backups to fail) for machines on the Local Area Network, because the director hands this address to each client and a client resolves "localhost" to itself. An IP address (i.e. 192.168.1.1) or an FQDN should be used.
Port
The port the storage daemon listens on. By default, 9103.
Password
This is the storage daemon's password that the director will pass to a client for authentication to the storage device.
Device or Mountpoint
● File - Add the full directory path where you would like Bacula to save backup images of your filesets.
● Iomega REV HDD - Enter the mount point you created using the "Mount" action (see here). For example, "/mnt/REV".
● DDS/DLT - Enter the device location. For example, "/dev/nst0".
Media Type
A generic descriptor of the type of storage device. Valid selections include:
● File - a local filesystem (HDD, USB memory stick etc.)
● Iomega REV - see here
● DDS - Digital Data Storage device (DDS-1 [2GB], DDS-2 [4GB], DDS-3 [12GB], DDS-4 [20GB])
● DLT - Digital Linear Tape, a magnetic tape storage device
Label Media
If enabled (set to "yes"), the device will automatically label blank media. In other words, it will create the backup file to write to without user intervention. For information on how to set the Pool resource label format, click here. If enabled, you must enter a value for the media label format in the Pool Resource. If disabled (set to "no"), you will have to manually label media as required. For information on labeling media using the "Device Actions" feature, click here.
Random Access
For devices that have linear access to the storage medium (i.e. a tape moving across a static head), set to "No". Otherwise, set to "Yes".
Auto Mount
Set this directive to "Yes" to permit the Bacula daemon to examine the storage media and search for a Bacula labeled volume.
Removable Media
Set this directive to "Yes" if the storage device uses media that can be removed from the server (i.e. a REV HDD, DAT, USB memory etc.).
Always Open
It is recommended that you set the "Always Open" directive to "Yes", making the storage media always available to Bacula. This allows scheduled backups to be run without user intervention. If set to "No", tape media will be rewound at the end of each backup.
Maximum Volume Size
Sets a physical limit to the amount of data written to a device's media.
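The device directives above are split between two files in Bacula: the Storage resource in bacula-dir.conf (address, port, password, media type) and the Device resource in bacula-sd.conf (path, labeling and mount behaviour). The following is an added example of both for the default File and REV devices; it is not the module's own configuration, and the address, names, paths and the password placeholder are assumptions.

```conf
# Added example; addresses, names, paths and the password are assumptions.

# ---- bacula-dir.conf: what the director tells each client to connect to ----
Storage {
  Name = File
  Address = 192.168.1.1           # UI: Address. Not "localhost": the director
                                  # passes this value to every file daemon, and a
                                  # LAN client would then connect to itself
  SDPort = 9103                   # UI: Port
  Password = "<sd-password-placeholder>"   # must equal the Director password below
  Device = FileStorage            # name of the Device in bacula-sd.conf
  Media Type = File               # UI: Media Type; must match the Device
}

Storage {
  Name = REV
  Address = 192.168.1.1
  SDPort = 9103
  Password = "<sd-password-placeholder>"
  Device = REV
  Media Type = REV
}

# ---- bacula-sd.conf: the devices themselves ----
Device {
  Name = FileStorage
  Media Type = File
  Archive Device = /var/bacula/backups   # UI: Device or Mountpoint (File)
  LabelMedia = yes                # UI: Label Media; needs Label Format in the Pool
  Random Access = yes             # UI: Random Access - disk, not tape
  AutomaticMount = yes            # UI: Auto Mount
  RemovableMedia = no             # UI: Removable Media
  AlwaysOpen = no                 # UI: Always Open - "Yes" matters for tape drives;
                                  # a disk directory need not be held open
  Maximum Volume Size = 4G        # UI: Maximum Volume Size
}

Device {
  Name = REV
  Media Type = REV
  Archive Device = /mnt/REV       # mount point created with the Mount action
  LabelMedia = yes
  Random Access = yes
  AutomaticMount = yes
  RemovableMedia = yes            # the cartridge can be taken off-site
  AlwaysOpen = no                 # so Unmount and Eject can release it
}

# The storage daemon's side of the shared password: only a director
# presenting this password may direct backups to the devices above.
Director {
  Name = clarkconnect-dir
  Password = "<sd-password-placeholder>"
}
```

Two values have to agree across the files for a backup to succeed: the Media Type in the Storage resource and in the Device, and the Password in the Storage resource and in the storage daemon's Director resource. A mismatch in the first shows up as "no appendable volumes", a mismatch in the second as an authentication failure in /var/log/bacula.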
Restoring Your Catalog
Your catalog (contained in a protected MySQL database) is the central index of your backup. Think of your catalog as the equivalent of a catalog in a library. Without an up-to-date catalog, recovering your files in the event of a hardware failure or disaster becomes much more difficult. You may have all the data (books) on a backup storage device, but finding a single file without a catalog is a time-consuming operation. Because of the catalog's importance, the Webconfig utility was designed to give you three common methods of recovering your catalog in the event it is destroyed or corrupted:
● Catalog recovery by bootstrap file (BSR)
● Catalog recovery using a locally stored image
● Catalog recovery by uploading an image
You will be given the option to choose which method you wish to use from the "Restore Catalog" menu (see screenshot below). A MySQL catalog can become large over time - very large. Depending on the number of clients and files you back up on a regular basis, it is not uncommon to have a catalog that is in excess of 10-20MB in size. As such, method #1 above is the preferred method - backing up the data in the catalog database on a regular basis to whatever storage device you are using. The only difference during recovery is that you will use a bootstrap file (BSR) instead of the catalog - a necessity since you don't have the catalog.
Using a bootstrap file to re-create your catalog
● Ensure the backup medium containing the latest catalog data is in your storage device
● Click on the "Restore Catalog" link
● Select the "I want to use a bootstrap (BSR) file..." option
● You should have the latest BSR file for the catalog that was e-mailed to the administration user. Retrieve it and save it to your local hard disk.
● Click on the "Browse" link and select the file you saved in the prior step
● Click on the "Continue" link
● A web dialog will be displayed asking you to confirm or cancel
● Click "Continue". The database import may take several seconds (or minutes if very large) to complete.
Restoring from a local database image
Select the "I want to use a catalog image stored locally..." option and enter the filename, including the absolute path, of the database image. Click on "Continue". Confirm your intention to initialize the database using the data you have in the image.
Uploading/restoring a database image
Due to the file size limitations of uploading files, combined with the large file size inherent to the Bacula catalog database image, this option is limited in use. It is a convenience for those who have a catalog image mailed to an account (i.e. Gmail). However, for any catalog that is larger than 2MB, you are advised to use an alternative file transfer method (SCP, FTP, WinSCP etc.).
Device Controls
Some devices require actions like ejecting a tape or removable HDD. You can perform these actions through the webconfig utility using the drop-down list of supported actions on the "Device Controls" page.
Mount
Mounts a filesystem at a specified mount point. For IDE and SCSI Iomega REV drives, the device location will be auto-discovered - only a mount point needs to be specified. For tape systems, this action will call an internal Bacula mount that ensures the device is available for Bacula to read/write.
Unmount
Unmounts (or umounts) a device.
Unmount and Eject
Same as Unmount, except that the tape or removable media is ejected.
Eject
Ejects removable media from the device.
Label
Bacula uses labels in order to create volumes that are then associated through the use of pools. This may sound complicated at first, but it is really not. For more information, see the Bacula online manual concerning Pools, Volumes and Labels.
Rewind
Issues a rewind command. Only applicable for tapes.
Report
The report page provides a graphical display of job history.
Virtual Console
The virtual console gives the administrator the ability to run Bacula commands via the webconfig GUI rather than the Bacula console. The use of AJAX makes this interface seamlessly bridge the divide between Bacula's console and the PHP webconfig form. Use of this feature should be done with caution and only by those having a solid understanding of the Bacula console commands.
Performing a Backup
Under most circumstances, backups will be performed automatically by the Bacula scheduler (provided you have created scheduled backup jobs). However, on occasion or by personal preference, users may wish to manually initiate a backup job. A backup job must be defined as a resource in order to initiate a manual backup. If you have not done so already, you will need to define the resources needed by a job definition (i.e. FileSet, Pool, StorageDevice etc.), and then define a job.
Performing a Recovery
Recovering Individual Files
Recovering individual files from a specified date is not currently available through the webconfig User Interface. This functionality is available via the Bacula "bconsole" CLI interface, following the procedures documented on the Bacula website. Alternatively, if the recovered file(s) reside on a client machine (not the ClarkConnect server), users can use the graphical user interface provided by the Bacula client that is available for Linux, Mac and Windows platforms.
Recovering from Total Data Loss (aka: Disaster Recovery)
In the event you lose all data on your ClarkConnect server (through hard drive failure, damage, theft etc.), and provided you have data that was backed up to either removable media or to another machine, you will be able to fully restore your system to the state of the last full or differential/incremental backup. The first step in restoring your server is to install the ClarkConnect OS on your new (or repaired) server. Download the latest ClarkConnect ISO matching your previous platform. It is advised (but not required) to stay with your current version until the server is restored to its original state. Register your server to the ClarkConnect Gateway Service network using the "I am re-installing an existing system" option. For more information on system registration, click here. Once registered, install the Bacula backup/restore module using the webconfig User Interface (UI) on port 81 or via the command line:
# apt-get update
# apt-get install cc-bacula
Having installed the Bacula module, use the UI and navigate to the LAN Backup/Restore page, which will be found under the Software heading. From here, you have three steps to a full restore:
● Upload the original Bacula configuration files
● Restore the Bacula file/directory database image
● Perform a full data restore
Uploading Bacula's Config Files
Although you can include Bacula's configuration files in a FileSet to be backed up, this presents another 'chicken and the egg' scenario, since the original configuration files are required to perform a restore. The UI presents a simple and reliable way to always have the latest configuration files available by emailing these files as attachments through the General Configuration page. Note that these files contain the daemon passwords, so the mailbox that receives them needs the same protection as the server itself. Locate the most recent configuration files and save them to your local computer's drive. There are four (4) configuration files that will be required:
● bconsole.conf
● bacula-dir.conf
● bacula-fd.conf
● bacula-sd.conf
Click on the General Configuration link. You will see four sections:
● Global Settings
● Director Daemon
● File Daemon
● Storage Daemon
Click on the Upload Config Files link under the Director Daemon section. You will see a file upload entry form similar to the screen shot below.
Click on the browse link next to the bconsole.conf file. Locate the bconsole.conf file on your local computer, and select 'OK'.
Repeat the procedure for the bacula-dir.conf file. Once you have both files defined in the corresponding input boxes, click Upload now. Repeat similar procedures as described above for the File Daemon (bacula-fd.conf) and Storage Daemon (bacula-sd.conf) sections. Having uploaded your original configuration files for the Bacula module, you are now ready to start the Bacula services. Return to the main Bacula menu and click on the Configure Daemons link. Select Start all services. All four Bacula services (director, file, storage and the MySQL server) should now be running. Return to the main menu.
Restoring the Bacula Database Image
Your next task is to restore the Bacula database image. This operation simplifies the final action of recovering data. Your Bacula database can be restored in one of two ways:
● BSR File
● Database dump
Follow the instructions provided here for the preferred method. The method you choose will depend on which method you had planned on using. For example, if your configuration was set to email the BSR file of the database image upon creation, this will likely be the method you use. Alternatively, if you have been saving a raw database image to another machine (or even emailing this image to an account), you can upload this image through the Bacula module UI. A Bacula database image (or dump file) can grow to a substantial size. Users are cautioned that emailing this file to an account may not be practical or possible.
Restoring Data
Now that your configuration files and database image are restored, simply select and run restores on any jobs containing filesets that require restoring on the local server. From the Bacula UI main menu, select Restore. Since your configuration and database have been successfully restored, you can select the Standard Restore form, completing the fields as required.
Client
The client to which the files should be restored. This should match the client where the files were backed up from.
File Set
The file set that describes the files and directories to be restored.
Replace Policy
Allows the user to control whether newer files replace older ones or not. This is only applicable when the Location parameter (below) is left blank.
Location
Specifies the location where Bacula should restore the files to. Set this field to a blank (null) entry if you wish to restore files to their original location (caution: make sure your Replace Policy is properly set).
Troubleshooting
Logs
Have a look in the system logs if you are having problems. The Bacula daemons log to /var/log/bacula.
Windows Firewall
The Windows XP personal firewall will block attempts made by the ClarkConnect server to back up a Windows desktop on the LAN. Open port 9102 on the Windows firewall by going to Start > Security Center > Windows Firewall and clicking on the 'Exceptions' tab. Add port 9102 and click Update.
Backup to client on the LAN
This option, available under the Basic settings, allows you to back up the server to a Windows shared directory on the Local Area Network (LAN). The following steps will assist you in configuring this option.
● Go to Windows Start > My Computer
● Click on Shared Documents
● Select File > New Folder
● Enter a folder name
● Right click on the folder and select Properties
● Click on the Sharing tab
● Enable the "Share this folder on the network" checkbox
● Enter a share name...for example 'SharedDoc'
● Enable "Allow network users to change my files"
● Click on OK
If you have the Windows firewall enabled, you will need to open a port (189).
● Go to Windows Start > Control Panel
● Click on Network and Internet Connections
● Click on Windows Firewall
● Click on the Exceptions tab
● Click on Add Port
● Enter Server Backup in the Name field
● Enter 389 in the Port number field
● Select TCP
● Click on OK
In order to test whether you can mount the Windows share, login as root and type:
# smbmount '//IP/NAME' MP -o 'username=USER,password=PASS'
where:
● IP = IP address of the Windows desktop
● NAME = your share name, as defined in the steps above
● MP = mount point on CC (i.e. /var/bacula/mnt/SueLaptop)
● USER = Windows username
● PASS = Windows password
Links
● Bacula Home Page
● Find an Iomega REV Drive Reseller
● Iomega REV Drive Home Page
● Bacula Client Downloads
Printing
Print Server
Overview
Information
● Description: A print server.
● Package Name: cc-cups
● Configuration Page: Software > Printing > Print Server
ClarkConnect includes CUPS - the Common Unix Printing System - as well as a large set of printer drivers.
Configuration
Configuration of the printing system is done using the CUPS web interface. You can access this interface via the ClarkConnect web-based interface. As a security precaution, the CUPS web interface is only accessible from a trusted (LAN) network. You cannot access the web interface from a remote Internet connection.
Supported Printers
Not all printers are compatible with Linux. The best resource is the Linux Printing Database, where you can find out whether or not your printer is supported. If so, follow the link from the web-based administration tool to add your printer.
CUPS and Samba
When you configure a new printer with CUPS, it will appear as a shared printer in the Windows Network Neighborhood (if Samba is installed). However, you will need to restart the Samba service after adding a new printer.
Links
● CUPS Home Page
● How to make Windows use CUPS IPP
Web Proxy Access Control
Overview
Information
● Description: Time and user-based access control for the web proxy.
● Package Name: cc-squid-acl
● Configuration Page: Software > Proxy and Filtering > Access Control
Time-based Access Control allows an administrator to enforce time-of-day web access for users or computers (IP or MAC address) using the web proxy.
Installation
If you did not select this module to be included during the installation process, you must first install the module.
Configuration
Adding Time Periods
Time periods define the day of week (i.e. Monday, Tuesday ...) and the time of day (i.e. 12:00 - 13:00) that an access control rule should apply to. Select Add/Edit Time Period from the Webconfig tab menu to:
● display and/or edit a currently defined time period
● add a new time period definition
● delete an existing time period definition
Deleting a time period will delete any access control rule that depends on the time period definition being deleted. In the sample screenshot below, we have created two time period definitions. The first defines a lunch break on weekdays between 12:00pm and 1:00pm (13:00). The second covers the entire day over a weekend (Saturday and Sunday).
Adding Access Control Lists
An unlimited number of access control list definitions can be created to customize precisely how users or machines on the LAN should be given access to the web via the proxy server. In the example below, a rule to allow all machines on the LAN to have access to the web during the weekend is being created. By specifying an internal IP range of 192.168.1.100 to 192.168.1.255, the IP-based identification will apply this rule to all computers on the LAN receiving a DHCP lease in this IP range.
Name
A unique name identifying the access control. ACL Type
Sets the ACL rule type - allow or deny. Allow provides web access to the user/computer...Deny forbids web access. Time-of-Day ACL
References a unique time of day rule. The drop down menu will be empty and a link to create a new time period will be displayed if no time definitions have been created. Restriction
Determines whether the ACL rule will apply to the time period defined or all time outside of the time period defined. For example, if you defined a time period name Lunchtime that was defined as 12:00 - 13:00 from Monday to Friday and you wanted a specific rule to apply during the lunch hour, select Within. Conversely, if you wanted a rule to be applied for all hours outside of the lunch period, you would select Outside. Method of Identification
Depending on your proxy configuration, up to three different methods of user/machine identification are possible - username, IP address and MAC address. Username
Username-based authentication is only available if you have User Authentication enabled. Users must provide login credentials and have access to the proxy server (as defined by the User Options configuration). Once logged into a proxy session, ACL rules based on username will apply.
Page 163 of 214
ClarkConnect Administration Manual IP Address
To restrict web access to a particular computer or multiple computers (i.e. a computer lab), IP address based identification can be used. A single IP address or a range of IP addresses (separated by a dash) can be added. Valid entry examples include: ● 192.168.1.100 ● 10.0.0.121 ● 192.168.1.100-192.168.1.150 The IP address represents the address of the machine connecting to the proxy. Since the computer is located on the LAN segment of the network, any IP address or range listed here should be restricted to an internal IP address or range. MAC Address
A MAC address is a unique identifier originating from a computer's network card. MAC addresses can be a good alternative to IP addresses if an administrator does not lock down the network settings of a machine which might allow a savvy user to get around an IP address-based access control rule. A MAC address must be obtained from the machine and is dependent on the OS. Linux
Open up a shell and type: # ifconfig eth0
Where eth0 represents the network (Ethernet) card. The MAC address for the sample sample output below comes after the HWaddr header and is 00:40:63:DA:E7:23:
Windows
To obtain the MAC address under Windows, click on the Start button and select the Run menu option. Enter cmd in the run field. Once you are at the Windows command prompt, type: C:\> ipconfig /all
and click enter. Find the MAC address next to the Physical Address field. Make sure you get the MAC address of the correct device...there may be more than one if you have both a network card
Page 164 of 214
ClarkConnect Administration Manual and wireless networking card.
ACL Priority New ACL rules are added to the bottom of the list...that is to say, new rules begin with the lowest priority. The proxy server analyzes each rule in successive order...starting from the top and working through each rule. The first rule to match a true condition stops the processing and allows (or denies, depending on the rule type) access to the web. In the example below, there are three rules...AllEmployees has the highest priority, followed by LunchHourStaff and finally (lowest priority) HourlyEmployees.
To understand priorities, it is probably easiest to follow through a few scenarios.

Saturday - Since it is a weekend, and all IP addresses on the LAN were defined when the AllEmployees rule was created, all computers on the LAN will have access to the web, regardless of MAC or username based ACLs and regardless of whether it is lunch hour (i.e. 12pm - 1pm) or not. In this case, the first rule (AllEmployees) applies (returns true) and processing of further rules is not performed.

Monday @ 12:15pm - All users who are using computers whose IPs have been added to the LunchHourlyEmployees IP list will have access to the web.

Monday @ 1:15pm - All users who are using computers whose IPs have been added to the HourlyEmployees IP list will be denied access to the web. This is because the third rule is applied, since the first two rules did not return true. Any user who is using a computer whose IP is not listed in the HourlyEmployees rule will be allowed access to the web.

By default, if no ACL rules return true (i.e. are executed as allow/deny), a user is allowed access to the web. To apply a blanket block rule, create an IP range ACL using the deny type along with a time definition from 00:00 - 24:00. Use the up and down arrows on the ACL Summary page to bump the priority of any ACL rule you create in order to enforce time of day web access.
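The first-match evaluation walked through in the scenarios above, as an added example (not the proxy's own code): three rules in priority order, a default allow when nothing matches, and a blanket deny whose effect depends entirely on where it sits in the list. The LAN range, the hourly-staff range and the dates are constructed for the example.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

WEEKDAYS = {0, 1, 2, 3, 4}          # Monday=0 ... Friday=4
WEEKEND = {5, 6}
ALL_DAYS = WEEKDAYS | WEEKEND


def rule(name, action, networks, days, start="00:00", end="24:00"):
    """Build one ACL rule. Times are 'HH:MM'; '24:00' means the end of the day."""
    def to_minutes(hhmm):
        return int(hhmm[:2]) * 60 + int(hhmm[3:])
    return {"name": name, "action": action,
            "networks": [ip_network(n) for n in networks],
            "days": set(days), "start": to_minutes(start), "end": to_minutes(end)}


# Constructed rule set matching the three rules in the text, top of the list first.
LAN = ["192.168.1.0/24"]
HOURLY_STAFF = ["192.168.1.40/29"]         # 192.168.1.40 - 192.168.1.47 (made up)

ACL = [
    rule("AllEmployees", "allow", LAN, WEEKEND),
    rule("LunchHourStaff", "allow", HOURLY_STAFF, WEEKDAYS, "12:00", "13:00"),
    rule("HourlyEmployees", "deny", HOURLY_STAFF, WEEKDAYS),
]


def rule_matches(r, ip, when):
    """A rule returns true only when its IP list, active days and time window all cover the request."""
    addr = ip_address(ip)
    if not any(addr in net for net in r["networks"]):
        return False
    if when.weekday() not in r["days"]:
        return False
    minutes = when.hour * 60 + when.minute
    return r["start"] <= minutes < r["end"]


def evaluate(acl, ip, when):
    """First-match evaluation: walk the list top-down and stop at the first true rule.
    Returns (decision, rule_name); rule_name is None when the default allow applied."""
    for r in acl:
        if rule_matches(r, ip, when):
            return r["action"], r["name"]
    return "allow", None


def decide(acl, ip, when_str):
    """Convenience wrapper taking the time as 'YYYY-MM-DD HH:MM'."""
    return evaluate(acl, ip, datetime.strptime(when_str, "%Y-%m-%d %H:%M"))


def blanket_block():
    """Deny rule for every LAN address, all days, 00:00 - 24:00. Appended at the bottom it
    only catches requests no earlier rule decided; moved to the top it denies everything."""
    return rule("BlanketBlock", "deny", LAN, ALL_DAYS)


if __name__ == "__main__":
    # 2008-01-12 is a Saturday, 2008-01-14 a Monday.
    for ip, when in [("192.168.1.42", "2008-01-12 10:00"),
                     ("192.168.1.42", "2008-01-14 12:15"),
                     ("192.168.1.42", "2008-01-14 13:15"),
                     ("192.168.1.10", "2008-01-14 13:15")]:
        print(ip, when, decide(ACL, ip, when))
    print("with blanket block at the bottom:",
          decide(ACL + [blanket_block()], "192.168.1.10", "2008-01-14 13:15"))
```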
Troubleshooting

Links

● Squid Proxy website
Banner Ad and Pop-up Blocker

Overview

Banner Ad and Pop-Up Blocker Information

Description: The software blocks banner ads and pop-ups at the gateway.
Package Name: cc-privox
Configuration Page: Software > Proxy and Filtering > Web Proxy

The software filters cookies, ads, banners, pop-ups, and other unwanted Internet content.
Configuration

If you use ClarkConnect as a gateway, you can configure the banner ad blocker in transparent mode. In other words, it is not necessary to change the settings for all the web browsers on the PCs on your network.

● Step 1 - Install the required Web Proxy server
● Step 2 - From Web Proxy's web-based administration page, set the proxy to transparent mode.
● Step 3 - From the Banner Ad administration page, enable banner ad blocker integration.
Links

● Privoxy Home Page
Content Filter

Overview

Content Filter Information

Description: A smart and robust web content filter.
Package Name: cc-dansguardian
Configuration Page: Software > Proxy and Filtering > Content Filter
The content filtering software blocks inappropriate websites from the end user. The software can also be used to enforce company policies; for instance, blocking personal webmail sites like Hotmail can decrease lost productivity at the office. The filter engine uses a variety of methods including phrase matching, URL filtering and black/white lists. Although the filter works effectively 'out-of-the-box', for best results we recommend subscribing to a service level that includes the 'Content Filter Update' service (see Services link below). By keeping your blacklist up-to-date, you will be providing your LAN with the most effective blocking solution against the 'churn' of sites that change daily.
Services

New sites appear, old sites disappear and current sites move around. By enabling the Content Filter Updates service, you will receive regular updates to the filter lists. See website for more details.
Installation

If you did not select this module to be included during the installation process, you must first install the module.
Configuration

The web-based administration tool gives you access to a number of configuration settings. The filter must be run in parallel with the Web Proxy server. It is important to understand the implications of running the content filter with a web proxy server configured to run in standard mode.

Standard Mode

In standard mode, the web proxy operates on port 3128 and the content filter operates on port 8080. You must change the settings of all the web browsers located on the local network to point to one of the above ports in order to take advantage of proxy or filtering services. If users have the technical knowledge and have access to the browser settings on their local machine, they could potentially by-pass the proxy server and have full access to content on the Internet.

Transparent Mode

In transparent mode, all requests from the local network automatically pass through the web proxy cache. The settings for the local machines do not need to be changed. By-passing the proxy is not possible by changing browser settings on the local machine. Obviously, this is the preferred configuration.
Content Filter Update Service
If you have a subscription to the "Content Filter Blacklist Update" service (enabled through your ClarkConnect Gateway Service account) you can check to make sure the update service is active. If the update service is activated, you will see a screen capture similar to that shown below. Updates are pulled or pushed automatically from the ClarkConnect Gateway Service network approximately every week.
Configure Advanced Filtering

Banned File Extensions / Banned MIME Types

Banned File Extensions

Banning specific file extensions is a useful tool for limiting content available to users on the LAN. It can also greatly decrease the chances of users unwittingly downloading and running 'arbitrary' code downloaded from the Internet which could potentially contain viruses, spyware or other malicious code.

By checking a box next to an extension, you are disallowing filtered users from accessing this file type. If you wish an extension to be blocked and it is not listed in the available list, add it to the list using the "Add a new extension type" form.

Banned MIME Types

Similarly, MIME types instruct a browser to utilize certain applications in order to display content encoding. Security exploits in the applications themselves can be used to infiltrate a computer. MIME types checked in the "Banned MIME Types" form will not be allowed to pass through the firewall to the computer making the request on the LAN, providing a more secure environment.

Banned Site List / Exempt Site List
Banned Site List

Sites entered in the "Banned Site List" will be banned, regardless of the site's content, or whether the site is on one of the blacklists.

Exempt Site List

Sites entered in the "Exempt Site List" will be allowed, regardless of the site's content. Use this form if content on a site triggers a 'false positive' that you wish to override.

Banned User IP List / Exempt User IP List

If you have some or all of your workstations configured to use static IP addresses, you can configure individual workstations' access to the web.

Banned User IP List

Here you can configure LAN IP addresses that will be completely blocked from accessing the web. You can either add IP addresses individually or add groups as defined below.

Exempt User IP List

Here you can configure LAN IP addresses that will be granted completely unfiltered access to the web. You can either add IP addresses individually or add groups as defined below.

Groups

You can configure groups of IP addresses to simplify and organize workstation access to the web. For example, in an educational environment you can add all administrator/staff IP addresses to a Staff group and add them to the Exempt User IP List.

Weighted Phrasing
The content filter system uses phrase lists to calculate a score for every web page. You can fine tune your content filter scoring by specifying which phrase lists to use. In general you will want the phrase lists you select here to correspond with the blacklists you are using. At a minimum you will want to include the proxies phraselist to prevent your users from bypassing the filter. Note that more weighted phrases activated for the content filter mean that the filter will take more time to look at each page. It is recommended that if you are using a low powered server, you limit the number of weighted phrase lists you use and instead use more blacklists. If you have problems with some of the phraselists - that they're either blocking too strictly or not enough, please send information to [email protected].

Blacklists

The content filter system uses black lists to block specific web sites. You can fine tune your content filter black lists by specifying which lists to use. Note that these lists are updated weekly by the Content Filter Update Service if you have subscribed to that service. If you have problems with some of the blacklists - that they're either blocking too strictly or not enough, please submit your changes at http://www.urlblacklist.com/?sec=submit.
Configure Filter

Language - If your native language is supported by the DansGuardian content filter, you can configure the filter to use your language when displaying block reports and error messages to your users.

Sensitivity Level - The sensitivity level is an arbitrary scale that allows 'coarse' adjustment of the phrase filter sensitivity. Increasing the sensitivity level means that fewer bad phrases/words will cause the filter to block the page.

PICS Level - An Internet standard for rating web content. This setting will prove to be of minor significance as sites self-administrate this parameter. As a general rule, the recommendation is to disable this setting.

Reporting Level - Five options are available to customize what a user 'sees' when the filter blocks a page:

● Stealth Mode - Site is not blocked...the user's IP and the site are logged (/var/log/dansguardian/access.log)
● Access Denied - User's browser will receive an 'Access Denied' in place of the web page.
● Short Report - A short error message 'bubble' will be displayed like the one below:
● Full Report - Same as above, but the weighted limit and actual value will be displayed (useful for fine-tuning the system).
● Custom Report - Uses the customizable HTML template located at /etc/dansguardian/languages/[language] where language is the language you have selected in the setting above. The HTML template file is template.html and the default en_US language folder is /etc/dansguardian/languages/ukenglish.

Block IP Domains - Used to prevent users from circumventing the URL-based portion of the filter by using IP addresses instead of URLs. Pages will still be filtered based on the other filtering mechanisms: weighted phrases, MIME types, file extensions etc.

Blanket Block - Most restrictive setting. All sites will be blocked with the exception of those listed in the exempt list. Useful for kiosks/public terminals where a browser is used to access a company site etc.
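A simplified model of the weighted-phrase scoring, sensitivity level, Full Report values and Block IP Domains check described in the Weighted Phrasing and Configure Filter sections above. This is an added example, not DansGuardian's or ClarkConnect's code: the phrase lists, their weights and the sensitivity-to-limit mapping are hypothetical, and the page text and URLs are constructed.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed phrase lists with hypothetical weights; they stand in for the weighted
# phrase lists the filter ships with and are not DansGuardian's real lists.
PHRASE_LISTS = {
    "proxies": {"anonymous proxy": 40, "bypass the filter": 40, "cgi proxy": 30},
    "gambling": {"online casino": 30, "place your bet": 25, "poker room": 20},
    "weapons": {"buy ammunition": 35, "gun shop": 25},
}


def weighted_limit(sensitivity):
    """Hypothetical mapping of the coarse sensitivity level (1-10) to the weighted limit.
    A higher sensitivity gives a lower limit, so fewer bad phrases block a page."""
    if not 1 <= sensitivity <= 10:
        raise ValueError("sensitivity must be between 1 and 10")
    return 110 - 10 * sensitivity


def score_page(text, enabled_lists):
    """Sum the weight of every enabled phrase found in the page (each phrase counted once).
    Returns (score, matched). Every enabled list adds phrases the filter must scan for."""
    haystack = re.sub(r"\s+", " ", text.lower())
    score, matched = 0, []
    for name in enabled_lists:
        for phrase, weight in PHRASE_LISTS[name].items():
            if phrase in haystack:
                score += weight
                matched.append((name, phrase, weight))
    return score, matched


def host_is_ip_literal(url):
    """True when the URL names the site by IP address rather than by hostname."""
    host = urlsplit(url).hostname or ""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def filter_request(url, page_text, enabled_lists, sensitivity, block_ip_domains=True):
    """Decide whether a fetched page is passed to the user. The returned dict carries
    what a Full Report shows: the weighted limit and the actual value."""
    limit = weighted_limit(sensitivity)
    if block_ip_domains and host_is_ip_literal(url):
        return {"blocked": True, "reason": "ip_domain", "score": 0,
                "limit": limit, "matched": []}
    score, matched = score_page(page_text, enabled_lists)
    blocked = score > limit
    return {"blocked": blocked, "reason": "weighted_phrases" if blocked else None,
            "score": score, "limit": limit, "matched": matched}


if __name__ == "__main__":
    # Constructed page text for the demonstration.
    page = "Welcome to the best Online Casino. Place your bet now in our poker room!"
    for sens in (2, 6):
        r = filter_request("http://example.com/", page, ["gambling"], sens)
        print("sensitivity", sens, "->", r["blocked"], "score", r["score"], "limit", r["limit"])
    print(filter_request("http://203.0.113.5/", page, ["gambling"], 2)["reason"])
```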
Links

● DansGuardian website
● URLBlacklist.com - used by the CCGS Service
Web Proxy

Overview

Web Proxy Information

Description: Web proxy cache server.
Package Name: cc-squid
Configuration Page: Software > Proxy and Filtering > Web Proxy
Squid is a high-performance proxy caching server for web clients, supporting FTP, gopher, and HTTP. The software not only saves bandwidth and speeds up access time, but also gives administrators the ability to track web usage in the daily report.
Installation

If you did not select this module to be included during the installation process, you must first install the module.
Configuration

General Settings

Maximum Cache Size

The maximum size on your hard disk to use for the proxy server cache.

Maximum Object Size

Any file (image, web page, PDF, etc) above the maximum object size will still go through the proxy but will not be cached. Large files (for instance, a movie file) can take up a lot of space in your proxy cache. If you have a cache size of 2 Gb and two people happen to download 1 Gb files at the same time, then these two files would replace everything else in your cache. You can limit the maximum object size to prevent this situation.

Maximum Download File Size

If you want to limit downloads of large files (for instance, movies) you can set a maximum size. Any file above this limit will get blocked.

Reset Cache

Use the reset cache button to delete all the files currently stored by the web proxy server.
Mode

The web proxy and content filter work together to filter web traffic on your network. The combination of these two applications can operate in several different modes.

Off

This mode is typically used to either temporarily disable the web proxy service or implement a custom proxy configuration file. Web traffic can still continue to flow un-proxied on port 80, while access to port 3128 (web proxy) and port 8080 (content filter) are also available.

Off + Content Filter

In this mode, all workstations on the local network must be configured to use port 8080 (content filter) as the proxy server. In other words, the only way a person can access the web is by configuring their web browser to go through the content filter.

On

This mode is typically used to take advantage of the improved bandwidth usage and speed of a proxy server. In transparent mode, all web requests from the local network automatically pass through the proxy. No configuration changes are required on the workstations.

On + Content Filter

This mode is typically used to enforce content filtering without the need to make configuration changes on the workstations. As soon as you enable this mode, all web traffic going through your gateway goes through the content filter.
Web Site Bypass

In some circumstances, you may need to by-pass the proxy server when it is running in transparent mode. Typically, this is required for web sites that are not proxy-friendly (notably, older Microsoft IIS web servers send invalid web server responses -- these responses may not get through the proxy server). Example: Tivo personal video recorders (PVRs) are unable to connect via a proxy server. Adding Tivo's network 204.176.0.0/14 to the proxy by-pass list solves the issue.
Web Browser Configuration

In non-transparent mode, you must change the settings on all the web browsers running on your local network. The following describes the steps for configuring Internet Explorer, but other browsers have similar procedures.

In Internet Explorer:

● Click on Tools in the menu bar
● Select Internet Options
● Click on the Connections tab
● Click on the LAN Settings button

In the Proxy Server settings box, specify your gateway's IP address (default: 192.168.1.1) and the proxy port (see next section). You may not be able to access websites on your Squid machine or on your local network unless you select "Bypass proxy server for local addresses".
Reports

The Web Proxy Report includes statistics on top sites, number of hits, usage by LAN IP address, daily traffic size, and more. You can view the report from the web-based administration tool.
FTP Proxy

From the Squid Web Proxy FAQ:

Question: Can I make my regular FTP clients use a Squid cache?
Answer: It's not possible. Squid only accepts HTTP requests.
Troubleshooting

If you see the message "A configuration issue with your web browser settings was detected", please make sure your browser settings match your proxy server configuration.
Links

● Squid Proxy website
Groupware

Groupware Configuration

Overview

Groupware/Collaboration Information

Description: A groupware and collaboration module.
Package Name: cc-groupware
Configuration Page: Software > Collaboration

ClarkConnect's Groupware module provides an open-standards based shared environment with support for calendars, notes, tasks and contact lists. These common task (goal) elements can be accessed through a number of client interfaces.

● Microsoft Outlook™ 2000/XP
● KDE Kontact™
● Mozilla Thunderbird™
● Horde Webmail (available Q1, 2007)

Together with e-mail and the Flexshare module, a simple and secure environment can be created within an organization or between trusted parties to collaborate together on common projects.
Installation

If you did not select this module to be included during the installation process, you must first install the module.
Configuration

Service

Groupware is a collection of software and services tightly integrated to allow groups of users to collaborate effectively. The groupware overview page reflects this dependence. You may not have selected packages which provide additional features or functionality. If a module is not installed, you can use the Software Modules utility to look up and install modules that were not selected or available during the installation process.
Creating User Accounts

Use the ClarkConnect User Interface (Webconfig) to add accounts that include mailbox functionality to support the groupware features. By default, the Community and Enterprise Editions include 10 accounts that have groupware/mailbox functionality. The Enterprise Edition is upgradeable to 250 users (in units of 5) by purchasing additional mailbox licenses from Point Clark Networks. If this is your first time setting up the ClarkConnect user accounts, you will be redirected to the server set-up page if you have not entered basic server defaults. Complete the global system parameter set-up and return to the users page. You will see a summary similar to the screen capture below.

Follow the instructions here to add accounts for those users who will have access to the groupware functionality of ClarkConnect.
Configuring Your Firewall

Groupware is a solution that allows groups of people within an organization to be productive both on the trusted Local Area Network and outside it: for example, at an employee's home, a WIFI access point at an airport, a hotel broadband connection or an Internet café. Depending on what remote access you want to allow, precise changes in your firewall are required. Below, you will find a table of typical services that groupware uses, and the ports you would need to open in order to allow remote access.
Protocol   Description                                              Default Port
SMTP       Simple Mail Transfer Protocol (with or without SSL)      25
POP3       Post Office Protocol (non-encrypted)                     110
POP3S      Post Office Protocol with SSL (encrypted)                995
IMAP       Internet Message Access Protocol (non-encrypted)         143
IMAPS      Internet Message Access Protocol with SSL (encrypted)    993
HTTP       File or website access via web server                    80
HTTPS      File or website access via web server with encryption    443
FTP        File Transfer Protocol                                   2121 (1)
FTPS       File Transfer Protocol with TLS (SSL encryption)         2123 (2)

1 - ClarkConnect Flexshare using FTP. Default FTP is port 21.
2 - ClarkConnect Flexshare using FTPS. Default FTP with TLS is port 21.
Configuring Clients

Once accounts are set-up on the server, it is time to configure a user's individual mail client that will be used to interface to the collaborative environment.
As with any advanced configuration and installation of software, it is advisable to make a backup of your system or the data files related to the mail client you are using (for example, the Outlook PST file).

Microsoft Outlook

Installing the Toltec Connector

The first step in configuring Outlook is to download and install the Toltec Connector.

ClarkConnect FTP: ftp://download.clarkconnect.com/4.1/other/toltec-2.2.0-en-kolabxml-cc.exe

Make sure to close any running instance of Outlook before installing the Toltec Connector. Once you have downloaded the file, use Explorer to navigate to the directory it was downloaded to and double click on the executable. A familiar install splash screen will be displayed.

Click Next to continue. After reading the License Agreement, select I accept the agreement and click on Next. By default, the Toltec Connector will be installed in C:\Program Files\Toltec. Generally speaking, this default and the remaining defaults can be used to quickly complete the install wizard.

Licensing the Toltec Connector
Start Microsoft Outlook, select Help > About Toltec Connector as displayed below.
Click on Load a License Key and select the directory where you have your key. If you haven't yet purchased a key, you can purchase one through ClarkConnect's Online Store or directly from the Toltec site.
Close the About dialog box and click on Outlook's Tools > Options from the menu. You should now see an additional tab labeled Toltec Connector.
Before you continue with the next step, ensure that the ClarkConnect server's IMAP service is enabled, that an account has been created for the user whose client you are configuring, and that the ClarkConnect IMAP server can be accessed from the system you are configuring.
Outlook Modes (Outlook 2000 ONLY)
The first step in configuring Outlook 2000 is to switch to Corporate Workgroup Mode. Open Outlook, select Tools > Options and select the Mail Delivery tab.
Select Reconfigure Mail Support.
Select Corporate or Workgroup mode and click on the Next button. Confirm your intention to change the mode by selecting Yes. Restart Outlook.

Mapping Toltec to a Message Store
Under the Toltec Connector tab, click on the New button to create a new message store to map to. Click Next on the first dialog box that appears informing you that you are about to start the next wizard. Most users will want to select the default message store (outlook.pst) from the list of available message stores. If so, select Personal Folders (you may have renamed it to something more "personal") and click Next.
Select Open Format (Kolab-XML 2.x) and click Next.

Enter your server's hostname in the appropriate field, followed by your user account's username and password (matching those used when you created a user on the server). Ensure the checkbox for encrypting communications with TLS/SSL is enabled, then click Next to continue.
At the next stage a connect/protocol test will be performed. If everything is functioning properly, you should see an output from this test which resembles the following screen capture. Click Next followed by Finish to complete the set-up. Connection issues may be caused by firewall software running on your desktop!
At this point, the Toltec connector has successfully been mapped to your Personal Folder.
Outlook Accounts - POP3(S) vs. IMAP(S)

The Toltec connector uses the secure IMAP protocol to synchronize data between your Outlook client and the ClarkConnect IMAP service. As a result (and although it is counter-intuitive), you should create a POP3 account to fetch mail from the server and set up an outgoing SMTP service to send mail. If you were using POP3(S) with Outlook, you don't need to do anything. If you were using IMAP or are using Outlook for the first time, you'll need to create a POP3 account with your user settings matching the ClarkConnect server. The following sections explain how to do this and how to detach (dis-associate) the Toltec mapping and re-assign it to another personal mailbox (pst file).

Start Outlook and click on Tools > E-mail Accounts. Select View or change existing e-mail accounts. Click Next to continue.
You will be shown a list of all accounts you have created. If you recognize one as connecting via POP(S) to your ClarkConnect server, you don't need to do anything other than to check that the Toltec connector is mapped to it (see next section). If you need to create a new account for sending/receiving e-mail from the ClarkConnect server, click on the Add button. A number of options for account types will be listed.
Select POP3 and click continue.
Complete the mail account settings for the specific user. Use the Test Account Settings button to see if you have configured your account and server correctly.
If you are using SSL encryption to receive or send mail (highly recommended), click on the More Settings > Advanced tab and select This server requires a secure connection (SSL) on the Incoming and Outgoing servers as required. POP3 with SSL encryption uses a different port than POP3 - remember to open up port 995 instead of 110 if you enable SSL on the account.
Clicking Next will send you back to the account list where you should now see your entry.
Detaching/Re-attaching the Toltec Connector
If you need to re-assign the Toltec connector to another Message Store, click on Tools > Options > Toltec Connector. Select the Message Store to be disassociated with the connector and click Detach. If you remove a mapping, you will need to either remove the PST file or delete/recreate the account on the IMAP server before mapping again - otherwise all entries will be duplicated.
To attach the connector to another Message Store, follow the instructions above. Mapping to multiple IMAP4 servers is possible but beyond the scope of this document.

Synchronizing Outlook with the Server
By default, Toltec will synchronize data between Outlook and the ClarkConnect server when the object is selected in the Folder List.
You can customize this behavior by selecting an object (for example, your calendar), and using right-click Properties.
Select the Toltec folder. You will see a number of options allowing you to synchronize data on events or periodically.
Users who have a large number of messages (10000+ in a single folder) may only want to synchronize manually to avoid processing delays.

Mozilla Thunderbird
Support for Thunderbird with Kolab groupware synchronization is currently in development (beta). Please check back later.
Testing Object Synchronization
As a simple test, we will assume at least two users have been created on the server - in this example, Mary and David, who work for Point Clark Networks. David is Mary's assistant and regularly schedules her appointments and meetings for her. As such, he requires shared access to Mary's calendar. Note, the administrator has been sure to give both Mary and David access to both the mail and web user options.

Sharing a Calendar
The first configuration to be made is David's shared access to Mary's calendar. To do this, Mary would open her mail client (Outlook in this case) and Right-Click on the Calendar object in the folder list and select Properties.
Clicking on the Toltec tab displays a button labeled Folder Sharing Options. Mary clicks on this button and adds David with the desired sharing privileges.
Once done and a synchronization has been performed, David will see Mary's calendar in his Folder List.
At this point, creating meetings and appointments for Mary is straightforward. David simply selects Mary's calendar and creates appointments or meetings on behalf of Mary. Mary's Outlook client will synchronize with additions/changes made by her assistant in addition to keeping track of her own entries.
Webmail

Upgrades to the Webmail module supporting groupware are scheduled for Q2, 2008.
Sharing/Accessing Files

Please refer to the Flexshare section of this manual.
Troubleshooting Outlook 2000 and Calendar Format
If meeting requests are not working in Outlook 2000, you may need to set the default format to use iCalendar (iCal). To do this, start Outlook 2000 and click on Tools > Options > Preferences (tab). Click on Calendar Options and ensure the Send meeting requests using iCalendar by default checkbox is enabled.
Tips and Tricks

Manual Synchronization

You can synchronize data between your Outlook client and the server at any time by clicking on the icon found in the Outlook menu bar.
Synchronization Progress
You can view the progress being made on synchronization between your Outlook client and the server by Right-Clicking on the Toltec Icon in your Windows system tray and selecting View.

Enabling Free/Busy Scheduling Without User Authentication

Links

● Kolab Groupware Project
● Toltec Groupware Connector
● Toltec Connector for Windows Download
● Toltec Installation Guide (PDF)
● Kolab Synchronization Plugin for Mozilla Thunderbird
● Purchase ClarkConnect Toltec Licenses
VPN

PPTP

Overview

VPN Server - PPTP Information

Description: Virtual Private Network PPTP server.
Package Name: cc-pptp
Configuration Page: Software > VPN > PC-to-LAN
The PPTP server is a secure and cost effective way to provide road warrior VPN connectivity. The PPTP VPN client is built into Windows 98, ME, 2000, and XP. No extra software is required, and ClarkConnect provides full password and data encryption.
Installation

If you did not select this module to be included during the installation process, you must first install the module.
Configuration

Configuring the PPTP Server

Local IP and Remote IP

You must select a range of LAN IP addresses for the PPTP VPN connections. This range should be on the same network as your local area network. By default, the DHCP Server on ClarkConnect only uses IP addresses above x.x.x.100. All addresses below this number are reserved for static use. We strongly suggest you use this sub-100 static range for PPTP.

Encryption Key Size

Most PPTP VPN clients support the stronger 128-bit encryption key. However, some VPN clients (especially hand-held computers and mobile phones) can only support 40-bit encryption. Change the encryption key size to meet your needs.

Domain

The default domain used by the PPTP client.

WINS Server

The Microsoft Networking WINS server used by the PPTP client. Depending on your network configuration, you may need to specify the WINS settings in the VPN client configuration.

DNS Server

The DNS server used by the PPTP client.

Usernames and Passwords

PPTP users must have a valid account with the PPTP option enabled. See the User Options page for more information.
Configuring Microsoft Windows

Configuring Windows 95/98

● For stronger encryption and improved performance, install the latest version of Dial-Up Networking. See 128-bit Encryption for Windows 95/98.
● Install the Virtual Private Networking client from the Windows 98 CD. Use the Add/Remove Programs tool in the Control Panel. Click on the Windows Setup tab, and select Communications from the list. Click on the Details button and make sure Virtual Private Networking is selected (see screenshot). You may need to reboot your system after changing this setting.
● The PPTP Client in Windows 98 is part of the Dial-up networking tools. It may seem strange using dial-up networking over another dial-up connection (or in some cases over broadband)... but that is the way it is. Go to dial-up networking by clicking on My Computer on your desktop.
● Click on Make New Connection.
● Name the connection and select the Microsoft VPN Adapter.
● Continue with the wizard and enter the IP or Hostname of the PPTP server.
● You are not quite done yet. Right-click on the VPN connection you just created.
● Select the Server Types tab.
● Make sure Require encrypted password and Require data encryption are selected (see screenshot).
● Disable the NetBEUI and IPX/SPX protocols (unless you really need them).
● Click on the TCP/IP Settings button.
● Use the default gateway on the remote network (see screenshot). This may not be necessary in some situations.
Configuring Windows XP

The PPTP client is built into Windows XP.

● Go to the Control Panel.
● Click on Network Internet Connections (this step may not be necessary).
● Click on Network Connections.
● Click on Create a New Connection to start the configuration wizard (see screenshot).
● Select Connect to the network at my workplace.
● Select Virtual Private Network connection.
● Add a connection name, dial settings, and hostname.
● Click on the Properties button (or right-click on the new connection, and select Properties from the menu).
● Select the Security tab.
● Make sure Require data encryption is selected.
● Select the Networking tab.
● From the Type of VPN drop box, select PPTP VPN.
Troubleshooting

Error 619, PPTP and Firewalls

PPTP requires special software when passing through firewalls. If you are having trouble connecting to a PPTP server, make sure any firewalls between your desktop and the ClarkConnect server support PPTP passthrough mode.
PPTP Passthrough

If you are connecting a desktop from behind a ClarkConnect gateway to a remote PPTP server, then you need to have PPTP passthrough software installed and enabled on the firewall. This software is included in ClarkConnect. However, we do not recommend running PPTP Passthrough and a PPTP server simultaneously. By default, the ClarkConnect gateway will automatically disable PPTP Passthrough when the Firewall Incoming is configured to allow PPTP server connections. If you would like to run PPTP Passthrough and a PPTP server simultaneously, follow the Force PPTP Passthrough documentation.
Two PPTP Connections to the Same Server

The PPTP protocol does not allow two VPN connections from the same remote IP address. In other words, if you have two people behind a gateway (for example, ClarkConnect) connecting to the same PPTP server, then the connection should fail. Note: it is fine to have two people behind a gateway connecting to different PPTP servers. Some PPTP servers and gateways (including ClarkConnect) do make an exception for this shortcoming. However, some PPTP servers may strictly follow the standard, as described below:

"The PPTP RFC specifies in section 3.1.3 that there may only be one control channel connection between two systems. This should mean that you can only masquerade one PPTP session at a time with a given remote server, but in practice the MS implementation of PPTP does not enforce this, at least not as of NT 4.0 Service Pack 4. If the PPTP server you're trying to connect to only permits one connection at a time, it's following the protocol rules properly. Note that this does not affect a masqueraded server, only multiple masqueraded clients attempting to contact the same remote server."
Links
● PoPToP PPTP Server
● 128-bit Encryption for Windows 95/98
● PPTP handles 100s of users
IPsec

Overview

VPN Server - IPsec

Information
Description: Virtual Private Network tools for LAN-to-LAN connections.
Package Name: cc-ipsec
Configuration Page: Software > VPN > LAN-to-LAN
You can use the web-based administration tool to create a connection with other ClarkConnect servers (on licensed systems, dynamic IP support is included).
Installation

If you did not select this module to be included during the installation process, you must first install the module.
Configuring Connections with Managed VPN

Managed VPN support not only simplifies configuration, but also improves the up-time of the connections. In order to create a connection between two systems, you need to configure both ClarkConnect systems. If you are configuring a VPN connection between your local gateway and a remote gateway, then configure the remote gateway first: once the VPN is started on the remote system, it will only be accessible when the VPN connection is up. If you run into trouble configuring the tunnel, you can use a dial-up or other location to access the remote location.

From the web-based administration tool, click on Create in the Managed VPN Connections box. You need to:
● Select the IP address of the remote connection
● Type in a pre-shared secret (password)

On the first connection or when an IP address changes, it may take a few minutes for the connection to synchronize. The two LAN networks at either end of the VPN connection must not overlap! If you need to change the LAN IP address/network on your ClarkConnect server, please use the Administration Console.
Configuring Un-managed VPN Connections (not recommended)

Select Headquarters and Satellite

Pick one server to be the "Headquarters" and the other to be the "Satellite". This is just a naming convention -- pick a convention and stick with it! The OpenSWAN documentation uses "left" and "right". This can be confusing at times, so we also use an alternate set of names: "headquarters" and "satellite".
Gather Network Information

You must gather some network information for the IPsec server configuration, namely: the IP address, next hop (gateway), and network for both sides of the connection. Make sure these settings are correct -- you will save many hours of pain and frustration. The information for the local ClarkConnect system is shown when you start to configure an unmanaged VPN connection. The two LAN networks at either end of the VPN connection must not overlap! If you need to change the LAN IP address/network on your ClarkConnect server, please use the Administration Console.
Select a Connection Name and Pre-Shared Secret

Once you have your network settings in hand, enter the information on both ends of the VPN connection. Enter a simple nickname for the connection along with a strong pre-shared secret. When configuring the other end of the VPN connection, do not be tempted to swap the Headquarters and Satellite information! The configuration screens on both ends of the connection will look exactly the same.
Sanity Checking

Start the IPsec server on both ends of the connection. Do not use Windows Network Neighborhood to verify the VPN (there is a Howto on getting your Windows Network up and running). Instead, make sure you can ping from:
● gateway to gateway
● gateway to remote PC
● remote PC to gateway
● remote PC to remote PC

If the connection fails, double check your network settings and restart your firewall. Look in the log files -- /var/log/messages and /var/log/secure -- for error messages.
Configuration for Road Warriors

The web-based administration tool does not support Road Warrior connections or interoperability with other IPsec servers. The software is capable of these configurations (including X.509 solutions); however, you must manually configure these connection types. Configuration can be a non-trivial task, so please read the OpenSwan site for more information. For road warriors/telecommuters, we strongly suggest using the 128-bit encrypted PPTP server. This option is not only more cost effective, but also easy to configure. See PPTP for installation and configuration instructions.
Configuring Windows Network Neighborhood - WINS

Do you want to be able to browse Windows Network Neighborhood across your VPN connection? You must configure and use a WINS server. Fortunately, ClarkConnect has all the pieces of the puzzle in place. Please view the additional documentation here.
Interoperability

The IPsec protocol is an industry standard, but one with many loose ends. This means that other IPsec servers -- though standards compliant -- may not be able to connect to a ClarkConnect IPsec server. If you are familiar with the command line environment, you may be able to successfully connect a ClarkConnect system to a third party system. You can find more information in the OpenSwan Interoperability Documentation. Technical support is not provided for IPsec interoperability.
Troubleshooting
● Make sure your firewall allows incoming connections for IPsec traffic.
● The IPsec protocol does not pass through NAT-based routers. In other words, if your external IP address is 192.168.x.x or 10.x.x.x, then your system is behind a NAT-based router.
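The two checks the manual asks for before an unmanaged LAN-to-LAN tunnel is configured (non-overlapping LAN networks, and an external address that is not itself a private/NAT address) can be run over the gathered settings before anything is typed into the configuration screens. This is an added example, not ClarkConnect code; the headquarters/satellite dictionaries, the "next hop must not sit inside the LAN" rule and the sample addresses are constructed, and 172.16.0.0/12 is added as the third RFC 1918 block alongside the two ranges the manual names.

```python
"""IPsec LAN-to-LAN pre-flight check (added example, not ClarkConnect code).

Rules taken from the manual:
  1. The LAN networks at either end of the tunnel must not overlap.
  2. IPsec does not pass through NAT routers, so a private external address
     (192.168.x.x, 10.x.x.x, plus 172.16/12 from the same RFC) means the
     gateway is behind NAT.
Added rule (assumption): the next hop is the upstream gateway, so it must
not sit inside that side's own LAN network.
"""
import ipaddress

# RFC 1918 private ranges.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def behind_nat(external_ip):
    """True when the supposed external address is really a private one."""
    addr = ipaddress.ip_address(external_ip)
    return any(addr in net for net in RFC1918)


def lans_overlap(lan_a, lan_b):
    """True when the two LAN networks share at least one address."""
    a = ipaddress.ip_network(lan_a, strict=False)
    b = ipaddress.ip_network(lan_b, strict=False)
    return a.overlaps(b)


def preflight(hq, sat):
    """Return a list of problems; an empty list means the settings pass.

    hq and sat are dicts with 'ip' (external address), 'nexthop' and 'lan',
    the three items the manual says to gather for each side.
    """
    problems = []
    for name, side in (("headquarters", hq), ("satellite", sat)):
        if behind_nat(side["ip"]):
            problems.append(f"{name}: external IP {side['ip']} is private, "
                            "so the gateway is behind NAT and IPsec will not pass")
        lan = ipaddress.ip_network(side["lan"], strict=False)
        if ipaddress.ip_address(side["nexthop"]) in lan:
            problems.append(f"{name}: next hop {side['nexthop']} lies inside "
                            f"the LAN {side['lan']}; check the WAN settings")
    if lans_overlap(hq["lan"], sat["lan"]):
        problems.append(f"LAN networks overlap: {hq['lan']} and {sat['lan']}")
    return problems


if __name__ == "__main__":
    # Constructed sample settings (documentation addresses, not real sites).
    hq = {"ip": "203.0.113.10", "nexthop": "203.0.113.1", "lan": "192.168.1.0/24"}
    sat = {"ip": "198.51.100.20", "nexthop": "198.51.100.1", "lan": "192.168.2.0/24"}
    for line in preflight(hq, sat) or ["settings pass"]:
        print(line)
```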
Entertainment

Photo Gallery

Overview

Photo Gallery

Information
Description: A web-based photo album.
Package Name: cc-gallery
Configuration Page: Software > Fun > Photo Gallery
Gallery is a web-based photo album that provides you with the ability to create and maintain your own online photo collection via an intuitive web interface.
Installation

If you did not select this module to be included during the installation process, you must first install the module.
Configuration

More information can be found on the Gallery page in the web-based administration tool.
Links
● Gallery website
Web

Web Server

Overview

Web Server

Information
Description: A powerful and popular web server.
Package Name: cc-httpd
Configuration Page: Software > Web > Web Server
ClarkConnect includes the Apache web server -- the same software that powers many of the world's largest websites.
Installation

If you did not select this module to be included during the installation process, you must first install the module.

Configuration

General

Global

The basic set-up of the Apache web server is installed by default. In the main configuration, you need to specify two items:

Server Name

The server name is a valid name (for example, www.example.com) for your web server. This name is used on some infrequently used error pages, so it is not all that important.

SSL-Enabled - Secure Site

The web server comes with built-in SSL encryption for enhanced security. If your website requires a username and password for login, then it is a good idea to use encryption. For instance, if you have the webmail or groupware solution installed, you should access their respective login pages via the secure web server. In your web browser, you should use the encrypted https://your.domain.com instead of the un-encrypted http://your.domain.com (https vs http). When enabled, all communication between the web server and the user's web browser is encrypted using a 128-bit security key.

SSL encryption requires a web site certificate. ClarkConnect automatically generates a default certificate that is 100% secure. However, this certificate is not verified by one of the web site certificate authorities (it costs at least $100 per year to maintain a verified web site certificate). Your users will see the following warning (or similar) when connecting to the secure web server.
Allow FTP Upload

Enables an administrator/user to upload or change content on the website via FTP. By default, the FTP server uses the non-standard port 2121. A user must be created on the server with FTP access in order to provide authentication credentials to log in to the FTP server. Any user belonging to the group configured in the Group Access setting will have read/write access to the website directory. You must use an FTP client (rather than a browser) if you would like to upload files to the server.

Allow File Server Access

Enables an administrator/user on the LAN (or remotely via VPN) to upload or change content on the website via file shares (Samba). To access the share using a Windows client on the LAN, go to Start, My Computer and enter:

\\SERVERNAME\DOMAINNAME

Where:
SERVERNAME = your server's hostname (e.g. webserver.lan)
DOMAINNAME = your website's domain name (e.g. mywebsite.com)

Any user belonging to the group configured in the Group Access setting will have read/write access to the website directory.

Group Access

Select a group which will be used to grant access to users who should be able to make modifications (uploads) to the website. If no groups have been created on your server, you will have to add one first before configuring either FTP or file server based access.

Virtual Hosts

The web server includes support for "virtual hosts". This means your web server can be used to host more than one web site.
Adding Static Content to Your Site

Text Editor

Not the most efficient means, but certainly possible. Use your favorite text editor and start typing away! Example:

# vi /var/www/html/index.html

And add:

<html>
<head>
<title>My First Web Page</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>
Hello World
</body>
</html>
Web Design Applications

There are a number of products (free and commercial) to design your own web pages. See the links below for
Adding Dynamic Content to Your Site

There are many options for adding dynamic content to a website:
● CGI
● PHP
● JSP
● ASP

The set-up and configuration of these engines are beyond the scope of this help document. PHP, however, is available as a module.

Installing the PHP Module
Flexshares and your Web Server

ClarkConnect's Flexshare feature is a convenient way to add and configure more advanced web server functionality, such as user-authenticated logins against the LDAP service, file indexing, etc. Flexshares are only available in ClarkConnect 4.0 Editions and above.
Troubleshooting

ISP Blocking

Some ISPs are known to block web (port 80) traffic to residential broadband connections in an attempt to cut down on illegal sites hosted on their network. If you think your configuration is set up correctly and you suspect your ISP is blocking HTTP traffic, try a port scan.

Firewall Rules

A web server listens to client requests coming in on port 80 (HTTP) or 443 (HTTPS/secure). Did you remember to open the correct port(s)?

Unable to Gain FTP or File Share Access - Access Denied

If you have just created a user and/or group, try stopping and restarting the FTP and/or file service, depending on which access methods you have configured.

Links
● Adding incoming firewall rules
● Apache Web Server Project
Reports

Current Status

Overview

Current Status Information

Information
Description: Disk load, system load, memory usage, and other system status.
Package Name: cc-status
Configuration Page: System > System Information > Current Status
Dashboard

Overview

Dashboard

Information
Description: The dashboard shows a big picture overview of your system.
Package Name: cc-webconfig
Configuration Page: Dashboard

Overview

The dashboard page is a bird's eye view of your system.
Intrusion Detection

Overview

Intrusion Detection

Information
Description: A report displaying summary information on the intrusion detection system.
Package Name: cc-snort
Configuration Page: Reports > Reports > Intrusion Detection

The intrusion detection report provides a way to analyze hostile traffic arriving on your network interfaces.
Logs

Overview

Logs

Information
Description: Log viewer.
Package Name: cc-reports
Configuration Page: System > System Information > Logs

The log report page allows you to view and filter detailed log files on your system.
SMTP Mail

Overview

SMTP Mail Report

Information
Description: A report displaying summary information on the mail server.
Package Name: cc-postfix
Configuration Page: Reports > Reports > SMTP Mail
Statistics

Overview

System Statistics

Information
Description: Historical information on system performance.
Package Name: cc-mrtg
Configuration Page: Reports > System Information > Statistics

Installation

If you did not select this module to be included during the installation process, you must first install the module.

Statistics

The charts shown in the statistics page show the following information:
● Maximum value over the period (e.g. one day)
● Average value over the period
● Current value
Load

The system load is a measure of how the overall system is performing. A common misconception is that the system load is a measure of CPU usage. However, a high system load can also be caused by excessive hard disk access or other types of bottlenecks in the overall system. Two different trend lines are shown on this chart. The green line indicates the average system load for a given 5-minute time period. The blue line indicates the average system load for a given 15-minute time period. The system load displayed on the charts is multiplied by 100. For instance, if you see a load of 53 in the chart, then the load is really 0.53. A sustained load above 200 on the chart indicates an overloaded system (occasional spikes above this number are normal).
Open Connections This statistic shows the number of open network connections to your system. For instance, an end user fetching their e-mail from the server will open one (or more) network connections. If your system comes under an unwanted attack, you will likely see a large spike in open connections.
Processes The number of processes running on your system.
Swap Memory

Swap memory usage is an indirect indicator of how well your system is managing RAM (physical) memory. The green background in this chart (if shown) is the amount of swap memory available. The blue line indicates the amount of swap memory used. If the blue line sustains a level of 75% of the total swap memory available, then you need to take action:
● Disable unused software/services running on the system
● Investigate potential software bugs/issues
● Add more RAM

The intrusion detection system and content filter system use quite a bit of system resources. On a Linux system, all unused RAM is used to optimize file access. Do not be surprised to find your RAM usage at 95% or higher.
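The Load and Swap Memory rules above (chart load is the real load times 100; a sustained chart value above 200 means overload while an occasional spike is normal; swap sustaining 75% of the total needs action) can be applied to exported chart samples instead of being read off the graph by eye. This is an added example, not ClarkConnect or MRTG code; the manual does not define "sustained", so the run-of-consecutive-samples rule and the sample series are assumptions.

```python
"""Reading the ClarkConnect Statistics charts (added example, not product code).

From the manual: chart load = real load * 100; a sustained chart value above
200 means an overloaded system, occasional spikes are normal; swap usage
sustaining 75% of the available swap needs action.
Assumption: "sustained" means at least `sustain_samples` consecutive samples
over the limit (the manual does not define the term).
"""

CHART_SCALE = 100        # chart value = load * 100 (manual)
LOAD_CHART_LIMIT = 200   # chart units; i.e. a real load of 2.0 (manual)
SWAP_LIMIT = 0.75        # 75% of available swap (manual)


def chart_to_load(chart_value):
    """Convert a chart reading (e.g. 53) to the real load average (0.53)."""
    return chart_value / CHART_SCALE


def longest_run_above(values, limit):
    """Length of the longest run of consecutive samples strictly above limit."""
    best = run = 0
    for value in values:
        run = run + 1 if value > limit else 0
        best = max(best, run)
    return best


def load_status(chart_values, sustain_samples=3):
    """Classify a series of 5-minute chart samples.

    Returns 'overloaded' (limit exceeded for a sustained run), 'spike'
    (exceeded, but only briefly) or 'ok'.
    """
    run = longest_run_above(chart_values, LOAD_CHART_LIMIT)
    if run >= sustain_samples:
        return "overloaded"
    if run > 0:
        return "spike"
    return "ok"


def swap_status(used_samples, total, sustain_samples=3):
    """'action needed' when used swap sustains 75% of the total, else 'ok'.

    A system with no swap configured returns 'no swap' rather than dividing
    by zero.
    """
    if total <= 0:
        return "no swap"
    fractions = [used / total for used in used_samples]
    # Run length is counted on the fraction just below the limit so that
    # "at or above 75%" triggers, matching the manual's wording.
    run = longest_run_above(fractions, SWAP_LIMIT - 1e-9)
    return "action needed" if run >= sustain_samples else "ok"


# Constructed sample series (chart units and megabytes).
SPIKE = [40, 53, 310, 60, 45, 50]            # one spike: normal
SUSTAINED = [150, 220, 260, 240, 230, 90]    # four samples over 200: overloaded
SWAP_USED = [600, 780, 800, 790, 810]        # total swap assumed to be 1024 MB

if __name__ == "__main__":
    print(chart_to_load(53), load_status(SPIKE), load_status(SUSTAINED))
    print(swap_status(SWAP_USED, 1024))
```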
Uptime The uptime charts how long your system has been running without a reboot.
Links
● MRTG Web Site
Web Proxy

Overview

Web Proxy Reports

Information
Description: A report displaying information on proxy and content filter usage.
Package Name: cc-squid
Configuration Page: Reports > Reports > Web Proxy

Reports are created through the ClarkConnect API using a dedicated MySQL database. This makes extraction of the report logs simple in the event that other report media (e.g. PDF) or statistics are required.
Report Types

Overview

User/IP Summary

Domain Summary

Ad-hoc Summary
Web Server

Overview

Web Server Reports

Information
Description: A report displaying statistics for the web server.
Package Name: cc-awstats
Configuration Page: Reports > Reports > Web Reports
Installation

If you did not select this module to be included during the installation process, you must first install the module.

Configuration

To access the Web Reports, you will need to set a password. In the web-based administration tool:
● Enter the password you wish for the reports and click on Update.
● In the Reports by Domain panel at the bottom of the screen, click on the domain report you wish to view.
● A new window will appear asking for a username and password. Enter awstats for the username and the password you assigned above.
Links
● Awstats Home Page