SonicWall™ Enforced Client Policy

and Reporting Server

Adminstration Guide
Copyright © 2017 SonicWall Inc. All rights reserved.
SonicWall is a trademark or registered trademark of SonicWall Inc. and/or its affiliates in the U.S.A. and/or other countries. All other
trademarks and registered trademarks are property of their respective owners
The information in this document is provided in connection with SonicWall Inc. and/or its affiliates’ products. No license, express or implied,
by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of SonicWall products.
EXCEPT AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, SONICWALL AND/OR
ITS AFFILIATES ASSUME NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS
PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON‐ INFRINGEMENT. IN NO EVENT SHALL SONICWALL AND/OR ITS AFFILIATES BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL,
PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS
INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF SONICWALL AND/OR
ITS AFFILIATES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SonicWall and/or its affiliates make no representations or
warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to
specifications and product descriptions at any time without notice. SonicWall Inc. and/or its affiliates do not make any commitment to
update the information contained in this document.
For more information, visit https://www.sonicwall.com/legal/.

Legend

WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death.

CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.

IMPORTANT, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information.

Content Filtering Client Adminstration Guide

Updated ‐ March 2017
Software Version ‐ 2.3
232‐003346‐01 Rev A
Contents 1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Document Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Guide Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
About EPRS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
How EPRS Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
How to Access CFC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Navigating the Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Installing the Client on User Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Schedules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Adding a Schedule Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Editing a Schedule Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Deleting a Schedule Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Searching for Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Importing a Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Deleting a Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Users & Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Google Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Users and Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

User Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
About the User Groups List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Searching for a User Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Synchronizing LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Deleting User Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Importing User Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Importing User Groups from LDIF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Assigning Primary Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
About the Users List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

SonicWall EPRS 2.3 Adminstration Guide

3
Contents
Searching for Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Editing Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Deleting Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Assigning a Primary Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Blocking/Unblocking Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Importing Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Importing Users from LDIF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

Content Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Enforcement Setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Blocked Web Page Display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
CFS Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Custom List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Searching for Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Add/edit Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Enforcement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Client Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
About the Client Groups List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Searching Client Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Adding or Editing Client Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Deleting Client Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Searching for Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Deleting Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Moving Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Blocking Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Unblocking Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Initiators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Installation Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Content Filtering Client Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

SonicWall Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

SonicWall EPRS 2.3 Adminstration Guide

4
Contents
 1
Overview
SonicWall offers comprehensive web content security that blocks selected web content and enforces protection
and productivity policies. The main components are Content Filtering Service (CFS), Content Filtering Client
(CFC), and SonicWall EPRS (Content Filtering Client). CFS protects the devices behind the firewall; CFC protects
devices regardless of where the device is located, even if it is connected outside the firewall, and Content
Filtering Client provides administrators with the means to manage CFC from a central web interface.
This document describes how to use Content Filtering Client. Global policies can be created and assigned to all
CFC client systems without having to log into each system separately. Additionally, policies can be defined for
groups or individual users that can also be managed from the central web interface.
Topics:
• About This Guide describes how this guide is organized and the conventions used to designate
specialized text.
• About EPRS describes how to navigate EPRS and license a client. It also provides general administration
guidelines.

About This Guide

This document is intended for system administrators who define filtering policy for systems that will be
accessing web content from the internet.
• Document Contents describes how this document is organized.
• Guide Conventions defines the text conventions used in this document.

Document Contents
This document includes:
• This chapter, Overview, provides a general document overview and describes the conventions used
within this guide.
• Chapter 2, System, describes the System option, which includes viewing status, managing Schedule
Groups and managing certificates.
• Chapter 3, LDAP, describes how to access user and group data from the LDAP server.
• Chapter 4, Google Directory, describes how to access user and group data from Google Directory.
• Chapter 5, User Groups, describes how to utilize user groups that have already been established in LDAP
and Google Directory. You can then apply the same policies to everyone in a group. All the groups can be
viewed and managed from this option.
• Chapter 6, Users, describes how to view and manage users.
• Chapter 7, Content Filter, discusses how to set up and customize the content filtering for the Content
Filtering Client (CFC).

SonicWall EPRS 2.3 Adminstration Guide

5
Overview
 • Chapter 8, Enforcement, reviews how to configure enforcement policies and describes settings for Client
Groups and Clients.
• Chapter 9, Reports, shows the reports that are available from the Reports tab.
• Chapter 10, Troubleshooting, provides some troubleshooting tips for common issues.

Guide Conventions
The following conventions used in this guide are as follows:

Text conventions
Convention Use
Bold Highlights dialog box, window, and screen names. Also highlights buttons. Also
used for file names and text or values you are being instructed to type into the
interface.
Italic Indicates the name of a technical manual. Also indicates emphasis on certain
words in a sentence. Sometimes indicates the first instance of a significant
term or concept.
Computer code Indicates sample code or text to be typed into data fields.

About EPRS
Content Filtering Client provides a single point from which to configure filtering policies and view reporting from
users systems that are running CFC. EPRS is comprised of:
• Web management interface and policy manager—a Web‐based interface that provides the system
administrator the ability to configure, create, and apply global policies and generate activity reports for
client systems.
• Policy Server—Supports policy functions including global management and user access credentials.
• Reporting Server—Provides summarization of raw data to be used in reports and supports the various
types of reports along with search and filtering functions.
Additional topics:
• How EPRS Works
• How to Access CFC
• Navigating the Interface
• Installing the Client on User Systems

How EPRS Works

The administrator can access the management interface directly through a MySonicWall account. Single sign‐on
access allows the administrator to seamlessly move from one site or account to another without the need to
remember multiple account details.
EPRS features include dynamic updates of licensing on the firewall registered to use the content filtering client
an policy application based on client licensing.

SonicWall EPRS 2.3 Adminstration Guide

6
Overview
 NOTE: Some of these features are available only when using a customer’s deployed SonicWall Global
Management System (GMS) instead of the Cloud‐based Content Filtering Client ‐ Policy & Reporting
Admin.

When deployed in the Cloud, EPRS is a customized, stripped down version of SonicWall Global Management
System (GMS) providing just the client management function as a service. This means the server is optimized to
perform at higher loads and also designed to be scalable when additional servers need to be added as the
volume of clients requesting policies increases.
The Policy Manager is integrated with MySonicWall and the SonicWall License Manager. Data is saved in the
database and is used when a request for a policy is made to the Policy Server Web Services.

How to Access CFC

MySonicWall provides two links that the administrator can click to access the EPRS management interface to
create or manage client policies.
• Firewall (unit) level link to manage CFC policies licensed on this firewall.
• Global level link to manage multiple firewalls under the MySonicWall account. Single Sign‐On is
supported for MySonicWall users when logging in to the Policy Server.
Administrators can click a link on the Security Services > Client CFS Enforcement page to access and manage the
client. When the link is clicked, a MySonicWall login screen (similar to the one used when licensing other
services) prompts the user to log in using the MySonicWall account. After successfully logging in, the user is
forwarded from MySonicWall to the EPRS interface using Single Sign‐On.
Logging in to EPRS from MySonicWall allows you to configure and view policies and reporting for all the
SonicWall appliances that are registered to that MySonicWall account.
When you log in to EPRS from an individual firewall, the interface only displays configuration pages for the unit
from which you logged in.

Navigating the Interface

When you first open EPRS, the default display is a global view of System > Status.

The far left pane displays the devices being managed. You can select a specific device to view or manage or you
can select the top node name, as in the figure above, to see information applicable to the global node.

NOTE: If you have only a single node or unit, the node pane is not displayed.

The Global View provides the Settings, Policies, and Client Groups pages, but does not provide the r Clients
pages since it pertains to a single SonicWall appliance.

SonicWall EPRS 2.3 Adminstration Guide

7
Overview
You can hide the node pane by clicking on the green arrow in the top bar. Click on the arrow again to expand the
view.
From the EPRS interface you can switch between Policies view and Reports view. Select the tab of the view that
you want. Different options are listed depending on whether you selected the global node or a specific device.

Installing the Client on User Systems

A new SonicWall firewall is deployed on a network, registered, and licensed for Content Filtering. The feature is
enabled as Enforced for Content Filtering. The administrator logs into the Policy Server and uses the Policy
Manager interface to create one or more policies for client systems in the network. The administrator can also
define user accounts on SonicWall Content Filtering Client with the necessary credentials to manage policies for
one or more clients.
When a user tries to access the Internet and does not have the client installed, the user is taken to a Block page,
which provides the information on where and how to download the client and install it.
Once the SonicWall Content Filtering Client software is installed, it contacts the SonicWall license manager to
verify licensing. After a successful license check, the SonicWall license manager sends the URL of the Policy
Server to the client software. The client contacts the server and downloads the policy, then uses the policy to
determine the appropriate action for that user.
The software can also be installed on client systems by accessing a URL in Internet Explorer, and with an MSI
package in conjunction with a domain group policy. In the final release, SonicWall software can also be installed
on client systems from the command line.

SonicWall EPRS 2.3 Adminstration Guide

8
Overview
 2
System
The System option on the Policies tab allows you to view status on the nodes, manage the schedules and mange
the certificates. If you have an environment with more than one firewall in it, you can view and manage the
system settings at two levels: globally and on the firewall. By selecting the global node (the top node in the left
pane) you can configure and make changes across all the firewalls in your environment. By selecting an
individual node, or firewall, you can configure and make changes that apply only to that particular node.
Topics:
• Status
• Schedules
• Certificates

Status
The global view (global node is selected) of the System > Status page is the default display when you first access
Content Filtering Client. To see the status of particular node, select the node from the left pane.

The System > Status page displays the status information for the node selected. The status information includes:
• General—Displays the serial number.
• Services—Displays the following information:
• License status (Current or Expired)
• Expiration date of the license
• Nodes or client machines currently in use with the CFC installed
• Total number of nodes licensed to install the Content Filtering Client
SonicWall EPRS 2.3 Adminstration Guide
9
System
 • LDAP Settings—Displays LDAP Domain Alias
• LDAP Automatic Sync Status—Displays a message noting status and when LDAP was last synchronized.
• Google Directory Automatic Sync Status‐Displays a message noting status and when LDAP was last
synchronized.
You can also synchronize the license of the unit on this page by clicking Synchronize with MySonicWall.com.

Schedules
The System > Schedules page displays the default scheduled configured and available to use for policy
configuration. You configure and manage additional schedules from this page. If you expand a specific schedule
name, details of the schedule is displayed. If you expand the Name group, all the schedule names are expanded.

Topics:
• Adding a Schedule Group
• Editing a Schedule Group
• Deleting a Schedule Group

Adding a Schedule Group

You can create a Schedule Group with multiple times in which the schedule is enforced.

SonicWall EPRS 2.3 Adminstration Guide

10
System
To add a schedule:
1 Navigate to the System > Schedules page. Click the Add Schedule Group link.
2 Enter the Name of the Schedule Group.
3 Select the Day(s) for the schedule to be enforced.
4 Specify the Start Time for the schedule to begin. Time should be entered in using the 24‐hour format.
5 Specify the Stop Time for the schedule to end. Time should be entered in using the 24‐hour format.
6 Click Add. This will save the newly created schedule, displaying the Day(s) and Time, in a list below. You
can continue to create other schedules for this group by specifying the parameters then clicking Add.
You can also delete a time period in the list by selecting the period and clicking Delete, or clicking Delete
All to delete all schedules listed.
7 Click OK to save a Schedule Group.

Editing a Schedule Group

To edit a schedule group that has already been created:
1 Navigate to the System > Schedules page.
2 Click the Edit icon of the Schedule Group you wish to edit. The Schedule Settings screen displays.

3 You can add a schedule by specifying the parameters and clicking Add. You can also delete a time period
in the list by selecting the existing schedule and clicking Delete, or clicking Delete All to delete all
schedules listed.
4 Click OK to save changes.

SonicWall EPRS 2.3 Adminstration Guide

11
System
Deleting a Schedule Group
To delete a schedule group:
1 Navigate to the System > Schedules page.
2 Check the box next to the Schedule Group you wish to delete. To delete multiple Schedule Groups,
selected multiple groups.
3 Click the Delete Schedule Group(s) link. You can also click the Delete icon under the Configure column of
the group you wish to delete.

Certificates
The System > Certificates page allows administrators to perform a search for certificates. This page also allows
administrators to manage certificates and certificate requests.
Topics:
• Searching for Certificates
• Importing a Certificate
• Deleting a Certificate

Searching for Certificates

To search for a certificate:
1 To specify what part of the search field to match against, choose from the following:
• Equals—The entire field must match the text you provide.
• Starts with—The field must start with the text you provide.
• Ends with—The field must end with the text you provide.
• Contains—The field must contain the text you provide.
2 In the blank field, type in the text that you want to search for.
3 Click Search.
4 Click Clear to return the search fields to their default values and clear the text field.

SonicWall EPRS 2.3 Adminstration Guide

12
System
Importing a Certificate
EPRS allows you to import a CA certificate on the System > Certificates page. You can import a CA certificate with
a .p7b, .pem, .der, or .cer encoded file.

To import a certificate:
1 On the System > Certificates page, click the Import link. The Import Certificate page displays.

2 Browse to where the certificate is stored and select the file.

3 Select Import to import the certificate from your local system.

Deleting a Certificate
To delete a certificate:
1 Navigate to the System > Certificate page.
2 Check the box next to the certificate you wish to delete.
3 Click the Delete Certificate(s) link. You can also click the Delete icon under the Configure column of the
group you wish to delete.

SonicWall EPRS 2.3 Adminstration Guide

13
System
 3
LDAP
Lightweight Directory Access Protocol (LDAP) is one of the options under Directory Services that administrators
can use to efficiently manage Users and Groups from the LDAP server. LDAP is used to sync Users/Groups into
EPRS, so CFS Policies can be tied to the Client Groups where the Clients belong. If you have an environment with
more than one firewall in it, you can manage LDAP at two levels: globally and on the firewall. By selecting the
global node, you can configure and make changes across all the firewalls in your environment. By selecting an
individual node, or firewall, you can configure and make changes that apply only to that particular unit.
Topics:
• Settings
• Schema
• Directory
• Users & Groups
• Test

Settings
To configure the settings on the LDAP page:
1 On the Policies tab, navigate to Directory Services > LDAP. The LDAP page defaults to the Settings tab.

SonicWall EPRS 2.3 Adminstration Guide

14
LDAP
 2 Check the box to Configure LDAP.
3 Enter the name or IP address for the LDAP Server.
4 Enter the TCP port number running the LDAP service.
You can also choose one of the Standard Port Choices from the drop‐down list. The default LDAP port is
389. Be sure to open this port number in your firewall for inbound communication with the LDAP server.
5 Specify the Server timeout period in seconds. If no connection is made after this period elapses the
client stops attempting to connect to the server.
6 Specify Overall operation timeout in minutes. This is the maximum time spent on any auto‐operation.

NOTE: Some operations, such as directory configuration or importing user groups, can take several
minutes, especially if running across multiple LDAP servers.

7 Select one of the following authentication methods:

Authentication method Definition and process

Anonymous login
Give login name/location in tree Select to authenticate through a login process. Also:
Give bind distinguished name
Select to login without the LDAP server authenticating information
or “binding” to the server.
1 Enter the Login user name.
NOTE: You need to provide the user’s distinguished name. This is
different from the user login ID. For example, John Doe may have a
user login ID as ‘jdoe’. However, you would enter ‘John Doe’ in this
field. When selecting this option, you will also need to provide User
Tree for Login to Server, located on the Directory Services > LDAP,
Directory tab.
2 Enter the Login password. If you leave the password field
empty, the current password will remain unchanged.
3 Select the Protocol version from the drop down list.
Select to bind to the LDAP server using the full distinguished name.
Also:
1 Enter the Bind distinguished name.
2 Enter the Login password. If you leave the password field
empty, the current password will remain unchanged.
3 Select the Protocol version from the drop down list.

8 Check the Use TLS (SSL) box to enable the authentication of servers and clients and encryption of
messages on LDAP.
9 Click Update to save these settings.

Schema
To set up the LDAP schema:
1 On the Policies tab, navigate to Directory Services > LDAP.
2 Select the Schema tab.

SonicWall EPRS 2.3 Adminstration Guide

15
LDAP
 3 Select the LDAP Schema from the drop‐down list.
• Selecting any of the predefined schemas automatically populates the fields used by that schema
with their correct values.
• If the LDAP schema you wish to use is not an option in the drop‐down list, select User defined and
go to the next procedure.

To configure a user‐defined schema:

1 In the LDAP Schema field, select User defined from the drop down list.
2 In the User Objects section:
a Define the Object class. This defines which attribute represents the individual user account to
which the login name attribute and the user group membership attribute apply.
b Define the Login name attribute. This is the LDAP attribute that corresponds to the User ID.
c Define the User group membership attribute. This is the LDAP attribute that lists the groups or
mailing lists that the user is a member of.
d Define the Additional user group ID attribute. If set and Use is enabled (the boxed checked), then
when a user object is found with one or more instances of the specified attribute, a search for
additional user groups matching the specified attribute is made in the LDAP directory. If a group is
found with the Additional user group match attribute set to that value then the user is also made
a member of that group.

NOTE: This attribute may be inefficient to the load performance of your LDAP server.

3 In the User Group Objects section:

a Define the Object class for the group for the LDAP schema.
b Specify the Member attribute that corresponds to group members.

SonicWall EPRS 2.3 Adminstration Guide

16
LDAP
 c Set the Additional user group match attribute. This is the LDAP attribute that allows for a schema
to set additional memberships for a user group. If a group is found with this attribute set to the
specified value, then the user will also be made a member of that group.

NOTE: This attribute may be inefficient to the load performance of your LDAP server

4 Select Read from Server to retrieve the LDAP schema from the LDAP server.
5 Choose to:
• Automatically update the schema configuration
• Export details of the schema
6 Click OK.
7 Click Update to save these settings.

Directory
Depending on the authentication method you specified on the Settings tab, you may have to enter additional
information on the Directory tab.

To configure Directory settings:

1 On the Policies tab, navigate to Directory Services > LDAP.
2 Select the Directory tab.

SonicWall EPRS 2.3 Adminstration Guide

17
LDAP
 3 Depending on your selection on the Settings tab, define the User Directory Information:
• If you selected Anonymous Login or Give bind distinguished name, provide the Primary domain
or check the box to Fetch domain alias automatically.
• If you selected Give login name/location in tree, specify the Primary Domain and the User Tree
for Login to Server fields. This specifies the tree in the directory that includes the user object for
the user that you configured on the Settings tab.
4 Click Update to save these settings

Users & Groups

To mirror LDAP users and user groups:
1 On the Policies tab, navigate to Directory Services > LDAP.

2 Select the Users & Groups tab.

3 Check the box to Mirror LDAP users and user groups automatically.
4 Specify the Refresh period in hours.This is the period between mirroring operations. A valid value can
range from 8 to 168 hours.
5 Click Update to save these settings.

SonicWall EPRS 2.3 Adminstration Guide

18
LDAP
Test
To test the LDAP settings:
1 On the Policies tab, navigate to Directory Services > LDAP.

2 Select the Test tab.

3 Enter a valid LDAP User name and Password.
4 Click the Test button. EPRS retrieves any messages from the LDAP server as well as returned user
attributes in the appropriate fields.

SonicWall EPRS 2.3 Adminstration Guide

19
LDAP
 4
Google Directory
Google Directory is one of the options under Directory Services that administrators can use to efficiently
manage Users and Groups from the Google server. If you have an environment with more than one firewall in it,
you can manage Google Directory at two levels: globally and on the firewall. By selecting the global node, you
can configure and make changes across all the firewalls in your environment. By selecting an individual firewall
you can configure and make changes that apply only to that particular unit.

NOTE: Both Google Directory and LDAP server can be configured on the same firewall.

Topics:
• Settings
• Users and Groups
• Test

Settings
To configure the Google Directory:
1 On the Policies tab, navigate to Directory Services > Google Directory. The Google Directory page
defaults to the Settings tab.

SonicWall EPRS 2.3 Adminstration Guide

20
Google Directory
 2 Check the box to enable Configure Google Directory.
3 Enter the Domain name for Google Directory service.
4 Set up an authorized service account the server‐to‐server interactions between EPRS and Good Directory
service can occur. This only needs to be done once.
a Make a note of the Client ID of the service account for use later: 113161272571085955191.
b Login to https://admin.google.com/ using your Google Super admin account (Service account
email) for the domain.
c Navigate to Security > Advanced settings > Authentication > Manage API client access.
d In the Client name text box, enter the client ID.
e In the API Scopes text box, copy/paste the string below:
https://www.googleapis.com/auth/admin.directory.group.member.readonly,
https://www.googleapis.com/auth/admin.directory.group.readonly,
https://www.googleapis.com/auth/admin.directory.orgunit.readonly,
https://www.googleapis.com/auth/admin.directory.user.readonly
f Click on Authorize.
5 Enter the Service Account Email.
6 Click Update to save these settings.

Users and Groups

To mirror Google Directory users and user groups:
1 On the Policies tab, navigate to Directory Services > Google Directory.

2 Select the Users & Groups tab.

SonicWall EPRS 2.3 Adminstration Guide

21
Google Directory
 3 Check the box to Mirror LDAP users and user groups automatically.
4 Specify the Refresh period in hours.This is the period between mirroring operations. A valid value can
range from 8 to 168 hours.
5 Click Update to save these settings.

Test
To test the Google Directory settings:
1 On the Policies tab, navigate to Directory Services > Google Directory.

2 Select the Test tab.

3 Enter a valid user ID (primary email of the user).
4 Click the Test button. EPRS retrieves any messages from Google as well as returned user attributes in the
appropriate fields.

SonicWall EPRS 2.3 Adminstration Guide

22
Google Directory
 5
User Groups
The User Groups function allows you to utilize user groups that have already been established in LDAP and
Google Directory. You can then apply the same policies to everyone in a group. All the groups can be viewed and
managed on the Policies tab at Directory Services > User Groups.
If you have an environment with more than one firewall in it, you can also manage User Groups at two levels:
globally and on the firewall. By selecting the global node, you can configure and make changes across all the
firewalls in your environment. By selecting an individual firewall you can configure and make changes that apply
only to that particular unit.
Topics:
• About the User Groups List
• Searching for a User Group
• Synchronizing LDAP
• Deleting User Groups
• Importing User Groups
• Importing User Groups from LDIF
• Assigning Primary Groups

About the User Groups List

The User Groups list has several tools that are useful for finding and managing user group information. At the
top of the list is a search function. Refer to Searching for a User Group for information on using the search.
The names in the body of the table represent what has been mirrored from either LDAP or Google Directory.
The source of the information is listed in the column called Mirrored From. The Type column indicates what kind
of group this is. Options include User Group or Organizational Unit. Members tells how many users are in the
group. The Directory column indicates the source for the Users information. The options are LDAP or Google (for
Google Directory).

SonicWall EPRS 2.3 Adminstration Guide

23
User Groups
In the Configuration column, several icon allow operations on the User Group listed on that line. the edit and
delete icons allow you to mange the user data.
• The view/edit icon allows you to view the settings for the group (Settings tab) and you can edit the group
members on the Members tab.

SonicWall EPRS 2.3 Adminstration Guide

24
User Groups
 • The group icon allows you to set this group as the Primary Group to the users (or some of the user) in the
group. Refer to Assigning Primary Groups, for more information.
• The delete icon allows you to delete the group on this line. You are asked to confirm the deletion before
continuing.
At the bottom of the list, a note states how many user groups were found and how many of them have no
members.

Searching for a User Group

The User Groups Search function is useful if you have a large number of user groups and need find a specific
one. The function can search for text in the Name, Mirrored From, Type or Directory fields. To search for a
specific user group, choose the node that you want to search. On the Policies tab, select Directory Services >
User Groups.

To search for a user group:

1 Select the user group field to be searched. You can select either the Name, Mirrored From, Type, or
Directory fields.
2 To specify the type of match, choose from the following:
• Equals—The entire field must match the text you provide.
• Starts with—The field must start with the text you provide.

SonicWall EPRS 2.3 Adminstration Guide

25
User Groups
 • Ends with—The field must end with the text you provide.
• Contains—The field must contain the text you provide.
3 In the blank field, type in the text that you want to search for.
4 Click Search.
5 Click Clear to return the search fields to their default values and clear the text field.

Synchronizing LDAP
The User Groups page allows you to synchronize your LDAP and Google Directory to easily authenticate users.
Click the Synchronize link at the bottom of the page to efficiently synchronize the list of User Groups.
Synchronizing user groups:
• Replicates any membership changes for user groups listed in the User Groups Mirrored from LDAP and
Google Directory.
• Removes any deleted user groups from the list of User Groups Mirrored from LDAP/Google Directory.
• Removes client groups for the deleted user groups.
You will be asked to confirm your action because of the changes that could be made to your groups.

Deleting User Groups

To delete user groups:
1 On the Policies tab, navigate to Directory Services > User Groups.
2 Check the box corresponding to the User Group you want to delete. Then, click the Delete User Group(s)
link at the bottom of the page or click the Delete icon in the Configure column for that group.

NOTE: You can delete multiple groups at a time. Check the boxes by the group names you want to
delete and click the Delete User Group(s) link at the bottom of the page.

3 Click on OK after being asked to confirm that you want to delete the group.

NOTE: If you delete a group that has clients that uses a policy defined for that group, you get
warning message showing the relationship between the user group to the client. Then you can take
corrective action based on the comments provided.

Importing User Groups

User groups can be imported from either your LDAP server or the Google Directory or both.

To import User Groups:

1 On the Policies tab, navigate to Directory Services > User Groups.
2 Click the Import User Groups link at the bottom of the User Groups page. A list of available user groups
displays. The following figure shows the view for LDAP.

SonicWall EPRS 2.3 Adminstration Guide

26
User Groups
3 Check the Directory Type and change it to the type you want by selecting from the drop down menu. The
following figure shows the view for Google Directory.

SonicWall EPRS 2.3 Adminstration Guide

27
User Groups
 4 You can then select the groups to import by checking the box and click the Save Selected button to add
those user groups to EPRS.

NOTE: If you have a long list of User Group/OU Names, you can use the Search function at the top
of the page to filter the list. Select the field to search on (name, type, location); choose the type of
search (equals, starts with, ends with, contains); input the search string and select Search.

You can also perform other functions from the Import page:
• To remove user groups from EPRS, select one or more groups by checking the box, then click the Remove
from List button.
• Click on Undo to undo any action.

Importing User Groups from LDIF

Content Filtering Client also supports importing from Lightweight Directory Interchange Format (LDIF) files. LDIF
is a standard plain text data interchange format for representing LDAP directory content. While LDAP is the
recommended format to use, LDIF is a more secure method for administrators because they do not have to
connect to a server to retrieve information, unlike LDAP.

SonicWall EPRS 2.3 Adminstration Guide

28
User Groups
LDIF files must contain schema attributes that are the same as the current LDAP schema settings. The following
schema is configured for User Groups:
• LDAP Schema ‐ Microsoft Active Directory
• Group Object class ‐ group
• Member attribute ‐ member

NOTE: Inclusion of other LDAP attributes in the file may result in large file volume. The server may take a
considerable amount of time to process the large files

NOTE: If you need to edit the User Groups, you will need to upload a new LDIF file with the changes.

To import an LDIF file:

1 On the Policies tab, navigate to Directory Services > User Groups.
2 Click the Import User Groups from LDIF link at the bottom of the User Groups page.

3 Click the Browse button to select the LDIF file.

4 Select Import.

Assigning Primary Groups

The User Groups page allows you to assign users to primary groups. Primary Groups are essential in organizing
users and ensuring the proper policies are assigned to each user. An individual user may belong to multiple
groups, each of which has a variety of policies to enforce. To ensure the correct policies are applied to this user,
the administrator should assign the primary group to which the user should belong.

NOTE: If a user is not assigned to a Primary Group, EPRS assigns the user to the first Primary Group the
user is a part of.

To assign primary groups to users:

1 Click the Assign Primary Group icon.

A dialog window displays the list of groups and users.

SonicWall EPRS 2.3 Adminstration Guide

29
User Groups
 NOTE: For large groups, this may take several minutes to populate.

2 Select a username from the list, then click the > button to add this user to the Users Having Selected
Group as Primary. This user will have the selected Primary Group as his/her primary group.
Select a username from the list, then click the < button to add this user to the Users Not Having Selected
Group as Primary. This user will not have the selected Primary Group as his/her primary group.
3 Click the OK button to finish and save changes.

NOTE: When assigning a user to a user group, you can approach from one of two perspectives. When
making the assignment from the User Group page, you can look at all the individuals that make up the
user group. You can then easily validate that all the users needed for that group are included and remove
any that should not be in there. When making the assignment from the Users page, you only see the group
that individual belongs to, and you can choose a different group, if appropriate.

SonicWall EPRS 2.3 Adminstration Guide

30
User Groups
 6
Users
The Users function allows you to view and manage users on the Policies tab at Directory Services > Users. If you
have an environment with more than one firewall in it, you can manage Users at two levels: globally and on the
firewall. By selecting the global node, you can configure and make changes across all the firewalls in your
environment. By selecting an individual firewall you can configure and make changes that apply only to that
particular unit.
Topics:
• About the Users List
• Searching for Users
• Deleting Users
• Assigning a Primary Group
• Blocking/Unblocking Users
• Importing Users
• Importing Users from LDIF

About the Users List

The Users list has several tools that are useful for finding and managing user information. At the top of the list is
a search function. Refer to Searching for Users for information on using the search.
The names in the body of the table represent what has been mirrored from either LDAP or Google Directory.
Both the Name and the Display Name are shown.
The information in the Primary Group column shows that a user is a member of multiple groups. The number
indicates how many other groups that user is a member of. If you hover the mouse over the group icon, a
message will show indicating if this user needs to be assigned to a Primary Group. Go to Assigning a Primary
Group for information on how to assign a user to a Primary Group.
A green check in the Allowed column indicates that the user is not blocked from using the filtering client. A red
X indicates the user is blocked.
The Directory column indicates the source for the Users information. The options are LDAP or Google (for
Google Directory).
In the Configuration column, the edit and delete icons allow you to mange the user data. Refer to Editing Users
for more information on using the edit icon. Refer to Deleting Users for more information on using the delete
icon.

SonicWall EPRS 2.3 Adminstration Guide

31
Users
Searching for Users
The Users Search function is useful if you have a large number of users and need find a specific one. The
function can search for text in the Name, Display Name, Allowed or Directory fields. To search for a specific
users, choose the node that you want to search. On the Policies tab, select Directory Services > Users.

To search for a user:

1 Select the user group field to be searched. You can select either the Name, Display Name, Allowed, or
Directory fields.
2 To specify what part of that field to match against, choose from the following:
• Equals—The entire field must match the text you provide.
• Starts with—The field must start with the text you provide.
• Ends with—The field must end with the text you provide.
• Contains—The field must contain the text you provide.
3 In the blank field, type in the text that you want to search for.
4 Click Search.
5 Click Clear to return the search fields to their default values and clear the text field.

SonicWall EPRS 2.3 Adminstration Guide

32
Users
Editing Users
Selecting the edit icon for a user allows you to block or unblock a user and select a primary group.

To edit a user:
1 On the Policies tab, navigate to Directory Services > Users.
2 Click on the edit icon for the user you want to change.

3 Check the Block box to block this user from being filtered.
4 Select the Groups tab.

5 Select the Primary Group from the drop down list.

6 Click on OK to save settings.

SonicWall EPRS 2.3 Adminstration Guide

33
Users
Deleting Users
To delete users:
1 On the Policies tab, navigate to Directory Services > Users.
2 Check the box corresponding to the User you want to delete. Then, click the Delete User(s) link at the
bottom of the page or click the Delete icon in the Configure column for that group.
3 When the confirmation message pops up, click on OK if you want to continue with deleting the user.

NOTE: You can delete multiple users at a time. Check the boxes by the user names you want to
delete and click the Delete User(s) link at the bottom of the page.

Assigning a Primary Group

The Users page allows you to assign users to primary groups. Primary Groups are essential in organizing users
and ensuring the proper policies are assigned to each user. An individual user may belong to multiple groups,
each of which has a variety of policies to enforce. To ensure the correct policies are applied to this user, the
administrator should assign the primary group to which the user should belong.

To assign a user to a primary group:

1 On the Policies tab, navigate to Directory Services > Users.
2 Check the box for the user you want to assign. Multiple nodes can be selected and assigned at the same
time.
3 Click on the Assign Primary Group link at the bottom of the list. A window displays.

4 Select the Primary Group from the drop‐down list at the top of the window.
5 Click the OK button to finish and save changes.

SonicWall EPRS 2.3 Adminstration Guide

34
Users
 NOTE: When assigning a user to a user group, you can approach from one of two perspectives. When
making the assignment from the Users page, you only see the group that individual belongs to, and you
can choose a different group, if appropriate. When making the assignment from the User Group page, you
can look at all the individuals that make up the user group. You can then easily validate that all the users
needed for that group are included and remove any that should not be in there.

Blocking/Unblocking Users
Blocking and unblocking provides a way of managing individual licenses. If, for example, someone changed
assignments and no longer needs a filtering license, you can opt to block that user’s use of the license, making it
available to someone else. A blocked license can be restored.

To block users:
1 On the Policies tab, navigate to Directory Services > Users.
2 Check the box for the user you want to block. You can select more than one user at a time.
3 Select the Block User(s) link. The system asks for verification that you want to block this user.
4 Click OK to confirm that you want to block this user.

To unblock users:
1 On the Policies tab, navigate to Directory Services > Users.
2 Check the box for the user you want to unblock. You can select more than one user at a time.
3 Select the Unblock User(s) link. The system asks for verification that you want to unblock this user.
4 Click OK to confirm that you want to unblock this user.

Importing Users
You can import users from your LDAP server or from the Google Directory.

To import users:
1 On the Policies tab, navigate to Directory Services > Users.
2 Click the Import Users link at the bottom of the page. A list of available users displays. The following
figure shows the view for Google Directory, but LDAP would be very similar.

SonicWall EPRS 2.3 Adminstration Guide

35
Users
 3 Check the Directory Type and change it to the type you want by selecting LDAP or Google Directory from
the drop down list.
4 Select the users to import and click the Save selected button to add those users to your EPRS users.
You can perform other functions from this same window. You can search for users and remove users. The search
function works the same as described in other areas. Choose the field to search on, select the search
parameters, provide the search string and select Search.
Users can be removed in several ways:
• All selected users—Select the users from the list, then select the All selected users option. Click the
Remove from list button.
• Any user whose [Name/Description/Location] contains [field]—Select either Name, Description or
Location from the drop down list and then the search string. For example, you may select Location, then
specify the field as “San Jose” to find all users that located in San Jose. Click the Remove from list button
to remove these users from the list.
• All users [at/at or under]—Select either at or at or under from the drop down list. From the next drop
down list, select the location of the users. For example, this option can be used to remove users under an
email alias or similar groups, such as [email protected]. By clicking the Remove from
list button, it removes all users listed in the [email protected] group.

NOTE: If there are no user groups found on the LDAP server or Google Directory, a list of possible reasons
displays. See the image below for an example.

SonicWall EPRS 2.3 Adminstration Guide

36
Users
Importing Users from LDIF
Similar to importing user groups from LDIF, you can import users from LDIF files. While LDAP is the
recommended format to use, LDIF is a more secure method for administrators because they do not have to
connect to a server to retrieve information, unlike LDAP. LDIF files must contain schema attributes that are the
same as the current LDAP schema settings. The following schema is currently configured for Users:
• LDAP Schema ‐ Microsoft Active Directory
• User Object class ‐ user
• Login name attribute ‐ sAMAccountName
• User group membership attribute ‐ memberOf
• Use Additional User group membership attribute ‐ false

SonicWall EPRS 2.3 Adminstration Guide

37
Users
 • Group Object class ‐ group
• Member attribute ‐ member

NOTE: Including other LDAP attributes in the file may result in large file volume. The server may take a
considerable amount of time to process the large files

NOTE: If you need to edit the Users, you need to upload a new LDIF file with the changes.

To import Users from an LDIF file:

1 On the Policies tab, navigate to Directory Services > User Groups.
2 Click the Import Users from LDIF link at the bottom of the Users page.

3 Click the Browse button to select the LDIF file.

4 Select Import.

SonicWall EPRS 2.3 Adminstration Guide

38
Users
 7
Content Filter
The Content Filter option is used to set up and customize the content filtering for CFC. If you have an
environment with more than one firewall in it, you can manage the filtering at two levels: globally and on the
firewall. By selecting the global node (the top node in the left pane) you can configure and make changes across
all the firewalls in your environment. By selecting an individual node, or firewall, you can configure and make
changes that apply only to that particular unit.
Topics:
• Settings
• Custom List
• Policies

Settings
To configure the Content Filter Settings, choose the global or firewall that you want to manage. (In this example
a firewall has been selected.) On the Policies tab, select Content Filter > Settings.
Topics:
• Enforcement Setting
• Blocked Web Page Display
• CFS Settings

SonicWall EPRS 2.3 Adminstration Guide

39
Content Filter
Enforcement Setting
When a client system running CFC is put on the network behind the firewall, you can opt to suspend CFC if
Gateway CFS is active.

To configure Enforcement Settings:

1 Check the box if you want to Suspend CF Client when behind Firewall with active Gateway CFS.
2 Update the Firewall List/Client Distribution Group with the serial numbers of the firewalls traffic is being
routed through.

NOTE: The firewall listed can be edited in this section too. Enter serial Number in the text field and
click on the Add icon. Click on the edit icon to update a serial number and save it. Click on the
delete icon to delete a firewall from the list.

3 Select Update to save the Enforcement Settings or Reset to reload the prior settings.

Blocked Web Page Display

To select the Web page to display when blocking:
Choose to display the default Web page or customize your own Web page.
• Leave the text field blank to use the default page.

SonicWall EPRS 2.3 Adminstration Guide

40
Content Filter
 • Use the Preview button to see what the web page will look like.
• Select Default Blocked Page to return back to using the default page.
• Select Update to save any changes to the web page display settings or Reset to reload the prior settings.

CFS Settings
These settings are used when on the user system is protected by the firewall and CFC is suspended.

To select the CFS Settings:

1 Check the box to Enable HTTPS Content Filtering.
HTTPS Content Filtering is based on IP and hostname. While HTTP Content Filtering can perform
redirects to enforce authentication or provide a block page HTTPS filtered pages will be silently blocked.
2 Check the box to Show a notification when HTTPS is blocked. If left unchecked, not notification is given.
3 Check the box to automatically Block Access to URL that is marked as forbidden.
4 Check the box to automatically Log Access to URL that is marked as forbidden.
5 Select Update to save any changes to the CFS settings or Reset to reload the prior settings.

Custom List
To configure the Content Filter Custom List, choose the global or node that you want to manage. (In this
example a node has been selected.) On the Policies tab, select Content Filter > Custom List.

From the Content Filter > Custom List page, you can manage:
• Allowed Domains—Allows user access to these domains with their Web browser.
• Select Add New Allowed Domain to add a domain to the allowed list. You can add multiple
domains at the same time; separate them with a semicolon (;).
• Select Import... to select a text file of allowed domain names. Each domain name should appear
on a separate line.
• Click on the delete icon next to the domain name to delete it from the allowed list. You can also
check the box next to one or more domain names and select Delete Allowed Domain(s).

SonicWall EPRS 2.3 Adminstration Guide

41
Content Filter
 • Forbidden Domains—Forbids user access to domains with their Web browser.
• Select Add New Forbidden Domain to add a domain to the forbidden list. You can add multiple
domains at the same time; separate them with a semicolon (;).
• Select Import... to select a text file of forbidden domain names. Each domain name should
appear on a separate line.
• Click on the delete icon next to the domain name to delete it from the forbidden list. You can also
check the box next to one or more domain names and select Delete Forbidden Domain(s).
• Keywords—Defines keywords used to offer protection against Web sites that have not explicitly been
added to the Master Database or defined as allowed or forbidden site.
• Select Add New Keyword to add a keyword to the list. You can add multiple keywords at the same
time; separate them with a semicolon (;).
• Select Import... to select a text file of keywords. Each keyword should appear on a separate line.
• Click on the delete icon next to the keyword to delete it from the list. You can also check the box
next to one or more keywords and select Delete Keyword(s).

Policies
The Content Filter > Polices page allows you to search for, add, and delete policies that block objectionable Web
sites. To configure the Content Filter > Policies, choose the global or node that you want to manage. (In this
example a node has been selected.) On the Policies tab, select Content Filter > Policies.

NOTE: A default policy is provided called Default. This policy can be viewed and cloned, but cannot be
deleted.

Topics:
• Searching for Policies
• Add/edit Policy

Searching for Policies

The Policies page displays the policies that have been configured for CFC. As with many pages, the Policies page
has a search function on it so you can easily find the specific policy you want or filter a long list to something
smaller. The search is made on the Name field.

To search for a policy:

1 To specify what part of that field to match against, choose from the following:
• Equals—The entire field must match the text you provide.
• Starts with—The field must start with the text you provide.
• Ends with—The field must end with the text you provide.
• Contains—The field must contain the text you provide.
2 In the blank field, type in the text that you want to search for.
3 Click Search.
4 Click Clear to return the search fields to their default values and clear the text field.

SonicWall EPRS 2.3 Adminstration Guide

42
Content Filter
Add/edit Policy
Adding and editing a policy are very similar, using the same policy setup window. Select the Add New Policy
option to define your own policies for CFC users. Select a policy and click on the edit icon edit a policy.

To add a policy:
1 On the Policies tab, navigate to Content Filter> Policies.
2 At the bottom of the Policies list, click the Add New Policy link at the bottom of the page. The policies set
up page displays.

3 On the Policy tab, enter the policy name in the Name field.
4 On the Categories tab, select the forbidden categories from the list provided. You can opt to select all
categories by checking the Select All Categories box at the top of the page.

SonicWall EPRS 2.3 Adminstration Guide

43
Content Filter
5 On the Settings tab set the following options:

Custom Global Settings

Source of Allowed Domains
Source of Forbidden Domains
Source of Keyword
Safe Search Enforcement
Enable Safe Search Enforcement
YouTube for Schools
Enable YouTube for Schools
School ID
Filter Forbidden URLs by time of day
Time of day drop down list
Select None, Global or Per policy from the drop down list.
Select None, Global or Per policy from the drop down list.
Select None, Global or Per policy from the drop down list.
Select to Enable Safe Search Enforcement.
Select to Enable YouTube for Schools.
Enter your school ID. Note that the ID field is not active until
YouTube for Schools is enabled.
Select the time of day you want filtering enforced. Several
options are provided to choose from. The default is Always
on.

6 The Custom List tab create a list of Allowed Domains, Forbidden Domains or Keyword.

In the Content field add the domain name you want to allow or forbid, or add the keyword and click Add.
You can also highlight or an entry in the list and choose Update to make changes or Remove to delete the
entry. Select Remove all to delete all entries in that section.

SonicWall EPRS 2.3 Adminstration Guide

44
Content Filter
7 Configure the setting on the Advanced tab. The following table provides more information on each of
the settings.

Override Settings
Allow client to override forbidden Check the box to enable this option.
websites
Override Password Enter a password that a user can enter to override
the forbidden website. If the password field is left
empty, the current password remains unchanged.
Use blank password Check the box to enable this option. A blank is
allowed for the Override Password field.
Override Duration Input the length of time, in minutes, that the
override is in effect.
Authorized Processes ‐ Process Name
Enter Process Name Type the process name in the text field and click on
the add icon.
Any process (a.k.a application) that is installed in a
non‐privileged folder(s) is blocked by the CF Client.
Only Users with admin privileges is allowed to install
in a privileged folder. If you want to allow any such
process that is installed in a non‐privileged location
then you have to specify the complete path (a path
that can be specified with wild cards) to the process
or the path to the folder that contains the process.
When the policy is updated on the CF Client it will
allow this process to run if it matches the path.
Authorized Processes ‐ Certificate Subject Name
Enter Subject Cert Name Type the subject certificate name in the text field
and click on the add icon.
This is the string that appears in the CN= portion of
a certificate’s subject field. The Certificate Subject
Name must be specified exactly how it appears in
the Name of the certificate.

8 Click on OK to save the policy.

SonicWall EPRS 2.3 Adminstration Guide

45
Content Filter
 8
Enforcement
Navigate to the Enforcement menu on EPRS, located on the Policies tab. You can configure enforcement
policies, as well as settings for Client Groups and Clients. If you have an environment with more than one
firewall in it, you can manage the enforcement at two levels: globally and on the firewall. By selecting the global
node, you can configure and make changes across all the firewalls in your environment. By selecting an
individual firewall you can configure and make changes that apply only to that particular unit.

NOTE: Note that when the global node is selected, the command options are Policies and Client Groups.
When an individual node or firewall is selected, the Client command option is also available.

Topics:
• Policies
• Client Groups
• Clients

Policies
Content Filtering Client includes a Default Desktop Policy and a Default Mobile Policy that you can access from
the Enforcement > Policies page. The Default Desktop and Default Mobile policies provide standard settings for
content filters. These policies are configured to be moderately strict and are suitable for use with most Content
Filtering Clients. They cannot be edited or deleted.
You can create a new policy or clone one from an existing policy, such as the Default Desktop Policy. Cloning the
Default Desktop Policy or an existing policy is recommended. Then edit specific fields within the cloned policy.
This is an effective way to create a new policy that is similar to an existing policy.
Note that the client does not assign a content filtering policy to the Default Desktop Policy. Content filtering
policies are assigned only to the Default Mobile Policy.

NOTE: When all settings are left as the default settings, all desktop devices acquire the policies as defined
in the Default Desktop Policy. Likewise, all mobile devices, such as a laptop, acquire the policies defined in
the Default Mobile Policy.

To clone a policy or add a new policy:

1 Navigate to the Enforcement > Policies page and choose either the global node or a specific firewall for
the policy.
2 To clone an existing policy, click the Clone icon under Configure in the row for the policy that you want to
clone. To create a new policy, click Add New Policy.

SonicWall EPRS 2.3 Adminstration Guide

46
Enforcement
 NOTE: The contents are slightly different between a new policy and cloned policy so you may see
slight differences in the screen captures. The pages, tabs and fields are the same though.

3 On the General tab, input or change the name of the Policy in the Name field.
4 Add descriptive information about the policy in the Comments field.
5 Under the Version Settings section, select the desired Version (specific release) from the drop‐down list.
This allows the policy to be configured for a specific version. You can select General Release, Early
Release, Alpha or Beta.
6 Select the Content Filter tab.

7 Select the Default local policy from the drop‐down menu.

SonicWall EPRS 2.3 Adminstration Guide

47
Enforcement
 8 Select a Scheduled policy from the drop‐down list. A scheduled policy is one that has a Schedule
associated with it. If a Schedule is selected and the schedule matches the time, the policy is used for
enforcement during the specified window of time. If a scheduled policy is not selected, the default would
apply all the time. Note that only policies with a schedule set appear in this drop‐down list.
9 Click OK.

Client Groups
Administrators can configure client groups on the Enforcement > Client Groups page. You can edit existing client
groups or create new client groups. The Default Client Group can be edited, but cannot be deleted.
All clients requesting a policy for the first time are automatically added to the Default Client Group and are
served with the policy defined for this group. The administrator can move a client to a different client group
after the client is initially added to the Default Client Group.

NOTE: All desktop devices acquire the policies as defined in the Default Desktop Policy. All mobile devices,
such as a laptop, acquire the policies defined in the Default Mobile Policy. If you would like to modify the
service associated with the client defined default policy, you must clone the Default Desktop or Mobile
Policy, then add/remove the services that the default client groups contain.

The Enforcement > Client Groups page is available on the Policies tab.

SonicWall EPRS 2.3 Adminstration Guide

48
Enforcement
Topics:
• About the Client Groups List
• Searching Client Groups
• Adding or Editing Client Groups
• Deleting Client Groups

About the Client Groups List

The Client Groups list has several tools that are useful for finding and managing client group information. At the
top of the list is a search function. Refer to Searching Client Groups for information on using the search.
The following table describes the columns in the Client Groups list.

Name Represents the client groups that have been defined.

Type Indicates what kind of group this is. Options include User Group, Organizational
Unit, or Host.

SonicWall EPRS 2.3 Adminstration Guide

49
Enforcement
 Desktop Policy Indicates which desktop policy is being applied to the group.
Mobile Policy Indicates which mobile policy is being applied to the group.
Comments If a green comments icon is present, indicates additional information about the
Client Group. Hold your cursor over the icon and the comment pops up.
Directory Indicates the source for the Users information. The options are LDAP or Google (for
Google Directory).
Configure Shows the edit and delete icons so you can change or delete the client group.

Searching Client Groups

The Client Groups Search function is useful if you have a large number of client groups and need find a specific
one. The function can search for text in the Name, Type, Desktop Policy, Mobile Policy or Directory fields. To
search for a specific user group, choose the node that you want to search. On the Policies tab, select
Enforcement > Client Groups.

To search for a client group:

1 Select the client group field to be searched. You can select either the Name, Type, Desktop Policy,
Mobile Policy, or Directory fields.
2 To specify the type of match, choose from the following:
• Equals—The entire field must match the text you provide.
• Starts with—The field must start with the text you provide.
• Ends with—The field must end with the text you provide.
• Contains—The field must contain the text you provide.
3 In the blank field, type in the text that you want to search for.
4 Click Search.
5 Click Clear to return the search fields to their default values and clear the text field.

Adding or Editing Client Groups

To add or edit a client group:
1 On the Policies tab, navigate to the Enforcement > Client Groups page.
2 To add a new client group, click Add New Client Group. To edit an existing client group, click the Edit icon
in the Configure column for the client group you want to edit. The Add Client Group window displays.

SonicWall EPRS 2.3 Adminstration Guide

50
Enforcement
 3 Type a descriptive name into the Group Name field
4 In the Comment field, enter a descriptive comment.
5 Select a policy for the group from the Desktop Policy drop‐down list. All existing policies are available for
selection.
6 Select a policy for the group from the Mobile Policy drop‐down list. All existing polices are available for
selection.
7 Click OK to complete.

Deleting Client Groups

You can delete one or more host‐based client groups on the Enforcement > Client Groups page.

To delete one or more client groups:

1 On the Policies tab, navigate to the Enforcement > Client Groups page.
2 The delete options are:
• To delete all client groups except the default, check the box next to the Name column heading,
then click Delete Client Group(s) at the bottom of the page.
• To delete multiple client groups, check the box next to each one you want to delete and click
Delete Client Group(s).
• To delete a single client group, click the trash can icon in the same row, or check the box next to it
and then click Delete Client Group(s).

NOTE: The Default Client Group and User Group‐based Client Groups cannot be deleted so they
have a grayed‐out icon Trash icon.

When Client Groups with clients are deleted:

• It does not allow you to delete, but prompts you to move the users to another client group.
• A tool tip get a message warning that the client groups cannot be deleted. The warning message shows
the relationship between the client group to the clients. Then you can take corrective action based on
the comments provided.

SonicWall EPRS 2.3 Adminstration Guide

51
Enforcement
Clients
Administrators can configure clients on the Enforcement > Clients page. You can delete clients, move clients
from one client group to another, and block or unblock clients. You can also use the Search function to search for
clients.
Administrators can select a custom policy for the Default Client Group, or leave the Default Policy configured.
The administrator can move a client to a different client group after the client is initially added to the Default
Client Group.
Topics:
• Searching for Clients
• Deleting Clients
• Blocking Clients
• Unblocking Clients

Searching for Clients

The Clients Search area at the top of the page provides a way to search the list of clients. This is useful if you
have a number of clients and need to find one or more with a specific value in the Host Name, Host IP, Client
Group, or Last Contacted field.

To search for a client:

1 Navigate to the Enforcement > Clients.
2 Select the client field to be searched from the drop down list. You can select the Host Name, Client
Group, Client Version, Allowed, or Client Users.

3 To specify what part of that field to match against, choose among the following operators:
• Equals – The entire field must match the text you provide.
• Starts with – The field must start with the text you provide.
• Ends with – The field must end with the text you provide.
• Contains – The field must contain the text you provide.
4 In the blank field, type in the text or value that you want to search for.
5 Click Search.
6 Click Clear to return the search fields to their default values and clear the text field

SonicWall EPRS 2.3 Adminstration Guide

52
Enforcement
Deleting Clients
You can delete one or more clients from the Clients table on the Enforcement > Clients page.

To delete one or more clients:

1 On the Policies tab, navigate to the Enforcement > Clients page.
2 The delete options are:
• To delete all clients, check the box next to the Host Name column heading, then select Delete
Client(s).
• To delete multiple clients, check the box next to each one you want to delete, then click Delete
Client(s).
• To delete a single client, click the trash can icon in the same row, or check the box next to it and
then click Delete Client(s).
3 Click OK in the confirmation dialog box.

Moving Clients
Moving clients allows you to move a Client to a different Client Group. Moving clients is only supported for Host‐
based groups.

To move clients:
1 On the Policies tab, navigate to the Enforcement > Clients page.
2 Check the box next to the clients you want to move.
3 Click the Move Client(s) link at the bottom of the page.

4 When the pop‐up window displays asking you to select the destination client group, select the option
you want.
5 Select OK.

SonicWall EPRS 2.3 Adminstration Guide

53
Enforcement
Blocking Clients
The administrator can prevent clients from accessing the Internet by using the Block Client(s) function.

To block one or multiple clients:

1 On the Policies tab, navigate to the Enforcement > Clients page.
2 Check the box next to the clients you want to block.
3 Click the Block Client(s) link at the bottom of the page. You will be asked to confirm blocking these
clients.
4 When the confirmation message appears, click OK.
Under the Allowed column the green check box turns into a red X, indicating those clients have been
blocked.
Blocking allows the client to recover the licenses back into the pool. After a blocked client gets a policy update
from client, EPRS wipes all content filter policies from the client machine. From this point on, the client system
has no content filter protection. If this client is behind a firewall that is enforcing client content filtering, then
this client is not allowed to access the Internet.

Unblocking Clients
Unblocking clients allows the client to receive content filter protection. Unblocking the client also allows access
to the Internet if it is a client behind a firewall enforcing client content filtering.

To unblock one or multiple clients:

1 On the Policies tab, navigate to the Enforcement > Clients page.
2 Check the box next to the clients you want to unblock.
3 Click the Unblock Client(s) link at the bottom of the page.
4 When the confirmation message appears, click OK.
Under the Allowed column the red X turns into a green check mark, indicating those clients have been
unblocked.

SonicWall EPRS 2.3 Adminstration Guide

54
Enforcement
 9
Reports
The reporting server provides a summary of raw data used in reports, and supports the various types of reports
along with search and filtering functions.
Topics:
• Categories
• Sites
• Initiators
• Details

Categories
The categories report provides information the Categories, Match and Attempts.

Each report has several options for sharing or viewing the data. These options apply to all reports.
• In the upper right corner of the report, you can chose to export the report to a PDF or CVS file.
• The icons in the upper right corner of the shaded area allow you to change the view to chart only, data
only or combined chart and data.
• The icon with two curved arrows refreshes the data.
• To view a percentage amount, move the curser over a category item listed on the right or a section of the
pie chart.

SonicWall EPRS 2.3 Adminstration Guide

55
Reports
• Click on the category or chart item to view the detail report. The categories Match name is shown on the
top right side of the screen as shown in the figure below. Click on the Categories option to return to the
pie chart view.

SonicWall EPRS 2.3 Adminstration Guide

56
Reports
Sites
The sites report provides the Site Name, Match and Attempts. To view a percentage amount, move the curser
over a category item listed on the right or a section of the pie chart.

SonicWall EPRS 2.3 Adminstration Guide

57
Reports
Click on the category or chart item to view the detail report. The Site Name is shown on the top right side of the
screen as shown in the figure below.

Initiators
The initiators report provides information on the Initiator Host, User and Attempts.To view a percentage
amount, move the curser over a category item listed on the right or a section of the pie chart.

SonicWall EPRS 2.3 Adminstration Guide

58
Reports
Click on the category or chart item to view the details report. The Initiator Host name is shown on the top right
side of the screen as shown in the figure below.

SonicWall EPRS 2.3 Adminstration Guide

59
Reports
Details
The details report provides information for Timeline, Categories, Sites and Initiators. To view a specific report,
click on an item under the report type.

NOTE: To add a filter click on the + sign to view the drop down menu as shown in the figure below.

SonicWall EPRS 2.3 Adminstration Guide

60
Reports
 10
Troubleshooting

Topics:
• Installation Errors
• Content Filtering Client Errors

Installation Errors
Two specific errors may occur during installation of the Content Filtering Client:
1 An invalid serial number is entered.
2 The serial number entered is not licensed for the Content Filtering Client.
In both of these install errors, the installation fails and a notepad opens with log messages displays. You can save
this log file for diagnostic reference. You may need to use this log if you contact SonicWall Support.

Content Filtering Client Errors

This section describes how to view the various error messages that may display on the Content Filtering Client.
The images in this section may be useful for diagnostics.
The following error message displays when the Content Filtering Client license has expired. Log in to your
MySonicWall account to renew your service subscription.

SonicWall EPRS 2.3 Adminstration Guide

61
Troubleshooting
The following message displays when the Content Filtering Client policy is not specified. Navigate to the Policies
> Enforcement > Policies page to configure the Policy Settings.

The following message displays when the Content Filtering Client is blocked from use. Navigate to the Security
Services > Client CFS Enforcement page to unblock the client.

SonicWall EPRS 2.3 Adminstration Guide

62
Troubleshooting
The following message displays when the Content Filtering Client is set to log only. The client is not blocking
access to Websites. Navigate to the Policies > Enforcement > Clients page to change the client to block.

For more information and related documentation, see the SonicWall Support Site at
https://support.sonicwall.com/

SonicWall EPRS 2.3 Adminstration Guide

63
Troubleshooting
 11
SonicWall Support
Technical support is available to customers who have purchased SonicWall products with a valid maintenance
contract and to customers who have trial versions.
The Support Portal provides self‐help tools you can use to solve problems quickly and independently, 24 hours a
day, 365 days a year. To access the Support Portal, go to https://support.sonicwall.com.
The Support Portal provides self‐help tools you can use to solve problems quickly and independently, 24 hours a
day, 365 days a year. In addition, the Support Portal provides direct access to product support engineers through
an online Service Request system.
The Support Portal enables you to:
• View knowledge base articles and technical documentation
• Download software
• View video tutorials
• Collaborate with peers and experts in user forums
• Get licensing assistance
• Access MySonicWall
• Learn about SonicWall professional services
• Register for training and certification
To contact SonicWall Support, refer to https://support.sonicwall.com/contact‐support.
To view the SonicWall End User Product Agreement (EUPA), see https://www.sonicwall.com/legal/eupa.aspx.
Select the language based on your geographic location to see the EUPA that applies to your region.

SonicWall EPRS 2.3 Adminstration Guide

64
SonicWall Support