How to block “Ammyy Admin” in network?

This tutorial will guide you to block “Ammyy” with “WFilter Enterprise 4.0”.

First, add the “Ammyy” protocol.

Ammyy has one pattern:
“ammyy_tcp”:
  Type — “TCP SEND”
  Format — “0”
  Content — “^\x25[\x00-\xff]{4}\x2e\xf4\xff\xff”

Second, Enable blocking of Ammyy in certain blocking levels.

And apply this blocking policy to certain computers.

Now, Ammyy will be blocked.

WFilter blocking events:

Ammyy connection failure.

Related Links:

http://blog.wfilterngf.com/How+To+Block+TeamViewer+On+My+Network+Using+WFilter.aspx

How to block hotspot shield in network?

Hotspot Shield is a free VPN service for accessing blocked websites. With Hotspot Shield, users can bypass the internet filter on your network.

So, to implement internet access policies in business networks, it is required to block hotspot shield traffic.

This tutorial will guide you to block hotspot shield with WFilter.

Add hotspot shield protocol

Because “hotspot shield” is not a default protocol of WFilter, you need to define it manually in “Customize Protocols”.

As in the above figure, add a new protocol named “HotSpot” in “Customize Protocols”. Three patterns are required:

UDP send pattern 1: “^\x88[\x00-\xff]{8}(\x00){5}$”

UDP send pattern 2: “^\x28[\x00-\xff]{9}(\x00){4}”

TCP send pattern: “\x00\x0e\x88[\x00-\xff]{8}(\x00){5}$”

Enable blocking of “hotspot shield”

Now, by enabling “Block hotspot” in blocking level settings, hotspot will be blocked.


Please notice:

Hotspot can be completely blocked when your WFilter is deployed in “pass-through” mode. However, in “pass-by” mode, for complete blocking of hotspot, you also need to block UDP ports 900-65534 in your router or firewall. Check: How to block certain UDP ports in router/firewall?

How to manage several WFilter servers from a central location?

When you need to manage internet access for several offices, it is helpful to do the management from a central location.

This tutorial will guide you to manage several WFilter servers from a single user interface.

1. Edit WFilter servers

Step1: In WFilter’s dashboard, click “Edit” to define remote servers.

Step2: add servers.

Please notice:

  1. Remote server’s admin password is required.
  2. The remote WFilter server shall be configured as “Allow Remote Access” in “System Settings”->”Remote Access Control”.
  3. If you’re connecting the remote server from internet, you need to forward tcp port 9090 to the WFilter server in the remote network router.
  4. If the remote network doesn’t have a fixed internet IP address, you can also access the remote server by dynamic domain name.

2. Switch WFilter servers in the dashboard.

Now you can switch WFilter servers in the dashboard. All the data will be retrieved from remote servers. So you can manage different WFilter servers in a central location.



  

How to block stock market trading programs in network?

Employees can spend hours reading market data and trading stocks online. To maintain productivity, it is necessary to block online trading traffic during working hours.

This tutorial will guide you to block “Nest trader” and “(IIFL) Trader Terminal” traffic in your network.

Since WFilter does not support these two protocols by default, you need to add custom protocols in “System Settings”->”Customize Protocols”.

1. Block IIFL trade terminal

1). Add a new protocol named “IIFL Trader”, choose a protocol type.

2). Add a new pattern, choose pattern “Type” as “TLS”. Set pattern content as “swaraj\.indiainfoline\.com”.

3). Check “Block IIFL Trader” in your blocking policy.

4). Now IIFL trader can be blocked.

2. Block “Nest trader”

1). Add a new protocol named “Nest Trader”, choose a protocol type.

2). Add a new pattern, choose pattern “Type” as “TCP SEND”. Set pattern content as “^\x00\x00\x00\x13\x52\x55\x00\x0f\x6c\x69\x63\x65\x6e\x73\x65\x5f\x63\x68\x65\x63\x6b\x65\x72”.

3). Check “Block Nest Trader” in your blocking policy.

4). Done. Now Nest trader will also be blocked.
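The byte patterns given above for Ammyy, Hotspot Shield and Nest Trader can be checked offline before they are entered in “Customize Protocols”. The following is an added example, not part of WFilter or of the original tutorials; it assumes Python's re module behaves like WFilter's matcher, and all payloads are constructed rather than captured.

```python
import re

# Signatures copied from the custom protocol definitions on this page.
SIGNATURES = {
    "ammyy_tcp": rb"^\x25[\x00-\xff]{4}\x2e\xf4\xff\xff",
    "hotspot_udp_1": rb"^\x88[\x00-\xff]{8}(\x00){5}$",
    "hotspot_udp_2": rb"^\x28[\x00-\xff]{9}(\x00){4}",
    "hotspot_tcp": rb"\x00\x0e\x88[\x00-\xff]{8}(\x00){5}$",
    "nest_trader_tcp": rb"^\x00\x00\x00\x13\x52\x55\x00\x0f\x6c\x69\x63\x65"
                       rb"\x6e\x73\x65\x5f\x63\x68\x65\x63\x6b\x65\x72",
}
# Assumption: Python's re stands in for WFilter's own pattern matcher.
COMPILED = {name: re.compile(rx) for name, rx in SIGNATURES.items()}


def classify(payload: bytes) -> list:
    """Return the names of all signatures that match one packet payload."""
    return sorted(n for n, rx in COMPILED.items() if rx.search(payload))


def printable_runs(pattern: bytes) -> list:
    """Decode the \\xNN escapes in a signature; list ASCII runs of 4+ chars."""
    hexes = re.findall(rb"\\x([0-9a-fA-F]{2})", pattern)
    raw = bytes.fromhex(b"".join(hexes).decode())
    return [m.decode() for m in re.findall(rb"[ -~]{4,}", raw)]


# Constructed payloads (not captured traffic).
AMMYY = b"\x25\x01\x02\x03\x04\x2e\xf4\xff\xff\x00\x01"
HS_UDP = b"\x88" + bytes(range(1, 9)) + b"\x00" * 5        # exactly 14 bytes
HS_TCP = b"\x00\x0e" + HS_UDP
NEST = b"\x00\x00\x00\x13RU\x00\x0flicense_checker"
# Unrelated payload that happens to start with "(" (0x28): the second UDP
# pattern has no end anchor and only four fixed zero bytes, so it still fires.
LOOSE = b"(" + b"A" * 9 + b"\x00" * 4 + b"unrelated"

if __name__ == "__main__":
    for name, pkt in [("ammyy", AMMYY), ("hs_udp", HS_UDP), ("hs_tcp", HS_TCP),
                      ("nest", NEST), ("loose", LOOSE),
                      ("http", b"GET / HTTP/1.1\r\n\r\n")]:
        print(name, classify(pkt))
    print(printable_runs(SIGNATURES["nest_trader_tcp"]))
```

The LOOSE payload shows why short, lightly anchored patterns should be tested against normal traffic for false positives before the block is applied to all computers.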

How to block youtube website access of network computers?

Since youtube video streaming can consume a lot of bandwidth, you might want to block youtube access during working hours. This tutorial will guide you to set up an internet policy to block youtube access at work with WFilter 4.0.

You can block youtube at different levels:

  1. Block youtube access completely.
  2. Block youtube access during working hours.
  3. Block youtube videos, but allow youtube website.

1. Block youtube website completely

You can block youtube with WFilter’s “Website black list”, as shown in below figure:


You also can block youtube by blocking the “Streaming Media” website category. All streaming websites in WFilter url database will be blocked.

Access blocked.

Because youtube also provides HTTPS access, you need to enable an HTTPS black list to block HTTPS access to youtube.


HTTPS access blocked.

2. Block videos, but allow website access

If you want to allow the youtube website but block all videos, you can enable the “Block Online HTTP Video and Downloading of Video Files” option.


How to customize WFilter reports by directly querying the database?

Though WFilter already has many reports by default, you may need other report formats or data. In this case, you can directly query the database tables to get what you need.

Customizing reports is complicated with the WFilter file-based version, so you need to install the WFilter database version first. For steps to install the WFilter database version, please check: WFilter Database Version Installation Guide

There is a “web surfing time report” in “Detailed Reports”->”Web Report”; you can generate this report “by name” or “by website” in the WFilter user interface. If you need a report of web surfing time both “by name” and “by website”, you need to write a custom SQL query. The data is stored in table “webreport” with the structure below:


create table webreport
(
mac char(12) NOT NULL, /* MAC address */
ip varchar(20), /* ip address */
acct varchar(200), /* domain username */
happendate varchar(10), /* date */
method char(1), /* 0 – get, 1 – post */
categoryid varchar(10), /* website category id */
host varchar(100), /* website domain name */
visitcnt varchar(20), /* visits number */
duration varchar(20) /* surfing time in seconds */
)


1. Web surfing time report by ip address

To get a report by IP address and website for a certain date, you can execute a SQL query like:

select ip, host, sum(convert(int, duration)) cnt from webreport where happendate>='20120803' and happendate<'20120804' and ip is not null group by ip, host order by ip, cnt desc

You will get data like this:

192.168.1.131 www.google.com 226
192.168.1.131 forum.imfirewall.us 192
192.168.1.131 ct1.addthis.com 180
192.168.1.131 l.yimg.com 180
192.168.1.131 sports.yahoo.com 153
192.168.1.20 m614.mail.qq.com 266
192.168.1.20 share.baidu.com 254
192.168.1.20 forum.imfirewall.us 200
192.168.1.20 hm.l.qq.com 180
192.168.1.20 info.iet.unipi.it 180

2. Web surfing time report by user

If you have “Account Monitoring” enabled, you can also generate reports based on AD usernames. The SQL query will be:

select acct, host, sum(convert(int, duration)) cnt from webreport where happendate>='20120803' and happendate<'20120804' and acct is not null group by acct, host order by acct, cnt desc

You will get data like this:

CN=Users%2cDC=demo%2cDC=com%2fBruce_Geng www.google.com 226
CN=Users%2cDC=demo%2cDC=com%2fBruce_Geng forum.imfirewall.us 192
CN=Users%2cDC=demo%2cDC=com%2fBruce_Geng l.yimg.com 180
CN=Users%2cDC=demo%2cDC=com%2fBruce_Geng ct1.addthis.com 180
CN=Users%2cDC=demo%2cDC=com%2fBruce_Geng sports.yahoo.com 153
CN=Users%2cDC=demo%2cDC=com%2fBruce_Geng test.org.uk 96
CN=Users%2cDC=demo%2cDC=com%2fBruce_Geng www.yahoo.com 72
CN=Users%2cDC=demo%2cDC=com%2fBruce_Geng *.bc.yahoo.com 67
CN=Users%2cDC=demo%2cDC=com%2fBruce_Geng *.websense.com 59
CN=Users%2cDC=demo%2cDC=com%2fBruce_Geng *.g.doubleclick.net 34
CN=Users%2cDC=demo%2cDC=com%2fBruce_Geng www.google.com.hk 31


Please notice, the “acct” column is urlencoded. You need to urldecode it to get a readable username.
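The per-user report and the urldecode step can be combined in one script. This is an added example, not part of WFilter: it runs against an in-memory SQLite copy of the table with constructed rows, so SQLite's CAST replaces the convert(int, ...) call used above, and the split of “acct” into container and username is an assumption based on the sample output.

```python
import sqlite3
from urllib.parse import unquote

QUERY = """
SELECT acct, host, SUM(CAST(duration AS INTEGER)) AS cnt
FROM webreport
WHERE happendate >= ? AND happendate < ? AND acct IS NOT NULL
GROUP BY acct, host ORDER BY acct, cnt DESC
"""


def surfing_time_by_user(conn, start, end):
    """Seconds per (user, host) for start <= happendate < end."""
    report = []
    # Dates are bound as parameters, never pasted into the SQL text.
    for acct, host, seconds in conn.execute(QUERY, (start, end)):
        decoded = unquote(acct)                  # %2c -> ",", %2f -> "/"
        # Assumption from the sample output: "<container DN>/<username>".
        container, _, user = decoded.rpartition("/")
        report.append((user, container, host, seconds))
    return report


def demo_db():
    """In-memory copy of the webreport table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE webreport (mac TEXT NOT NULL, ip TEXT, acct TEXT,"
        " happendate TEXT, method TEXT, categoryid TEXT, host TEXT,"
        " visitcnt TEXT, duration TEXT)")
    acct = "CN=Users%2cDC=demo%2cDC=com%2fBruce_Geng"
    mac, ip = "001122334455", "192.168.1.131"
    rows = [
        (mac, ip, acct, "20120803", "0", "1", "www.google.com", "5", "200"),
        (mac, ip, acct, "20120803", "1", "1", "www.google.com", "1", "26"),
        (mac, ip, acct, "20120803", "0", "2", "forum.imfirewall.us", "3", "192"),
        (mac, ip, None, "20120803", "0", "3", "share.baidu.com", "2", "254"),
        (mac, ip, acct, "20120804", "0", "1", "www.google.com", "1", "999"),
    ]
    conn.executemany("INSERT INTO webreport VALUES (?,?,?,?,?,?,?,?,?)", rows)
    return conn


if __name__ == "__main__":
    for row in surfing_time_by_user(demo_db(), "20120803", "20120804"):
        print(row)
```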


How to deploy WFilter in a VMware ESXi server?

VMware ESX and ESXi servers are widely used in business networks. This document will guide you to deploy WFilter on an ESXi server to filter the internet traffic of virtual systems.

On a VMware ESXi server, WFilter can work in both “Pass-by” and “Pass-through” modes. For more details about these two modes, please check: WFilter deployment modes

It is simple to run WFilter in “Pass-by” mode on a VMware ESXi server. You simply need to install WFilter in a VMware virtual computer and allow “Promiscuous mode” on the virtual switch. However, because WFilter cannot filter UDP traffic in pass-by mode, you also need to configure UDP blocking in an upstream router/firewall. Please check: How to block certain UDP ports in router/firewall?

In this tutorial, we will show you how to deploy WFilter in pass-through mode on a VMware ESXi server.

Deploy WFilter in pass-through mode in a VMware ESXi server.

To deploy WFilter in pass-through mode on a VMware ESXi server, the following conditions are required:

  1. A virtual computer with two adapters to install WFilter.
  2. At least two virtual switches.
  3. The two adapters shall be connected to different virtual switches.

As in the figure below, the WFilter server “94-wfilter-server” is connected between “vSwitch0” and “vSwitch1”. In this topology, all virtual computers in vSwitch1 will be monitored and filtered by the WFilter server “94-wfilter-server”.

Step 1, create a new virtual switch

As in below figure, a new virtual switch with no physical adapter is created.

Step 2, connect the two adapters to different virtual switches

To bridge the virtual switches, two adapters of the WFilter server shall be connected to different virtual switches.

Step 3, allow “Promiscuous mode” of virtual switches

The virtual switches connected to the wfilter server shall be configured to accept “Promiscuous Mode”.

Now, you also need to bridge the two adapters inside the WFilter server. And the WFilter program shall be configured to work in “Pass-through mode”. Please check this document for more details: Deploy WFilter in a windows network bridge.

How to whitelist yahoo mail and hotmail websites in WFilter?



Sometimes you might want to block all websites with exception. In that case, you can enable WFilter’s “website whitelist” to do this.


However, websites can be complicated, with different hosts for images, ads and files. You will need to whitelist several domains for a webpage to load properly. For example, mail.yimg.com is also required for images in yahoo email.


In this topic, I will demonstrate how to identify the required domains for a website.


First, add the domain into the exception list


Second, make a visit and check real-time blocking of WFilter.


Make a visit to this website and check “real-time blocking” or “Current Activity” in WFilter, you will see several blocking events. These domains are also required for this webpage.


Add more domains into the exception list


Add more blocked domains into the exception list until the website can be properly loaded.


In this example, for hotmail and yahoo mail to work, you need to add below list:


*mail.yahoo*


*mail.yimg.com


*.live.com


*.hotmail.com


*.wlxrs.com

How to set a redirect denial page in WFilter?

Sometimes you might want to redirect blocked websites to a new URL. To do this, you need to edit WFilter denial page in source mode.

This tutorial will guide you to configure a redirect denial page in WFilter.

First, edit a blocking level

Edit a blocking level and create a new denial page. Please don’t forget to list your new URL in the exception list.

Second, edit the denial page in source mode.

A JavaScript snippet is required:

<script>window.location="http://www.yourwebsite.com/…";</script>

Third, uncheck “view source” and click “Save” to save the settings.

Please notice, click “save” after unchecking “view source”.

Done, now all blocked web requests will be redirected to the new URL.

For more information, please check “WFilter Enterprise”.


When shall you use two network cards for monitoring and blocking?

In “pass-by” filtering mode (WFilter works on a mirroring port), WFilter sends RST packets to block TCP connections. However, if outgoing traffic is limited on the blocking adapter, the blocking feature of WFilter might not work.

The default settings of WFilter use the same adapter for monitoring and blocking. However, this will not work if either of the following conditions is met.

  1. The monitoring switch does not allow outgoing traffic on the mirroring port. You can check this by pinging other computers from the monitoring computer. This problem can be solved by changing switch settings (if supported) or adding a separate blocking adapter. Cisco switches have a parameter “ingress” to enable outgoing traffic on the mirroring port.
  2. The monitoring adapter is too busy receiving mirrored packets. We recommend using another NIC for blocking when you have 50+ computers. To check this issue, you can run “System Settings”->”Check Settings” to perform a check on the blocking adapter.

Steps to add a blocking adapter

1. Add a physical network card and connect this NIC to a normal port in your switch. If you have multiple VLANs, the blocking adapter shall be in a VLAN which can reach other VLANs.

2. Assign an available ip address and gateway settings to the new NIC.

3. If WFilter does not detect the new card in “System Settings”->”Monitoring Settings”, please click “Start”->”IMFirewall WFilter”->”Tools”->”Restart WFilter Service” to reload the adapters list.

4. Choose the new network card as the “blocking adapter” in “System Settings”->”Monitoring Settings”->”Monitoring Device Settings”.

5. Run “System Settings”->”Check Settings” to check.

6. Sometimes Windows cannot choose the correct network card for communication. In that case, please check this topic to set “Metric”: Blocking adapter doesn’t work when using two network cards

Further readings:

How WFilter works to block internet connections in network?