NxFilter v2.2.2 and new NxLogon for safe-search and URL keyword filtering.


Jinhee

Jun 24, 2014, 5:17:47 AM
to nxfil...@googlegroups.com
I implemented proxy-based filtering on NxLogon as well. This means you can have
safe-search enforcing and URL filtering on Active Directory users without deployment
issues.

* To reduce the size of the NxFilter package I separated the new NxLogon from the main
package. So you need to download it separately to use application-control and
web-filtering.


This is the tutorial part I am working on.

------------------------------------------------------------------------
Safe-search enforcing, URL filtering with NxLogon and NxClient
------------------------------------------------------------------------

As of V2.2.2 NxFilter supports safe-search enforcing, URL keyword filtering and
the other web-proxy based filtering methods. To enable these features you need to have
NxLogon or NxClient running on the user's PC.

* To reduce the main package size NxLogon has been separated from NxFilter. You need
to download it from our website if you want to use proxy filtering with it.


How it works
  After NxLogon or NxClient has started on a user's system, it tries to filter the user's web
  traffic by setting itself up as the proxy server of the system it is running on. NxLogon
  and NxClient retrieve the filtering policy periodically according to the time value you
  define for 'Agent policy update period' on 'Config > config'.

Supported options
  Block HTTPS : You can block all the HTTPS traffic.

  Block IP host : Blocking HTTP requests with an IP host in the URL.

  Block other browser : Currently NxFilter's proxy filtering is being activated through
    system proxy settings. Internet Explorer and Chrome are using system proxy already.
    Many other applications are also using system proxy. But there are other applications
    having their own proxy setup. So you need to block these applications. With this
    option enabled NxLogon or NxClient will block any program making direct HTTP connection
    to the Internet. But this means as long as you use system proxy you can use any program
    with NxLogon or NxClient. So if you want to use Firefox instead of IE or Chrome set
    it up to use system proxy.

  Safe-search : Enforcing safe-search against Google, Bing, Yahoo search engines and
    YouTube. It also blocks HTTPS access against these sites so that a user cannot get
    away by using HTTPS.

  Blocked keyword in URL : Keyword filtering against URL.

Logging
  You will get domain level log data. But you will see a detailed reason for the block like
  below.

     Domain: www.google.com
     Reason: Blocked by proxy, url_kw=game

Enable proxy filtering only for specific users
  The proxy filtering of NxFilter works globally. If you need to disable it for some users
  check 'disable proxy filtering' option on the 'Policy > policy > edit' on GUI.


------------------------------------------------------------------------
Launching and updating new NxLogon
------------------------------------------------------------------------

The procedure of launching NxLogon is the same as before and it's explained on
'http://nxfilter.org/tutorial.php#single_sign'. But unlike its predecessor, the new NxLogon
doesn't require server-ip specified. It finds its server automatically so you don't need
to modify launch scripts anymore.

One thing to note is that we ship a new set of launch scripts which are written using
VBScript. Inside the NxLogon package there are '.bat' and '.vbs' scripts in the '/script' directory.
'nxlogon.bat' will just launch 'nxlogon.exe', but 'nxlogon.vbs' will copy 'nxlogon.exe'
into the user system first and launch it from there so that next time it doesn't need
to transfer the file across your network. This is because the new 'nxlogon.exe''s size
has grown up to 1.6 megabytes to accommodate all the new features and you may have
some delay from the logon script transmitting the file every time a user logs in.

While using 'nxlogon.vbs' saves your network bandwidth, there's a problem with updating
NxLogon. Your new 'nxlogon.exe' will not be copied into the user system as they already have
a file with the same name on their system. As a workaround you can rename 'nxlogon.exe'
differently. In that case you'd need to modify the '.vbs' files to change the 'nxlogon.exe'
part in the files.


------------------------------------------------------------------------
Download links
------------------------------------------------------------------------

http://nxfilter.org/download/nxfilter-2.2.2-beta-1.exe
http://nxfilter.org/download/nxfilter-2.2.2-beta-1.zip
http://nxfilter.org/download/nxclient-2.0-beta-3.exe
http://nxfilter.org/download/nxclient-2.0-beta-3.zip
http://nxfilter.org/download/nxlogon-2.0-beta-1.zip

Giorgio Catena

Jun 25, 2014, 5:47:50 AM
to nxfil...@googlegroups.com
Hi Jinhee,
I'm wondering how the proxy setup is done. This because I'm already working with a vbs script (PAC file) to provide either direct connection (using dns filter by nxfilter) or proxy....
How can I manage this with the new nxlogon? Is there a possibility to exclude proxy settings in a system wide manner?
Regards

Jinhee Lee

Jun 25, 2014, 7:40:09 AM
to nxfil...@googlegroups.com
Both nxlogon and client set themselves up as system proxy.
I knew this kind of way of filtering already but the problem
is deployment. With nxlogon you don't need to install it.
Only it has grown up to a 1.6 megabyte file. Still launchable.
Considering its feature set its size is acceptable. And that's
what I have been working on so far. Reducing the size.

Giorgio Catena

Jun 25, 2014, 8:43:38 AM
to nxfil...@googlegroups.com
If we could exclude the proxying option, it could be useful in my perception....

Jinhee

Jun 25, 2014, 6:56:53 PM
to nxfil...@googlegroups.com
Yeah, you can disable globally or policy specific just like application control.

Matthew Marlowe

Jun 26, 2014, 12:25:45 PM
to nxfil...@googlegroups.com
Sometimes, trying to make it easier makes it harder. For me, I enjoy being able to specify the server from the command line - Especially for testing.

On this new version, if you specify a server (can you specify a server?) will it not try and find a server?


Jinhee

Jun 26, 2014, 5:36:42 PM
to nxfil...@googlegroups.com
If you test it use it on the system which is using NxFilter as its DNS server.
Otherwise use hosts file to specify the server.

  192.168.0.100 block.nxfilter.org

It's not about making it easier.
It's a part of bigger plan for clustering.

Matthew Marlowe

Jun 29, 2014, 6:47:23 PM
to nxfil...@googlegroups.com
So far, so good - For the most part.  I enabled block all traffic for direct HTTP... Chrome is being killed as '[2014-06-29 18:45:43] INFO app_log, svchost.exe.other_browser', so some logic is not quite right.  I turned it off for now.  The fact that it can find things like Dropbox, great.  Need to be able to set an ignore list BY policy..

Matthew Marlowe

Jun 29, 2014, 7:20:43 PM
to nxfil...@googlegroups.com
I have some great use cases that for us, blocking all direct HTTP traffic would be ideal, yet we need an ignore list, and we need an ignore list by profile. For me, I need all access. Some users may have some applications that I'd like to allow (i.e., Dropbox), etc. Great concept, I think it's on its way.



Jinhee

Jun 29, 2014, 8:00:37 PM
to nxfil...@googlegroups.com
Maybe you can use the application control for that. Anyway 'svchost.exe' can't be killed by nxlogon as it is a service. We don't kill a service and it doesn't have enough permission to kill a service if you're not an admin. But it's killed and causes Chrome to die. Strange..

Matthew Marlowe

Jun 29, 2014, 8:03:17 PM
to nxfil...@googlegroups.com
Well, most users are NOT Admin, only me - But it def. did kill svchost.. and others, quickly - And nicely at that..

06/29 18:47 Y 1   0 svchost.exe.other_browser.app mmarlowe 192.168.17.200 Administrators No_Block unclassified Blocked application
06/29 18:46 Y 3   0 svchost.exe.other_browser.app mmarlowe 192.168.17.200 Administrators No_Block unclassified Blocked application
06/29 18:46 Y 1   0 chrome.exe.other_browser.app mmarlowe 192.168.17.200 Administrators No_Block unclassified Blocked application
06/29 18:45 Y 1   0 svchost.exe.other_browser.app mmarlowe 192.168.17.200 Administrators No_Block unclassified Blocked application
06/29 18:45 Y 1   0 SolutoService.exe.other_browser.app mmarlowe 192.168.17.200 Administrators No_Block unclassified Blocked application
06/29 18:45 Y 1   A atlanticareit.tomorrowsoffice.com mmarlowe 192.168.17.200 Administrators No_Block unclassified Blocked by admin
06/29 18:44 Y 1   0 Dropbox.exe.other_browser.app mmarlowe 192.168.17.200 Administrators No_Block unclassified Blocked application
06/29 18:44 Y 1   0 SessionUI.exe.other_browser.app mmarlowe 192.168.17.200 Administrators No_Block unclassified Blocked application
06/29 18:44 Y 1   0 SolutoService.exe.other_browser.app mmarlowe 192.168.17.200 Administrators No_Block unclassified Blocked application
06/29 18:44 Y 2   0 SimpleHelp.other_browser.app mmarlowe 192.168.17.200 Administrators No_Block unclassified Blocked application
06/29 18:44 Y 1   0 chrome.exe.other_browser.app mmarlowe 192.168.17.200 Administrators No_Block unclassified Blocked application
06/29 18:41 Y 1   A atlanticareit.tomorrowsoffice.com mmarlowe 192.168.17.200 Administrators No_Block unclassified Blocked by admin

But why Chrome detected as svchost, beyond me.

Jinhee

Jun 29, 2014, 8:11:31 PM
to nxfil...@googlegroups.com
Your chrome also got killed as it's making a direct HTTP connection. It's possible if you have some extensions making HTTP connections without using proxy. Only I thought chrome was already in the excluded list. About that svchost.exe, we don't know if it's a real service. Try 'tasklist /FI "imagename eq svchost.exe"' on your system.

Jinhee

Jun 29, 2014, 8:29:00 PM
to nxfil...@googlegroups.com
There was a bug for killing other browser. Detection is OK but internal whitelist not working. I will get you a new one tomorrow.

Jinhee

Jun 29, 2014, 11:09:13 PM
to nxfil...@googlegroups.com
Now 'Excluded keywords' applied for other-browser blocking.
If there's 'firefox' keyword you can use Firefox even though it's not using proxy.
This one works based on keyword matching against process name not title.
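
Added example, not part of the thread and not NxFilter code: a Python sketch that tallies the other-browser blocks in the log excerpt posted earlier in this thread and shows which processes would still be blocked under a given 'Excluded keywords' list. The column layout and the case-insensitive substring matching are assumptions inferred from the posts.

```python
import re
from collections import Counter

# Block-log excerpt copied from the post earlier in this thread; nothing else is read.
SAMPLE_LOG = """\
06/29 18:47 Y 1   0 svchost.exe.other_browser.app mmarlowe 192.168.17.200 Administrators No_Block unclassified Blocked application
06/29 18:46 Y 3   0 svchost.exe.other_browser.app mmarlowe 192.168.17.200 Administrators No_Block unclassified Blocked application
06/29 18:46 Y 1   0 chrome.exe.other_browser.app mmarlowe 192.168.17.200 Administrators No_Block unclassified Blocked application
06/29 18:45 Y 1   0 svchost.exe.other_browser.app mmarlowe 192.168.17.200 Administrators No_Block unclassified Blocked application
06/29 18:45 Y 1   0 SolutoService.exe.other_browser.app mmarlowe 192.168.17.200 Administrators No_Block unclassified Blocked application
06/29 18:45 Y 1   A atlanticareit.tomorrowsoffice.com mmarlowe 192.168.17.200 Administrators No_Block unclassified Blocked by admin
06/29 18:44 Y 1   0 Dropbox.exe.other_browser.app mmarlowe 192.168.17.200 Administrators No_Block unclassified Blocked application
06/29 18:44 Y 1   0 SessionUI.exe.other_browser.app mmarlowe 192.168.17.200 Administrators No_Block unclassified Blocked application
06/29 18:44 Y 1   0 SolutoService.exe.other_browser.app mmarlowe 192.168.17.200 Administrators No_Block unclassified Blocked application
06/29 18:44 Y 2   0 SimpleHelp.other_browser.app mmarlowe 192.168.17.200 Administrators No_Block unclassified Blocked application
06/29 18:44 Y 1   0 chrome.exe.other_browser.app mmarlowe 192.168.17.200 Administrators No_Block unclassified Blocked application
06/29 18:41 Y 1   A atlanticareit.tomorrowsoffice.com mmarlowe 192.168.17.200 Administrators No_Block unclassified Blocked by admin
"""

# Column layout inferred from the excerpt (an assumption, not NxFilter documentation).
LINE_RE = re.compile(
    r"^(?P<date>\d\d/\d\d) (?P<time>\d\d:\d\d) (?P<block>[YN]) +(?P<count>\d+) +"
    r"(?P<type>\S+) +(?P<name>\S+) +(?P<user>\S+) +(?P<ip>\S+) +(?P<group>\S+) +"
    r"(?P<policy>\S+) +(?P<category>\S+) +(?P<reason>.+)$"
)
SUFFIX = ".other_browser.app"  # marks an other-browser block in the excerpt


def flagged_processes(log_text):
    """Tally other-browser blocks per process, weighted by the count column."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m["name"].endswith(SUFFIX):
            hits[m["name"][: -len(SUFFIX)]] += int(m["count"])
    return hits


def still_blocked(hits, excluded_keywords):
    """Processes that no excluded keyword matches (case-insensitive substring assumed)."""
    kws = [k.strip().lower() for k in excluded_keywords if k.strip()]
    return {p: n for p, n in hits.items() if not any(k in p.lower() for k in kws)}


if __name__ == "__main__":
    hits = flagged_processes(SAMPLE_LOG)
    print(hits.most_common())
    print(still_blocked(hits, ["chrome", "dropbox"]))
```

Because matching is by substring of the process name, a short keyword exempts every process whose name contains it, so review the remaining set after each change to the keyword list.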

Matthew Marlowe

Jun 30, 2014, 8:09:37 AM
to nxfil...@googlegroups.com

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
svchost.exe                    692 Services                   0     10,680 K
svchost.exe                    812 Services                   0      8,944 K
svchost.exe                   1004 Services                   0     21,228 K
svchost.exe                    304 Services                   0    199,684 K
svchost.exe                    376 Services                   0     12,456 K
svchost.exe                    516 Services                   0     45,776 K
svchost.exe                   1028 Services                   0     20,236 K
svchost.exe                   1260 Services                   0     22,464 K
svchost.exe                   1420 Services                   0     19,960 K
svchost.exe                   4876 Services                   0      5,740 K
svchost.exe                   5132 Services                   0     53,304 K
svchost.exe                   6564 Services                   0      5,352 K

Jinhee

Jun 30, 2014, 8:21:06 PM
to nxfil...@googlegroups.com
v2.1 will not try to kill services.

Matthew Marlowe

Jun 30, 2014, 9:46:49 PM
to nxfil...@googlegroups.com
On v2.2, though...

Matthew Marlowe

Jun 30, 2014, 9:47:53 PM
to nxfil...@googlegroups.com
Anyway, I am thinking nxlogon killed chrome, because chrome wasn't using the proxy. Now that it is, it should work.  I still need a way to add applications to 'allow' list, pref. by policy, NOT to be killed.

Jinhee

Jun 30, 2014, 10:00:10 PM
to nxfil...@googlegroups.com
I meant NxLogon v2.1. But this one will not kill chrome because I thought chrome always uses system proxy. Don't know if I need to accept your case as a special one or I need to kill chrome when it's not using proxy.