ESS & SS 9.2 - Testing on TS Servers
I'm currently testing these versions on a Test MS TS server but I've some issues;
1. Is there a way to ensure the DeepGuard service is working properly?
2. Do F-Secure have test URLs which can be used to test the additional components added in this version?
3. The Browsing Protection Ratings aren't appearing in IE when you do a search in Google for example.
I'm wondering if additional ports need opening on our firewalls but I read that it'll use port 80 for traffic and 53 for DNS.
If the ORSP service needs to connect to backend servers, are there any IPs/URLs which you could allow access to in a firewall rule for example? I'd rather be in a position of controlling outbound traffic from our server VLAN, just to be safe!
You can use fstestdomain.com to verify that Browsing Protection and DeepGuard work as expected. The links are self-explanatory:
Did you enable 3rd party extensions in IE? By default, Enhanced Security Configuration blocks IE extensions/plug-ins on Windows Server platforms. If the Browsing Protection plug-in is disabled, then ratings are not properly shown in search results.
Yes, the ORSP service requires outbound HTTP connections to our backend servers. Please consult this Knowledge Base article (http://www.f-secure.com/en/web/business_global/support/article/kba/2712) for the list of IPs that the firewall should allow communication with.
I'll try to answer some of your questions:
1. Check DeepGuard->Monitored programs in WebUI.
2. Type "download free screensavers" in Google and you'll find a harmful website.
3. Check your IE advanced internet options. Enable "Enable third-party browser extensions" parameter and restart IE.
Yes, the ORSP service needs a connection to the backend server. You can find details in the Help for the General->Privacy page of the WebUI.
Our UTM firewall supports the use of hostnames which would be easier because if you decide to add or remove backend servers, we could be left with servers having access to unknown hosts or hosts that can't be reached because our firewall rule doesn't allow the traffic!
I assume that for all those IP addresses, you're using some kind of DNS round-robin?
If so, what URL do those IPs resolve to?
That'll be the best way for us.
Hello Vad, Dmitriy.
I've created a full HTTP outbound rule for that test TS server through our firewall using port 80 as normal, but the rating service says it's unavailable! All the links come up as a grey question mark.
Also, after following both your suggestions, none of it seems to be working other than the basic server AV protection - that's DeepGuard, the link scanner and site ratings. Note that I can't find any evidence that the ORSP service is even communicating with your FSBWServers. It is running as a service, as I've checked that.
Any other suggestions?
To check that ORSP connections work, go to the %ProgramFiles%\F-Secure\ORSP Client folder and run orspdiag.exe from the command line. The output has a line about the connection ("Connectivity state"); if it says "Ok", then the connection works. If it says "Connecting", then the connection to the server has been initialized but the crypto session is still uninitialized (i.e. there haven't been any queries to the server yet). If it says "Timeout", then there's networking congestion.
If you get "Ok" with orspdiag.exe but don't see Browsing Protection ratings in IE, then the problem might be somewhere else. I'd then suggest opening a support ticket and sending us an fsdiag report.
Interestingly, tech support have asked me to change the ORSP service from running under the Network Service account to the Local System account.
I find this curious as I didn't change that setting; it was configured during the default installation.
Perhaps there's a bug, but I have F-Secure installed at home and it works fine there without me having had to make any changes.
Perhaps it's because we proxy all internet traffic, but we have a means of allowing traffic to bypass the proxy and go straight out via our firewall.