ClarkConnect Administration Manual

Revised: January, 2008

http://www.clarkconnect.com

Table of Contents
Introduction...................................................................................................................................... 8
Welcome...................................................................................................................................... 8
Features...................................................................................................................................... 8
What's New.................................................................................................................................. 9
Comparing Software Editions...................................................................................................... 9
System Requirements...................................................................................................................... 9
Overview...................................................................................................................................... 9
Network Cards............................................................................................................................. 9
PCI Network Cards................................................................................................................. 9
ISA Network Cards................................................................................................................ 10
Wireless Network Cards........................................................................................................ 10
Internet Connection................................................................................................................... 10
Cable Modems...................................................................................................................... 10
DSL and PPPoE.................................................................................................................... 10
Wireless................................................................................................................................ 10
ISDN..................................................................................................................................... 10
Links.......................................................................................................................................... 10
Compatibility................................................................................................................................... 10
Overview.................................................................................................................................... 10
Vendors..................................................................................................................................... 11
Recommended...................................................................................................................... 11
Not Recommended............................................................................................................... 11
RAID Compatibility..................................................................................................................... 11
RAID Support................................................................................................................................. 11
Overview.................................................................................................................................... 11
Software RAID...................................................................................................................... 12
Hardware RAID..................................................................................................................... 12
Links.......................................................................................................................................... 12
Installation...................................................................................................................................... 13
Starting the Install...................................................................................................................... 13
Installation CD....................................................................................................................... 13
Starting the Installation.......................................................................................................... 13
Configuration Options................................................................................................................ 13
Selecting Your Server Type.................................................................................................. 13
Selecting Your Network Connection Type............................................................................. 13
Selecting Your Network Card Drivers.................................................................................... 13
Configuring Your Network..................................................................................................... 14
Configuring Your Network - PPPoE....................................................................................... 14
Configuring Your LAN IP Address......................................................................................... 14
Selecting Your Hostname - Password - Timezone................................................................ 15
Selecting Your Hard Disk Partitioning Settings...................................................................... 15
Selecting Your Software........................................................................................................ 15
Configure Partitioning and RAID................................................................................................ 16
Overview............................................................................................................................... 16
Select Advanced Partitioning................................................................................................. 16
Using the Disk Druid Partition Tool........................................................................................ 16
Example: Software RAID 1.................................................................................................... 16
Testing Software RAID.......................................................................................................... 18
Links...................................................................................................................................... 18
Troubleshooting......................................................................................................................... 18

Overview............................................................................................................................... 18
Network Configuration.................................................................................................................... 18
Overview.................................................................................................................................... 18
Configuration............................................................................................................................. 19
Network................................................................................................................................. 19
Interfaces.............................................................................................................................. 20
Accessing Login Prompt............................................................................................................ 20
LAN Configuration.......................................................................................................................... 20
Overview.................................................................................................................................... 20
Network Settings................................................................................................................... 21
Windows 95/98.......................................................................................................................... 21
Step 1 - Control Panel........................................................................................................... 21
Step 2 - IP Address............................................................................................................... 22
Step 3 - Gateway Settings..................................................................................................... 23
Step 4 - DNS Settings........................................................................................................... 23
Windows 2000........................................................................................................................... 24
Step 1 - Network Connections............................................................................................... 24
Step 2 - Configuring TCP/IP.................................................................................................. 26
Windows XP.............................................................................................................................. 28
Step 1 - Control Panel........................................................................................................... 28
Step 2 - Select IP Properties................................................................................................. 29
Step 3 - IP Address............................................................................................................... 30
Step 4 - DNS Settings........................................................................................................... 30
Web-based Administration............................................................................................................. 30
Overview.................................................................................................................................... 30
Access....................................................................................................................................... 31
Certificate Warning................................................................................................................ 31
Username and Password...................................................................................................... 31
Technical Notes.................................................................................................................... 31
Help........................................................................................................................................... 31
Next Step................................................................................................................................... 32
System Registration....................................................................................................................... 32
Overview.................................................................................................................................... 32
System Activation...................................................................................................................... 32
Create an Online Account..................................................................................................... 32
Complete Registration Wizard............................................................................................... 32
Software Modules........................................................................................................................... 33
Overview.................................................................................................................................... 33
Finding a Module....................................................................................................................... 33
Installing a Module..................................................................................................................... 33
Software Modules via Apt............................................................................................................... 33
Overview.................................................................................................................................... 33
Finding a Module....................................................................................................................... 34
Installing a Module..................................................................................................................... 34
Troubleshooting......................................................................................................................... 35
Network Settings............................................................................................................................ 35
Bandwidth.................................................................................................................................. 35
Overview............................................................................................................................... 35
Services................................................................................................................................ 36
How It Works......................................................................................................................... 36
Configuration......................................................................................................................... 36
Units - kbit/s, kbps, Mbps and Other Confusing Notation...................................................... 37
Links...................................................................................................................................... 37

DHCP Server............................................................................................................................. 37
Overview............................................................................................................................... 37
Installation............................................................................................................................. 38
Configuration......................................................................................................................... 38
Common Errors..................................................................................................................... 40
Links...................................................................................................................................... 40
Hosts and DNS Server............................................................................................................... 40
Overview............................................................................................................................... 40
Configuration......................................................................................................................... 40
Tips and Tricks...................................................................................................................... 40
Links...................................................................................................................................... 40
IP Settings................................................................................................................................. 41
Overview............................................................................................................................... 41
Configuration......................................................................................................................... 41
Configuration from the Console............................................................................................. 42
Troubleshooting.................................................................................................................... 43
Multi-WAN................................................................................................................................. 44
Overview............................................................................................................................... 44
Network Tools....................................................................................................................... 47
UPnP..................................................................................................................................... 48
Wireless Card Configuration.................................................................................................. 48
Firewall........................................................................................................................................... 50
1 to 1 NAT................................................................................................................................. 50
Overview............................................................................................................................... 50
Installation............................................................................................................................. 50
Configuration......................................................................................................................... 50
Advanced................................................................................................................................... 52
Overview............................................................................................................................... 52
Installation............................................................................................................................. 52
Configuration......................................................................................................................... 52
Links...................................................................................................................................... 52
DMZ........................................................................................................................................... 52
Overview............................................................................................................................... 52
Installation............................................................................................................................. 52
Configuration......................................................................................................................... 53
Links...................................................................................................................................... 53
Group Manager.......................................................................................................................... 54
Overview............................................................................................................................... 54
Installation............................................................................................................................. 54
Configuration......................................................................................................................... 54
Incoming.................................................................................................................................... 55
Overview............................................................................................................................... 55
Configuration......................................................................................................................... 55
Outgoing.................................................................................................................................... 56
Overview............................................................................................................................... 56
Configuration......................................................................................................................... 56
Troubleshooting.................................................................................................................... 58
Links...................................................................................................................................... 58
Peer-to-Peer.............................................................................................................................. 58
Overview............................................................................................................................... 58
Installation............................................................................................................................. 58
Configuration......................................................................................................................... 58
Troubleshooting.................................................................................................................... 58

Links...................................................................................................................................... 59
Port Forwarding......................................................................................................................... 59
Overview............................................................................................................................... 59
Configuration......................................................................................................................... 59
Troubleshooting.................................................................................................................... 60
Security.......................................................................................................................................... 60
Intrusion Detection..................................................................................................................... 60
Overview............................................................................................................................... 60
Services................................................................................................................................ 61
Configuration......................................................................................................................... 61
Links...................................................................................................................................... 61
Intrusion Prevention................................................................................................................... 61
Overview............................................................................................................................... 61
Services................................................................................................................................ 61
Configuration......................................................................................................................... 61
Troubleshooting.................................................................................................................... 62
Links...................................................................................................................................... 62
Account Manager........................................................................................................................... 62
Users......................................................................................................................................... 62
Overview............................................................................................................................... 62
Configuration......................................................................................................................... 63
Tips and Tricks...................................................................................................................... 64
Links...................................................................................................................................... 64
Groups....................................................................................................................................... 64
Overview............................................................................................................................... 64
Configuration......................................................................................................................... 64
System Tools.................................................................................................................................. 65
Backup and Restore.................................................................................................................. 65
Overview............................................................................................................................... 65
Installation............................................................................................................................. 65
Configuration......................................................................................................................... 65
Troubleshooting.................................................................................................................... 66
Date........................................................................................................................................... 66
Overview............................................................................................................................... 66
Configuration......................................................................................................................... 66
Encrypted File Systems............................................................................................................. 67
Overview............................................................................................................................... 67
Installation............................................................................................................................. 67
Configuration......................................................................................................................... 67
Troubleshooting.................................................................................................................... 68
Links...................................................................................................................................... 69
Language................................................................................................................................... 69
Overview............................................................................................................................... 69
Running Services....................................................................................................................... 69
Overview............................................................................................................................... 69
Shutdown and Restart............................................................................................................... 69
Overview............................................................................................................................... 69
E-Mail Notification/Alert (SMTP Relay)...................................................................................... 69
Overview............................................................................................................................... 69
Installation............................................................................................................................. 70
Configuration......................................................................................................................... 70
Test Relay............................................................................................................................. 71
Examples.............................................................................................................................. 71

Links...................................................................................................................................... 72
SSL Certificate Manager............................................................................................................ 72
Overview............................................................................................................................... 72
Installation............................................................................................................................. 73
Configuration......................................................................................................................... 73
Troubleshooting.................................................................................................................... 86
Links...................................................................................................................................... 87
Webconfig............................................................................................................................. 87
Modules.......................................................................................................................................... 87
Database................................................................................................................................... 87
MySQL.................................................................................................................................. 87
Email.......................................................................................................................................... 88
Antispam............................................................................................................................... 88
Antispam - Quarantine.......................................................................................................... 90
Antispam - Training............................................................................................................... 91
Antivirus................................................................................................................................ 92
Aliases.................................................................................................................................. 93
Mail Archive........................................................................................................................... 95
Mail Filters (Greylisting)....................................................................................................... 102
Maildrop.............................................................................................................................. 104
POP and IMAP.................................................................................................................... 105
Mail Server - SMTP............................................................................................................. 109
Webmail.............................................................................................................................. 114
File Services............................................................................................................................ 115
Flexshare............................................................................................................................ 115
FTP Server.......................................................................................................................... 128
Windows-Samba................................................................................................................. 129
LAN Backup and Recovery................................................................................................. 132
Printing.................................................................................................................................... 160
Print Server......................................................................................................................... 160
Web Proxy............................................................................................................................... 161
Access Control.................................................................................................................... 161
Banner Ad and Pop-up Blocker........................................................................................... 166
Content Filter....................................................................................................................... 167
Web Proxy........................................................................................................................... 170
Groupware............................................................................................................................... 174
Groupware Configuration.................................................................................................... 174
VPN......................................................................................................................................... 193
PPTP................................................................................................................................... 193
IPsec................................................................................................................................... 198
Entertainment.......................................................................................................................... 201
Photo Gallery...................................................................................................................... 201
Web......................................................................................................................................... 202
Web Server......................................................................................................................... 202
Reports......................................................................................................................................... 207
Current Status.......................................................................................................................... 207
Overview............................................................................................................................. 207
Dashboard............................................................................................................................... 207
Overview.................................................................................................................................. 207
Intrusion Detection................................................................................................................... 207
Overview............................................................................................................................. 207
Logs......................................................................................................................................... 207
Overview............................................................................................................................. 207


SMTP Mail............................................................................................................................... 208


Overview............................................................................................................................. 208
Statistics.................................................................................................................................. 208
Overview............................................................................................................................. 208
Installation........................................................................................................................... 208
Statistics.............................................................................................................................. 208
Links.................................................................................................................................... 209
Web Proxy............................................................................................................................... 209
Overview............................................................................................................................. 209
Report Types....................................................................................................................... 210
Web Server.............................................................................................................................. 214
Overview............................................................................................................................. 214
Installation........................................................................................................................... 214
Configuration....................................................................................................................... 214
Links.................................................................................................................................... 214


Introduction

Welcome
Thank you for choosing ClarkConnect.

ClarkConnect is a server Operating System (OS) that provides enterprise-level network security
and application services to the Small/Medium-sized Business (SMB) market. It protects against
incoming threats, enables your organization to enforce outgoing policy and increases productivity
through integration of services.

Configuration through an easy-to-use web interface helps keep the required knowledge of
Linux to a minimum. You should, however, have at least a working knowledge of basic network
concepts in order to make optimal use of the installation wizard.

This document describes how to install and configure your ClarkConnect server/gateway. The
following are required:
● x86 based hardware for the server
● a DSL or cable modem Internet connection
● a small network

Features
The following features are included in ClarkConnect:
● Web-based manager
● Auto software updates
● Stateful firewall
● Multi-WAN support
● Intrusion detection
● Intrusion prevention
● 1-to-1 NAT support
● DMZ support
● Egress blocking support
● PPTP & IPSec VPN
● Managed/Dynamic VPN
● Dynamic DNS
● Groupware/Collaboration
● Flexshares
● SMTP server
● Antispam (Dual)
● Antivirus
● POP and IMAP servers
● Webmail
● Banner ad blocking
● Web proxy
● Content filtering
● Bandwidth manager
● Peer-to-peer manager
● Internal DHCP server
● Caching DNS server
● RAID support
● Multi-processor support
● Web server (HTTP)
● PHP support
● MySQL support
● SSL certificate manager
● SSL support (HTTPS)
● FTP server
● Mail Archive
● Encrypted Volumes
● Print sharing (CUPS)
● File sharing (SAMBA)
● LAN/server backup
● Health monitoring/alerts
● Daily security audit
● Active OSS community
● Developer API
● SOAP support
● Linux 2.6 kernel
● Technical support

What's New
Release notes are available at http://www.clarkconnect.com/help/release_notes.

Comparing Software Editions


A comparison chart of available ClarkConnect editions is available at:

http://www.clarkconnect.com/info/compare.php

System Requirements

Overview
General hardware requirements and recommendations are listed at:

http://www.clarkconnect.com/info/requirements.php.

Network Cards

PCI Network Cards


Generally, Linux does a good job at auto-detecting hardware. Most mass-market PCI network
cards are supported. Refer to the Red Hat Hardware Compatibility List
(https://hardware.redhat.com/?pagename=hcl&view=advsearch#form) to check the
compatibility of your network card. If you see your network card listed for an older version of Red
Hat, then the card is almost certainly also supported in more recent versions. If you plan on buying
new network cards for ClarkConnect and have two spare PCI slots, then save yourself some time
and select the network cards that are designated 100% compatible.


ISA Network Cards


Do you only have ISA slots available or older ISA network cards around? You can still install the
ClarkConnect software, but it will take some extra work to get the network cards working. You may
have to edit the driver configuration file.

Wireless Network Cards


Though wireless card drivers are included in ClarkConnect, we cannot guarantee compatibility. For
this reason, wireless network cards are not recommended. Instead, we suggest purchasing a
dedicated wireless router for your network.

Internet Connection
ClarkConnect supports most DSL (including PPPoE) and cable modem broadband Internet
connections. We do not expect to add support for ISDN or satellite broadband at present.
However, if you have had success with getting Linux working on such a system, then please let us
know. We want to hear from you!

Cable Modems
Most cable modem Internet service providers will include a standard Ethernet card and external
modem to enable your high-speed Internet connection. The days of proprietary software and logins
are mostly behind us, so you should be able to set up ClarkConnect without too much tinkering.
However, some cable modem providers may still have some quirks. Fortunately, Vladimir Vuksan
has put together a great resource of Cable Modem Providers. If you are having trouble getting
ClarkConnect to work with your cable ISP, check http://tldp.org/HOWTO/Cable-Modem for some
troubleshooting tips.

DSL and PPPoE


During the ClarkConnect installation process, you will be asked which type of DSL service you use
- PPPoE or Standard. These are mutually exclusive implementations, so you will need to select the
correct type during installation. It is very important to know how your Internet service provider
configures your network. If you are not sure, ask the ISP's technical support staff before you begin.

Wireless
The software supports wireless networks. Make sure you select a supported wireless card.

ISDN
We do not support ISDN Internet service providers.

Links
● RAID support and compatibility

Compatibility

Overview
ClarkConnect 4.x is based on Red Hat Enterprise Linux 4. For the most part, hardware that is
compatible with Enterprise Linux will be compatible with ClarkConnect. For checking compatibility,
check the online Red Hat Compatibility Guide - Version 4. Keep in mind, there are many other
hardware products that are compatible -- the list is not exhaustive.
Here are some tips when selecting hardware:
● Avoid the latest technologies and chipsets. This will reduce the likelihood of compatibility
issues and the possible reliability issues that might come with unproven hardware.
● Avoid desktop systems. You may save a few hundred dollars on a desktop system, but they
are more likely to fail when used as a server/gateway.

In case you missed the previous bullet point, avoid desktop systems.

● Check the vendor's web site for Linux compatibility. If you can purchase ServerXYZ with a
version of Red Hat Enterprise Linux pre-installed, then the system is very likely compatible
with ClarkConnect.

Vendors
When it comes to Linux support, some hardware vendors are better than others.

Recommended
The following vendors ship servers with Linux pre-installed and have a good record when it comes
to driver support. You should still check the Red Hat Compatibility Guide - Version 4, especially on
any new models.
● Dell servers (not desktops)
● HP servers
● IBM servers

Not Recommended
The following vendors have a poor track record for Linux support.
● Supermicro
● Promise
● Dell Optiplex desktops

RAID Compatibility
See RAID Support.

RAID Support

Overview
Both software and hardware RAID are supported in ClarkConnect. If you plan on implementing
hardware RAID, please read the section below regarding supported hardware. Before you decide
to purchase an expensive hardware RAID controller card, consider the following passage from the
experts at O'Reilly.

"Software RAID has unfortunately fallen victim to a FUD (fear, uncertainty, doubt) campaign in the
system administrator community. I can’t count the number of system administrators whom I’ve
heard completely disparage all forms of software RAID, irrespective of platform. Many of these
same people have admittedly not used software RAID in several years, if at all. Why the stigma?
Well, there are a couple of reasons. For one, when software RAID first saw the light of day,
computers were still slow and expensive (at least by today’s standards). Offloading a high-
performance task like RAID I/O onto a CPU that was likely already heavily overused meant that
performing fundamental tasks such as file operations required a tremendous amount of CPU
overhead. (...) But today, even multiprocessor systems are both inexpensive and common."

The rest of the passage is available online in the sample chapter: Managing RAID on Linux from
O'Reilly. The book is an excellent resource and highly recommended!

Software RAID
You can implement software RAID in ClarkConnect by selecting the Advanced Partitioning option
during the installation wizard and then following the detailed instructions in the Red Hat 9 User
Guide:
● Partitioning Your System
● Software RAID Configuration

Hardware RAID
Some hardware RAID controller cards are not true hardware controller cards. They are simple IDE
controllers with BIOS and drivers to do software RAID. If redundancy is your primary concern, then
software RAID will serve you better than a quasi-hardware RAID card. To quote (again) from the
Managing RAID on Linux book from O'Reilly:

"The low-end (RAID) controllers are, in essence, software RAID controllers because they rely on
the operating system to handle RAID operations and because they store array configuration
information on individual component disks. The real value of the controller is in the extra ATA
channels."

Supported hardware RAID cards:


● Adaptec SCSI - 200x, 21xx, 22xx, 27xx, 28xx, 29xx, 32xx, 34xx, 39xx, 54xx
● Adaptec IDE - 2400A
● 3ware IDE - Escalade 3W 5xxx/6xxx/7xxx

Non-supported, but may work:


● Check the Serial ATA (SATA) on Linux web site

Non-supported and not recommended:


● Most Promise hardware, notably FastTrak100 TX and FastTrak TX2000
● Adaptec ATA RAID 12xx

As a rule of thumb, if a hardware card is under USD $150, then it is probably not true hardware
RAID (and therefore likely not supported).

Links
● Serial ATA (SATA) Technical Guide


Installation

Starting the Install

Installation CD
A bootable CD drive is required to install the ClarkConnect software. The rest of the software is
installed from the CD-ROM or directly over your high-speed Internet connection.

Starting the Installation


The contents of all your hard disks on the target computer will be completely erased.
● If necessary, change your BIOS settings to run bootable CDs
● Insert the ClarkConnect CD
● Turn on your target computer
● Follow the installation wizard

Configuration Options

Selecting Your Server Type


ClarkConnect now supports standalone server mode. This mode is used to create a server on a
local area network (behind an existing firewall). Only one network card is required. Gateway mode
allows your system to act as a firewall and server on your local network and requires at least two
network cards. If you have two or more network cards installed in the server and want to protect your local
network against threats originating from the Internet, then select gateway mode.

Selecting Your Network Connection Type


If you are installing with a CD-ROM, you will need to select the type of Internet connection you
have (DSL, DSL/PPPoE, Cable).

Selecting Your Network Card Drivers


You will need to manually configure your network card settings if the installer does not
automatically detect the driver. Most ISA-based network cards may also require the I/O and IRQ
settings for the driver. See the Linux Ethernet HOWTO and ISA Network Cards for some tips and
tricks.

Configuring Your Network


Unless your Internet Service Provider (ISP) provides a static IP address, it is recommended that
you use Dynamic IP Configuration. If your ISP assigns a static IP you will need to enter the
individual TCP/IP settings as provided by your ISP. Make sure you have these settings available
during the installation process.

Configuring Your Network - PPPoE


ClarkConnect supports PPPoE DSL connections. Add the username and password provided by
your ISP on this screen. For brain dead ISPs, you may also need to specify DNS servers.

Configuring Your LAN IP Address


If you are installing ClarkConnect as a gateway, you must specify the network settings for your
local area network. The LAN hostname can be used instead of the IP address for many network
tools. For instance, you will be able to access the web-based administration tool at
https://<LAN-hostname>:81 in your web browser.


Selecting Your Hostname - Password - Timezone


The next few screens will ask for your system name, system password and time zone.

Do not forget your system password!

Selecting Your Hard Disk Partitioning Settings


If you would like to specify your own partition scheme, then you should select "yes" on the "Select
Partition Type" screen. The Advanced Partitioning screen will appear in the second stage of the
installation process... don't panic!

Selecting Your Software


Select the software components to install on your system. Not all the modules (including AppleTalk
and Junkbuster) are shown here - don't panic. With the ClarkConnect web-based configuration,
you can add other modules at any time.


Configure Partitioning and RAID

Overview
For some installations, you may want to define a custom partition scheme instead of using the
default. Typically, custom partitioning is required for:
● Software RAID
● Creating a separate /home partition
● Data redundancy with DRBD

Select Advanced Partitioning


If you do not wish to use the default partitioning scheme on your system, then select advanced
partitioning in the installation wizard (see screenshot). The tool for creating partitions will appear at
a later stage in the installer. Continue with the rest of the installation wizard after selecting the
partition type on this screen.

Using the Disk Druid Partition Tool


When the installer displays a disk partitioning setup page, select the Disk Druid option on this
screen. The documentation for this partitioning tool is available here:
● Disk Druid Documentation

Example: Software RAID 1


Using software RAID is a common way to protect against a hard disk failure. Here is a step-by-step
guide to implement Software RAID 1 on regular IDE hard disks.

Preparing the Hardware


For software RAID 1, you need two hard disks. Since the RAID partitions on both the hard disks
must be of equal size, it is a good idea to use two hard disks with (roughly) the same storage
capacity. In our example, we are using two IDE disks on two different disk controllers. These hard
disks are detected in Linux as:
● /dev/hda
● /dev/hdc

Deleting Existing Partitions


Some hard disks may have partitions already defined. These existing partitions (if any) must first
be deleted.
● Use the tab key to move to the main window (one tab after highlighting the Back button)
● Use the up/down arrows to select a partition
● Use the tab key to highlight the Delete button and hit return
● Repeat until all partitions are deleted

Creating the Swap Partition


After all the partitions are deleted, we can start our RAID configuration. First, we are going to start
with the swap memory partitions. Putting swap memory on a software RAID partition is not
recommended. For this reason, simply create swap partitions on both hard disks.
● Tab to the New button and hit return
● Tab down to File System Type and select swap
● Tab to Allowable Drives and mark only hda and take the mark off of hdc.
● Tab down to Size (MB) and type in the size of your RAM in megabytes (MB)
● Tab down to OK and hit return.

Repeat the same process, but this time mark hdc as an allowable drive and take the mark off of
hda.

Creating RAID Partitions


The boot partition (/boot) is where we are going to start with our RAID solution.
● Tab to the New button and hit return
● Tab down to File System Type and select software raid
● Tab to Allowable Drives and mark only hda and take the mark off of hdc.
● Tab down to Size (MB) and type in 100
● Tab down to OK and hit return.

Repeat the same process, but this time mark hdc as an allowable drive and take the mark off of
hda. Now that we have two identical 100 MB partitions on both disks, we can create the software
RAID disk:
● Tab to the RAID button and hit return
● Type in /boot in the Mount Point field
● Tab to RAID Level and select RAID1
● Tab to RAID Members and make sure the two partitions created earlier are selected

This example creates the /boot partition. Go through the same process for the root partition (/) and
optionally any other partition that you want to create (/home, /var, etc.).


Configuring the Boot Loader


We are almost done with the software RAID configuration. Next, the installation wizard will ask for
the boot loader settings.
● Select Grub as your boot loader
● Disable the boot password (unless you really need it)

If you have trouble booting up your system with Grub, you can use the Lilo boot loader as an
alternative. However, you will need to type the following on the first installation screen: linux lilo.
If the secondary disk fails (/dev/hdc), then the system will still be bootable. If the primary disk fails
(/dev/hda), then your system will not boot. In order to make the secondary disk bootable as well,
run the following command:

# grub-install /dev/hdc

Or:
# grub-install --recheck /dev/hdc

Testing Software RAID


If you would like to sanity check your RAID system, then:
● Power down the machine
● Unplug the data connector from the drive (just unplugging the power is going to make the
BIOS unhappy and the system will not be bootable)
● Power up the machine
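
After the unplug test above, the kernel's /proc/mdstat shows whether each array is running on both members or only one. The parser below is an added example, not part of the original manual; the sample text is constructed for the hda/hdc layout used in this guide (sizes are made up), and it assumes Python 3 on whichever machine you feed the output to.

```python
import re

# Constructed samples of /proc/mdstat for the two-disk layout in this guide
# (hda + hdc, /boot on md0, / on md1). Block counts are illustrative only.
HEALTHY = """\
Personalities : [raid1]
md1 : active raid1 hdc3[1] hda3[0]
      38965504 blocks [2/2] [UU]

md0 : active raid1 hdc1[1] hda1[0]
      104320 blocks [2/2] [UU]

unused devices: <none>
"""

# Same system booted with the data cable of /dev/hdc unplugged.
HDC_UNPLUGGED = """\
Personalities : [raid1]
md1 : active raid1 hda3[0]
      38965504 blocks [2/1] [U_]

md0 : active raid1 hda1[0]
      104320 blocks [2/1] [U_]

unused devices: <none>
"""

# "md0 : active raid1 hdc1[1] hda1[0]"; the level is absent on inactive arrays.
ARRAY_RE = re.compile(r"^(md\d+)\s*:\s*(\S+)(?:\s+(raid\d+|linear))?\s+(.*)$")
# "hdc1[1]" or "hdc1[1](F)" when the kernel has marked the member faulty.
MEMBER_RE = re.compile(r"(\w+)\[(\d+)\](\(F\))?")
# "[2/1] [U_]" = 2 members expected, 1 active, second slot missing.
STATE_RE = re.compile(r"\[(\d+)/(\d+)\]\s+\[([U_]+)\]")


def parse_mdstat(text):
    """Return one dict per md array found in /proc/mdstat text."""
    arrays = []
    for line in text.splitlines():
        header = ARRAY_RE.match(line)
        if header:
            name, state, level, rest = header.groups()
            found = MEMBER_RE.findall(rest)
            arrays.append({
                "name": name,
                "state": state,
                "level": level,
                "members": [dev for dev, _, failed in found if not failed],
                "failed": [dev for dev, _, failed in found if failed],
                "expected": None,
                "active": None,
                "status": None,
            })
            continue
        counts = STATE_RE.search(line)
        if counts and arrays and arrays[-1]["status"] is None:
            arrays[-1]["expected"] = int(counts.group(1))
            arrays[-1]["active"] = int(counts.group(2))
            arrays[-1]["status"] = counts.group(3)
    return arrays


def degraded_arrays(arrays):
    """Names of arrays that are not running on all of their member disks."""
    bad = []
    for a in arrays:
        missing = a["status"] is None or "_" in a["status"]
        if a["state"] != "active" or missing or a["failed"]:
            bad.append(a["name"])
    return sorted(bad)


if __name__ == "__main__":
    for label, text in (("healthy", HEALTHY), ("hdc unplugged", HDC_UNPLUGGED)):
        result = degraded_arrays(parse_mdstat(text))
        print(label, "->", result or "all arrays complete")
```

An array that still reports `[2/1]` after the disk has been reconnected is running without redundancy, so a second disk failure would lose data.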

Links
● Software RAID Howto
● Old Red Hat Installation Guide

Troubleshooting

Overview
There are thousands of pieces of hardware and related drivers available for use in the PC world.
The advantage: consumer choice. The disadvantage: hardware compatibility issues are common.
There are several debug screens in the installer that can help when an installation fails. Use the
Alt-FX key combination to view:
● Alt-F1: main install screen
● Alt-F2: command line (not always available)
● Alt-F3: general log
● Alt-F4: driver log
● Alt-F5: hard disk / CD log

Network Configuration

Overview
When you start the system for the first time, you will be taken to a login screen for the network
console tool. The purpose of this console tool is to configure your network settings. After you
log in with your system password, you will see a screen similar to the one shown below.


Once your network is up and running, open a web browser on any desktop or laptop. You can then
use the web-based administration tool to configure other applications in ClarkConnect.

Configuration

Network

Mode
The ClarkConnect system can run in four modes:
● Standalone Mode - No firewall - for a standalone server without a firewall (1 network card)
● Standalone Mode - for a standalone server with a firewall (1 network card)
● Gateway - for connecting your LAN to the Internet (2 network cards)
● DMZ - for connecting a LAN and DMZ to the Internet (3 network cards)


Hostname
A hostname is the full name of your system. If you have your own domain, you can use a
hostname like gateway.example.com, mail.example.com, etc. If you do not have your own
domain then make one up, for instance: gateway.lan, mail.lan. The hostname does require at
least one period (.).

Name/DNS Servers
On DHCP and DSL/PPPoE connections, the DNS servers will be configured automatically. In
these two types of connections there is no reason to set your DNS servers. Users with static IP
addresses should use the DNS servers provided by your Internet Service Provider (ISP).

Interfaces
The network interface section of the console tool lets you configure the roles and settings of each
network card on the system. More information is provided in the IP Settings section of the user
guide.

Accessing Login Prompt


If you are an advanced user and would like to access the standard login prompt, hit Alt-F2 on your
keyboard. To return to ClarkConnect console, hit Alt-F7 (Alt-F1 for versions 4.0 or earlier).

LAN Configuration

Overview
All of the computers and devices on your network should have Internet addresses between
192.168.x.2 and 192.168.x.254. When you are configuring your network, you have two choices:

● Manually set the IP address to a specific number (static IP) or
● Allow ClarkConnect to automatically set the client IP address (via the DHCP server).

If you configure devices with static IP addresses, make sure you only use an address between
192.168.1.2 - 192.168.1.99. ClarkConnect includes a caching DNS server, but you can use
your Internet Service Provider's DNS servers instead if you wish.

Network Settings
Feature | Description
Default ClarkConnect IP Address | 192.168.1.1
Available static IPs | 192.168.1.2 - 192.168.1.99
Addresses used by DHCP | 192.168.1.100 - 192.168.1.254
DNS Servers | 192.168.1.1 and/or your ISP's DNS servers

Windows 95/98
To set up networking in the Windows 95/98 environment...

Step 1 - Control Panel


● Click on the Start button, then follow the menu to Settings > Control Panel
● Double-click on the Network icon to bring up a window that will look similar to the
screenshot
● Select TCP/IP and click on the Properties button.


Step 2 - IP Address
On the IP Address tab, you can select Obtain an IP address automatically and ClarkConnect will
automatically assign an IP address for you.

Alternatively, you can choose Specify an IP address (as shown in the screenshot). Make sure you
pick an address between 192.168.1.2 and 192.168.1.99. The subnet mask is always 255.255.255.0.


Step 3 - Gateway Settings


Click on the Gateway tab. If you decided to let ClarkConnect assign your IP address automatically,
then there is no need to add an Installed Gateway. Your ClarkConnect software will automatically
handle this for you. If you decided to specify your IP address, then you will need to add
192.168.1.1 to the list of installed gateways (as shown).

Step 4 - DNS Settings


If you decided to let ClarkConnect assign your IP address automatically, then you can select
Disable DNS. ClarkConnect will automatically configure these settings.

If you decided to specify your IP address, then you will need to add 192.168.1.1 to the DNS
Server Search Order list (as shown).

You should also add a host name and then add "lan" as the domain. If you prefer to bypass the
ClarkConnect DNS cache, you can add the DNS servers given by your Internet service provider.


Windows 2000
To set up networking in the Windows 2000 environment...

Step 1 - Network Connections


Click on the Start button, then follow the menu to Settings > Network and Dial-up Connections

Right-click on the Local Connection icon and go to properties.


If the Local Area Connection Properties does have Internet Protocol (TCP/IP) go to Step 2 -
Configuring TCP/IP. If the Local Area Connection Properties does not have Internet Protocol
(TCP/IP), you will need to install it using the Install button.

The "Select Network Component Type" dialog box will appear.


● Select "Protocol" and click on Add. The enumeration of the protocols will take a minute or
so.
● Select "Microsoft" from the left panel and select Internet Protocol (TCP/IP) from the right
panel.
● Click the OK button.

Step 2 - Configuring TCP/IP


You can configure the TCP/IP properties by clicking on the properties button in the Local Area
Connection dialog box.


Select "Obtain an IP address automatically" and ClarkConnect will automatically assign an IP
address for you.

Alternatively, you can choose "Use the following IP address:" and enter the IP address, subnet
mask, default gateway and DNS server addresses. If you have more than three DNS servers, use
the advanced button at the bottom of the dialog box to specify the addresses and the order in
which they are used.


Windows XP
To set up networking in the Windows XP environment:

Step 1 - Control Panel


● Click on the Start button, then follow the menu to Settings > Control Panel
● Double-click on Network Connections
● Right click on Local Area Connection and go to Properties


Step 2 - Select IP Properties


Select TCP/IP and click on the Properties button.


Step 3 - IP Address
On the IP Address tab, you can select Obtain an IP address automatically and ClarkConnect will
automatically assign an IP address for you.

Alternatively, you can choose Specify an IP address (as shown in the screenshot). Make sure you
pick an address between 192.168.1.2 and 192.168.1.99. The subnet mask is always 255.255.255.0.

Step 4 - DNS Settings


If you decided to let ClarkConnect assign your IP address automatically, then you can select
Disable DNS. ClarkConnect will automatically configure these settings.

If you decided to specify your IP address, then you will need to add 192.168.1.1 to the DNS
Server Search Order list (as shown).

You should also add a host name and then add "lan" as the domain. If you prefer to bypass the
ClarkConnect DNS cache, you can add the DNS servers given by your Internet service provider.

Web-based Administration

Overview
Once you have your network up and running with the network configuration tool, you can configure
all other ClarkConnect features from the web browser of any desktop or laptop computer.

Access
To access the ClarkConnect web-based administration tool, type the following into your web
browser:
https://IP_Address:81

for example:

https://192.168.1.1:81

The IP address that you need to use was selected during installation. If you do not remember this
information, you can always connect a keyboard and monitor to the system and check the network
configuration tool.

Certificate Warning
You will see a warning about your security certificate (see adjacent screenshot). Click on the
appropriate button to ignore the message. Your connection is still secure and encrypted, but your
server certificate is not official. A valid certificate costs over $100 a year to maintain and is not
necessary in this situation.
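
Because the certificate is self-signed, the browser warning alone cannot tell the server's own certificate from a substitute. The following Python sketch, an added example that is not part of ClarkConnect, records the certificate's SHA-256 fingerprint the first time it is seen and compares it on later connections; the function names and the pin file name are hypothetical.

```python
import hashlib
import json
import ssl
from pathlib import Path


def fingerprint_from_pem(pem: str) -> str:
    """SHA-256 fingerprint (lowercase hex) of a PEM-encoded certificate."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha256(der).hexdigest()


def fetch_fingerprint(host: str, port: int = 81) -> str:
    """Fetch the certificate the server presents, without validating it.

    With no CA bundle given, get_server_certificate() does not verify the
    chain, which is what lets it retrieve a self-signed certificate.
    """
    return fingerprint_from_pem(ssl.get_server_certificate((host, port)))


def check_pin(store: Path, endpoint: str, fingerprint: str) -> str:
    """Compare a fingerprint with the one recorded for this endpoint.

    Returns "pinned" the first time an endpoint is seen, "match" when the
    fingerprint equals the recorded one, and "mismatch" otherwise.
    A mismatch never overwrites the recorded value.
    """
    pins = json.loads(store.read_text()) if store.exists() else {}
    known = pins.get(endpoint)
    if known is None:
        pins[endpoint] = fingerprint
        store.write_text(json.dumps(pins, indent=2))
        return "pinned"
    return "match" if known == fingerprint else "mismatch"


if __name__ == "__main__":
    # 192.168.1.1:81 is the example address used in this manual.
    endpoint = "192.168.1.1:81"
    pin_file = Path("webconfig-pins.json")  # hypothetical file name
    print(endpoint, check_pin(pin_file, endpoint, fetch_fingerprint("192.168.1.1", 81)))
```

Record the first fingerprint from a machine plugged directly into the LAN, and treat a later "mismatch" as a reason to check the server from its console before logging in.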

Username and Password

You will then see a login prompt (see adjacent screenshot). Log in with the username root and
your system password.

Technical Notes
Please note the following about the web-based administration tool:
● it uses the encrypted protocol (https instead of http)
● it runs on a non-standard port (the :81 appended to the web page address) so that it does not
interfere with an existing web server

Help
Every configuration page in the web-based administration tool includes a web link to the user
guide. If you ever need more information on a particular page, simply click on the link (see
screenshot below).

Next Step
After logging in, registering your system should be your first task.

System Registration

Overview
ClarkConnect is much more than a collection of software packages to perform gateway and server
functionality. A distributed network infrastructure (ClarkConnect Gateway Services) provides,
among other things:
● Gateway Services account interface - online demo
● Software updates via FTP and APT
● DNS and dynamic DNS services
● Content filter updates
● Intrusion detection and prevention updates
● Remote port and system monitoring
● Security audits
● Remote backup/restore (Q1 2008)

System Activation

Create an Online Account


If you do not yet have a ClarkConnect online account, you can create one here. It is quick, painless
and free!

Complete Registration Wizard


With your online account information in hand, you are now ready to register your ClarkConnect
system.
● Log in to your system via the Webconfig UI
● Click on Services > Register > Register System in the menu
● In the first step in the wizard, enter your online account username and password

The next step in the registration process (see screenshot) is important -- especially for upgrades
and re-installs. Make sure you select the right option.

Software Modules

Overview
Software modules can be installed via the web-based administration tool. For
users who prefer command line interfaces, you can find more information on the suite of apt tools
here.

Finding a Module
The web-based administration tool lists all available modules under Services > Software > Install
Modules in the menu (see screenshot). This page displays the list of available modules
that can be installed on your ClarkConnect system.

Installing a Module
Select the module you wish to install, and hit 'Go'. Installing a module may take some time,
depending on the size of the package, dependencies, your connection speed and the load/number
of connections on the apt-get repository server. Please be patient!

Once complete, you will see an additional navigation link under the appropriate heading. For
example, if you were installing the DMZ and 1:1 NAT firewall module, you will find the configuration
pages under Network > Firewall in the menu.

Software Modules via Apt

Overview

For users who prefer the command line environment over the web-based interface, the apt suite
of tools provides a way to search and install modules. The following table summarizes the most
commonly used commands; detailed information follows.

Command                         Description
apt-get update                  for updating the latest list of available software packages
apt-get upgrade                 for installing all the available updates for your current installation
apt-get dist-upgrade            for installing updates after a ClarkConnect upgrade
apt-get install                 for downloading and installing software packages
apt-cache search <search term>  for searching for software packages

Finding a Module
A complete listing of all packages in the apt-get repository can be found by using the following
command:

You can narrow your search by specifying a search term. For example, if you wanted to find
packages relating to the Postfix SMTP mail server, you could issue the following command:
The response would include all packages containing the search string 'postfix':

Installing a Module
The following example would install the advanced firewall rule set from ClarkConnect.
The result would be something similar to the following screenshot.

Troubleshooting
Do not forget to run apt-get update before you start using the suite of apt tools. If you do not run
this command first, you may find yourself using obsolete software package information.

Network Settings

Bandwidth

Overview
Bandwidth Information
Description         Manages bandwidth through the gateway.
Package Name        cc-bandwidth
Configuration Page  Network > IP Settings > Bandwidth

The bandwidth manager is used to shape or prioritize incoming and outgoing network traffic. You
can limit and prioritize bandwidth based on IP address, IP address ranges, port, and port ranges.

Services
The Bandwidth Monitor service provides hourly bandwidth measurements from our remote system
monitors. The service is an excellent tool for monitoring your Internet Service Provider's (ISP)
quality of service. This service will monitor your downstream rate, the rate at which you can receive
data from an external source (download speed).

How It Works
The bandwidth manager is designed to guarantee a certain speed for either an IP address and/or
port on your LAN (or DMZ). The bandwidth manager does not manage traffic to the ClarkConnect
box itself. To demonstrate how the system works, let's go through a scenario with a voice-over-IP
(VoIP) server. We have:
● a 1000 kbit/s upload and download connection to the Internet
● a voice-over-IP (VoIP) server at 192.168.1.80 on our local network
● enabled a bandwidth rule that reserves 500 kbit/s upload and download for the VoIP server

In our example, the network is at first completely congested with web downloads. The VoIP server
is idle, so the full 1000 kbit/s is used for the web downloads. In other words, the web downloads
are allowed to "borrow" the bandwidth we have reserved for the VoIP server.
Someone in the office then makes an outbound 4-person conference call via the voice-over-IP
server. The conference call requires 300 kbit/s and the bandwidth manager will go into action. The
lower priority web downloads will get slowed from the maximum 1000 kbit/s to 700 kbit/s. The
higher priority conference call will receive its required 300 kbit/s.

Configuration

Bandwidth Rules
A bandwidth management rule contains the following six parameters.

Nickname
The first parameter is an optional nickname you can use to easily identify the rule. Valid nicknames
can contain alphanumeric characters (A-Z, a-z, 0-9) and optional dashes '-' or underscores '_'. Spaces
are not allowed.

IP Address/Range
The IP address parameter can contain:
● A single IP address
● An IP address range
● nothing

If this field is left blank, then the bandwidth rule will apply to all IP addresses. IP ranges can
be specified using network and netmask, for example: 192.168.0.1/255.255.255.0 or
192.168.0.1/24.

Port/Range
The port parameter is used to apply a bandwidth rule to a particular service. For instance, you can
limit web traffic by specifying port 80. If the port is left empty, then all ports will be affected. You
may also specify a colon-delimited port range. For instance, 5000:5010 would impact all the ports
between 5000 and 5010.

Priority
Priority provides a mechanism to prioritize traffic when all bandwidth rules are at capacity.
Higher priority traffic will be given preference over lower priority traffic. There are 7 priority levels,
1 - 7, where 1 is the highest priority. By default, traffic that is not matched by a bandwidth rule will be
assigned the lowest priority.

Upload
The upload rate in kilobits per second. If left empty, the upload rate will be unlimited.

Download
The download rate in kilobits per second. If left empty, the download rate will be unlimited. Note: If
both upload and download are left empty, then the rule will be invalid.
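
The six rule parameters above, expressed as an input validator in Python. This is an added example, not ClarkConnect's own code: the function and field names are hypothetical, and the port bounds and the rejection of a zero rate are assumptions marked in the comments.

```python
import ipaddress
import re

# Explicit character classes: a regex range written as [A-z] would also
# accept the punctuation that sits between 'Z' and 'a' in ASCII.
NICKNAME = re.compile(r"[A-Za-z0-9_-]+")
NUMBER = re.compile(r"[0-9]{1,9}")


def parse_address(text):
    """'' -> None (all addresses), a single IP, or a network/netmask."""
    text = text.strip()
    if not text:
        return None
    if "/" in text:
        # Handles 192.168.0.1/24 and 192.168.0.1/255.255.255.0 alike;
        # strict=False allows host bits in the address part.
        return ipaddress.ip_network(text, strict=False)
    return ipaddress.ip_address(text)


def parse_ports(text):
    """'' -> None (all ports), '80' -> (80, 80), '5000:5010' -> (5000, 5010)."""
    text = text.strip()
    if not text:
        return None
    parts = text.split(":")
    if len(parts) > 2 or not all(NUMBER.fullmatch(p) for p in parts):
        raise ValueError(f"expected PORT or LOW:HIGH, got {text!r}")
    low, high = int(parts[0]), int(parts[-1])
    # Assumption: valid ports are 1-65535 and a range must be ascending.
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"port range {text!r} is out of bounds or reversed")
    return (low, high)


def parse_rate(text):
    """'' -> None (unlimited), otherwise a positive integer in kbit/s."""
    text = text.strip()
    if not text:
        return None
    # Assumption: a rate of 0 is rejected rather than treated as unlimited.
    if not NUMBER.fullmatch(text) or int(text) == 0:
        raise ValueError(f"expected a positive whole number of kbit/s, got {text!r}")
    return int(text)


def validate_rule(nickname, address, ports, priority, upload, download):
    """Return (rule, errors); rule is None when errors is non-empty."""
    errors = []
    rule = {"nickname": nickname}
    if nickname and not NICKNAME.fullmatch(nickname):
        errors.append("nickname: only letters, digits, '-' and '_' are allowed")
    fields = (("address", parse_address, address), ("ports", parse_ports, ports),
              ("upload", parse_rate, upload), ("download", parse_rate, download))
    for name, parser, raw in fields:
        try:
            rule[name] = parser(raw)
        except ValueError as exc:
            errors.append(f"{name}: {exc}")
    if NUMBER.fullmatch(priority.strip()) and 1 <= int(priority) <= 7:
        rule["priority"] = int(priority)
    else:
        errors.append("priority: must be 1 (highest) to 7 (lowest)")
    if not upload.strip() and not download.strip():
        errors.append("rate: upload and download cannot both be empty")
    return (None, errors) if errors else (rule, errors)
```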

Peer-to-Peer Bandwidth Rules


In order to manage peer-to-peer traffic, make sure you have the Peer-to-Peer module installed.

Configuring bandwidth control for peer-to-peer is similar to creating a regular bandwidth rule.
However, you need to specify the peer-to-peer network instead of the IP address and port.

Units - kbit/s, kbps, Mbps and Other Confusing Notation


Depending on where you are and who you are talking to, there are different measurement units
used for bandwidth. Here are some tips to help with converting from one unit to another --
capitalization is important:

Unit                  Alternatives
kilobits per second   kbps   kbit/s    kb/s
kilobytes per second  kBps   kbytes/s  kB/s
megabits per second   Mbps   Mbit/s    Mb/s
megabytes per second  MBps   Mbytes/s  MB/s

Conversion tips:
● Mega is 1000 times larger than kilo
● A byte is 8 times larger than a bit
Examples:
● 1 Megabit per second is approximately 1000 kilobits per second
● 1 Megabyte per second is approximately 8000 kilobits per second

Links
● Linux Advanced Routing and Traffic Control
● HTB Queueing

DHCP Server

Overview
DHCP Server Information
Description         DHCP server for dynamically assigning IP addresses.
Package Name        cc-dnsmasq
Configuration Page  Network > IP Settings > DHCP

The Dynamic Host Configuration Protocol (DHCP) allows hosts on a network to request and be
assigned IP addresses. This service eliminates the need to manually configure new hosts that join
your network.

Installation
If you did not select this module to be included during the installation process, you must first install
the module.

Configuration

Global Settings

Status
You can enable and disable the DHCP server at any time.

Authoritative
Unless you are running more than one DHCP server on your network, enable Authoritative mode. When
this is enabled, then DHCP requests on unknown leases from unknown hosts will not be ignored.
This will be the case when a foreign laptop is plugged into your network.

Domain Name
The server can auto-configure the default domain name for systems using DHCP on your network.
You can either use a registered domain (for example: example.com) or you can simply make one
up (for example: lan). Example:
● A desktop system on your local network has a system name scooter and uses DHCP.
● The domain name specified in the DHCP server is example.com.
● On startup, the desktop system appends example.com to its system name. Its full
hostname would become scooter.example.com.

Subnet Configuration
In a typical installation, the DHCP server is configured on all LAN interfaces. To add/edit DHCP
settings for a particular network interface, click on the appropriate add/edit button. The following
screenshot highlights the button for adding DHCP settings for the eth1 network interface.

Network, Netmask and Broadcast

The network, netmask and broadcast are automatically detected. In almost all circumstances, you
want to use these detected default values.

IP Ranges
Keep a range of IP addresses available for systems and services that require static addresses. For
instance, VPN and some types of network printers require static IP addresses.

In a typical local area network, the first 99 IP addresses are set aside for static addresses while the
remaining addresses from 100 to 254 are set aside for the systems using the DHCP server. Adjust
these settings to suit your needs and your network.

DNS Address
The server can auto-configure the DNS settings for systems using DHCP on your network. By
default, the IP address of the caching DNS server on your ClarkConnect system is used. You
should change this setting if you want to use an alternate DNS server.

WINS Address
If you have a Microsoft Windows Internet Naming Service (WINS) server on your network, you can
provide the IP address to all Windows computers on your network. This will allow Windows
systems to access resources via Network Neighborhood. You can enter the LAN IP address of
your ClarkConnect system here if you have enabled the WINS server on ClarkConnect.

Active and Static Leases


A list of systems that are actively using the DHCP server is shown in the Active Leases table. If
you would like to make a DHCP lease for a particular system permanent, you can click on the
appropriate Add button in this list. In the screenshot below, the button to add
192.168.2.212/Scooter as a static lease is shown.

Common Errors
● You should only have one (1) DHCP server per network.
● Enabling DHCP on your Internet connection is not a good idea.

Links
● Dnsmasq Documentation

Hosts and DNS Server

Overview
Hosts and DNS Server Information
Description Hosts file and local DNS server configuration.
Package Name cc-dnsmasq
Configuration Page Network IP Settings Hosts and DNS Server

Hosts (/etc/hosts) is a simple text file that associates IP addresses with hostnames. If you have the
caching DNS server installed, all the entries in the hosts file will be made available.

Configuration
A host is defined as any system with an IP address -- desktop, laptop, printer, media device, etc.
Each host can have a hostname, along with any number of aliases. For example, you could add a
hostname for a file server on your network with the following settings:
● IP Address: 192.168.1.10
● Hostname: fileserver.example.com

After adding the hostname, you are given an opportunity to add additional aliases (or hostnames)
for the given host. If we were using the file server as a backup server, we could add
backup.example.com to the list of aliases.

Tips and Tricks


You may have noticed that a default alias is added whenever you add a hostname. For example,
adding the hostname fileserver.example.com will also add the default alias fileserver. This alias
can be used as a shortcut on your network. How? If you use the ClarkConnect DHCP server, you
can specify a default domain name. Staying with our example, our default domain name should be
set to example.com. Any system using DHCP could then access other systems on the network
using the alias (fileserver) instead of the full hostname (fileserver.example.com).

Links
● Dnsmasq

IP Settings

Overview
IP Settings Information
Description         IP, hostname and DNS settings.
Package Name        cc-network
Configuration Page  Network > IP Settings > IP Settings

A configuration page for configuring your network cards, hostname and DNS servers.

Configuration
Linux will auto-detect most PCI-based network cards. Older ISA cards may require setting
parameters for the IRQ and IO. You may also need to disable plug-and-play features on the card.
Please check Red Hat's Hardware Compatibility Lists to see what settings may be required for
your brand of network card.

Network Roles
When configuring a network interface, the first thing you need to consider is the network role. Will
this network card be used to connect to the Internet, for a local network, for a network with just
server systems? The following network roles are supported in ClarkConnect and are described in
further detail in the next sections:
● External - network interface with direct or indirect access to the Internet
● LAN - local area network
● Hot LAN - local area network for untrusted systems
● DMZ - de-militarized zone for a public network

On a standalone system, your network card should be configured with an external role, not a LAN
role.

External
The external role provides a connection to the Internet. On a ClarkConnect system configured as a
gateway, the external role is for your Internet connection. On a ClarkConnect system configured in
standalone mode, the external role is for connecting to your local area network.

With the Office and Enterprise Editions, you can have more than one external interface configured
for load balancing and automatic failover. See the Multi-WAN section of the user guide for details.

Gateway Setting -- If you have a static IP address, it is important to make sure the gateway
configuration setting is correct. If the gateway setting is missing or invalid, your system will be
unable to reach the Internet. On most networks, the gateway IP address will be on the same
network as your external IP address. For example, an external IP address of 10.22.22.22 will
typically have a gateway at 10.22.22.1 or 10.22.22.254. In some circumstances, the gateway will
not be on the same network. You will see a warning message about this unusual gateway
configuration.

LAN
The LAN (local area network) role provides network connectivity for your desktops, laptops and
other network devices. LANs should be configured with an IP address range of 192.168.x.x or
10.x.x.x. For example, you can configure your ClarkConnect LAN interface with the following:
● IP: 192.168.1.1
● Netmask: 255.255.255.0

All systems on your LAN would have IP addresses in the range of 192.168.1.2 to 192.168.1.254.

Hot LAN
Hot LAN (or "Hotspot Mode") allows you to create a separate LAN network for untrusted systems.
Typically, a Hot LAN is used for:
● Servers open to the Internet (web server, mail server)
● Guest networks
● Wireless networks

A Hot LAN is able to access the Internet, but is not able to access any systems on a LAN. As an
example, a Hot LAN can be configured in an office meeting room used by non-employees. Users in
the meeting room could access the Internet and each other, but not the LAN used by employees.

The Port Forwarding page in the web-based administration is used to forward ports to both LANs
and Hot LANs.

Only one Hot LAN is permitted.

DMZ
In ClarkConnect, a DMZ interface is for managing a block of public Internet IP addresses. If you
do not have a block of public IP addresses, then use the Hot LAN role. A typical DMZ setup looks
like:
● WAN: An IP address for connecting to the Internet
● LAN: A private network on 192.168.x.x
● DMZ: A block of Internet IPs (e.g. from 216.138.245.17 to 216.138.245.31)

The web-based administration tool has a DMZ Configuration tool to manage the DMZ network.

Virtual IPs
ClarkConnect supports virtual IPs. To add a virtual IP address, click on the link to configure a
virtual IP address and specify the IP Address and Netmask.

You will also need to create advanced firewall rules if the virtual IP is on the Internet.

Configuration from the Console


You can access network configuration tools from the Administration Console tool. All other
configuration is done remotely via a web browser -- the console is only used to change or configure
your network information. The console can be accessed from a monitor and keyboard attached to the
server.

Troubleshooting
The two network cables coming from your box may need to be swapped. If you are having a hard
time connecting to the Internet, make sure you try swapping the cables.

In most installs, the network cards and IP settings will work straight out of the box. However,
getting the network up the first time can be an exercise in frustration on some installs. Issues
include:
● Network cards that are not auto-detected
● Invalid network settings (username, password, default gateway)
● Finicky cable/DSL modems that cache network card hardware information

Here are some helpful advanced tools and tips to diagnose a network issue. After booting the
system, hit Alt-F2 to get to a login prompt. Log in with your username root and your password. The
following tools will show detailed diagnostic data on your network cards.
● mii-tool displays link status and speed
● ethtool eth0 displays link status, speed, and many other stats - not all cards support this
tool
● ifconfig eth0 displays IP settings on eth0

Multi-WAN

Overview
MultiWAN Information
Description         Support for multiple connections to the Internet.
Package Name        cc-multiwan
Configuration Page  Network > IP Settings > Multi-WAN

The multi-WAN feature in ClarkConnect allows you to connect your system to multiple Internet
connections. ClarkConnect multi-WAN not only provides load balancing, but also automatic
failover.

Installation
If you did not select this module to be included during the installation process, you must first install
the module.

How It Works
ClarkConnect multi-WAN has the following features:
● auto-failover
● load balanced
● round-robin based on user-defined weights (see configuration section)

To give you an example of how multi-WAN works, imagine two 1 Mbit/s DSL lines with two users
on the local network. With every new connection to a server on the Internet, the multi-WAN system
alternates WAN interfaces. User A could be downloading a large file through WAN #1, while User
B is making a voice-over-IP (VoIP) telephone call on WAN #2.

With some applications, the download speed for the multi-WAN system can use the full 2 Mbit/s
available. For example, downloading a large file from a peer-to-peer network will use the
bandwidth from both WAN connections simultaneously. This is possible since the peer-to-peer
technology uses many different Internet "peers" for downloading. At the other end of the spectrum,
consider the case of downloading a large file from a web site. In this case, only a single WAN
connection is used -- 1 Mbit/s maximum.

Bandwidth aggregation (combining multiple WAN interfaces to look like a single WAN interface) is
not possible without help from your ISP since both ends of an Internet connection must be
configured.

Configuration

Enable/Disable
When multi-WAN is enabled, all active WAN interfaces are used to connect to the Internet. When
multi-WAN is disabled, the first active WAN interface is the only network used to connect to the
Internet.

Weights
Multi-WAN weights are used to load balance outbound Internet traffic. By default, all WAN
interfaces are given a weight of one. This default configuration means the network traffic will be
(roughly) evenly split amongst the different WAN connections.

In one of the typical multi-WAN configurations, a second broadband connection is used for backup.
This second connection is often a low-cost and low-bandwidth connection. In this case, you would
want to set the weight on your high-bandwidth connection to 3 or 4, while leaving your
low-cost/low-end connection with a weight of 1.

Source Based Routes


In some situations, you may want a system on your local area network (LAN) to always use a
particular WAN interface. The screenshot below displays the configuration for two scenarios:
● Sending network traffic for the 216.138.245.16/28 block of Internet IPs out the eth0 WAN.
● Sending network traffic from a voice-over-IP (VoIP) server on the LAN at 192.168.1.100 out
the eth1 WAN.

Destination Port Rules


In some situations, you may want to send network traffic for a specific port from your LAN out a
particular WAN interface. The screenshot below displays the configuration for always sending DNS
traffic (port 53) out the eth0 WAN network.

Destination port rules only apply to connections originating on your LAN. These rules do not apply
to traffic originating from the ClarkConnect system itself.
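
A simplified Python model of how weights, source based routes and destination port rules decide which WAN a new LAN connection uses. It is an added example, not ClarkConnect code: the class and method names are hypothetical, smooth weighted round-robin stands in for whatever scheduler ClarkConnect uses, and checking source based routes before port rules is an assumption.

```python
import ipaddress


class MultiWanModel:
    """Per-connection WAN selection for traffic originating on the LAN."""

    def __init__(self, weights):
        self.weights = dict(weights)          # e.g. {"eth0": 3, "eth1": 1}
        self.up = set(self.weights)           # interfaces currently usable
        self.credit = dict.fromkeys(self.weights, 0)
        self.source_routes = []               # [(network, interface)]
        self.port_rules = {}                  # {destination port: interface}

    def add_source_route(self, source, interface):
        # A bare address such as 192.168.1.100 becomes a /32 network.
        self.source_routes.append((ipaddress.ip_network(source), interface))

    def add_port_rule(self, port, interface):
        self.port_rules[port] = interface

    def set_link(self, interface, is_up):
        if is_up:
            self.up.add(interface)
        else:
            self.up.discard(interface)

    def _balanced(self):
        """Smooth weighted round-robin over the interfaces that are up."""
        active = [i for i in self.weights if i in self.up]
        if not active:
            raise RuntimeError("no WAN interface is up")
        for i in active:
            self.credit[i] += self.weights[i]
        chosen = max(active, key=self.credit.get)
        self.credit[chosen] -= sum(self.weights[i] for i in active)
        return chosen

    def select(self, src_ip, dst_port):
        """Interface for a NEW connection; its later packets stay on it.

        Pinned traffic is returned as configured. What happens to it when
        the pinned interface is down is outside this model.
        """
        src = ipaddress.ip_address(src_ip)
        for network, interface in self.source_routes:
            if src in network:
                return interface
        if dst_port in self.port_rules:
            return self.port_rules[dst_port]
        return self._balanced()


def distribution(model, src_ip, dst_port, connections):
    """Count how many of `connections` new connections land on each WAN."""
    counts = dict.fromkeys(model.weights, 0)
    for _ in range(connections):
        counts[model.select(src_ip, dst_port)] += 1
    return counts
```

Because the choice is made once per connection, a single large web download stays on one WAN, while many peer-to-peer connections spread across both in proportion to the weights.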

Routing Policies
Some Internet service providers (ISPs) will not allow traffic from source addresses they do not
recognize as their own. The following scenarios will give you a good idea of common issues faced
in a multi-WAN environment. In the examples, we assume two connections, but the same issues
crop up with three or more connections.

DNS Servers
The DNS servers configured on the ClarkConnect system will be provided by one or both ISPs. In
our example, we are going to assume that ISP #1 provides the DNS servers. If a DNS request from
your network goes out the ISP #2 connection, it might get blocked by ISP #1. Result: DNS
requests will only succeed on ISP #1.

Solution -- Use DNS servers that are accessible from any network. If your ISPs do not provide such
DNS servers, then we recommend using OpenDNS.

Note: your DHCP/DSL network configuration settings should have the Automatic DNS Servers
checkbox unchecked - see screenshot.

DMZ Networks and 1-to-1 NAT


If you have a range of extra IP addresses provided by ISP #1, you may need to explicitly send
traffic from these extra IPs out the ISP #1 connection. ISP #2 may drop the packets.

Solution -- Use a Source Based Route for your DMZ network.

Links
● Linux Advanced Routing and Traffic Control

Network Tools

Overview
Network Tools Information
Description         Tools to monitor and diagnose the network.
Package Name        cc-nettools
Configuration Page  Network > IP Settings > Network Tools

Provides basic networking tools to help diagnose network problems.

Installation
If you did not select this module to be included during the installation process, you must first install
the module.

Configuration

Connection Monitor
The connection monitor shows real-time information on connections going in and out of the
ClarkConnect system. This tool can be useful when diagnosing issues on your local network (for
example, finding a computer with a virus).
● Protocol -- the Internet protocol used by the connection
● Expires -- the time in hours remaining before the connection expires
● Source -- the source IP address
● Destination -- the destination IP address
● Status -- the status of the connection
● Port -- the source port and destination port
● Service -- the service associated with the destination port (if known)

Routing Table
The routing table provides technical information on the active routes on the system.

Protocol Statistics
Detailed technical information on the underlying TCP/IP network.

Links
● Linux Advanced Routing and Traffic Control

UPnP

Overview
UPnP Information
Description         Universal plug and play software.
Package Name        linuxigd
Configuration Page  N/A

UPnP should only be used on a home or trusted network. Avoid using this software on office,
school or other untrusted networks. See note below.

There are many opponents against UPnP. However, we feel that Open Source is all about giving
people choices, and letting intelligent people make intelligent decisions about its use. A lot of us
really need this daemon, and can live with the consequences because we are simply connecting a
home network to the internet through one IP.

UPnP version 1.0 is inherently flawed. What appears to have happened is that in Microsoft's first
UPnP implementation they weren't concerned with security or any advanced controls. Simply all
they wanted was connectivity. So we are stuck with this for now. The UPnP server, by itself, does
no security checking. If it receives a UPnP request to add a portmapping for some IP address
inside the firewall, it just does it. Theoretically this could open up ports on some other system.
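
The check that the paragraph above says is missing, sketched in Python as an added example (it is not linuxigd code): a port mapping is accepted only when the internal client named in the request is the LAN host that sent it. The argument names are those of the UPnP IGD AddPortMapping action; the function names, the default LAN range and the sample request are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

ACTION = "AddPortMapping"


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def check_add_port_mapping(soap_body, peer_ip, lan="192.168.1.0/24"):
    """Return (allowed, reason) for one AddPortMapping SOAP request.

    peer_ip is the source address of the connection that carried the
    request; lan is the network UPnP clients are expected to be on.
    """
    # Refuse DTDs outright so entity expansion never reaches the parser.
    if "<!DOCTYPE" in soap_body or "<!ENTITY" in soap_body:
        return False, "request contains a DTD"
    try:
        root = ET.fromstring(soap_body)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    action = next((el for el in root.iter() if local_name(el.tag) == ACTION), None)
    if action is None:
        return False, "no AddPortMapping action in request"
    args = {local_name(c.tag): (c.text or "").strip() for c in action}
    try:
        peer = ipaddress.ip_address(peer_ip)
        client = ipaddress.ip_address(args.get("NewInternalClient", ""))
        ext_port = int(args.get("NewExternalPort", ""))
        int_port = int(args.get("NewInternalPort", ""))
    except ValueError:
        return False, "missing or invalid address/port argument"
    if peer not in ipaddress.ip_network(lan):
        return False, f"requester {peer} is not on the LAN"
    # The core rule: a host may only open ports that lead to itself.
    if client != peer:
        return False, f"mapping targets {client}, but the request came from {peer}"
    protocol = args.get("NewProtocol")
    if protocol not in ("TCP", "UDP"):
        return False, "protocol must be TCP or UDP"
    if not (1 <= ext_port <= 65535 and 1 <= int_port <= 65535):
        return False, "port out of range"
    return True, f"{protocol} {ext_port} -> {client}:{int_port}"


def sample_request(internal_client, external_port=8080, internal_port=80):
    """Constructed AddPortMapping body for the demo (not captured traffic)."""
    return f"""<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body>
    <u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
      <NewRemoteHost></NewRemoteHost>
      <NewExternalPort>{external_port}</NewExternalPort>
      <NewProtocol>TCP</NewProtocol>
      <NewInternalPort>{internal_port}</NewInternalPort>
      <NewInternalClient>{internal_client}</NewInternalClient>
      <NewEnabled>1</NewEnabled>
      <NewPortMappingDescription>constructed sample</NewPortMappingDescription>
      <NewLeaseDuration>0</NewLeaseDuration>
    </u:AddPortMapping>
  </s:Body>
</s:Envelope>"""


if __name__ == "__main__":
    for client in ("192.168.1.50", "192.168.1.10"):
        print(client, check_add_port_mapping(sample_request(client), "192.168.1.50"))
```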

Wireless Card Configuration

Overview
Wireless Networking Information
Description         Wireless network card settings.
Package Name        cc-wireless
Configuration Page  Network > IP Settings > Wireless

ClarkConnect includes support for wireless network cards.

Installation
If you did not select this module to be included during the installation process, you must first install
the module.

Configuration

Supported Hardware
Many wireless network cards work out of the box in Linux (see Links section below). However, we
only officially support the following:
● PCI: Netgear 11Mbps 802.11b Wireless PCI Card (MA311)
● ISA-to-PCMCIA bridge: All models
● PCI-to-PCMCIA bridge: Buffalo Tech WLI-PCI-OP
● PCMCIA: Orinoco Silver and Gold 802.11b PCMCIA

From the Orinoco site: "For PCs with an ISA slot, the ORiNOCO ISA adapter is strongly advised."
In other words, only purchase the PCI card if your system is PCI-only.

PCMCIA Settings

If you use a PCMCIA (laptop) card, you may need to change some of the settings.

PCIC Driver
There are a few different types of hardware drivers (PCIC drivers) available for PCMCIA. Consult
your hardware's user guide or online support to determine your settings. For the Orinoco PCMCIA
cards, use i82365.

PCIC Options and Core Options


Some PCMCIA hardware drivers require special options. In most cases, you can leave the PCIC
Options and Core Options blank. Consult your hardware's user guide or online support if the
system is unable to detect your card. For the Orinoco PCMCIA cards, you may need to use
i365_base=0x3e2 for PCIC Options (leave Core Options blank).

Network Settings

The network configuration for a wireless card is done just like any other network card. However,
the following extra wireless-only options are required.

ESSID
The ESSID is a nickname to give your wireless network. In the screenshot, the name Woburn
Wireless is used. When configuring other wireless devices on your network, make sure you use
the same ESSID.

Mode
The wireless card can run in a number of different modes. The most common are Ad-Hoc and
Master/Access Point. From the list of officially supported wireless cards, only Ad-Hoc mode is
supported. For unofficial wireless cards, you may be able to run the card in other modes.

Secret Key
The Secret Key is used to encrypt your network traffic. The Orinoco Silver card requires a
5-character (40-bit) key prefixed with 's:' - e.g. s:abcde. This must match the settings for other
wireless devices on your network.

MAC Address Filtering

For added security, you can allow only certain network MAC addresses on your wireless network.

Links
● Seattle Wireless
● Linux Wireless LAN Howto
● WLAN Adapter Chipset Directory

Firewall

1 to 1 NAT

Overview
1-to-1 NAT Firewall Information
Description         Configuration tool for 1-to-1 NAT.
Package Name        cc-firewall-dmz
Configuration Page  Network > Firewall > 1-to-1 NAT

1-to-1 NAT maps a real Internet IP to an IP on your local area network (LAN).

Installation
If you did not select this module to be included during the installation process, you must first install
the module.

Configuration
You can map 1-to-1 NAT IPs in one of two ways:
● With no firewall at all
● With selective ports open

1-to-1 NAT - No Firewall


Some protocols can be finicky behind firewalls. In this case you want to configure 1-to-1 NAT with
no firewall (make sure you firewall/secure the target LAN system some other way!). In the
screenshot below:
● 216.138.245.23 is mapped to a LAN machine at 192.168.2.2
● no firewall is enabled.

1-to-1 NAT - Selective Ports Open


In the screenshot below:
● 216.138.245.23 is mapped to a LAN machine at 192.168.2.2
● only port 22 (SSH) and port 80 (web) are accessible
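
The two mappings above, written out as netfilter rules. This is an added sketch, not the rule set ClarkConnect itself generates; the function name, the eth0 external interface and the rule layout are assumptions. The function only prints the rules so they can be reviewed before anything is applied.

```shell
#!/bin/sh
# Added example: print (not apply) netfilter rules for one 1-to-1 NAT mapping.
# Assumed, not taken from ClarkConnect: function name, rule layout, eth0.
# The public IP must also be answered for on the external interface.

# one_to_one_nat PUBLIC_IP LAN_IP EXT_IF [TCP_PORT...]
#   no ports -> "no firewall": everything addressed to PUBLIC_IP reaches LAN_IP
#   ports    -> only new TCP connections to those ports are forwarded
one_to_one_nat() {
    if [ $# -lt 3 ]; then
        echo "usage: one_to_one_nat PUBLIC_IP LAN_IP EXT_IF [TCP_PORT...]" >&2
        return 2
    fi
    nat_pub=$1; nat_lan=$2; nat_ext=$3
    shift 3

    # Validate every port before printing anything, so a typo cannot yield
    # a half-written rule set.
    for nat_port in "$@"; do
        case $nat_port in
            ''|*[!0-9]*) echo "invalid port: $nat_port" >&2; return 1 ;;
        esac
        if [ "$nat_port" -lt 1 ] || [ "$nat_port" -gt 65535 ]; then
            echo "port out of range: $nat_port" >&2
            return 1
        fi
    done

    # Inbound: rewrite the public destination address to the LAN host.
    echo "iptables -t nat -A PREROUTING -i $nat_ext -d $nat_pub -j DNAT --to-destination $nat_lan"
    # Outbound: the LAN host is seen on the Internet as its own public IP.
    echo "iptables -t nat -A POSTROUTING -o $nat_ext -s $nat_lan -j SNAT --to-source $nat_pub"
    # Return traffic for connections that were already allowed.
    echo "iptables -A FORWARD -d $nat_lan -m state --state ESTABLISHED,RELATED -j ACCEPT"

    if [ $# -eq 0 ]; then
        # No firewall: the LAN host's own hardening is the only protection.
        echo "iptables -A FORWARD -i $nat_ext -d $nat_lan -j ACCEPT"
    else
        for nat_port in "$@"; do
            echo "iptables -A FORWARD -i $nat_ext -d $nat_lan -p tcp --dport $nat_port -m state --state NEW -j ACCEPT"
        done
        # Everything else addressed to the mapped host is dropped.
        echo "iptables -A FORWARD -i $nat_ext -d $nat_lan -j DROP"
    fi
}

# The selective-ports mapping from the text: SSH and web only.
one_to_one_nat 216.138.245.23 192.168.2.2 eth0 22 80
```

Called without any ports, the same function prints the "no firewall" variant: a single ACCEPT for everything addressed to the mapped host.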

1-to-1 NAT - With MultiWAN


As of ClarkConnect 4.0, it is possible to use 1-to-1 NAT with a MultiWAN configuration. The
configuration remains mostly the same, with the addition of an Interface drop-down box containing
a list of configured MultiWAN network interfaces. 1-to-1 NAT with MultiWAN support is only
available in the 4.x Edition.

Each 1-to-1 NAT rule must be assigned to an external MultiWAN interface as shown by example
below:

Advanced

Overview
Advanced Firewall Information
Description Configuration tool for advanced firewall rules.
Package Name cc-firewall-advanced
Configuration Page Network Firewall Advanced

Installation
If you did not select this module to be included during the installation process, you must first install
the module.

Configuration
The advanced firewall tool can be used to create special firewall rules. For instance, you can use
this tool to allow connections to the web-based administration from the Internet -- but only from a
particular IP address. You can find some examples in the advanced firewall tips and tricks
documentation.

An invalid advanced rule will cause the firewall to go into a lock-down mode -- all
other firewall rules will not be active in this mode.

Links
● Netfilter/Iptables Home Page

DMZ

Overview
DMZ Firewall Information
Description Configuration tool for DMZ-based firewalls.
Package Name cc-firewall-dmz
Configuration Page Network Firewall DMZ

The DMZ solution is used to protect a separate network of public IP addresses. Typically, a third
network card is used exclusively for the DMZ network.
● If you are configuring a few extra public IPs (not a whole network), then go to the 1-to-1
NAT section of the User Guide.
● If you are configuring a separate private network (192.168.x.x or 10.x.x.x), then investigate
Hot LANs in the IP Settings section of the User Guide.

Installation
If you did not select this module to be included during the installation process, you must first install
the module.

Configuration

Network Configuration
Before you can use the DMZ firewall configuration, you need to configure one of your network
cards with the DMZ role. In our example, we used the IP Settings tool to configure a third network
card (eth2) with the following:
● Role: DMZ
● IP Address: 216.138.245.17
● Netmask: 255.255.255.240
● Network: 216.138.245.16/28
All the systems connected to this third network card can then be configured with an IP address in
the 216.138.245.18 to 216.138.245.30 range.

Incoming Connections
By default, all inbound connections from the Internet to systems on the DMZ are blocked (with the
exception of the ping protocol). You can permit connections to systems on the DMZ by allowing:
● all ports and protocols to a single public IP
● all ports and protocols to the whole network of public IPs
● a specific port and protocol to a single public IP
In the screenshot below, both 216.138.245.27 and 216.138.245.28 are not firewalled at all, while
216.138.245.26 can only be accessed via TCP port 2000.

Pinhole Connections (DMZ-to-LAN)


In some situations, you may want to allow particular network traffic from your DMZ to your LAN -- a
pinhole rule. In our example, we have a document management system running on port 2401 on
the LAN (at IP address 192.168.2.2). We want to allow a web server in our DMZ to access this
document management system and we create a pinhole rule to do it (see screenshot).

Links
● Definition

Group Manager

Overview
Firewall Groups Information
Description A tool to group together firewall rules.
Package Name cc-firewall
Configuration Page Network Firewall Group Manager

The Group Manager makes it easy to categorize and manage related firewall rules. All rules not
assigned to a group will be listed at the top of the page. You can change a rule's Nickname or
assign it to a new or existing group by clicking on Edit.

Installation
This module is part of the base Firewall package which is always installed.

Configuration
There are three sections to the Group Manager page.
● Individual rule listing (rules that are not assigned to a group)
● Group listing
● Group manager, useful for enabling/disabling or deleting an entire group

Assigning Rules to Groups


To assign a rule to a group, click on the rule's Edit button. This will bring up the rule editor dialog
which looks like the following screen-shot:

The top of the edit dialog shows the fields of the firewall rule; the protocol, address, port, and
parameter (optional, contains extended information). This is displayed to help you identify the rule.
Below this information, you can enter a new or edit an existing Nickname to help identify the rule's
purpose. To the right you may assign this rule to an existing group using the drop-down, or add it
to a new group by entering the desired name in the input box below. Click on confirm to save your
changes.

Removing a Rule From a Group


To remove a rule from a group, click on the rule's Edit button. You will see the group name in the
drop-down box. Change this to "Remove from group" and then click on Confirm. If there are no
more rules in any given group, the group will no longer show up in the group drop-down list.

Group Management
At the very bottom of the Group Manager page you can enable/disable or delete a group. Simply
click on the appropriate button.

Deleting a group will delete all member firewall rules. If you want to remove just the
group, remove each rule from the group manually.

Incoming

Overview
Firewall Incoming Information
Description Tool for configuring incoming connections on the firewall.
Package Name cc-firewall
Configuration Page Network Firewall Incoming

Configuration

Allow Incoming Connections


If you want to run a server on your ClarkConnect system, you must open the appropriate port on
the firewall to allow access to users on the Internet. For instance, if you are running the web server
and secure web server, make sure port 80 and 443 are open.

Unlike other firewalls, you do not need to open a port on the incoming page if you're
forwarding the port to an internal server on your LAN or on your DMZ.

You can also open up ports to allow for remote management of your ClarkConnect system. For
example, you can open up port 22 to allow for SSH access and port 81 to give access to
Webconfig.

Select Firewall Incoming in the web-based administration tool. There are three ways to add an
incoming firewall rule:
● select a standard service in the Standard Services drop down
● input a single port number in the Port Number box.
● input multiple consecutive ports in a port range in the Port Range box.

Block Internet Hosts


If you want to block a remote site from accessing your ClarkConnect system, add the IP address or
network to the block list. This is typically used to block unwanted connections from . If you want
to block web sites from your users, the Content Filter is a more effective solution.

Outgoing

Overview
Firewall Outgoing Information
Description Tool for blocking or allowing (depending on mode) outgoing
connections on your network.
Package Name cc-firewall
Configuration Page Network Firewall Outgoing

Configuration
From the Firewall Outgoing page, you can block or allow certain kinds of traffic from leaving your
network depending on the mode/policy.

As of ClarkConnect 4.0, it is now possible to reverse the meaning of rules created from the
Firewall Outgoing page. The language used in the following documentation has been altered to
reflect this change. Users of older ClarkConnect versions can only allow all outgoing traffic by
default and then selectively block certain hosts and services. See Choose an Outgoing Mode
below for more details.

This module is useful for blocking/allowing instant messaging, chat, peer-to-peer
music downloads, and more.

You have two ways to block/allow traffic:
● by destination port/service
● by destination IP address/domain

Note: If you want to block peer-to-peer file sharing programs like Kazaa and Limewire, you will
also want to check the Peer-to-Peer section of the user guide.

Choose an Outgoing Mode


As of ClarkConnect 4.0, you can toggle the outgoing traffic mode or policy. All previous versions of
ClarkConnect allowed all outgoing traffic by default, only providing the administrator with the ability
to specifically block certain hosts or services. With ClarkConnect 4.0 and above, it is possible to
block all outgoing traffic by default and only open or allow certain destination domains,
ports/services to be contacted.

Note: These are the two Outgoing Traffic policies available as of ClarkConnect 4.0.

Outgoing Traffic - By Port/Service


Destination Ports prevents/allows a connection on a particular port/service. For instance, adding
port 80 (web) disables/enables web-surfing for your entire local network.

Outgoing Traffic - By Host/Destination


Destination Domains allows you to block/allow certain networks and sites. For instance, if your
Outgoing Mode is set to allow all outgoing traffic, blocking windowsupdate.microsoft.com blocks
Windows from connecting to the windows update site. Keep in mind, some sites use multiple
servers to handle network traffic and are not easily blocked. If you block destinations with the
firewall, bear in mind that users of the proxy may not be blocked. If you require proxy users to be
blocked, your best option is to block the destinations using the DansGuardian Content Filter
Module.

As of ClarkConnect 4.0, the Block/Allow by Destination form has changed slightly. The standard
services drop-down box has been removed and merged into the Destination Ports form illustrated
above.

Troubleshooting

Links

Peer-to-Peer

Overview
Peer-to-Peer Information
Description A tool to block peer-to-peer traffic.
Package Name cc-firewall-p2p
Configuration Page Network Firewall Peer-to-Peer

Installation
If you did not select this module to be included during the installation process, you must first install
the module.

Configuration
The following applications can be blocked and/or throttled:
● eDonkey, eMule, Kademlia
● KaZaA, FastTrack
● Gnutella
● Direct Connect
● BitTorrent, extended BT
● AppleJuice
● WinMX
● SoulSeek
● Ares, AresLite

For some protocols, the peer-to-peer blocker will only halt the initial connection to other systems. In
other words, a system that is already connected to a peer-to-peer network will not get blocked. If
you are sanity checking this tool, please disconnect the peer-to-peer client.

Troubleshooting
The world of peer-to-peer networks is fast paced and constantly changing. If you find that your
peer-to-peer software is not getting blocked, then feel free to post your feedback on the online
forums:
● Online Forums - Bandwidth

Links
● IPP2P Web Site

Port Forwarding

Overview
Port Forwarding Information
Description Tool for forwarding ports to systems on your local network.
Package Name cc-firewall
Configuration Page Network Firewall Port Forwarding

Configuration
If you run servers behind your ClarkConnect gateway, you can use the Port Forwarding page to
forward ports to a system on your local area network. In the example below, two port forwarding
rules are configured:
● A web server (port 80) is running on the LAN at 192.168.4.10
● SSH (port 22) is also running on 192.168.4.10. Since port 22 is already used on the
gateway, we specify an alternate port (2222). We then configure our SSH client to use port
2222 to connect directly to 192.168.4.10 from the Internet.

Troubleshooting

In order for port forwarding to work properly, the target system on your local network must have
the default gateway set to the ClarkConnect system. In the adjacent screenshot, the configuration
for a Windows system is shown. The default gateway in this case is 192.168.1.1 (the IP address of
the ClarkConnect system).

Security

Intrusion Detection

Overview
Intrusion Detection Information
Description An advanced intrusion detection system.
Package Name cc-snort
Configuration Page Network Security Intrusion Detection

The intrusion detection package is included with ClarkConnect to make users more aware of some
of the daily hostile traffic that can pass by your Internet connection. The software is able to detect
and report unusual network traffic including attempted break-ins, trojans/viruses on your network,
and port scans.

Services
New exploits are discovered every day. The intrusion detection software maintains and uses a list
of 2000+ rules. You can receive automatic updates by subscribing to the Intrusion Detection
Updates service.

Configuration
The intrusion detection system includes a daily report. Do not panic when you see alerts in this
daily report. In fact, it would be quite unusual not to see anything reported. Hostile traffic is a
normal part of today's Internet and it is one of the reasons firewalls are necessary. You can find
more information about the report here.

Intrusion detection does require some horsepower. If you find your system sluggish,
you might want to consider disabling the software.

Security and Policy Rules


There are two different types of rules for the intrusion detection system. The Security rules detect
issues related to overall system security, while Policy rules detect issues related to your
organization's Internet usage policies. For example, the chat policy rules will detect instant
messaging traffic that goes through your ClarkConnect system.

Links
● Intrusion Detection Reports
● Sourcefire website
● Snort Intrusion Detection website

Intrusion Prevention

Overview
Intrusion Prevention Information
Description An advanced intrusion prevention system.
Package Name cc-snortsam
Configuration Page Network Security Intrusion Prevention

The intrusion prevention system blocks suspected attackers from your system.

Services
New exploits are discovered every day. The intrusion detection software maintains and uses a list
of 2000+ rules. You can receive automatic updates by subscribing to the Intrusion Detection
Updates service.

Configuration
The Intrusion Prevention system displays a list of IP addresses that have been blocked due to
inappropriate network traffic.

Description

SID
The SID corresponds to the Intrusion Detection ID that triggered the block. This is a hyper-link that
can be followed to reveal more information about the specific conditions that were matched.

Blocked IP
This is the IP address that triggered the block. If this IP address should not be blocked, you can
add it to a "don't block" list by clicking on Whitelist under Action.

Date / Time
The date/time fields show when the block occurred.

Time Remaining
The remaining block time is listed last. The IP address will be unblocked when this reaches 0.

Action
A blocked host can be added to a Whitelist so it will not be blocked in the future. You can also
remove a blocked host using Delete.

Whitelist
If there are IP addresses in your Whitelist they will be listed below the Active Block List. You can
delete an entry by choosing Delete under Action.

Troubleshooting
If you find the snortsam software taking a long time to start up on your system, make sure the DNS
Servers configured for your ClarkConnect system are working properly.

Links
● SSH Brute Force Attack
● FTP Brute Force Attack

Account Manager

Users

Overview
User Manager Information
Description Tool to add and manage users on the system.
Package Name cc-users
Configuration Page Account Manager All Accounts Users
Keywords LDAP

The user manager page allows you to add, delete and manage users on the system.

Configuration

User Overview
The first thing you will see on the user manager page is a summary of existing users. This
summary includes the username, name and the enabled options for each user. Depending on the
platform/version you are using, you may see a dialog box indicating how many mailbox accounts
are in use and how many are available. The Enterprise Edition allows you to purchase additional
mailbox licenses to increase the number of users who can send/receive mail on the server.

In the screenshot shown, user tim has access to all the available services while user veruca only
has access to e-mail and the file server.

User Information
Every user must have the following information configured:
● Username - a username (lowercase only)
● First name - the user's first name
● Last name - the user's last name
● Password and Verify - a password

Depending on your ClarkConnect version, you may also see additional fields, for example
telephone number, address, title, etc.

User Options
The following options are available in the user configuration. Note: the option will not appear if the
related software is not installed on the system.

File Server Folder - grant access to home directory on the File Server
FTP Server - grant FTP Server access
Mailbox - grant Mail Server - SMTP access
PPTP Server - grant PPTP VPN access
Proxy Server - grant Web Proxy access
Web Server - grant Web access for Flexshare
Shell Access - If an administrator needs to enable Secure SHell (SSH) access for a user's account,
this needs to be done at the command line in versions 4.0 and later. See the "Tips and Tricks"
section below for more information.

Tips and Tricks

Secure Shell (SSH)


The Secure Shell (SSH) access option was removed in 4.0 as a security precaution. Most users do
not need SSH access, and yet many end-users would select all options, not knowing the risks. To
enable SSH access for a user, log in as root and type:

Links
● Aliases

Groups

Overview
Group Manager Information
Description Tool to add and manage groups on the system.
Package Name cc-users
Configuration Page Account Manager All Accounts Groups

The group manager page allows you to add, delete and manage groups on the system.

Configuration
The first thing you will see on the group manager page is a summary of existing groups.

Use the "Add Group" form below the summary of existing groups to add a new group.

Once you have added a new group, or if you click on the "Edit" link next to an existing group, a
new form will appear providing information specific to the group you created/edited.

Use this form to make changes to the users belonging to the group and/or to change the
description of the group name.

System Tools

Backup and Restore

Overview
Backup and Restore Information
Description A simple backup and restore tool for configuration files.
Package Name cc-backuprestore
Configuration Page System Settings Backup/Restore

The backup/restore feature lets you take a snapshot of all the configuration files and save them to
a separate system for safe keeping. If a ClarkConnect system needs to be restored, you can re-
install the ClarkConnect system and then restore all the configuration settings from the backup.

Installation
If you did not select this module to be included during the installation process, you must first install
the module.

Configuration
The backup/restore tool saves all the configuration information available through the web-based
interface:
● Usernames and passwords (4.0 or higher)
● Network configuration
● Firewall configuration
● Software configuration (for example, content filter)

The backup/restore settings tool does not save user data, logs or mailboxes. Use the LAN/Backup
and Recovery tool for backing up data.

If you have installed third party applications on your system, you will need to take extra steps to
save configuration data.

Troubleshooting
During the restore procedure, the original network settings will be restored, but not activated.
Consider this scenario:
● The system settings on a live ClarkConnect gateway have been saved.
● Due to a hard disk failure, ClarkConnect was temporarily replaced with a basic router.
● ClarkConnect is re-installed on another server while connected to your LAN.
● The restore procedure is then used on the newly installed ClarkConnect system.

The network settings are now in limbo. The restored network configuration is expecting to be
connected as a gateway, but the system is temporarily running as a standalone system on your
LAN. In this scenario, you will either need to put the system back into its role as a gateway, or,
reconfigure the network.

Date

Overview
Date Information
Description Tool to set the date, time and timezone.
Package Name cc-webconfig
Configuration Page System Settings Date

The date configuration tool allows you to select your time zone as well as enable/disable automatic
time synchronization.

Configuration

Time Zone
It is important to have the correct time zone configured on your system. Some software (notably,
mail server software) depends on this information for proper time handling.

Time Synchronization
Keeping your system time accurate is recommended, so we suggest having the automatic time
update enabled.

Encrypted File Systems

Overview
Encrypted File System Information
Description Encrypted file system manager.
Package Name cc-dmcrypt
Configuration Page System Settings Encrypted File System

The encrypted volume module allows the creation of encrypted volumes that can be used to
protect confidential data from unauthorized access in the event the server is physically removed
from the premises or a portable mass storage device is lost/stolen while in transit.

Data is stored in an encrypted format when a volume has not been mounted. Mounting a volume
requires the password. With a strong password, gaining access to the decrypted data (i.e. usable
information) is impossible in the event the volume is unmounted. A volume is unmounted whenever
a server is restarted (i.e. a shutdown, loss of power etc.) and must be mounted by an administrator
having both Webconfig access and the volume password. It is important to note that this module
does not provide protection against unauthorized access to data when a volume is mounted (i.e.
the state the volume would normally be in during every day use). This module does not replace the
need to maintain software updates, use of a properly configured firewall, IDS/IPS etc.

Installation
If you did not select this module to be included during the installation process, you must first install
the module.

Configuration

Adding an Encrypted Volume


Any number of encrypted volumes can be created on the server - either on the local hard disk or
on an external mass storage device. Volumes created on the local disk reside in parallel with other
system/user data. By contrast, volumes created on unmounted devices (e.g. a USB attached hard
disk) fill the entire physical disk size... formatting any/all data that may be on an existing
file-system.

Volume Name
A unique name that describes the volume (i.e. ArchivedMail, ExternalUSB etc.)

Mount Point
The location where the volume will be accessible. By default, the mount point is created in

/mnt/dmcrypt/<VolumeName>

Storage Device
The physical device location.

Size
The size (in MB) of the encrypted volume. Keep in mind, encrypted volumes have an encryption
overhead approximately equal to 1-5% of the total defined size of the volume.

Password
The password required to mount the encrypted volume.

Verify Password
Re-enter the password to verify.

Troubleshooting

What if I forget my password?


In a word: don't. If you forget a volume encryption password, there is absolutely no way to recover
the data.

How can I auto-mount my encrypted volumes on bootup?


You cannot...this would defeat the purpose of creating an encrypted volume.

Links
● DM-Crypt Project Home Page

Language

Overview
Language Information
Description Tool to set the language and locale.
Package Name cc-webconfig
Configuration Page System Settings Language

You can change the language used by ClarkConnect from this configuration page.

Running Services

Overview
Running Services Information
Description A tool to view and manage services running on the system.
Package Name cc-webconfig
Configuration Page System Settings Running Services

This configuration page gives you a bird's eye view of the services (also known as "daemons") on
your system.

Shutdown and Restart

Overview
Shutdown and Restart Information
Description A shutdown and restart tool for your system.
Package Name cc-webconfig
Configuration Page System Settings Shutdown/Restart

A tool to shutdown or restart your system.

E-Mail Notification/Alert (SMTP Relay)

Overview
SMTP Relay/Notification Information
Description Allows applications to send reports, alerts, notifications etc. via e-mail
through the configured SMTP relay without having a local Mail Transport Agent (MTA).
Package Name cc-mailer
Configuration Page System Settings SMTP Relay
Keywords Swift

Installation
This module is installed only when a module dependent on the Mailer class is installed. To install
manually, run:

# apt-get update
# apt-get install cc-mailer

Configuration

Configuration of the SMTP relay is accessed under System Tools SMTP Relay.

SMTP Host
The hostname of the SMTP server to connect to.

Port
The port used to send the initial connection request. SMTP usually uses port 25.

SSL/TLS
Encryption protocol to use when connecting to the host server.

Username
A valid username to authenticate to the server.

Password
A valid password to authenticate to the server.

Test Relay
Once you have decided on the SMTP server to relay through and obtained and entered the
necessary settings, it is time to test the relay to ensure e-mails can get through. Click on the Test
Settings link. A form will be displayed requiring the input of a valid e-mail address. Enter an
address at which you can easily verify receipt of the test message that will be sent.

Click on the Send Test E-mail once you have entered the recipient of the test e-mail. If a
successful connection and authentication (if required) is made, you will receive a notification
that the test was successful. If the connection could not be made or if authentication using the
settings provided failed, you need to go back and check your settings for correctness and update
before repeating the test.

You should also verify receipt of the test e-mail that is sent to the address specified, especially
in the cases where you're using localhost as the SMTP hostname. You may find the test is
successful, but you never receive the test message. In this case, the message could be queued on
the local server and unable to deliver - usually because an ISP is blocking SMTP traffic.

Examples

Local SMTP Server


If you are running a local SMTP service on the same server, you can leave the default in place (i.e.
port 25 at "localhost"). Keep in mind, this assumes that your local mail server is either:
● a) relaying directly and your ISP does not filter/block SMTP (port 25) traffic
● b) relaying through your ISP's SMTP servers
● c) configured to relay through an alternative (possibly non-standard port) relay service

ClarkConnect's ASP AV/AS SMTP Relay


If the system you are configuring is subscribed to ClarkConnect's ASP Antivirus and/or Antispam
service, you can use Point Clark Networks' SMTP server to relay through, bypassing any filtering
(blocking) on the part of your ISP.

Field Value
SMTP Host antivirus.pointclark.com
Port 2525
SSL/TLS None
Username
Password

Google Mail (Gmail)


With a valid Gmail account, one can easily set up ClarkConnect's 'Mailer' module to relay
through Google's SMTP server. Here is an example for a user with a Gmail account of
"pcnl.developer@gmail.com".

Field Value
SMTP Host smtp.gmail.com
Port 465
SSL/TLS TLS
Username pcn.developer@gmail.com
Password *****

Links
● SwiftMailer

SSL Certificate Manager

Overview
SSL Certificate Information
Description Allows the creation, signing, renewal and revocation of SSL
certificates for implementing cryptography using SSL (v2/v3) and
TLS (v1) protocols.
Package Name cc-ssl
Configuration Page System Settings SSL Certificate Manager

SSL certificates are the de facto standard for encrypting information sent over a network and can
also be used to provide authentication, as in the case of S/MIME email signature signing.

This module provides an administrator with the ability to create a Certificate Authority (CA) which
can then be installed as a trusted CA on any operating system, browser or mail client in order to
encrypt/decrypt communications between two computers (and/or sign emails). Creating your own
CA and using it to sign certificates is termed "self-signing".

Self-signing of certificates is as secure as purchasing signed SSL certificates from a Trusted CA
like Thawte or Verisign, where prices range from $US 50-300 per year. Self-signing is extremely
convenient (and cost effective!) if you are providing access to known users (i.e. employees, clients,
vendors etc.). It is less convenient than a Trusted CA when dealing with unknown users such as
website visitors using a browser to access your online store using HTTPS (HTTP over SSL), since
the user will be prompted by their browser to trust the certificate that is presented to them.

The SSL Certificate Manager module can also create Certificate Signing Request (CSR)
certificates. The contents of a typical CSR certificate are shown below:

A CSR is an unsigned copy of your certificate which can then be sent to a Trusted CA to be
signed. The CSR will be used by the Trusted CA to generate your signed x509 SSL certificate
(CRT). The Trusted CA sends back the signed certificate which may look similar to the CSR, but
is not.

Whether your CRT was self-signed or signed by a Trusted CA, it now represents the public part of
a public/private key (certificate) pair. The private half of the key (usually ending in .key or
-key.pem) was generated automatically during the CSR creation and should never be sent across an
untrusted network (i.e. the Internet). Unless this key was intended to secure another server, it
should not be moved from its directory of origin (/etc/ssl/private).
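
The CA, CSR and signed-certificate relationship described above, as an added OpenSSL sketch rather than the commands the SSL Certificate Manager itself runs. File names, subject values, the scratch directory and the 2048-bit key size are assumptions of this example.

```shell
#!/bin/sh
# Added example: private CA -> key + CSR -> signed certificate -> checks.
# Assumed, not taken from ClarkConnect: file names, subjects, 2048-bit keys,
# and a scratch directory instead of /etc/ssl.

# make_ca DIR: CA private key plus self-signed root certificate.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/O=Example Org/CN=Example Root Certificate Authority" \
        -keyout "$1/ca-key.pem" -out "$1/ca-cert.pem" 2>/dev/null || return 1
    chmod 600 "$1/ca-key.pem"
}

# make_csr DIR NAME: server private key plus the CSR that is sent to the CA.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example Org/CN=$2" \
        -keyout "$1/$2-key.pem" -out "$1/$2.csr" 2>/dev/null || return 1
    chmod 600 "$1/$2-key.pem"
}

# csr_is_public_only DIR NAME: the file handed to the CA holds no private key.
csr_is_public_only() {
    if grep -q 'PRIVATE KEY' "$1/$2.csr"; then return 1; fi
    return 0
}

# sign_csr DIR NAME: the CA turns the CSR into a signed certificate (CRT).
sign_csr() {
    openssl x509 -req -sha256 -days 365 -in "$1/$2.csr" \
        -CA "$1/ca-cert.pem" -CAkey "$1/ca-key.pem" -CAcreateserial \
        -out "$1/$2.crt" 2>/dev/null
}

# chain_ok DIR NAME: what a client that imported the CA certificate checks.
chain_ok() {
    openssl verify -CAfile "$1/ca-cert.pem" "$1/$2.crt" >/dev/null 2>&1
}

# cert_matches_key DIR NAME: the CRT carries the public half of the key pair.
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1/$2.crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$1/$2-key.pem" -pubout | openssl sha256)
    [ "$crt_pub" = "$key_pub" ]
}

# ca_demo: run the whole flow in a throwaway directory.
ca_demo() {
    demo_dir=$(mktemp -d) || return 1
    demo_host=gateway.example.test   # constructed host name
    make_ca "$demo_dir" &&
        make_csr "$demo_dir" "$demo_host" &&
        csr_is_public_only "$demo_dir" "$demo_host" &&
        sign_csr "$demo_dir" "$demo_host" &&
        chain_ok "$demo_dir" "$demo_host" &&
        cert_matches_key "$demo_dir" "$demo_host"
    demo_rc=$?
    rm -rf "$demo_dir"
    return $demo_rc
}

ca_demo && echo "certificate chains to the CA and matches its private key"
```

Only the .csr leaves the server and only the .crt comes back; both key files stay where they were generated, readable by their owner alone.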

Installation
This module is installed by default and should not be un-installed. SSL certificates are used by the
Webconfig User Interface.

Configuration

Creating a Certificate Authority


A Certificate Authority (or CA) is a trusted entity which issues digital certificates for use in
cryptography and/or authentication. When dealing with unknown persons, you will probably want to
use a commercial CA which is in business to provide a service - verifying an individual or
organization is who they say they are, usually by way of a domain name or email address.
The SSL Certificate Manager module allows you to create your own CA that you can then use to
sign and validate certificates. You can have users download and import this CA to validate
certificates presented to them. A common and cost-effective use of a self-signed certificate is the
SSL certificate that encrypts communications in the Webconfig User Interface.

The module will force you to create a CA prior to allowing the creation of certificate requests,
signed certificates or PKCS12 files. The form to create the CA is presented when no CA is found
on the server (in the /etc/ssl directory) and is shown in a screenshot below. A brief description and
suggested defaults are provided in the following sections.

Key Size
This is the RSA key length. 1024b (default) is a good compromise between security and speed.
Anything below 1024b can theoretically be cracked by brute force techniques. Note, this is the RSA
key size and will not impact, for example, the encryption strength of a web browsing session
(typically 128b, but could be 40b or 256b) that is dictated by the capabilities/settings of both the
client web-browser and server.

Common Name
The common name in the certificate authority can be anything. Generally speaking, you will want
this to be descriptive of the purpose of the certificate as a trusted root certificate. An example might
be Point Clark Networks Root Certificate Authority.

Organization Name
Typically the company name or person responsible for the CA. Example - Point Clark Networks
Ltd.

Organization Unit
In larger organizations, the organization unit might be a department within the company, such as
IT Department.

City
The organization's city - for example, Toronto.

State/Province
The organization's state or province - for example, Ontario or ON. Leave blank if this does not
apply.

Country
The organization's country - for example, Canada. The module will automatically convert the
country to the 2-letter ISO-3166 country code.

E-mail
The e-mail address of the person responsible for the CA within the organization - for example,
certificates@pointclark.net.

Creating a Certificate Request or Signed Certificate

Once a Certificate Authority has been created on your server, you will see a summary of the CA
and any certificates you have created. If you have only just created your CA, you obviously won't
have any signed certificates or PKCS12 files and your summary will look similar to the screenshot
below.

Use the form below the three summary tables as illustrated above to create either a certificate
request or signed certificate. For those new to SSL and encryption, it may not be immediately
obvious as to the difference.

Certificate Request
The certificate request is a precursor to creating a signed certificate. It represents the public half of
the private/public key pair used in RSA encryption. All signed certificates originate from a
certificate request. A certificate request does not have an expiry date associated with it, but does
have all the other fields associated with a signed certificate (common name, organization name
etc.). A certificate request cannot be used in cryptography and must be signed (usually by a
trusted CA for an annual fee) in order to be useful.

Signed Certificate
As the name implies, this is a public certificate (the public half of the RSA private/public key pair)
that has been signed (verified) by a Certificate Authority (CA). The CA's service to the certificate
holder and to anyone viewing the certificate is a 3rd party validation of the authenticity of the
certificate owner. For example, if the certificate is to be used on an encrypted website (HTTPS), the
CA will take measures to verify the owner of the domain against the certificate request being
presented to be signed. A signed certificate has both not-valid-before and not-valid-after
timestamps that were attached to the certificate when the CA signed the request.

Creating a Certificate Request


If you have determined a need for a trusted CA to sign a certificate request, you can use the
Webconfig UI to generate the key. Select the purpose for the certificate (web/FTP encryption or
e-mail signing/encryption) and your RSA key size (1024b recommended) and select the Use Trusted
CA (fees may apply) option from the Signing Authority field. Complete the other fields as they
apply (see troubleshooting below) and click Create.

Notice how the Term field disappears when you select the Use a Trusted CA option - this is by
design, since certificate requests do not store expiry dates.

Creating a Signed Certificate

Selecting the Self-Sign option will use the CA you created during the initialization of the SSL module
to sign a certificate request that is temporarily created during the creation process.

In the example below, we sign our own certificate whose intended use will be to sign e-mail
originating from "Joe Developer" at Point Clark Networks.

There are two differences to note from the certificate request example above. First, there is an
additional Term field - this field indicates the expiry date from the date of creation. For
convenience, some users may want to set this to 25 years (essentially no expiry), but shorter terms
may be desired for some applications. Second, additional fields named Import Password for
PKCS12 and Verify Password for PKCS12 are visible. The Personal Information Exchange
Syntax Standard (also called PKCS12) file is a convenient format to install certificates onto client
machines for use in validating e-mail signatures. The file is protected with a password since the
PKCS12 file contains both the private and public keys associated with the SSL signed certificate.
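
The request, signing and PKCS12 steps described above can be reproduced with the openssl command-line tool. The script below is an added example, not part of the manual and not ClarkConnect's own code; the subject values are the manual's examples, while the file names, the 2048-bit key size, the 365-day term and the password are assumptions.

```shell
#!/bin/sh
# Added example: certificate request vs. signed certificate vs. PKCS12 file,
# reproduced with the openssl command-line tool. Subject values are the
# manual's own examples; file names, the 2048-bit key size, the 365-day term
# and the password are assumptions of this example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
umask 077                       # new key files are readable by the owner only
ORG="Point Clark Networks Ltd."

# Root CA: a private key plus a certificate signed with that same key.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/O=$ORG/CN=Point Clark Networks Root Certificate Authority" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Private key and certificate request for common name $1 and e-mail $2.
make_request() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=$ORG/CN=$1/emailAddress=$2" \
        -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null
}

# The CA signs the request; the term ($1 days) is only added at this step.
sign_request() {
    openssl x509 -req -in "$WORK/user.csr" -days "$1" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/user.crt" 2>/dev/null
}

# Print "yes" if file $1 carries a validity period, "no" otherwise.
has_validity() {
    case "$1" in
        *.csr) text=$(openssl req  -noout -text -in "$1") ;;
        *)     text=$(openssl x509 -noout -text -in "$1") ;;
    esac
    case "$text" in
        *"Not After"*) echo yes ;;
        *)             echo no ;;
    esac
}

# SHA-256 digest of the public key inside a request (*.csr) or certificate.
pubkey_digest() {
    case "$1" in
        *.csr) openssl req  -noout -pubkey -in "$1" ;;
        *)     openssl x509 -noout -pubkey -in "$1" ;;
    esac | openssl dgst -sha256 | sed 's/^.*= *//'
}

# E-mail address recorded in certificate $1.
cert_email() { openssl x509 -noout -email -in "$1"; }

# Succeeds only if certificate $1 was signed by the CA created above.
chains_to_ca() {
    openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

# Bundle private key, certificate and CA into a PKCS12 file. The password
# comes from the environment variable P12_PASS, so it does not appear in the
# process list the way a command-line argument would.
make_pkcs12() {
    openssl pkcs12 -export -name "$1" -inkey "$WORK/user.key" \
        -in "$WORK/user.crt" -certfile "$WORK/ca.crt" \
        -out "$WORK/user.p12" -passout env:P12_PASS
}

# Succeeds only if password $1 opens the PKCS12 file.
pkcs12_opens_with() {
    TRY_PASS=$1 openssl pkcs12 -in "$WORK/user.p12" -noout \
        -passin env:TRY_PASS >/dev/null 2>&1
}

make_ca
make_request "Joe Developer" "joe.developer@pointclark.net"
sign_request 365
P12_PASS='Constructed-Passphrase-2008'; export P12_PASS
make_pkcs12 "Joe Developer"

echo "request has validity dates:     $(has_validity "$WORK/user.csr")"
echo "certificate has validity dates: $(has_validity "$WORK/user.crt")"
echo "certificate e-mail:             $(cert_email "$WORK/user.crt")"
if [ "$(pubkey_digest "$WORK/user.csr")" = "$(pubkey_digest "$WORK/user.crt")" ]
then echo "request and certificate hold the same public key"; fi
chains_to_ca "$WORK/user.crt" && echo "certificate verifies against the CA"
pkcs12_opens_with wrong-guess || echo "PKCS12 file rejects a wrong password"
```

The private keys stay inside the temporary directory, which is removed when the script exits.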

Importing a Signed Certificate from a Trusted CA


In order to import a signed certificate from a trusted CA, you first need a Certificate Request. If you
haven't made one already, follow the steps in Creating a Certificate Request. Certificate
requests (also known as unsigned certificates) will be listed under Unsigned Certificates, as
shown in the screenshot below.

This request needs to be downloaded and sent (typically via e-mail or a web form) to a Trusted
CA. Click on the View link to view the contents of the certificate, including the part a Trusted CA
requires.

At this point, you have two options to download the certificate request. First, use the Download
link to save the entire PEM file to your local machine. The second option is to simply select the
PEM Contents text starting from and ending (and including) the tag with your mouse, and "cut-
and-paste" this into an e-mail to be sent to a Trusted CA or a web form for submittal.

Once you receive the signed certificate back from the Trusted CA (a process that may take up to
48 hours), return to the SSL Webconfig page, click on View again, and this time, select Import
Signed Certificate from the available Actions. A web form will be displayed allowing you to
"paste" the certificate contents.

Once "copied-and-pasted" into the form, click Save. Your certificate is now imported and ready for
use.

Creating, Importing & Installing a Personal Information Exchange Syntax Standard File (PKCS12)

The Personal Information Exchange Syntax Standard (or PKCS12) file is an industry standard
format for storing or transporting a user's private keys, certificates or other secret information. The
PKCS12 file format is used with the SSL module in ClarkConnect's Webconfig to password-protect
and relate a private key tied to an e-mail address with a certificate authority in order to sign and/or
encrypt e-mail.

Creating a PKCS12 File


A PKCS12 file is created automatically when a self-signed certificate is created with the
Purpose/Use set to Sign/Encrypt E-mail. See section Creating a Signed Certificate for
information related to the fields/settings to create the PKCS12 in parallel with a self-signed
certificate.

To create a PKCS12 file, you should already have a signed certificate under management with the
appropriate e-mail that will match the user's signature (i.e. e-mail address). The screenshot below
shows one certificate (Joe Developer's) - in addition to the root CA - for the purpose of signing
Joe's e-mail (joe.developer@pointclark.net).

To start the PKCS12 creation, click on the View link next to the certificate. Details of the certificate
along with several actions which can be executed on the signed certificate will be displayed, similar
to below.

If you do not see the Create PKCS12 option, it is because it already exists on the system. Return
to the main menu and look under the PKCS12 Files table.

Since the certificate already exists, you only need to provide the password and verification that will
be used to secure the PKCS12 file.

Clicking on the "Create" button will create the PKCS12 file using the password supplied and list it
for download under the PKCS12 section. See the next sub-section for information on downloading
and installing the file to your computer.

Importing a PKCS12 File


Provided you have been successful in creating a PKCS12 file, you should see these files listed
under the PKCS12 Files table. You can delete these files at any time, with the knowledge that the
file can be re-created with a new password, if necessary, at any time. Since the PKCS12 file is
specific to a user, once provided to the user, there is no need to keep the file on the server, except
for purposes of backup. The screenshot below shows the PKCS12 summary, containing one file
for Joe Developer. Assuming we are Joe Developer or Joe's IT administrator, we will now go
through the steps to import (download) the PKCS12 file and install it.

Click on the Download link next to the PKCS12 you wish to download to your local machine
(computer). Depending on your OS and browser, you will see a dialog box similar to the one shown
below.

If access is from the machine where the file will be installed, you can choose the "Open With"
option, which uses the PFXFile binary in Windows. If you will be e-mailing or making the file
available to download via alternative ways (i.e. FTP), you'll need to "Save to Disk" to save a copy
of the PKCS12 file locally.


Installing on Thunderbird: If you use Mozilla's Thunderbird e-mail client, you need to use the "Save
to File" option and import into the client in a separate step (see below).

Installing a PKCS12 File


Examples have been provided for installing PKCS12 files into two of the more popular mail clients,
Thunderbird and Outlook/Outlook Express.

Thunderbird
Before starting, make sure you have downloaded or received your PKCS12 file and saved it to
your local machine. If you have not yet done this, see instructions provided in the above sections.

Open the Thunderbird mail client and click on Tools > Account Settings. Click on the Security
summary under your account. You should see a form similar to the screenshot provided below.

Click on View Certificates under the Certificates section. Under the Your Certificates tab, click
on Import. Use the file manager dialog pop-up to select the PKCS12 file you saved to your
computer earlier. At this point, you may be prompted to create a master password for the security
device. Choose a password that you can remember but that is difficult for anyone to guess. You
will need to use this password each time you close and re-open Thunderbird to send a signed or
encrypted e-mail.

You will then be prompted for the password for the PKCS12 file you are about to import. This is the
password that was used during the creation of the PKCS12 using the ClarkConnect SSL Manager
module. You should now see your certificate installed under Your Certificates.

You're not quite done - note how the Purposes field indicates Issuer Not Trusted. What you did
not see when installing the PKCS12 file is that a trusted CA was imported transparently under
the Authorities section. You need to explicitly confirm what purpose Your Certificate can be used
for. Click on the Authorities tab and scroll down until you find the Certificate Authority that was
used to sign the certificate used to create the PKCS12 file. When you find your CA in the list, click
once to highlight it and then click on the Edit button. A pop-up dialog box will be displayed as
shown below.

Place a check mark in each checkbox, and click OK. Go back to the Your Certificates tab - you
should now see that the message Issuer Not Trusted has been replaced with Client, Server, Sign,
Encrypt. Close the Certificate Manager dialog window and click on either of the Select buttons in
the Digital Signing or Encryption sections. You will be prompted to select a certificate from a
drop down box which will likely just have the one certificate you installed. Select it, and click OK.
Close the Account Settings dialog window by clicking OK.

Congratulations - you can now sign e-mail and receive encrypted e-mail if senders use your public
key to encrypt the message.

Outlook/Outlook Express
Outlook and Outlook Express use the Windows OS certificate manager to perform message
signing and encryption/decryption. The following help section describes how to install a PKCS12
file onto Microsoft's XP platform.

Click on Start > Control Panel and select Internet Options from the menu system. Select the
Content tab.

Working in the Certificate dialog box pop-up, select the Personal tab and click on the Import
button. An Import Wizard will start up, taking you through the process in steps. Click Next to
continue. Click on the Browse button and find the PKCS12 file that you saved to your system. Note,
you may have to change the default file type from X509 to Personal Information Exchange to see
the proper extensions. Click Next to continue. The wizard will then ask you for the password. Enter
the password you used in the ClarkConnect SSL Manager module when creating the PKCS12 file.
It's also a good idea to check off both check boxes for additional security.

Keep the default location to store the certificate - Personal Store. Click Next to continue. Click
Finish to complete the PKCS12 install. Unlike Thunderbird, Microsoft automatically enabled the
uses for the certificate.

Congratulations - you can now sign e-mail with Outlook and receive encrypted communications
from people using your public key.

Renewing a Certificate
Certificates that have been self-signed by the locally created Certificate Authority can be renewed
at any time. Click on the View link, followed by the Renew button under the action options. A form
similar to the one below will allow you to select the term to extend the original certificate in addition
to re-issuing a new PKCS12 file with password.

When renewing a certificate that was not self-signed, a new certificate request will be created
which can then be sent to a Trusted CA for signing and subsequent import.

Troubleshooting
There are really only two fields in the certificate generation process that can get you into trouble -
Common Name and E-mail. These fields are explained below in relation to the two typical
applications of SSL certificates (web and email).

Web/FTP

Common Name Field


For websites or FTP, the Common Name field must match exactly the domain name of the site.

E-mail Field
Typically, this field would be the e-mail address of the web master or some alias referring back to
support.

Example
Website URL: https://secure.clarkconnect.com/webapp/
Common Name = secure.clarkconnect.com
E-mail = accounts@pointclark.net

E-mail Signing/Encryption

Common Name
The common name is typically the full name of the individual.

E-mail Field
This field must match exactly the e-mail address of the sender who intends to include a signed
signature and/or receive encrypted communications.

Example
E-mail Address of Sender: joe.developer@pointclark.net
Common Name = Joe Developer
E-mail = joe.developer@pointclark.net

Links
● OpenSSL
● Public Key Cryptography
● CA Cert
● Certificate Authorities

Webconfig

Overview
Webconfig Information
Description: Webconfig settings.
Package Name: cc-webconfig
Configuration Page: System Settings Webconfig

The Webconfig settings page allows you to change the look and feel of the web-based interface.

Configuration
A variety of templates are available for the web-based administration tool; select the one that most
appeals to you.

Modules

Database

MySQL

Overview
Database Information
Description: MySQL relational database.
Package Name: cc-mysql
Configuration Page: Software Database MySQL Setup

The Webconfig UI for MySQL provides login configuration/management to the phpMyAdmin web
interface, a separate UI that allows full control over your MySQL databases.

Installation
If you did not select this module to be included during the installation process, you must first install
the module.

phpMyAdmin
Once you have set the database master password, you can log in to the phpMyAdmin
administration interface. Use:
Username: root
Password: <YOUR PASSWORD>
Where <YOUR PASSWORD> is the database password.

Links
● MySQL home page
● phpMyAdmin home page

Email

Antispam

Overview
Antispam Information
Description: Antispam for mail servers.
Package Name: cc-spamassassin
Configuration Page: Software Mail Antispam

The antispam software works in conjunction with your mail server. The software identifies spam
using a wide range of algorithms on e-mail headers and body text. ClarkConnect also includes
greylisting and additional blacklists -- both are effective tools that can be used to detect spam.

Installation
If you did not select this module to be included during the installation process, you must first install
the module.

Configuration

Discard Policy (Block Policy)

If you want to discard spam before it reaches mailboxes, you can configure the mail discard policy.
For example, you can discard spam marked with high probability (or higher) by using this tool.

Subject Tag

● Use Subject Tag - enable/disable e-mail subject tag when e-mail is marked as spam
● Subject Tag Threshold - spam score required to trigger a change in the e-mail subject
● Subject Tag - the subject tag to use when e-mail is marked as spam

A subject tag can be added to messages marked as spam. For instance a spam message with the
subject "Premier Invest0r Rep0rt" will be transformed into "[SPAM] Premier Invest0r Rep0rt". This
feature makes it easy for end users to identify and filter spam.

Image Processing (OCR)


Enabling Image Processing will improve the spam identification rate for spam messages containing
images. Using OCR (Optical Character Recognition), the antispam engine will convert images to
text and perform analysis on the word content of the image.

White and Black Lists

● White List - a list of e-mail addresses that should never be marked as spam
● Black List - a list of e-mail addresses that should always be marked as spam

The antispam engine includes both white and black lists. The white list is used to mark e-mail
addresses that send non-spam, while the black list is used to mark e-mail addresses that are
known spam.

Among others, newsletters and legitimate e-commerce e-mail can sometimes be marked as spam.
The e-mail addresses for these messages can be added to the white list to prevent the message
from becoming marked as spam.

E-mail addresses in the white and black lists can use the * wildcard character to match any
characters. For instance, *@example.com and *.gov will mark all e-mail from the example.com and
.gov domains.
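
The following added example (not ClarkConnect or SpamAssassin code) models the * wildcard as described above, matching any run of characters, to show which sample addresses a list entry covers and to flag entries broad enough to match look-alike domains. The lists and addresses are constructed; the case-insensitive comparison and the restriction of patterns to plain address characters are assumptions.

```shell
#!/bin/sh
# Added example: how "*" wildcard entries in white and black lists match
# sender addresses. Lists and addresses are constructed samples.
set -eu

WHITE_LIST='*@example.com *.gov newsletter@shop.example.net'
BLACK_LIST='*@spam.example.org *.example.com promo*@example.com'

# Lower-case an address or pattern (assumption: matching ignores case).
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Accept only address characters plus "*", so that no other shell glob
# character ("?", "[", "\") can change the meaning of a pattern.
valid_pattern() {
    case "$1" in
        ''|*[!A-Za-z0-9@._+*-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the first pattern in list $2 that matches address $1.
# Returns non-zero when no pattern matches.
first_match() {
    addr=$(lower "$1")
    set -f                      # no filename expansion while splitting $2
    for pat in $2; do
        valid_pattern "$pat" || continue
        pat=$(lower "$pat")
        # An unquoted $pat is a glob matched against the whole address,
        # so "*" may also span "@" and ".".
        case "$addr" in
            $pat) set +f; printf '%s\n' "$pat"; return 0 ;;
        esac
    done
    set +f
    return 1
}

# Report which list(s) cover an address: white, black, both or none.
classify() {
    w=no; b=no
    first_match "$1" "$WHITE_LIST" >/dev/null && w=yes
    first_match "$1" "$BLACK_LIST" >/dev/null && b=yes
    case "$w$b" in
        yesyes) echo both ;;
        yesno)  echo white ;;
        noyes)  echo black ;;
        *)      echo none ;;
    esac
}

# A "*" that is not directly followed by "@" or "." can match look-alike
# domains: "*example.com" also matches "user@badexample.com".
too_broad() {
    rest=$(printf '%s' "$1" | sed 's/\*[@.]//g')
    case "$rest" in
        *\**) return 0 ;;
        *)    return 1 ;;
    esac
}

for a in news@example.com Alerts@Agency.GOV bob@mail.example.com \
         user@badexample.com promo-list@example.com; do
    printf '%-26s %s\n' "$a" "$(classify "$a")"
done

for p in '*@example.com' '*example.com'; do
    if too_broad "$p"; then
        echo "$p: too broad, also matches user@badexample.com"
    else
        echo "$p: limited to one domain"
    fi
done
```

An address reported as "both" is covered by entries in each list and is worth reviewing by hand.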

Improving Effectiveness

Spam Training
You can improve the effectiveness of the antispam engine by training the antispam
engine.

Greylisting and Blacklists


ClarkConnect also includes Mail Filters (Greylisting) and additional blacklists -- both are effective
tools that can be used to detect spam.

Links
● SpamAssassin website

Antispam - Quarantine

Overview
Antispam - Quarantine Information
Description: Antispam for mail servers.
Package Name: cc-dspam
Configuration Page: Software Mail Antispam - Dspam

The Dspam antispam system tracks e-mail by mailbox. In other words, the antispam system bases
its decisions on individual spam databases for each user on the system.

Installation
If you did not select this module to be included during the installation process, you must first install
the module.

Since the Dspam antispam solution requires specific details about mailboxes and aliases, the
software is not available on systems configured as a mail gateway. For example, a message
destined to sales@example.com forwarded to an Exchange server may end up in both Mary's and
David's mailboxes. It is not possible for the Dspam system to determine this information in mail
gateway mode.

Configuration

Signature Location
The antispam system tracks important elements and statistics on every e-mail message that you
receive. This information is then stored as a "signature" -- basically a unique identification number.
To train the antispam system (see next section), this signature must be included in an e-mail. You
can track these signatures either in the body of the message, or in the message header.
Headers
● advantage: does not clutter the body of e-mail messages
● disadvantage: message must be forwarded as an attachment to train the antispam system
Body
● advantage: message can be forwarded (no attachment) to train the antispam system
● disadvantage: spam signature clutters the body of e-mail messages

Subject Tag
Select the subject tag used to mark any message deemed to be spam.

Improving Effectiveness - Spam Training


You can improve the effectiveness of the antispam engine by training the spam engine.

Links
● Dspam

Antispam - Training

Overview
You can improve the effectiveness of the antispam systems on your ClarkConnect system by
identifying:
● Messages that were spam, but not identified as such
● Messages that were innocent, but identified as spam (false positive)

With a week or two of diligent training with these messages, you can expect to see a more
effective antispam engine.

Installation
At least one of the antispam engines must be installed on your system.
● SpamAssassin
● Dspam

Training
There are two ways to train the antispam systems on your ClarkConnect system: webmail and
mail-forwarding.

Webmail
Training the antispam system via webmail is simple and more effective. Simply select the
messages that you wish to process and press either the Report as Spam or Report as Innocent
buttons (see screenshot). You will then be shown a confirmation message before the actual
processing takes place.

E-mail Forwarding
Training via e-mail forwarding is available in version 4.1 or later.
Training via e-mail forwarding is not as effective since information is lost when you forward a
message. If you decide to use this method, there are two e-mail addresses used for training:
● train.notspam@example.org -- e-mail address for messages incorrectly identified as spam
● train.spam@example.org -- e-mail address for spam that was not identified as such

In order to use this style of spam training, messages must be forwarded as an attachment (see
screenshot).

Links
● Dspam

Antivirus

Overview
Antivirus Information
Description: Antivirus for mail servers.
Package Name: cc-clamav
Configuration Page: Software Mail Antivirus

The antivirus system scans mail messages as they pass through your mail server.

Installation
If you did not select this module to be included during the installation process, you must first install
the module.

Configuration

Mail Policies
When configuring the antivirus system, you must make some mail policy decisions. There are three
types of policies available:
● Bounce - bounce the e-mail
● Discard - silently discard the e-mail
● Pass Through - send e-mail with warning (original sent as an attachment)

Virus Detected Policy


When a virus is detected, you can choose to either discard the message, or pass the message
through. We recommend discard mode for most installations.

Banned File Extension Policy


The antivirus software not only performs virus scanning, but also manages file attachment policies.
Certain types of file attachments are prone to viruses. The ability to block attachments by file
extension is another layer of security for your mail system.

Banned File Extensions


Select the file extensions that you wish to ban from going through your mail system. Both internal
and external mail are checked.

Links
● ClamAV web site

Aliases

Overview
Aliases Information
Description: Mail server aliases tool.
Package Name: cc-postfix
Configuration Page: Software Mail Aliases

Mail aliases allow you to route extra e-mail addresses (for instance sales@, info@, etc) to one or
more e-mail addresses. This tool can also be used to create mail distribution lists - for example,
staff@example.com can be used to send e-mail to all users on the system.

Installation
If you did not select this module to be included during the installation process, you must first install
the module.

Configuration

Add Mode
When you first click on the "Mail Aliases" navigation link, current aliases set up by domain will be
displayed (along with Edit and Delete options) and a form below this list provides the fields
required to add a new alias. In other words, you are in "add mode".

As an example, if you wanted to create an email alias mapping veruca.salt to a user that you had
created on the system named 'veruca', enter "veruca.salt" in the "Alias" field and select "veruca"
from the "Available" mail accounts list, then click "Add".

There is no limit to how many mailbox accounts an aliased name can be sent to. For example, if
you wanted all three people to receive all email sent to the address "sales@yourdomain.com", you
could add the alias "sales" and select the three users on the "Available" list. Multiple users can be
selected by holding down the "Control" key on your keyboard while clicking on the user in the list.

Edit Mode
To enter "edit mode", you must have at least one alias present. Click on the "Edit" link next to the
alias you wish to edit. The form below will now display which of the available recipients are set up
as aliased (highlighted) and which are not (listed as available but not highlighted). Select/deselect
amongst the available recipient names using the "Control" key and your mouse and click "Update"
to save your settings.

Add External E-mail (Mail Forwarding)


Mail forwarding to another address/server can be done by adding the e-mail address to the External
E-mail field and clicking on the "Add" link, as shown in the screenshot below.

Troubleshooting
If you are working with multiple domains on your system (i.e.
virtual domains are being used), make sure to select the
correct domain from the drop down list prior to starting your
edits.

Links
● Adding users to the server

Mail Archive

Overview
Aliases Information
Description: Mail archival system for mail servers.
Package Name: cc-archive
Configuration Page: Software Mail Archive

The Mail Archival System logs all incoming and outgoing e-mail passing through the gateway to a
central database. This module can be used to meet regulatory compliance or assist an
organization to enforce internal policies for e-mail use in the workplace.

Installation
If you did not select this module to be included during the installation process, you must first install
the module.

This module is only available for ClarkConnect Office/Enterprise Edition, 4.2 and
above.

Configuration
On first configuring the mail archiver after installation, a warning will be displayed prompting the
user to initialize the database. This is perfectly normal and should be done before continuing.

A table containing three form tabs is displayed as indicated in the screenshot above.
● Mail Archive Settings - General configuration settings
● Current Statistics - Data and actions relating to the current database
● Search Statistics - Data and actions relating to the search database

The difference between the Current and Search databases is explained below.

E-mail Archive Settings


Activation and configuration of the email archive system can be done via the "Mail Archive
Settings" tab. The section below explains each setting in detail.

Archive [Enable/Disable]
Enables or disables the archiving of email passing through the SMTP server.

Policy
Allows an administrator to archive all email passing through the server or restrict (exempt) certain
users, as required. Set this to "All messages" to archive email for every user. Select "Filter
messages" to configure a filter to archive only some users' email.

Configure (Policy)

A configure link will be displayed when "Filter messages" is selected as the policy. Click on this link
to 'fine tune' which users' email should be archived.

Discard Attachments
The "Discard Attachments" drop down option is only available when the "Policy" is set to "All
messages" - otherwise, discarding of attachments is done in the 'Configure' page.

To save on storage space (and assuming attachments are not required to be archived either by
corporate policy or law), select "Always". Otherwise, select a level in which attachments should be
discarded (i.e. "Never", > 1MB etc.).

Files which are identical but attached to different e-mails as attachments only consume the size of
the file, not N x the size of the file, where N is the number of emails going through the archive
system with the same attachment.

Auto Archive
Auto archive controls the movement of archive data from the "Current" database to an archived
file. This allows the email archive to be easily moved from the server to a storage medium (for
example, another server, a USB Mass Storage Device, a tape drive etc.) for safe storage. All
emails that have been archived to this file can be retrieved and searched at a later date, if required.
Use this field to provide consistent archive files for a given period (i.e. weekly or monthly) or of a
certain size (i.e. a DVD etc.).

Encrypt Archives
The transition of data from the database to a dump file can be encrypted to prevent unauthorized
access. This can be extremely important (and may be required by law) if e-mails contain
confidential information.

AES Encryption Password


The password used to encrypt the archive file if "Encrypt Archives" is set to "Yes". By default, this
password must be at least 12 characters and contain both upper and lower case letters and at
least 1 number.

Twelve characters was chosen as a length to ensure the security of the encrypted
file. If a smaller password is desired, you can override this setting in the
/etc/archive.conf file by setting the 'encrypt-password-length' parameter.

Searching the Database Archives

Current vs. Search Database


The mail archive operates using two databases. The 'Current' database is used to retrieve and
store new messages arriving from the SMTP (mail) server. The 'Search' database is a transient
database - its contents can be deleted and replaced with data corresponding to the search
requirements and space of the drive.

The dual-database system is designed for maximum scalability. A single database could quickly
become of such enormous size that an administrator would be continually adding drive storage
space to accommodate the email archives. By giving the user the ability to take certain sized (or
certain periods of time) snapshots from the current database and allowing one or more to be
loaded to the 'Search' database, searching for past emails can be done quickly and efficiently
without the overhead of hundreds of GB of disk space.

Think of the search database as a 'sandbox', where archives can be dumped,
searched and then removed (reset).

The Current Database


The current database contains all archived emails since the last file archive was performed. A
file archive can either be performed manually or can occur automatically if the Auto Archive setting
is enabled and triggered.

Performing a Search
To view how many emails and the approximate size of the archive in the 'Current' database, click
on the Current Statistics tab.

Click on the Search button. A new form will be displayed allowing you to enter your search criteria.


Using the add links you can customize your search using a maximum of five (5) criteria using
either AND or OR logic (Match all vs. Match any). The results from your search will be displayed in
the results table below.

The Search Database


The Search Database will normally be empty until at least one file-based mail archive restore is
performed (or if data from a prior search is still in the database). Remember, the Search Database is
designed to be reset often so that you can work with datasets that will scale with the
ever-increasing demands of archived e-mails.

To restore a file-based archive, click on the Restore Archive button.

All prior restores will be listed in the Archives table. Rows with a green status mean the link is
intact (archive exists on the server). Rows with a red status icon indicate the link is broken. If you
need to restore from a file whose status is red (broken link), you will need to use Flexshare and the
storage device where the archive was moved to in order to re-establish the link.

Simply click on the Restore button to start a restore to the Search database. Once complete, you
can Search the database as normal.


Performing a Search
To navigate to the Search Database, go to the Mail Archive page and click on the Search
Statistics tab. If there is data that you wish to search in the database (given the statistics you may
find that there is data, but you do not remember which file archive it originates from - in this case, it
is advised to reset the database and start again), click the Search button. A search form will be
displayed - the same as occurs when you are searching the Current Database.

You can toggle between searching the Current and Search databases by selecting the appropriate
radio button in the search form.

Enter your search criteria and click Search. Any hits (results) will be displayed in the
table below.

Resetting the Search Database


Since the Search Database is simply a MySQL database created by the import of one or more
archive files, it is perfectly safe to Reset the search database to reinitialize the database. You may
want to reset the search database to make searching the database faster or because
searching an entire index (i.e. mail archive over several years) becomes too large a dataset for
your existing hard disk.

Viewing/Restoring E-mails
Once an e-mail has been found using a search procedure, click on the View link next to the e-mail
of interest. A new page will be displayed containing the email body contents.

Original Header
It is sometimes of interest to view the original e-mail header. This information is stored in the archive
database and can be viewed by clicking on the Original Header link (a '+' icon).

The screen capture below displays an e-mail view with the headers expanded.


Sending
To resend the email (either to the original recipient or a separate user), click on the Resend E-
mail link. A new form will appear allowing you to resend the email.

Resending the e-mail uses the SMTP relay module...make sure it has been
configured correctly to send outgoing mail through your local mail server or your
ISP.

Admin (root) account vs. Users Account


The mail archives (both current and search databases) can be searched by the system
administrator (logged in under the 'root' account) or by users. To give users access to the archive,
use the System Administration ACL to grant access to specific users to the Mail Archive module.
When logged in as 'root', all emails will be returned from a search query. However, when logged in
as a 'user' system administrator, only email that has been sent to or by the user will be returned
from a search query. In other words, users can view/restore mail that was sent or received by
them, but no one else.

Advanced Users

Accessing the Database


This module makes use of the system MySQL service for the database back-end. The system
MySQL server is a 'sandboxed' service running on a non-standard port. To access the database
from the command line, you will need to fetch the database password:


# cat /etc/system/database

password = AAAAAAAAAAAAAAA
reports.password = BBBBBBBBBBBBBB
zoneminder.password = CCCCCCCCCCCCCCC
archive.password = PASSWORD
dspam.password = DDDDDDDDDDDDD

The email archive database password is keyed on 'archive.password'.
Next, you'll need to access the MySQL console in a slightly different manner than the default
MySQL server.

/usr/share/system-mysql/usr/bin/mysql DBNAME -uUSER -pPASSWORD

Where:
DBNAME = archive_current or archive_search
USER = archive
PASSWORD = the password retrieved from the /etc/system/database file
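
Added example, not part of the original manual: the -pPASSWORD form above puts the password on the command line, where it can end up in shell history and in the process list. The sketch below reads 'archive.password' from /etc/system/database and passes it to the client through an owner-only option file instead. The function names, the temporary file name and the MYSQL_BIN variable are assumptions made for this sketch; --defaults-extra-file is a standard MySQL client option.

```shell
#!/bin/sh
# Added example: open the archive database without a password on the command line.
# MYSQL_BIN and the function names below are chosen for this sketch.
MYSQL_BIN=${MYSQL_BIN:-/usr/share/system-mysql/usr/bin/mysql}

# Print the value stored under an exact key in a "key = value" file.
# An exact match matters: the file also holds "password" and "reports.password".
get_db_password() {
    awk -v key="$1" '
        {
            pos = index($0, "=")
            if (pos == 0) next
            k = substr($0, 1, pos - 1)
            v = substr($0, pos + 1)          # keep any "=" inside the password itself
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "${2:-/etc/system/database}"
}

# Write a [client] option file readable only by its owner and print its path.
# The body runs in a subshell so the umask change does not leak to the caller.
write_client_cnf() (
    umask 077
    cnf=$(mktemp "${TMPDIR:-/tmp}/archive-client.XXXXXX") || exit 1
    # The value is quoted so a "#" in the password is not read as a comment.
    # Assumption: the password contains no double quote or backslash.
    printf '[client]\nuser=archive\npassword="%s"\n' "$1" > "$cnf"
    printf '%s\n' "$cnf"
)

# Open the MySQL console on archive_current or archive_search.
archive_mysql() {
    case "$1" in
        archive_current|archive_search) ;;
        *) echo "usage: archive_mysql archive_current|archive_search" >&2; return 2 ;;
    esac
    pw=$(get_db_password archive.password)
    [ -n "$pw" ] || { echo "archive.password not found" >&2; return 1; }
    cnf=$(write_client_cnf "$pw") || return 1
    # --defaults-extra-file must be the first option given to the client.
    "$MYSQL_BIN" --defaults-extra-file="$cnf" "$1"
    rc=$?
    rm -f "$cnf"
    return "$rc"
}

# Run only when a database name is passed, e.g.: sh archive-mysql.sh archive_search
if [ "$#" -gt 0 ]; then
    archive_mysql "$1"
fi
```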

Troubleshooting

What if I forget my password?


In a word: don't. If you forget your archive password, there is absolutely no way to recover any e-
mail from the encrypted mail archive file.

Links
Using Flexshares

Mail Filters (Greylisting)

Overview

Greylisting Information
Description Greylisting and filters for mail servers.
Package Name cc-filters
Configuration Page Software Mail Filters

Greylisting and mail filters are extra tools to prevent spam from reaching your users' mailboxes.

Installation
If you did not select this module to be included during the installation process, you must first install
the module.


Configuration

Greylisting
Greylisting can dramatically reduce the amount of spam reaching your mailboxes. When the
service is enabled, a mail message that is not recognized will be gently rejected. If the mail
message is legitimate, the sending mail server will re-attempt subsequent deliveries and the
ClarkConnect server will then accept it. For the most part, spammers do not bother with the second
delivery attempt and this results in less spam. The parameters that you can use to fine tune the
greylisting engine are described below.

Status
State of the greylisting engine.

Delay
The amount of time that must pass before a subsequent delivery attempt is allowed.

Data Retention Time


The greylisting engine keeps track of both mail servers and sender e-mail addresses for a
specified amount of time (default is 35 days). If a message from a validated sender or server arrives,
the greylisting engine will accept delivery on the first attempt. For example, if dave@example.com
sends an e-mail to one of your users on a weekly basis, only the very first mail message is
delayed. All subsequent messages are delivered automatically since dave@example.com has
been validated.
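
Added example, not ClarkConnect's or Postgrey's own code: a replay of the decision logic described above over a constructed list of delivery attempts, showing how the Delay and Data Retention Time settings interact. It assumes entries are keyed on the (server address, sender) pair and that the retention time is counted from the last accepted message; the 300-second delay is a sample value.

```shell
#!/bin/sh
# Added example: replay greylisting decisions over a list of delivery attempts.
# Input lines: "<epoch-seconds> <server-ip> <sender>", in time order.
# $1 = delay in seconds, $2 = data retention time in seconds.
greylist_replay() {
    awk -v delay="$1" -v retention="$2" '
    {
        now = $1
        key = $2 " " $3

        # A validated pair that has been silent longer than the retention
        # time is forgotten and has to pass the delay again.
        if ((key in validated) && now - validated[key] > retention) {
            delete validated[key]
            delete first_seen[key]
        }

        if (key in validated) {
            validated[key] = now           # known pair: accept on first attempt
            verdict = "ACCEPT"
        } else if ((key in first_seen) && now - first_seen[key] >= delay) {
            validated[key] = now           # retried after the delay: validate it
            verdict = "ACCEPT"
        } else {
            if (!(key in first_seen)) first_seen[key] = now
            verdict = "DEFER"              # temporary rejection, sender may retry
        }
        print now, $2, $3, verdict
    }'
}

# Constructed sample traffic (documentation addresses, not real log data).
sample_attempts() {
    cat <<'EOF'
0 192.0.2.10 dave@example.com
60 192.0.2.10 dave@example.com
400 192.0.2.10 dave@example.com
500 198.51.100.7 bulk@example.net
604800 192.0.2.10 dave@example.com
3628801 192.0.2.10 dave@example.com
EOF
}

# 300 s delay (sample value), 35 days retention (the default named above).
sample_attempts | greylist_replay 300 $((35 * 86400))
```

The retry at 60 seconds is still deferred because it arrives inside the delay, and the last attempt is deferred again because more than 35 days have passed since the pair was last seen.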

Blacklists
ClarkConnect provides extra mail blacklists to protect against spam. You can enable or disable this
blacklist at any time.

Links
● Postgrey
● SA-Blacklist


Maildrop

Overview

Maildrop Information
Description Fetchmail/maildrop software to fetch mail from external servers.
Package Name cc-fetchmail
Configuration Page Software Mail Maildrop

The fetchmail package can conveniently retrieve mail from other servers allowing the
'centralization' of e-mail on a single server.

Installation
If you did not select this module to be included during the installation process, you must first install
the module.

Configuration
Any number of servers can be added to the maildrop list using the "Add Maildrop Entry" form. The
interval polling time can be configured from 1 minute up to 3 hours.

Field Description
Server The server name. For example, gmail.com.
Protocol The server protocol. Currently, POP3, IMAP and APOP protocols are
supported. If you do not know the protocol, you can have the system auto-
detect by selecting 'auto'.
Username This is the username on the source server.
Password This is the password on the source server.
Local User This is the username of a mail account configured to receive mail on the
server you are configuring.
Keep on Server Enable this checkbox to leave a copy of the mail on the server.
Active Enable this checkbox to start polling the remote server for mail to fetch.

As with any other POP3 or IMAP connection, your username and password for the
mail account on the destination mail server will be passed in clear text.

Troubleshooting
Have a look at the system logs if you are having problems. The fetchmail daemon logs to
/var/log/maillog. Ignore any entries you see similar to:

Server CommonName mismatch: localhost.localdomain != mail.pointclark.net


This entry is a result of fetchmail attempting to use SSL for authentication.

Links
● Fetchmail Home Page

POP and IMAP

Overview
POP and IMAP Information
Description Mail access for desktop mail clients.
Package Name cc-cyrus
Configuration Page Software Mail POP and IMAP

ClarkConnect provides both POP and IMAP servers for providing mail delivery to desktop clients.

Installation
If you did not select this module to be included during the installation process, you must first install
the module.

Configuration

Server Configuration

Mail Server Protocols


The mail server supports four different protocols (see screenshot):
● IMAP
● Secure IMAP
● POP
● Secure POP


We strongly suggest using the secure protocols if possible. Keep in mind, you will need to generate
an SSL Certificate to enable the secure protocol.

Push E-mail
Some mail clients support the push e-mail feature (also known as the IMAP Idle feature). With this
feature enabled on both the server and client, e-mail will appear in your mailbox as soon as it
arrives. This feature is most useful on wireless and hand held devices. The following mail clients
are known to support push e-mail (IMAP Idle):
● Thunderbird - Many platforms
● Chattermail - Palm Treo
● FlexMail - Windows Mobile

Mail Client Configuration

Secure POP - Mozilla Thunderbird


If you are using Mozilla's Thunderbird, click on "Tools > Account Settings", then select "Server
Settings" from the navigation bar. Ensure the "Use secure connection (SSL)" checkbox is enabled.


Secure POP - MS Outlook/Outlook Express


For Outlook and Outlook Express, click on "Tools > Accounts", select the account you wish to
configure and click on the Properties button.


Next, click on the "Advanced" tab, and ensure the "This server requires a secure connection
(SSL)" checkbox is enabled.


Secure POP - Other Mail Clients


For other mail clients, similar set-up/configuration will exist. Please refer to documentation for your
mail client for specific instructions.

Troubleshooting
Do not forget to open up firewall ports for e-mail. You only need to open the POP or IMAP ports if
you plan on picking up your mail from outside your local network. The default ports are listed
below:
● POP - 110
● Secure POP - 995
● IMAP - 143
● Secure IMAP - 993

Links
● Dovecot Secure IMAP Server
● Setting up a Mail Server - SMTP
● Adding Users
● Adding incoming firewall rules

Mail Server - SMTP

Overview
Mail Server - SMTP Information
Description SMTP/MTA mail server.
Package Name cc-postfix
Configuration Page Software Mail SMTP Mail Server

You can manage your own mail server. There are a number of reasons this might be
advantageous:
● Ability to have a customized user and domain name - i.e. anyone@anydomain.com
● Mailboxes limited only by hard disk storage capacity and your own administration settings
● Alias support - i.e. sales@yourcompany.com can be sent to bob@yourcompany.com and
joe@yourcompany.com
● No waiting around for new users to be added
● Custom antispam control
● Antivirus support
● Privacy
● Full control

Services
Point Clark Networks provides an MX backup service for mail servers. Please visit the Gateway
Services page for details.

Installation
If you did not select this module to be included during the installation process, you must first install
the module.


Configuration

SMTP Mail Configuration

General Settings
The Hostname does not have to be related to the e-mail domains that you host. It can be ANY
valid Internet name for your machine. For example, you may wish to have a dedicated mail server
on your network. In this case, you might want to name this machine mail.yourdomain.com. This
would be the Hostname you would enter.

The Primary Domain field indicates the domain name this server will act as an SMTP/Mail server
for. If you have a single domain name that you receive mail for, enter the domain here.

If the SMTP Authentication field is set to on, any client attempting to send mail through the server
must supply a username/password before the server accepts mail for delivery.

The Maximum Message Size sets the maximum size of an individual mail message. Most Internet
service providers (ISPs) block mail larger than 10 or 20 MB, so do not expect to have larger
messages delivered to outside users. Due to the way e-mail systems work, an attached file may be
50% larger once attached.

The Catch-All setting can be used to catch mis-addressed e-mail and deliver it to a specific user
account. We highly recommend avoiding this feature for the following reasons:
● Your system will scan all messages for viruses and spam instead of bouncing the message
right away. This means more system resources (CPU, RAM) are required.
● Your system will attract more spam. Spammers will avoid invalid e-mail addresses, but
setting a catch-all user means all e-mail addresses to your domain are valid.

SMTP Authentication - Thunderbird


For Mozilla's Thunderbird, click on "Tools > Account Settings" and then click on the "Outgoing
Server (SMTP)" field. You should see a window similar to the screenshot below.


Ensure the "Use name and password" setting is checked and enter the username of the mail
account in the username field. The password will be requested by the mail client application on the
first attempt to send mail. There will be an option to save it to the "Password Manager" so that you
do not have to enter it each time you send mail through the server.

SMTP Authentication - MS Outlook/Outlook Express


If you are using MS Outlook/Outlook Express, click on "Tools > Accounts". Select the account
which will use this mail server to send mail and click on the "Properties" button.


Make sure the "My server requires authentication" checkbox is checked. Click on the "Settings" button to
enter the details of your username/password.

Setting the Catch All User to a valid user on the server will pass all mail sent to an "Unknown
user" to this account. To bounce mail addressed to an invalid recipient, set it to Return to sender.

Trusted Networks
The trusted networks setting is a list of networks that are allowed to send mail through the SMTP server.
Dynamic IPs should not be added to this list. It is important that you do not make an error with this
parameter. The default setting allows any user with a 192.168.x.x address to send e-mail through the
server. If you use a 10.x.x.x address, you should add 10.0.0.0/8 to the list of trusted networks.
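
Added example, not part of the original manual: a check that can be run over a copy of the trusted networks list before it is saved. Entries that lie entirely inside private (RFC 1918) or loopback address space are marked PRIVATE and everything else is marked REVIEW, which catches a mistyped prefix length as well as public or dynamic addresses. The function names and the sample list are constructed for this illustration.

```shell
#!/bin/sh
# Added example: classify trusted-network entries (a.b.c.d or a.b.c.d/len), one per line.
audit_trusted_networks() {
    awk '
    # Dotted quad to integer, or -1 if malformed.
    function ip2int(s,    o, i) {
        if (split(s, o, ".") != 4) return -1
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return -1
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    # True when ip/len lies entirely inside net/plen.
    function within(ip, len, net, plen,    size) {
        size = 2 ^ (32 - plen)
        return len >= plen && int(ip / size) * size == ip2int(net)
    }
    NF == 0 || /^#/ { next }
    {
        n = split($1, part, "/")
        ip = ip2int(part[1])
        len = 32
        if (n == 2 && part[2] ~ /^[0-9]+$/)
            len = part[2] + 0
        else if (n != 1)
            ip = -1
        if (ip < 0 || len > 32) { print "INVALID", $1; next }

        if (within(ip, len, "10.0.0.0", 8) ||
            within(ip, len, "172.16.0.0", 12) ||
            within(ip, len, "192.168.0.0", 16) ||
            within(ip, len, "127.0.0.0", 8))
            print "PRIVATE", $1
        else
            print "REVIEW", $1      # reaches public address space: check before trusting
    }'
}

# Constructed sample list: two correct entries, a mistyped prefix length,
# a single public host and a catch-all entry.
sample_trusted_networks() {
    cat <<'EOF'
192.168.0.0/16
10.0.0.0/8
192.168.0.0/8
203.0.113.25
0.0.0.0/0
EOF
}

sample_trusted_networks | audit_trusted_networks
```

In the sample, 192.168.0.0/8 is flagged because a /8 prefix covers all of 192.x.x.x, not just the private 192.168.x.x range.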

Outbound Relay Hosts


Some ISPs will block all traffic on port 25 unless it is destined for their mail servers. In this case,
you would want to specify your ISP's mail server as the Outbound Relay Host.

In addition, if you are subscribed to the ASP Antivirus service and want to scan your users'
outgoing mail, you should enter the following: antivirus.pointclark.com

This address points to a cluster of three (or more) mail servers. The change is required since the
newer version of Postfix included with ClarkConnect supports only one outbound relay host.


Additional Domains

Destination Domains
If your company/organization has multiple domains and you wish to receive email sent to any user
for any of the domains, enter additional domains to the Destination Domains list. For example, if
our primary domain was set up to be "pointclark.net" and we wanted all emails sent to the following
registered domains to be valid:
● pointclark.com
● pointclark.org
● clarkconnect.com
● clarkconnect.org
we would add the bulleted domain list above to the "Destination" domains list.

Virtual Domains
Use the "Virtual Domains" list if you are using ClarkConnect as an SMTP server for multiple clients.
By adding to the Virtual Domains list rather than the Destination Domains list, you will have
complete control over which user receives mail for a particular domain.

Mail Forward Domain List


If you are configuring your server as a mail gateway, add the domain name to the "Mail Forward
Domain list". If the antispam engine is installed and running on the server, mail will be subject to
the spam identification rules you have configured. Similarly, if the antivirus module is installed and
running, all mail for the domains will be scanned before passing the mail on to the destination
server.
● Follow the link for more information on Configuring an Antivirus and Antispam Gateway.

Troubleshooting

Firewall
Do not forget to open up firewall ports for your e-mail server: port 25 on the firewall configuration
page.

ISP Blocking
Some ISPs are known to block SMTP (port 25) traffic to residential broadband connections in an
attempt to cut down on spam originating from their network. If you think your configuration is set
up correctly and you suspect your ISP is blocking SMTP traffic, try a port scan.

Virtual Domains
If you are using the server to provide mail service to multiple domains (virtual domains), it is
advisable to set up all domains on the system as virtual and enter a false domain (ie.
placeholder.com) in the "Primary Domain" field. Otherwise, all users would have access to the
domain listed in the primary domain field.

Links
● Setting up a POP/IMAP server
● Postfix Documentation
● Adding incoming firewall rules
● Setting up your Mail Server - Flash Tutorial Series


Webmail

Overview
Webmail Information
Description Web-based mail system.
Package Name cc-horde
Configuration Page Software Mail Webmail

A web-based e-mail solution ideal for allowing users 'on the road' and without a mail client to
access mail on the server using any computer connected to the Internet.

Installation
If you did not select this module to be included during the installation process, you must first install
the module.

This module is described as the "Web Access Module" under Webconfig's "Software
Modules" list.

Accessing Webmail
● The webmail system runs on port 83 on the HTTPS protocol. To access the system type
https://192.168.1.1:83/ or https://yourdomain.com:83/
● If webmail access is required from the Internet, please allow connections to port 83
(webmail) on the firewall.
● Web-based mail requires the IMAP server to be running.
● Users will receive a pop-up warning in their web browser similar to that shown below. This
is normal and does not diminish the fact that the connection is encrypted and secure. If
desired, you can customize and manage the secure certificate using the SSL Certificate
Manager.


Vacation / Auto-Reply
The webmail system includes a vacation / auto-reply system. To access this feature:
● Login to your webmail account
● Click on Mail Filters in the menu
● Select the Vacation filter

Links
● Horde Web Site
● Adding incoming firewall rules

File Services

Flexshare

Overview
Flexshare Information
Description A file collaboration utility.
Package Name cc-flexshare
Configuration Page Software File Services Flexshare

Flexshare is a flexible and secure collaboration utility which integrates four of the most common
methods of accessing files or content:
● Web (HTTP/HTTPS)
● FTP (FTP/FTPS)
● File Shares (Samba)
● E-mail (SMTP/MIME/SMIME)

It is an extremely powerful and versatile tool that has many uses. The example below (a
hypothetical engineering consulting firm Eng-123 and its client OEM-XYZ) describes a Flexshare
and a typical working environment.

A Flexshare might be defined on a server owned by Eng-123 after successfully bidding on an
engineering project for OEM-XYZ. CAD files (engineering drawings) associated with the project's
design are centrally located on the server and should be accessed only by the users included in
Eng-123's engineering group. The file-sharing (Samba) Flexshare definition is used to allow
restricted access to this directory from the Local Area Network (LAN) or over Virtual Private
Network (VPN) tunnels in the event engineers work remotely.

By adding Flexshare's FTPS (secure FTP) access, configured to require a username/password
for read-only permission, the project manager of OEM-XYZ can have access to the drawings at
any time from anywhere on the Internet. The increase in productivity by allowing real-time access
to the CAD drawings keeps the project on track and negates having to e-mail CAD files which are
often large and not ideal for e-mail transfers.

In the event Eng-123 and OEM-XYZ want to track schedule 'snapshots' of an OpenOffice Calc
document or notes on the design phase in PDF format, Eng-123's administrator configures
Flexshare's email upload access. Both companies can now send signed/encrypted emails to a
single email address where the attachment (a .ods or .pdf file extension in this case) is
automatically stripped from the email and stored on the server. These same files can then be
accessed by web, FTP or file share, providing the added benefit of having a historical view of
the entire project.

Nearing the completion of the project, OEM-XYZ's sales/marketing team make a request to have
an assortment of images created from the CAD software's rendering engine from 3D wire-frame.
Flexshare's web access, set-up with unrestricted access, gives the sales team the images they
need to begin pre-selling - with just a browser and a URL provided.

The above illustrates just one possible use of Flexshares. Much simpler Flexshares can be
created for every-day tasks common to any small business such as hosting and updating a
website, creating user-restricted file shares or using e-mail as a simple file transfer utility.

Installation
If you did not select this module to be included during the installation process, you must first install
the module.

You will also need to install one or more of the following modules to enable functionality for the
following services:
● Web access - cc-httpd
● FTP access - cc-proftpd
● File access - cc-smbd
● E-mail upload - cc-postfix, cc-cyrus


Configuration

Share Overview
Once the system user has been updated with the password provided, you will be presented with
the Flexshare Overview.

The first table lists the shares you have currently defined, allowing you to quickly view which
access methods are enabled in addition to overall Flexshare status (either enabled or disabled).
You can Edit, Delete and Toggle the status of each Flexshare using the Action links in the right
hand column. Of course, if no Flexshares are defined, the Action links will not be visible.

The second table allows you to define (create) a new Flexshare. See Creating a New Flexshare
below.

Creating a New Flexshare


To define a new Flexshare, fill out the Name and Description fields and select a Unix group to
represent the share owner in the Add a new Flexshare form. A Flexshare template will be created
(with no access and disabled by default). The Editing a Flexshare form will be displayed, allowing
you to customize the share options and enable access options.

Editing a Flexshare
You can make edits/changes to any defined Flexshare at any time. A newly created Flexshare will
have no access points enabled, so you will want to configure at least one service (Web, FTP,
Filesharing or E-mail) to take advantage of the share you have created.

To begin editing a Flexshare, you'll need to select which access point you want to modify.


Select the appropriate tab and use the help sections below to guide you through each type of
access point and the options that are available.

Changes will take place immediately upon clicking the Update button if the share is
enabled.

Web

Configuring Flexshare's Web access enables anyone (or authorized users only) to use a web
browser to navigate to a website in order to view content, interact with a dynamic web page (for
example - a PHP or CGI enabled online store) or download files from an index listing.

One of the most common uses of Web access is to configure a Flexshare to define
settings for a company website.

The rest of this section will describe the different settings that will modify the behaviour of a Web
accessible Flexshare.

Enabled
Indicates the current status of the Web Access for a Flexshare. Note, even though the Web
Access point is enabled, the overall Flexshare must also be Enabled in order to work.

Use the Enabled/Disabled link at the bottom of the form to toggle the status.

Last Modified
A timestamp indicating the last time a change was made to the Web Flexshare configuration.

Server Name
The server name (domain name) that will be used to access this Flexshare. If the default ports are
being used (ie. 80 for HTTP or 443 for HTTPS), this parameter is locked to the Server Name field
defined in the Web Server configuration. If custom ports are used, you can set this parameter to
take advantage of Apache's Virtual Host capability.

Server URL
This field (actually a hyperlink for convenience) indicates the URL which will be used to access the
share.

Accessibility
Accessibility allows you to restrict which interfaces incoming requests to the share are allowed from.
Setting this field to LAN Only essentially makes your Flexshare accessible from your Intranet only.

If set to All, make sure you have added the appropriate incoming firewall rule if the
server is the gateway, or forwarded the appropriate port on your firewall.

Show Index
If Show Index is set to Yes, browsers will display a listing of all files if there is no index page (ie.
index.html, index.php etc.). This is normally only desirable if using the Flexshare as a file access
service (similar to FTP). If you are running a website, this option should definitely be set to No.

Follow Symbolic Links


If Follow Symbolic Links is set to Yes, symbolic links leading to directories outside the document
root will be followed.

Allow Server Side Includes (SSI)


If Allow Server Side Includes is set to Yes, standard includes will be allowed. By default,
execution of code on a SSI will not occur for security reasons. To override this behavior, please
see the Flexshare API.

Allow .htaccess Override


If Allow .htaccess Override is set to Yes, the presence of a file named .htaccess will permit users
to change specific options inside the web directory. The default and recommended setting for this
parameter is No, unless you have advanced knowledge of this Apache directive.

Require SSL (HTTPS)


Determines the protocol to use - HTTP or HTTPS. If you have enabled authentication, you are
advised to set this to Yes (use HTTPS) since users will be required to provide their
username/passwords to authenticate to the server. Using HTTPS ensures this sensitive data is
encrypted.

Override Default Port


In some cases (for example, an ISP that blocks port 80), you may want to run the server on a non-
standard port. In this case, set this field to Yes and supply a valid port for the service to bind to.

Require Authentication

If set to Yes, upon first connecting to the server, a user (ie. web client) will be prompted with a
login dialog pop-up where they will enter their username/password. Before gaining access to the
Flexshare, the username/password will be confirmed as a valid account on the server. In addition,
the user must belong to at least one group that has been given access to the share as defined
in the Group Access field (see below).

Web Domain (Realm)


Indicates to the person logging in what realm they are attempting to access. The only time the
value of this field is displayed is during the authentication process. In the screenshot above, the
text "Sales Team Secure Flexshare" is the Web Domain (Realm) entry.

Group Access
Displays a list of all user-defined groups on the system (note, not system groups). A user
requiring authentication must belong to at least one group that is enabled to access the Flexshare
(checkbox in a checked state) in order to gain access to the share.

Enable PHP
Enables the execution of PHP script on the server. Any file with a .php/php4/php5 extension will be
parsed by the PHP engine rather than by Apache directly.

Enable CGI
Similar to the PHP field above, but pertaining to CGI script. CGI script, however, is isolated to the
/cgi-bin sub-directory (ie. http://beaker.lan/flexshare/sales/cgi-bin/store).

FTP
Configuring Flexshare's FTP access enables anonymous or authorized users only (or both) to use
an FTP-client to connect via File Transfer Protocol in order to upload and/or download files to the
server. The FTP protocol, while outdated, is still a prominent service today and is particularly useful
for handling large files.

One of the downsides of the FTP protocol is that it uses separate ports to control
data flow and transmit payload data which causes conflicts with firewalls (both
server and client side).

Enabled
Indicates the current status of the FTP Access for a Flexshare. Note, even though the FTP Access
point is enabled, the overall Flexshare must also be Enabled in order to work.
Use the Enabled/Disabled link at the bottom of the form to toggle the status.


Last Modified
A timestamp indicating the last time a change was made to the FTP Flexshare configuration.

Server URL
The FTP URL (or domain name) used to access the service. This parameter defaults to the
Server Name field defined in the ProFTP Server configuration. If you are having difficulty
accessing the Flexshare, see the troubleshooting section at the end of this section.

Require SSL (FTPS)


Determines the protocol to use - FTP or FTPS. If you have enabled authentication, you are advised
to set this to Yes (use FTPS) since users will be required to provide their username/passwords to
authenticate to the server. Using FTPS ensures this sensitive data is encrypted.

Override Default Port


Flexshare FTP/FTPS uses port 2121/2120 and 2123/2122 as the default ports (see bubble below
for an explanation). You can override these standard ports by setting this parameter to Yes and
entering the custom ports in the fields that will appear upon changing the override drop-down.

Unlike the Apache web-server, the ProFTP FTP-server lacks true virtual host
capability, restricting the server domain to a single entry. As a result, the ProFTP
server default ports for FTP and FTPS have been set to 2121 and 2123 respectively
to allow users/administrators to continue to use the default configuration file for FTP for
their own custom use (ie. users home directories etc.).

Allow Passive (PASV)


Allowing passive connections can improve the experience/usability of FTP access to clients
accessing the service outside the local network. However, care must be taken to open or forward
appropriate ports to your network for the port range you designate for passive exchange. For more
information on Active vs. Passive connections, see the Links section below.

Require Authentication
If set to Yes, non-anonymous authentication is required. Before gaining access to the FTP
Flexshare, the username/password will be confirmed as a valid account on the server. In addition,
the user must belong to the group that owns the share.

Group Greeting
A greeting that is displayed once when a user authenticates and has access to the FTP Flexshare.

Group Access
Deprecated in 4.2 and above
Displays a list of all user-defined groups on the system (note, not system groups). A user
requiring authentication must belong to at least one group that is enabled to access the Flexshare
(checkbox in a checked state) in order to gain access to the share.

Group Permissions
Deprecated in 4.2 and above
Files uploaded via FTP to the server require two constraints:
● Ownership (user and group)
● Permissions (user, group and world)

For authenticated connections, the first constraint is satisfied by using the username of the user
logged in and the default system group Flexshare. This allows tracking who originally uploaded
the folder, yet the generic Flexshare allows anyone who has access to the share to be able to
read (and possibly overwrite) the file.

The second constraint is dealt with by setting FTP's UMASK directive. This setting is handled by
the Group Upload Attributes parameter.

Group Upload Attributes


Deprecated in 4.2 and above
Allows you to set FTP's UMASK directive, which sets the file permissions on upload. This field
consists of three drop-down boxes, each with the same permissions options.
● List 1 - User permissions
● List 2 - Group permissions
● List 3 - World permissions

The options contained in each drop-down box contain three characters. The characters are defined
as:
● Hyphen - No permissions
● r - Read
● w - Write
● x - Execute

Allow Anonymous
Allows anonymous FTP access. Users only have to provide the username anonymous and
(usually) their e-mail address to gain access to the share. Use anonymous when you are not
providing access to restricted files and you do not want/need to create individual accounts on your
server to authenticate against.

Anonymous Greeting
Same as Group Greeting except applied to the anonymous login.

Anonymous Permissions
Same as Group Permissions except applied to the anonymous login.

Anonymous Upload Attributes


Deprecated in 4.2 and above
Same as Group Upload Attributes except applied to the anonymous login.

File

Configuring Flexshare's File access (SAMBA) enables public or authorized users only (or both) to
connect via file sharing in order to move files from desktop to the server and vice-versa.

Enabled
Indicates the current status of the File Access for a Flexshare. Note, even though the File Access
point is enabled, the overall Flexshare must also be Enabled in order to work.

Use the Enabled/Disabled link at the bottom of the form to toggle the status.

Last Modified
A timestamp indicating the last time a change was made to the File Flexshare configuration.

Comment
Allows a comment or description of the fileshare to be displayed to other computer clients
accessing the share.

Public Access
Set Public Access field to Yes if you want to allow anyone on the Local Area Network (LAN)
access to the Flexshare.

Group Access
Deprecated in 4.2 and above
Displays a list of all user-defined groups on the system (note, not system groups). A user
requiring authentication must belong to at least one group that is enabled to access the Flexshare
(checkbox in a checked state) in order to gain access to the share.

Permissions
The Permissions field determines what type of access group members (or the public, if set) have
to files on the share.

File Write Attributes


If users have write permission to this Flexshare, setting this field will set all files copied to the
server with the appropriate permissions. See Group Upload Attributes for information on these
settings.

E-mail

Configuring Flexshare's E-mail access allows the uploading of files to the server. This is
accomplished by simply attaching one or more files to an e-mail and sending it to the
corresponding Flexshare e-mail address. To place restrictions on who can upload files, mandatory
digital signatures combined with group lists and a separate Access Control List (ACL) are imposed.

Enabled
Indicates the current status of the E-Mail Access for a Flexshare. Note, even though the E-Mail
Access point is enabled, the overall Flexshare must also be Enabled in order to work.

Use the Enabled/Disabled link at the bottom of the form to toggle the status. If disabled, all email
sent to the Flexshare will automatically be deleted, regardless of the Save Attachments setting.

Last Modified
A timestamp indicating the last time a change was made to the E-mail Flexshare configuration.

Email Address
The e-mail address that users will use to upload files to the Flexshare.

Save Attachment Path


Possible options are:
● Root Directory - files will be saved to /var/flexshare/shares/FLEXSHARE_NAME
● Mail Sub-Directory - files will be saved to the /mail sub-directory off the root directory
● Specify in Subject Heading - A user can specify the path they would like the file(s)
uploaded to by using the format Dir = PATH in their subject, where PATH is the directory
path to use

Write Policy
Allows you to control overwrites if a file already exists.

Save Attachments
Setting this field to Require Confirmation keeps messages (and their attachments) in the queue.
Any file attachments will only be saved when confirmed.

Set this field to Automatically poll at 5 minute intervals to have the server initiate a check for
new messages and save the attachments automatically to the server. These files will then be
immediately accessible by the other Flexshare access methods.

Notify on Receive (e-mail)


If the Save Attachments field is set to Require Confirmation, use the Notify on Receive (e-mail)
field to enter a valid e-mail address to send an alert upon receiving new e-mails containing file
attachments.

Restrict Access
Set this to Yes to match an address to a system user or the ACL.

It is highly recommended that the Restrict Access feature is enabled to prevent
anonymous file uploads from occurring.

Group Access
Deprecated in 4.2 and above
Displays a list of all user-defined groups on the system (note, not system groups). A user sending
an e-mail with attachment(s) to the Flexshare address must belong to at least one group that is
enabled to access the Flexshare (checkbox in a checked state) in order for the file(s) to be saved.
If it is determined the e-mail sender does not have access to upload files, the e-mail will be
deleted.

E-mail ACL
Add e-mails to the E-mail ACL (Access Control List) to allow non-system accounts access to
upload files to the server via e-mail.

Require Signature
Signing e-mail using digital signatures is the only way to verify e-mail is originating from the
address it claims to be sent from. Enabling this feature will discard any e-mails and the associated
attachments which are not signed.

It is a trivial task to spoof the From Address contained in an e-mail header. Take
advantage of 4.0's SSL Certificate Manager and use signed certificates to validate
the sender's address.

File Write Attributes


Files saved to the server from e-mail attachments will use the permissions set in this
field. See Group Upload Attributes for information on these settings.

Deleting a Flexshare
Deleting a Flexshare that is currently defined can be done from the Overview page. Click on the
Delete link next to the share you wish to delete. A form similar to the one shown below will be
displayed requesting you to confirm your intention to delete the share. Checking the Delete all
files and remove share directory option will do exactly that - make sure you no longer need any
files in the share directory and all sub-directories or have backups located elsewhere.

Use the Disable share function instead of Delete in the event you want to remove
share access temporarily but not lose all your configuration settings.

Advanced Configuration

Custom Paths
In some cases, it is desirable to host a Flexshare in a location other than the default path
(/var/flexshare/shares/SHARENAME). For example, a mounted USB Mass Storage Device or an
encrypted filesystem. In this case, edit the file /etc/flexshare.conf using an editor or a utility like
SCP. The parameter key is named FlexshareDirCustom. The format of the value is name:path.
For multiple entries, each definition is separated by the pipe (|) character. The following is a valid
entry example:

FlexshareDirCustom=Iomega:/mnt/dmcrypt/Iomega|USB:/mnt/usb

The above would provide two additional paths to the drop down list of any Flexshare. The first
(Iomega) mounts an Iomega REV drive with an encrypted file-system to the path
/mnt/dmcrypt/Iomega. The second is an example of a mounted USB drive at /mnt/usb.
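
A custom path usually points at removable or encrypted storage, so it is worth confirming that each FlexshareDirCustom path is absolute and currently mounted; if the device is absent, files written to the path end up on the underlying filesystem instead of the intended device. The following shell script is an added example, not part of ClarkConnect; the function names, the status words and the use of /proc/mounts as the mount table are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not ClarkConnect code): sanity-check FlexshareDirCustom
# entries, which the manual gives as name:path pairs separated by "|".

# Print the value of the last FlexshareDirCustom line in conf file $1.
flexshare_custom_value() {
    sed -n 's/^[[:space:]]*FlexshareDirCustom[[:space:]]*=[[:space:]]*//p' "$1" |
        tail -n 1
}

# Succeed if path $1 is a mount point (second field) in mounts table $2.
is_mounted() {
    awk -v p="$1" '$2 == p { found = 1 } END { exit !found }' "$2"
}

# Classify one name:path entry against mounts table $2.
# Prints "STATUS name path" and succeeds only for OK.
classify_entry() (
    entry=$1
    mounts=$2
    case $entry in
        ?*:?*) ;;
        *) echo "BAD-FORMAT $entry"; exit 1 ;;
    esac
    name=${entry%%:*}
    path=${entry#*:}
    [ "$path" = / ] || path=${path%/}      # ignore one trailing slash
    case $path in
        /*) ;;
        *) echo "NOT-ABSOLUTE $name $path"; exit 1 ;;
    esac
    case $path/ in
        */../*) echo "DOTDOT $name $path"; exit 1 ;;
    esac
    if ! is_mounted "$path" "$mounts"; then
        echo "NOT-MOUNTED $name $path"
        exit 1
    fi
    echo "OK $name $path"
)

# Check every entry in conf file $1 (default /etc/flexshare.conf) against
# mounts table $2 (default /proc/mounts, an assumption of this example).
# Returns 0 if all entries are OK, 1 if any is not, 2 if the file is unreadable.
check_flexshare_custom() (
    conf=${1:-/etc/flexshare.conf}
    mounts=${2:-/proc/mounts}
    [ -r "$conf" ] || { echo "ERROR cannot read $conf" >&2; exit 2; }
    value=$(flexshare_custom_value "$conf")
    if [ -z "$value" ]; then
        echo "NONE no FlexshareDirCustom entry in $conf"
        exit 0
    fi
    set -f; IFS='|'          # split on the pipe, without globbing
    set -- $value
    set +f; unset IFS
    rc=0
    for entry in "$@"; do
        classify_entry "$entry" "$mounts" || rc=1
    done
    exit "$rc"
)

# Run the check only when a conf file is named on the command line.
if [ "$#" -ge 1 ]; then
    check_flexshare_custom "$@"
fi
```

Run it with the configuration file as the first argument; a non-zero exit status means at least one entry should be fixed before a Flexshare is moved to that path.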

Troubleshooting

Firewall
Remember to open up appropriate ports on your firewall if your intention is to allow access from
outside your network. Some common ports for Flexshare access services are listed below.

FTP Access Going to Home Directory Instead of Flexshare


If you have enabled FTP access and require authentication and you find that users are being sent
to their home directories instead of the defined Flexshare, the solution is quite simple - the cause
quite complex.

The problem stems from the fact that ProFTP does not support virtual domains and is attempting to
resolve the system hostname in order to determine which configuration to use. If you have an entry
in your /etc/hosts file mapping your system hostname to your internal IP, users logging in from
outside the network will experience the problem described above. To fix the problem, use
Webconfig and navigate to "Network Hosts and DNS Server". Remove the entry that maps your
server hostname to the internal address (ie. 127.x.x.x or 192.168.x.x or 10.x.x.x). Once you have
done this, go to the ProFTP configuration and stop and then restart the service.
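
To find the offending entry before changing it in Webconfig, the hosts file can be scanned for lines that map the server hostname to one of the internal ranges listed above. This shell function is an added example, not part of ClarkConnect; its name, its output format and the script name in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not ClarkConnect code): list hosts-file lines that map the
# server hostname to an internal address, the condition described above.

# Usage: internal_host_mappings HOSTNAME [HOSTS_FILE]
# Prints "line-number address" for every matching entry.
# Returns 0 if at least one such entry exists, 1 otherwise.
# Only the three ranges named in the manual are checked.
internal_host_mappings() {
    awk -v host="$1" '
        { sub(/#.*/, "") }            # strip comments
        NF < 2 { next }               # need an address and at least one name
        {
            hit = 0
            for (i = 2; i <= NF; i++)
                if (tolower($i) == tolower(host)) hit = 1
            if (!hit) next
            if ($1 ~ /^127\./ || $1 ~ /^10\./ || $1 ~ /^192\.168\./) {
                print NR, $1
                found = 1
            }
        }
        END { exit !found }
    ' "${2:-/etc/hosts}"
}

# Example call: sh check_hosts.sh "$(hostname)"
if [ "$#" -ge 1 ]; then
    internal_host_mappings "$@"
fi
```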

Access
Not all access methods have the same capabilities because of the protocol/design of individual
services. The table below illustrates the capabilities of the four access services available to the
Flexshares you have created.

Access Method   View   Upload   Download   Default Port(s)
Web                                        80 (HTTP), 443 (HTTPS)
FTP                                        2121/2120 (FTP), 2123/2122 (FTPS)
File                                       N/A
E-Mail                                     25 (SMTP)

Links
● ProFTP - List of Directives
● FTP - Active vs. Passive
● SAMBA Man Page

FTP Server

Overview
FTP Server Information
Description          A full-featured FTP server.
Package Name         cc-proftpd
Configuration Page   Software File Services FTP

Configuration
The default configuration for a ClarkConnect system allows read-only anonymous FTP to the /var/ftp
directory and full access to valid user accounts. Advanced configuration of the FTP server can be
done in one of two ways:
● Creating and configuring a Flexshare (Version 4.0 and up only)
● Editing the /etc/proftpd.conf configuration file. See the links section below for details.

Links
● ProFTPd home page
● List of Directives
● FileZilla - An Open-Source FTP client for Windows

Windows-Samba

Overview
File Sharing / Samba Information
Description          Samba file sharing system for Windows.
Package Name         cc-samba
Configuration Page   Software File Services Windows File Sharing

Your ClarkConnect system provides file serving capabilities for a Windows network. Among other
tasks, you can use the software for backup file storage, and sharing printers.

Installation
If you did not select this module to be included during the installation process, you must first install
the module.

Configuration

Basic Configuration
The basic configuration for the Windows/Samba file server is straightforward -- at the very least,
you will want to change the Name, Workgroup and Comment. If you are using Windows PCs, you
will be able to see your ClarkConnect box through your Network Neighborhood.

Name
The name of the system as it appears on Windows Networks.

Workgroup
The Windows Network workgroup. If you are configuring your system as the primary domain
controller (PDC) then this is also the name of the domain.

Comment
The comment is a short description for the system.

WINS Server / WINS Support


If you plan on using VPN or have more than two local networks, we strongly recommend that you
enable a WINS server on your network. If you already have a WINS server, you can enter the IP
address of the server in the WINS Server field. Alternatively, the ClarkConnect system can be
configured as a WINS server on your network. Enable the WINS Support option. More information
on WINS is available in this Howto.

PDC - Primary Domain Controller


If you would like your ClarkConnect system to act as a primary domain controller (PDC), you can
configure the settings.

You must be using version 4.1 or higher for PDC mode

Status
Toggle this field to enable/disable PDC mode.

Administrator
Select a user account for PDC administration. This account will be used to add computer systems
to the domain.

Logon Fields
Review the Samba documentation for configuring the Logon fields.

Common File Shares

● The homes folder contains private user folders.
● The printers icon will appear if you configure a shared printer.
● The shared folder is for public file sharing.
● The website folder contains the files for your web site.
● The ftpsite folder contains the files for your web site.

Custom File Shares


To add custom file shares, use the Flexshare tool.

Advanced Configuration
For some installations, you may need to fine tune the Windows/Samba file sharing software.
Please review the Samba documentation before changing these settings.

Security Type
If you are using ClarkConnect as a PDC, this should be set to Domain, otherwise it should be set
to User. If you want to disable user authentication, you can set this option to Share (not
recommended).

Domain Master
If you do not have a Windows server running on your network, you may want the ClarkConnect
system to act as the Domain Master (in other words, the "boss" of the Windows Network). You
should also set the OS Level to 50 or higher.

Local Master
In most cases, this should be set to Automatic.

OS Level
See the Domain Master section.

Troubleshooting

Due to a feature in Microsoft networking, you may not see the ClarkConnect system in
Network Neighborhood right away; sometimes it takes several minutes to appear. A quick way
around this "feature" is to use the Find Computer tool and type the IP address of the system.

LAN Backup and Recovery

Overview
LAN Backup/Recovery Information
Description          Client/server backup and recovery.
Package Name         cc-bacula
Configuration Page   Software File Services LAN Backup/Recovery

Bacula is a network-based backup program. It allows an administrator to backup, recover and
verify data on any number of systems on a local area network (and across VPN tunnels), on a
variety of operating systems. Bacula supports various storage media devices, including file, tape
and removable HDD.

Installation
If you did not select this module to be included during the installation process, you must first install
the module.

Supported Media
ClarkConnect's implementation of the Bacula backup/restore software is customized to support a
limited selection of hardware.
● The server's hard disk - obviously not recommended for server backup
● Iomega REV (35GB and 70GB) with the following interfaces:
● IDE/ATAPI
● USB
● SATA
● USB Mass Storage Device (USB drives, memory sticks etc.)
● Another workstation on the LAN
● DVD (beta)

Configuration

Bacula's Webconfig overview provides links to actions and other reporting or configuration
information that might be of interest. A status window displays the latest messages originating from
the Bacula Director - the main daemon responsible for orchestrating backups and restores.

If you are a novice user and looking to use this module to simply make backups of the server to a
supported storage media device, you can do everything you wish with the options listed in the
Basic section.

As you become more familiar with the software you will quickly realize the full potential Bacula
offers for complete network disaster recovery implementation. The advanced section provides links
to some of the features that you will need in setting up new clients, creating new file sets,
configuring schedules etc.

The Webconfig utility that provides the Graphical User Interface (GUI) is not the only method of
interacting with the Bacula daemons. Bacula has its own, shell-based, console which advanced
users will find extremely useful for situations where the GUI does not support a specific
feature/function of Bacula.

As of version 4.1, this text-based console is accessible via the Advanced
Configuration listing under Virtual Console.

This manual will describe the features and functionality of the Webconfig GUI that should provide
the majority of users with the ability to backup, validate and restore files from any number of client
machines on the local area network. For circumstances where it is necessary to access more
advanced features, please refer to the Bacula console (or Webconfig's virtual console) and
sections of the online Bacula manual.

Basic Configuration

Backup Server
This option will begin a wizard which will take the user through backing up the server to an
appropriate device. Although a server backup can be done to the local hard disk, this option
provides no disaster recovery and only provides a measure of safety against accidental deletion of
files by the user/administrator.
In addition to listing any removable devices like USB MSD or Iomega REV RRD's, an option to
backup to a Windows desktop on the LAN is possible. Use this option to provide recovery in the
event of a hard disk failure or loss of just the server. Similar to the file option, this does not protect
against a disaster that causes the destruction or loss of both the server and client machine on the
LAN (i.e. fire, theft etc.).

Backup Client
Kicks off a wizard that will take you through the backup of a client on the LAN.

Restore Server
Begin a wizard that will restore a full backup to the server provided you have the bootstrap file
(BSR) and physical media containing the volume where the backup was stored.

Restore Client
To restore a client on the LAN that has been backed up to the server, use the WX-Console (for
Windows) or B-Console (for Linux/Unix) user interface to restore.

Device Controls
Used if you need to mount/unmount or eject removable media.

Auto-Detect (Storage) Hardware


Use the auto hardware detection link to view possible physical media recognized by the Linux
kernel that can be used as a storage medium.

Some devices like the Iomega REV drive will automatically be added and configured as a storage
device. In this case, Update will be displayed under the Action column should an admin wish to
make custom changes.
If a device needs user intervention to configure the properties of the device properly, the device
will be displayed in the list with Add under the Action column. Click on the Add link to add this
medium and then configure it.

You do not need to add your main hard disk as a storage device, even though it will
be listed in the auto-discovery process. Use the "File" type instead.

Advanced Configuration

Global Settings
Enable the "Email on Edit" setting to automatically e-mail a set of your current Bacula configuration
files to the admin contact (see "Director Daemon Settings" section below).
The configuration files can be saved to the backup medium just as any other file. However, having
these files to start with greatly simplifies the recovery process should the files be lost in a hard
drive failure or other incident. Having the latest configuration files avoids a sort of 'chicken and the
egg' scenario.
Use the "Email all files" link to send all current configuration files immediately. You should make
sure the mailserver setting is set correctly in the section below prior to attempting to mail out a set
of files.

Director Daemon Settings


The director is the main Bacula daemon that directs all operations. It acts as the 'go-between'
between a client resource and the storage device.

Name
The director's name. We recommend adhering to Bacula's convention of using the system
name appended with "-dir". This directive should not require changing after the initial set-up.

Address
The director's address. This should be changed to a fully qualified domain name or IP address. It
should not be left as the default setting 'localhost' as client machines will fail on backup.
Examples of an address or FQDN include:
● 192.168.1.1
● gateway.lan
● mydomain.com (preferred)

Port
The port the director daemon listens on. By default, port 9101.

Password
This is the director's password that is used to authenticate to a client or storage device.

Operator e-mail
This address receives notifications for required interactivity - for example, replacing a removable
media drive or labeling a tape.

Admin e-mail
This address receives all notifications relating to the general 'health' of the system.

Mailserver Address
If you do not run an SMTP server on the machine you have installed the Bacula director on, you
will need to specify the mail server address in this field (for example, your ISP's mailserver). If you
are running an SMTP locally, leave the default setting, 'localhost'.

Database Password
Bacula uses a MySQL back-end to track and manage files and directories that are backed up or
restored. This field will change the password used to access this database.

File Daemon Settings


The file daemon is responsible for providing files to the director or receiving files from the director
during a backup or recovery, respectively. The file daemon is platform-dependent and needs to be
installed, configured and running on each client to be included in the backup/recovery process.

Name
The file daemon's name. We recommend adhering to Bacula's convention of using the system
name appended with "-fd". This directive should not require changing after the initial set-up.

Port
The port the file daemon listens on. By default, port 9102.

Storage Daemon Settings


The storage daemon is responsible for providing files to the director or receiving files from the
director during a recovery or backup, respectively.

Name
The storage daemon's name. We recommend adhering to Bacula's convention of using the
system name appended with "-sd". This directive should not require changing after the initial set-up.

Port
The port the file daemon listens on. By default, port 9103.

Creating and Editing Clients


Click on the "Configure Clients" link from the main menu to display and access the edit/add links
for clients. A client is simply another computer on your network that you wish to have 'backed-up'
to your storage device.

The screenshot above shows one client (the default server) with a new client about to be created
(MP3-Collection-fd).

Adding a Client Resource


Select a client nickname (ie. MP3-Collection-fd) and click on the "Add" link. You will be taken
directly to the "Edit Client" form to complete the remaining information that is required.
The next section describes each of the fields of the client resource exposed via the GUI.

Editing a Client Resource

Name
The client's name. We recommend adhering to Bacula's convention of using the system name
appended with "-fd". This directive should not require changing after the initial set-up.

Address
The client's address. See the Director's Address for recommended entries.

Port
The port the client file daemon listens on. By default, port 9102.

Password
This is the client's password that the director daemon uses to authenticate.

File Retention
Defines the length of time that Bacula will keep File records in the Catalog database. When this
time period expires, and if AutoPrune is set to yes, Bacula will prune (remove) File records that are
older than the specified File Retention period. Note, this affects only records in the catalog
database. It does not affect your archive backups.

Job Retention
Defines the length of time that Bacula will keep Job records in the Catalog database. When this
time period expires, and if AutoPrune is set to yes, Bacula will prune (remove) Job records that are
older than the specified File Retention period.

Auto Prune
If auto prune is set to "Yes" (default), Bacula will prune the files and jobs from the catalog
according to the retention times (see above). If disabled, your catalog will continue to grow in size
on each backup, since older data will not be removed (pruned).
After you add a client, you will need to download the Bacula Client specific for the Operating
System (OS) running on the machine. For example, if you are running Windows(TM) XP, you will
need to go to SourceForge and install the Win32 client for the appropriate version.

Note: To determine the version installed on your system, use "rpm -qi cc-bacula".

Installing and Configuring the Client Software (File Daemon)


The backup/recovery module allows you to backup multiple client machines on the LAN, across
VPN tunnels or over the Internet, although this latter method is highly discouraged as data traffic is
not encrypted during backup/restore. The director daemon requires a file daemon to be installed
and configured properly on each machine to be backed up. The remainder of this section will go
through the installation and configuration of a Windows XP, Linux (Mandrake) and Mac OSX
install.

Before Installing Client Software

Before you begin to download and install the client software, you'll need to determine what version
you need. If you are familiar with command line Linux, you can query the RPM using the "-qi"
options. An alternative and simple method is to get your local backup server running, and click on
the "Current Status" link.

Once the page updates with the current status information, look to the second line to get the
version information.

Windows XP

Now that we know which version we are looking for (in the case of the above example, version
1.36.2), we need to find the appropriate client download. Bacula is an Open Source Software
package developed and maintained on the SourceForge listing - http://sourceforge.net/index.php.
A simpler way of searching for the correct packages might be to go directly to the Bacula Home
Page and look for the "Current Files" link. This link will take you to the exact location - Bacula on
SourceForge.net.

Scroll down to the Windows section (Win32), ensure you are looking at your version list (1.36.2 in
our example), and click on the "Download winbacula-1.36.2.exe" link to start the download.

Depending on where you have your browser set to save downloads, find the file and run the
executable by double clicking on the icon. Confirm the first few steps of the install wizard and
pause when you are asked to select an install location. You can choose to install in any directory
you wish, however, for the purposes of this manual, we are going to assume you create a new
directory so that the location appears as "C:\Program Files\Bacula".

As you continue on through the installation, two configuration files will be displayed. You will need
to edit them according to the information you provided during the setup of the director and client -
specifically:

bacula-fd

Director {
  Name = Director's Name
  Password = Client's Password
}

FileDaemon {
  Name = Client's Name
  FDport = 9102
  WorkingDirectory = "C:\\Program Files\\Bacula\\working"
  Pid Directory = "C:\\Program Files\\Bacula\\working"
}

Note: WorkingDirectory and Pid Directory may differ from above, depending on the "Destination
Folder" selected during install (see above).

Messages {
  Name = Standard
  director = Director's Address = all, !skipped
}

bconsole

Director {
  Name = Director's Name
  DIRport = 9101 (by default Director's Port)
  address = Director's Address
  Password = Director's Password
}

wx-console

Director {
  Name = Director's Name
  DIRport = 9101 (by default Director's Port)
  address = Director's Address
  Password = Director's Password
}

Linux (Mandrake)
Once you have determined the Bacula version installed on your ClarkConnect server (see above),
you'll need to download the client packages for your Linux distribution. In this example, we will be
installing/configuring the client on Mandrake 10.1 Community Edition. You only need the
bacula-client package, not the full install, since the director and storage daemons will be running
on ClarkConnect.

Having downloaded the RPM, install it on your system (as root).

# rpm -ivh bacula-client-1.36.1-3.i586.mdk101.rpm
Preparing... ########################################### [100%]
1:bacula-client ########################################### [100%]

Bacula will install the relevant configuration files in the /etc/bacula directory. You will need to
edit the same two files listed in the Windows configuration section above, namely:
● bacula-fd.conf
● bconsole.conf
To start the client daemon, type:

# /etc/rc.d/init.d/bacula-fd start

Mac OSX
TODO

Creating and Editing Schedules


Scheduling jobs allows backups to be performed automatically without human intervention,
provided the storage device is available to be written to. You can create as many schedule
definitions as you wish. Once created, the schedule is available to be associated with a job, which
will then be run automatically at the specified time(s).

Adding a Schedule
To add a schedule, enter a unique schedule name and click 'Add'. A schedule default template will
be created and the edit schedule form will be displayed (see Editing a schedule).

Editing a Schedule

Each schedule definition can have an unlimited number of 'events' associated with it. An event is a
combination of a backup level (Full, Incremental or Differential), a schedule definition (Every
Saturday, Monday through Friday etc.) and a time.

Creating and Editing Filesets


A fileset instructs the Bacula director which directories and files to back up and which ones to leave
alone. Generally speaking, you will probably have at least one unique fileset for each client
machine. However, a fileset can be used in any job, for any client backup.
This module ships with two default filesets, both of which are protected:
● Catalog
● Config

The Catalog fileset cannot be edited or deleted and is responsible for creating a database image of
the Bacula catalog and backing up the resultant file.

The Config fileset can be edited but cannot be deleted. It is responsible for saving important
configuration files for the software and services that run on your server. It is
recommended that you keep the default file/directory entries and add to this list in the event you
add a package with custom edits to a configuration file.


The fileset list in the screen capture above shows the two default entries in addition to three
uniquely named additions, one of which (the "Home" fileset) the user has protected against
deletion.

Adding a Fileset Resource


Choose a unique name for your fileset that describes the sort of directories/files it covers. For
example, you might name a fileset WinXP-MyDocs for any Windows XP machine on the LAN
where you wish to back up the owner's "MyDocuments" contents. You will be taken directly to the
"Edit Fileset" form to complete the remaining information that is required.

The "Database" checkbox defines whether a backup represents a set of files/directories (off) or the
data contained within a database (on). MySQL and PostgreSQL are currently supported.

The next section describes how to edit a fileset in order to achieve the desired backup results.


Editing a Fileset Resource


Fileset structures are extraordinarily flexible in defining directories and files to be backed up;
however, this flexibility comes at a cost: complexity. In the current Webconfig User Interface, only a
fraction of the power of fileset building is exposed. Greater functionality/features will be added in
future releases.

Advanced users should read the Bacula chapter dedicated to creating fileset
resources and may wish to consider editing via CLI to achieve the desired results.

The Bacula webconfig UI has two 'modes' to edit filesets - Regular and Database.

Regular Fileset
The regular fileset mode allows you to add include and exclude statements in order to define which
files you wish to back up and which you do not. Any number of include statements
are allowed within a fileset definition, but only one exclude. Each include statement can have
unique options that work together to describe the files you wish to have backed up. The table
below describes the directives supported via the User Interface (UI).

Compression
Use software compression (GZIP). If you are backing up to a device that supports hardware
compression, you are advised not to enable software compression.

Signature
Compute and store an MD5 or SHA1 signature with each file. Users are strongly advised to use
MD5 or SHA1.

IgnoreCase
When set to "Ignore", all regular expressions and wildcards will ignore differences based on upper
and lower case.

Exclude
When set to 'Include', all wild-cards and regular expression matches will include files and
directories to be backed up. If the 'Exclude' option is set, matching files and directories will not be
selected.

Wild
A wild-card string to match files or directories.

Wildfile
A wild-card string to match files only.

Wilddir
A wild-card string to match directories only.

Regex
A regular expression string to match files or directories.


Regexfile
A regular expression string to match files only.

Regexdir
A regular expression string to match directories only.

Database Fileset
The ClarkConnect LAN backup and recovery module allows you to backup two of the most popular
open-source database engines available:
● MySQL
● PostgreSQL

Backing up data stored in an SQL database must be done by 'dumping' the contents of the
database to file first. Backing up the files directly would result in data corruption as the content is
dynamically being updated.

This module simplifies database backup by providing a separate interface when the database is
enabled. This flag can only be enabled during the creation of a fileset (see "Adding a Fileset"
section above). A typical database backup configuration form is shown below.

Name
The Fileset name.

Compression
See above.

Signature
See above.


Type
The SQL engine. Currently, MySQL and PostgreSQL are supported.

Hostname
The IP address or hostname where the server is located. A database does not have to be running
on the localhost in order to be backed up.

Database Name
The name of the database.

Username
A username that has rights to access this database. Leave blank if there is full access to any user.

Password
The database password. Leave blank if no password is associated with the database.

Port
The port the SQL service is listening on. The default ports for the two supported engines are listed
below.
● MySQL - 3306
● PostgreSQL - 5432

Creating and Editing Jobs


Jobs are collections of other resources (ie. a client, a fileset, a storage device etc.) that work
together to back up (or restore) your data. Jobs can be scheduled to run automatically, removing
the need for human intervention (except if you have removable storage device media, of course).
By default, ClarkConnect contains two pre-defined jobs:
● BackupCatalog - backs up an image of the Bacula MySQL database
● Restore - a restore template

The restore template is unique in that Bacula only uses a single restore job which is then modified
at run-time for specific recovery operations. This uniqueness is described in more detail in the
"Type" section below.

Adding a Job Resource

Choose a unique name for your job that describes the action. You will be taken directly to the "Edit
Job" form to complete the remaining information that is required.


Editing a Job Resource

A typical job edit form looks like the screen capture below.

The following directives are supported by the Webconfig UI for the Bacula module:

Name
A unique name for the job.

Type
The job type. Valid options are:

Backup
Normally, you will have at least one backup for each client machine you back up. You will also have
the pre-installed backup for the MySQL catalog.
Restore
The restore type is restricted (via the Webconfig UI) to a single job definition. Since a restore
template is pre-defined, this option will not be available when you add a job while the restore
template still exists.
Verify
Verifies that the information stored in the database (which maps to the actual backup file(s))
matches that which resides in the directories at the current time, and reports any differences
found.
Admin
Runs an administrative (normally database related) job. See the Bacula manual for more
information.

Level
The level. Valid options are:
Full
Includes all files defined with the associated Fileset, regardless of whether or not they have
changed.
Differential
Includes all files changed since the last successful full backup. In practice this means that a full
restore requires just the last Full and the last Differential backup.
Incremental
Includes all files changed since the last successful backup (either Full or Incremental). As a result,
a full restore requires the last Full backup and all successive incrementals.
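
The restore rules described under Level, worked through on a job history. This is an added example, not part of the ClarkConnect or Bacula code. It goes slightly beyond the text by also handling a schedule that mixes Differential and Incremental jobs (last Full, then the last Differential after it, then the Incrementals after that); the job ids, the "OK"/"Error" status words and the function name are constructed for illustration.

```shell
#!/bin/sh
# Constructed job history, oldest first: <job id> <level> <status>.
JOB_HISTORY='101 Full OK
102 Incremental OK
103 Incremental OK
104 Differential OK
105 Incremental Error
106 Incremental OK
107 Full Error
108 Incremental OK'

# restore_chain: read job history lines on stdin and print, in the order they
# must be applied, the job ids a full restore needs. Fails (status 1) when the
# history contains no successful Full backup to start from.
restore_chain() {
    awk '
        $3 != "OK"           { next }   # only successful jobs can be restored
        $2 == "Full"         { full = $1; diff = ""; n = 0; next }
        full == ""           { next }   # nothing is usable before the first Full
        $2 == "Differential" { diff = $1; n = 0; next }  # supersedes earlier incrementals
        $2 == "Incremental"  { inc[++n] = $1 }
        END {
            if (full == "") exit 1
            chain = full
            if (diff != "") chain = chain " " diff
            for (i = 1; i <= n; i++) chain = chain " " inc[i]
            print chain
        }'
}

# The failed jobs 105 and 107 are skipped; 102 and 103 are covered by 104.
printf '%s\n' "$JOB_HISTORY" | restore_chain
```

Every volume holding a job in the printed chain must be available to the storage device at restore time, which is the practical cost of long incremental runs.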

Client
A valid client resource.

File Set
A valid file set resource.

Schedule
A valid schedule resource.

Storage Device
A valid storage device resource.

Pool
A valid pool resource.

Priority
Permits prioritization of jobs to determine which jobs run first. The higher the integer, the lower the
job priority.

Create Bootstrap (BSR)


Creates a bootstrap (BSR) file associated with the job, permitting restore without a catalog.

Send Admin BSR via E-mail


Sends the BSR file to the administration e-mail address. Useful in cases where the Bacula
database is lost, damaged, corrupt, stolen or otherwise rendered useless, but the backup image
exists on the storage daemon or removable media. Sending this file to a Gmail account or other
web-based email service provides another option in the event of data loss.

Creating and Editing Pools


Pools are collections of volumes where your data is stored. Many installs will use a single (Default)
pool. Or, you may wish to create and specify a unique pool for each client or job.


Adding a Pool Resource


Choose a unique name for your pool that describes the client or job. You will be taken directly to
the "Edit Pool" form to complete the remaining information that is required.

Editing a Pool Resource


The following directives are supported by the Webconfig UI for the Bacula module:

Name
A unique name for the pool.

Type
The pool type. Currently, only backup pools can be configured.

Recycle
Specifies the default for recycling Purged Volumes. If a Volume is recycled, all previous data
written to that Volume will be overwritten.

Auto Prune
If AutoPrune is set to yes, Bacula will automatically apply the Volume Retention period (see below)
when a new Volume is needed and no appendable Volumes exist in the Pool. Volume pruning
causes expired Jobs (older than the Volume Retention period) to be deleted from the Catalog and
permits possible recycling of the Volume.

Volume Retention
Defines the length of time job records associated with the Volume will be kept. When this time
period expires, and if AutoPrune is set to yes, Bacula will prune (remove) job records that are
older than the specified Volume Retention period.

Accept any Volume


This directive determines whether any volume will be accepted by the Bacula director to write to
during a backup. If it is set to no, only the first writable volume in the Pool will be accepted for
writing backup data.

Label Format
If the Label Media directive in the storage resource is set to 'Yes', the label format directive must
be set and will automatically label the media during a backup with the specified format. For
example, with a value of "File-", the following volumes will be created:
● File-0001
● File-0002
● File-0003
● ...
You can also use variable expansion. For example, all jobs running on Monday with
"Weekly-${WeekDay}" would result in:
● Weekly-Monday0001
● Weekly-Monday0002
● Weekly-Monday0003
● ...

Creating and Editing Storage Devices


The Bacula Server/LAN backup and recovery module has two defined storage device resources in
the configuration files on a default installation:
● File
● Iomega REV removable HDD

The "File" device represents the local hard drive of the server Bacula is installed on. This is an
easy and efficient means to back up data located on machines on the Local Area Network. You
can even back up the server with this configuration; however, it is highly recommended that this
file image be synced to a desktop, or better still, burnt to CD/DVD or copied over the Internet (scp
tool) to a system outside the LAN.

The Iomega REV drive is an ideal backup storage media device for small businesses. The REV is
a hard disk drive offering greater storage capacity over CD-ROM and DVD formats. In addition, the
drive medium is removable, allowing unlimited storage capacity by adding drive units and having
the advantage of being able to move backup data off site in the event of disaster, theft or other
event that would result in loss of the storage medium. It is also fast - over 8 times faster than a
tape backup solution.

The backup and recovery module supports and has been tested using the ATAPI model Iomega
REV drive. USB, Firewire, Serial ATA and SCSI can be used, however, manual configuration may
be required through direct editing of the Bacula configuration files. If you have a choice, the ATAPI
(IDE) model is your best bet. For information on acquiring REV hardware, see the Related Links
section below.

The module supports the creation of multiple backup definitions so you are not limited to the defaults
above. Additional file resources can be specified, and these do not necessarily have to be on the
LAN. A file resource could be specified that resides on another network. With the proper firewall
rules and configuration, a satellite office could backup data to the company headquarters, or vice
versa.

If you are considering backing up data across a public network (i.e. the Internet), it is important to
weigh the following fact: Bacula does not currently support data encryption at the time of
storage, so any traffic crossing a public network cannot be considered secure.

Besides supporting direct to file and the Iomega REV drive, the native Bacula module supports all
kinds of tape solutions and tape storage auto-changers. Keep in mind, however, that although the
Bacula project supports these devices, the ClarkConnect backup module may not interface with
these devices properly. Direct editing of the configuration may be required in addition to using the
Bacula text-based UI (bconsole) to backup to tape-based drives. For a list of supported tape
drives, see the Bacula hardware support list.


Adding a Device Resource

Choose a unique name for your storage resource that describes the device. You will be taken
directly to the "Edit Device" form to complete the remaining information that is required.

Editing a Device Resource

A typical edit configuration form is shown below.

The following directives are supported by the Webconfig UI for the Bacula module:

Name
A unique name for the storage device.

Address
The address where the storage device resides on the network. This field can be a valid IP (internal
or external), FQDN or "localhost".

Although entering "localhost" correctly describes the location of the storage daemon
if running in parallel (ie. the same server) with the director daemon, it is ambiguous
(and will cause backups to fail) for machines on the Local Area Network. An IP
address (ie. 192.168.1.1) or a FQDN should be used.

Port
The port the storage daemon listens on. By default, 9103.

Password
This is the storage daemon's password that the director will pass to a client for authentication to
the storage device.

Device or Mountpoint

File
Add the full directory path where you would like Bacula to save backup images of your filesets.

Iomega REV HDD


Enter in the mount point you created using the "Mount" action (see here). For example,
"/mnt/REV".

DDS/DLT
Enter the device location. For example, "/dev/nst0".

Media Type
A generic descriptor of the type of storage device. Valid selections include:
● File - a local filesystem (HDD, USB memory stick etc.)
● Iomega REV - see here
● DDS - Digital Data Storage device (DDS-1 [2GB], DDS-2 [4GB], DDS-3 [12GB], DDS-4
[20GB])
● DLT - Digital Linear Tape, a magnetic tape storage device

Label Media
If enabled (set to "yes"), the device will automatically label blank media. In other words, it will create
the backup file to write to without user intervention. For information on how to set the Pool resource
label format, click here.

If enabled, you must enter a value for the media label format in the Pool Resource.

If disabled (set to "no"), you will have to manually label media as required. For information on
labeling media using the "Device Actions" feature, click here.

Random Access
For devices that have linear access to the storage medium (ie. a tape moving across a static head),
set to "No". Otherwise, set to "Yes".


Auto Mount
Set this directive to "Yes" to permit the Bacula daemon to examine the storage media and search
for a Bacula labeled volume.

Removable Media
Set this directive to "Yes" if the storage device uses media that can be removed from the server
(ie. a REV HDD, DAT, USB memory etc.).

Always Open
It is recommended that you set the "Always Open" directive to "Yes", making the storage media
always available to Bacula. This allows scheduled backups to be run without user intervention. If
set to "No", tape media will be rewound at the end of each backup.

Maximum Volume Size


Sets a physical limit to the amount of data written to a device media.

Restoring Your Catalog


Your catalog (contained in a protected MySQL database) is the central index of your backup. Think
of your catalog as being the equivalent of a catalog in a library. Without an up-to-date catalog,
recovering your files in the event of a hardware failure or disaster becomes much more difficult.
You may have all the data (books) on a backup storage device, but finding a single file without a
catalog is a time-consuming operation.

As a result of the catalog's importance, the Webconfig utility was designed to give you three
common methods of recovering your catalog in the event it is destroyed or corrupted:
● Catalog recovery by bootstrap file (BSR)
● Catalog recovery using locally stored image
● Catalog recovery by uploading an image

You will be given the option to choose which method you wish to use from the "Restore Catalog"
menu (see screenshot below).

A MySQL catalog can become large over time - very large. Depending on the number of clients
and files you back up on a regular basis, it is not uncommon to have a catalog that is in excess of
10-20MB in size. As such, method #1 above is the preferred method - backing up the data in the
catalog database on a regular basis to whatever storage device you are using. The only difference
during recovery is that you will use a bootstrap file (BSR) instead of using the catalog - a necessity
since you don't have the catalog.

Using a bootstrap file to re-create your catalog

● Ensure the backup medium containing the latest catalog data is in your storage device
● Click on the "Restore Catalog" link
● Select the "I want to use a bootstrap (BSR) file..." option
● You should have the latest BSR file for the catalog that was e-mailed to the administration
user. Retrieve it and save it to your local hard disk.
● Click on the "Browse" link and select the file you saved in the prior step
● Click on the "Continue" link
● A web dialog will be displayed asking you to confirm or cancel
● Click "Continue". The database import may take several seconds (or minutes if very large)
to complete.

Restoring from a local database image


Select the "I want to use a catalog image stored locally..." option and enter the filename including
absolute path of the database image. Click on "Continue". Confirm your intention to initialize the
database using the data you have in the image.

Uploading/restoring a database image


Due to the file size limitations of uploading files combined with the large file size inherent to the
Bacula catalog database image, this option is limited in use. It is a convenience for those who have
a catalog image mailed to an account (ie. Gmail). However, for any catalog that is larger than 2MB,
you would be advised to use an alternative file transfer method (SCP, FTP, WinSCP etc.).

Device Controls

Some devices require actions like ejecting a tape or removable HDD. You can perform these
actions through the webconfig utility using the drop-down list of supported actions in the "Device
Controls" page.

Mount
Mounts a filesystem at a specified mount point. For IDE and SCSI Iomega REV drives, the device
location will be auto-discovered - only a mount point needs to be specified. For tape systems, this
action will call an internal Bacula mount that ensures the device is available for Bacula to
read/write.


Unmount
Unmounts (or umounts) a device.

Unmount and Eject


Same as Unmount, except that the tape or removable media is ejected.

Eject
Ejects removable media from the device.

Label
Bacula uses labels in order to create volumes that are then associated through the use of pools.
This may sound complicated at first, but it is really not. For more information, see the Bacula online
manual concerning Pools, Volumes and Labels.

Rewind
Issues a rewind command. Only applicable for tapes.

Report

The report page provides a graphical display of job history.

Virtual Console
The virtual console gives the administrator the ability to run Bacula commands via the webconfig
GUI rather than the Bacula console. The use of AJAX makes this interface seamlessly bridge the
divide between Bacula's console and the PHP webconfig form. Use of this feature should be done
with caution and only by those having a solid understanding of the Bacula console commands.

Performing a Backup
Under most circumstances, backups will be performed automatically by the Bacula scheduler
(provided you have created scheduled backup jobs). However, on occasion or by personal
preference, users may wish to manually initiate a backup job. A backup job must be defined as a
resource in order to initiate a manual backup. If you have not done so already, you will need to
define resources needed by a job definition (ie. FileSet, Pool, StorageDevice etc.), and define a
job.

Performing a Recovery

Recovering Individual Files


Recovering individual files from a specified date is not currently available through the webconfig
User Interface. This functionality is available via the Bacula “bconsole” CLI; follow the
procedures documented on the Bacula website. Alternatively, if the recovered file(s)
reside on a client machine (not the ClarkConnect server), users can use the graphical user
interface provided by the Bacula client that is available for Linux, Mac and Windows platforms.

Recovering from Total Data Loss (aka: Disaster Recovery)


In the event you lose all data on your ClarkConnect server (through hard drive failure, damage,
theft etc.) and provided you have data that was backed up to either removable media or to another
machine, you will be able to fully restore your system to the state of the last full or
differential/incremental backup.

The first step in restoring your server is to install the ClarkConnect OS on your new (or repaired)
server. Download the latest ClarkConnect ISO matching your previous platform. It is advised (but
not required) to stay with your current version until the server is restored to its original state.
Register your server to the ClarkConnect Gateway Service network using the I am re-installing
an existing system option. For more information on system registration, click here.
Once registered, install the Bacula backup/restore module using the webconfig User Interface (UI)
on port 81 or via command line:


# apt-get update
# apt-get install cc-bacula

Having installed the Bacula module, use the UI and navigate to the LAN Backup/Restore page
that will be found under the Software heading. From here, you have three steps to a full restore:
● Upload the original Bacula configuration files
● Restore the Bacula file/directory database image
● Perform a full data restore

Uploading Bacula’s Config Files


Although you can include your Bacula configuration files in a FileSet to be backed up, this
presents another ‘chicken and the egg’ scenario, since the original configuration files are required
to perform a restore. The UI presents a simple and reliable way to always have available the latest
configuration files by emailing these files as attachments through the General Configuration
page. Locate the most recent configuration files and save them to your local computer’s drive.
There are four (4) configuration files that will be required:
● bconsole.conf
● bacula-dir.conf
● bacula-fd.conf
● bacula-sd.conf

Click on the General Configuration link. You will see four sections:
● Global Settings
● Director Daemon
● File Daemon
● Storage Daemon
Click on the Upload Config Files link under the Director Daemon section. You will see a file
upload entry form similar to the screen shot below.


Click on the browse link next to the bconsole.conf file. Locate the bconsole.conf file on your local
computer, and select ‘OK’.

Repeat the procedure for the bacula-dir.conf file.


Once you have both files defined in the corresponding input boxes, click Upload now.
Repeat similar procedures as described above for the File Daemon (bacula-fd.conf) and Storage
Daemon (bacula-sd.conf) sections.
Having uploaded your original configuration files for the Bacula module, you are now ready to start
the Bacula services. Return to the main Bacula menu and click on the Configure Daemons link.
Select Start all services. All four Bacula services (director, file, storage and the MySQL server)
should now be running. Return to the main menu.

Restoring the Bacula Database Image


Your next task is to restore the Bacula database image. This operation simplifies the final action of
recovering data. Your Bacula database can be restored in one of two ways:
● BSR File
● Database dump
Follow the instructions provided here for the preferred method. The method you choose will
depend on which method you had planned on using. For example, if your configuration was set to
email the BSR file of the database image upon creation, this will likely be the method you use.
Alternatively, if you have been saving a raw database image to another machine (or even emailing
this image to an account), you can upload this image through the Bacula module UI.

A Bacula database image (or dump file) can grow to a substantial size. Users are
cautioned that emailing this file to an account may not be practical or possible.


Restoring Data

Now that your configuration files and database image are restored, simply select and run restores
on any jobs containing filesets that require restoring on the local server. From the Bacula UI main
menu, select Restore. Since your configuration and database have been successfully restored,
you can select the Standard Restore form, completing the fields as required.

Client
The client to which the files should be restored. This should match the client where the files were
backed up from.

File Set
The file set that describes the files and directories to be restored.

Replace Policy
Allows the user to control whether newer files replace older ones or not. This is only applicable
when the Location parameter (below) is left blank.

Location
Specifies the location where Bacula should restore the files to. Set this field to a blank (null) entry if
you wish to restore files to their original location (caution, make sure your Replace Policy is
properly set).

Troubleshooting

Logs
Have a look in the system logs if you are having problems. The bacula daemons log to
/var/log/bacula.

Windows Firewall
Windows XP Personal firewall will block attempts made by the ClarkConnect server to back up a
Windows desktop on the LAN. Open port 9102 on the Windows firewall by going to Start >
Security Center > Windows Firewall and clicking on the 'Exceptions' tab. Add port 9102 and click
Update.

Backup to client on the LAN


This option, available under the Basic settings, allows you to back up the server to a Windows
shared directory on the Local Area Network (LAN). The following steps will assist you in
configuring this option.


● Go to Windows Start > My Computer
● Click on Shared Documents
● Select File > New > Folder
● Enter a folder name
● Right click on folder and select Properties
● Click on the Sharing tab
● Enable the Share this folder on the network checkbox
● Enter a share name...for example 'SharedDoc'
● Enable the Allow network users to change my files
● Click on OK
If you have Windows firewall enabled, you will need to open a port (189).
● Go to Windows Start > Control Panel
● Click on Network and Internet Connections
● Click on Windows Firewall
● Click on the Exceptions tab
● Click on Add Port
● Enter Server Backup in the Name field
● Enter 389 in the Port number field
● Select TCP
● Click on OK
In order to test whether you can mount the Windows share, login as root and type:

# smbmount '//IP/NAME' MP -o 'username=USER,password=PASS'

where:
● IP = IP address of Windows desktop
● NAME = your share name, as defined in the steps above
● MP = mount point on CC (i.e. /var/bacula/mnt/SueLaptop)
● USER = Windows username
● PASS = Windows password
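
The test command above passes the Windows password as a command-line argument, where it can be exposed through shell history and process listings. The following added example (not from the ClarkConnect manual) uses smbmount's credentials= option instead; the function names and the sample user, address, share and paths are assumptions for illustration.

```shell
#!/bin/sh
# write_smb_credentials FILE USER
# Reads the password from stdin (so it is never a command-line argument) and
# writes FILE in the "key = value" form read by the credentials= mount option.
# The file is created empty and restricted to its owner before the secret is
# written into it.
write_smb_credentials() {
    cred_file=$1
    smb_user=$2
    IFS= read -r smb_pass || [ -n "$smb_pass" ] || return 1
    (
        umask 077
        : > "$cred_file" && chmod 600 "$cred_file" &&
            printf 'username = %s\npassword = %s\n' "$smb_user" "$smb_pass" >> "$cred_file"
    )
}

# credentials_file_is_private FILE
# Succeeds only if FILE is a regular file with no group or other permissions.
credentials_file_is_private() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld -- "$1") || return 1
    case $mode in
        -r[w-]-------*) return 0 ;;
        *) return 1 ;;
    esac
}

# smb_mount_command IP NAME MP FILE
# Prints the mount command to run as root; refuses when the credentials file
# is missing or readable by other users.
smb_mount_command() {
    credentials_file_is_private "$4" || {
        echo "refusing: $4 is missing or readable by other users" >&2
        return 1
    }
    printf "smbmount '//%s/%s' '%s' -o 'credentials=%s'\n" "$1" "$2" "$3" "$4"
}

# Demonstration with constructed values in a scratch directory. In real use,
# type the password at a prompt instead of embedding it in a script.
demo_dir=$(mktemp -d) || exit 1
printf '%s\n' 'constructed-example-password' |
    write_smb_credentials "$demo_dir/sue.cred" sue
smb_mount_command 192.168.1.50 SharedDoc /var/bacula/mnt/SueLaptop "$demo_dir/sue.cred"
rm -rf "$demo_dir"
```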

Links
● Bacula Home Page
● Find an Iomega REV Drive Reseller
● Iomega REV Drive Home Page
● Bacula Client Downloads

Printing

Print Server

Overview
Print Server Information
Description: A print server.
Package Name: cc-cups
Configuration Page: Software > Printing > Print Server


ClarkConnect includes Cups - the Common Unix Printing System - as well as a large set of
printer drivers.

Configuration
Configuration of the printing system is done using the Cups web interface. You can access this
interface via the ClarkConnect web-based interface.

As a security precaution, the Cups web interface is only accessible on a trusted
(LAN) network. You cannot access the web interface from a remote Internet
connection.

Supported Printers
Not all printers are compatible with Linux. The best resource is the Linux Printing Database. You
can find whether or not your printer is supported. If so, then follow the link from the web-based
administration tool to add your printer.

Cups and Samba


When you configure a new printer with Cups, it will appear as a shared printer in Windows Network
Neighborhood (if Samba is installed). However, you will need to restart the Samba service after
adding a new printer.

Links
● CUPS Home Page
● How to make Windows use CUPS IPP

Web Proxy

Access Control

Overview
Web Proxy Access Control Information
Description: Time and user-based access control for the web proxy.
Package Name: cc-squid-acl
Configuration Page: Software > Proxy and Filtering > Access Control

Time-based Access Control allows an administrator to enforce time-of-day web access for users or
computers (IP or MAC address) using the web proxy.

Installation
If you did not select this module to be included during the installation process, you must first install
the module.


Configuration

Adding Time Periods


Time periods define the day of week (i.e. Monday, Tuesday ...) and the time of day (i.e. 12:00 -
13:00) that an access control rule should apply. Select Add/Edit Time Period from the Webconfig
tab menu to:
● display and/or edit a currently defined time period
● add a new time period definition
● delete an existing time period definition

Deleting a time period will delete any access control rule that depends on the time
period definition being deleted.

In the sample screenshot below, we have created two time period definitions. The first defines a
lunch break on weekdays between 12:00pm and 1:00pm (13:00). The second covers the entire
day over a weekend (Saturday and Sunday).

Adding Access Control Lists


An unlimited number of access control list definitions can be created to customize precisely how
users or machines on the LAN should be given access to the web via the proxy server. In the
example below, a rule to allow all machines on the LAN to have access to the web during the
weekend is being created. By specifying an internal IP range of 192.168.1.100 to 192.168.1.255,
the IP based identification will apply this rule to all computers on the LAN receiving a DHCP lease
in this IP range.


Name
A unique name identifying the access control.

ACL Type
Sets the ACL rule type: allow or deny. Allow provides web access to the user/computer; Deny
forbids web access.

Time-of-Day ACL
References a unique time of day rule. The drop down menu will be empty and a link to create a
new time period will be displayed if no time definitions have been created.

Restriction
Determines whether the ACL rule will apply to the time period defined or all time outside of the
time period defined. For example, if you defined a time period named Lunchtime as 12:00 - 13:00
from Monday to Friday and you wanted a specific rule to apply during the lunch hour, select
Within. Conversely, if you wanted a rule to be applied for all hours outside of the lunch
period, you would select Outside.

Method of Identification
Depending on your proxy configuration, up to three different methods of user/machine identification
are possible - username, IP address and MAC address.

Username
Username-based authentication is only available if you have User Authentication enabled. Users
must provide login credentials and have access to the proxy server (as defined by the User
Options configuration). Once logged into a proxy session, ACL rules based on username will
apply.


IP Address
To restrict web access to a particular computer or multiple computers (i.e. a computer lab), IP
address based identification can be used. A single IP address or a range of IP addresses
(separated by a dash) can be added. Valid entry examples include:
● 192.168.1.100
● 10.0.0.121
● 192.168.1.100-192.168.1.150

The IP address represents the address of the machine connecting to the proxy. Since the
computer is located on the LAN segment of the network, any IP address or range listed here
should be restricted to an internal IP address or range.

MAC Address
A MAC address is a unique identifier originating from a computer's network card. MAC addresses
can be a good alternative to IP addresses if an administrator does not lock down the network
settings of a machine which might allow a savvy user to get around an IP address-based access
control rule. A MAC address must be obtained from the machine and is dependent on the OS.

Linux
Open up a shell and type:

# ifconfig eth0

Where eth0 represents the network (Ethernet) card. The MAC address for the sample
output below comes after the HWaddr header and is 00:40:63:DA:E7:23:

Windows
To obtain the MAC address under Windows, click on the Start button and select the Run menu
option. Enter cmd in the run field. Once you are at the Windows command prompt, type:

C:\> ipconfig /all

and press Enter. Find the MAC address next to the Physical Address field. Make sure you get the
MAC address of the correct device; there may be more than one if you have both a network card
and a wireless networking card.

ACL Priority
New ACL rules are added to the bottom of the list; that is to say, new rules begin with the lowest
priority.

The proxy server analyzes each rule in successive order, starting from the top and working
through each rule. The first rule to match a true condition stops the processing and allows (or
denies, depending on the rule type) access to the web.

In the example below, there are three rules: AllEmployees has the highest priority, followed by
LunchHourStaff and finally (lowest priority) HourlyEmployees.

To understand priorities, it is probably easiest to follow through a few scenarios.

Saturday - Since it is a weekend, and since all IP addresses on the LAN were defined when the
AllEmployees rule was created, all computers on the LAN will have access to the web, regardless
of MAC or username-based ACLs and regardless of whether it is lunch hour (i.e. 12pm - 1pm) or
not. In this case, the first rule (AllEmployees) applies (returns true) and processing of further
rules is not performed.

Monday @ 12:15pm - All users who are using computers whose IPs have been added to the
LunchHourlyEmployees IP list will have access to the web.

Monday @ 1:15pm - All users who are using computers whose IPs have been added to the
HourlyEmployees IP list will be denied access to the web. This is because the third rule is applied
since the first two rules did not return a true statement. Any user who is using a computer whose
IP is not listed in the HourlyEmployees rule will be allowed access to the web.

By default, if no ACL rules return true (i.e. are executed as allow/deny) a user is allowed access
to the web. To apply a blanket block rule, create an IP range ACL using the deny type along with
a time definition from 00:00 - 24:00.

Use the up and down arrows on the ACL Summary page to bump the priority of any ACL rule you
create in order to enforce time of day web access.
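
The first-match ordering and the default-allow fallthrough described above can be checked before rules go live. The following Python model is an added example, not part of the original manual and not ClarkConnect or Squid code. The rule names and their order come from the text; the IP lists, the time periods attached to LunchHourStaff and HourlyEmployees, and the BlockEverythingElse rule are assumptions made for illustration.

```python
"""Model of first-match, time-of-day proxy ACL evaluation (added illustration)."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, summarize_address_range
from typing import Optional


@dataclass(frozen=True)
class TimePeriod:
    name: str
    days: frozenset            # weekday numbers, Monday=0 ... Sunday=6
    start: time
    end: Optional[time]        # None means 24:00 (end of day)

    def contains(self, when: datetime) -> bool:
        if when.weekday() not in self.days:
            return False
        now = when.time()
        return self.start <= now and (self.end is None or now < self.end)


def parse_ip_entry(entry: str):
    """Parse '10.0.0.121' or '192.168.1.100-192.168.1.150' into (low, high)."""
    low_text, _, high_text = entry.partition("-")
    low = ip_address(low_text.strip())
    high = ip_address(high_text.strip()) if high_text else low
    # summarize_address_range() raises ValueError for a reversed range. Checking
    # every covering network also rejects a range whose two ends are internal
    # but which spans public address space in between.
    if not all(net.is_private for net in summarize_address_range(low, high)):
        raise ValueError(f"not an internal address or range: {entry!r}")
    return low, high


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                # "allow" or "deny"
    period: TimePeriod
    restriction: str           # "within" or "outside" the time period
    ip_entries: tuple          # entries in the single-address or dash-range form

    def matches(self, client_ip: str, when: datetime) -> bool:
        in_period = self.period.contains(when)
        time_ok = in_period if self.restriction == "within" else not in_period
        addr = ip_address(client_ip)
        return time_ok and any(
            low <= addr <= high for low, high in map(parse_ip_entry, self.ip_entries)
        )


def evaluate(rules, client_ip: str, when: datetime):
    """Return (decision, rule name); rules are listed highest priority first."""
    for rule in rules:
        if rule.matches(client_ip, when):
            return rule.action, rule.name      # first match stops processing
    return "allow", "default"                  # no rule matched: fail-open default


# Constructed rule set. Names and order follow the manual; everything else is assumed.
WEEKEND = TimePeriod("Weekend", frozenset({5, 6}), time(0, 0), None)
LUNCH = TimePeriod("Lunchtime", frozenset(range(5)), time(12, 0), time(13, 0))
ALL_WEEK = TimePeriod("AllWeek", frozenset(range(7)), time(0, 0), None)

RULES = (
    Rule("AllEmployees", "allow", WEEKEND, "within", ("192.168.1.100-192.168.1.255",)),
    Rule("LunchHourStaff", "allow", LUNCH, "within", ("192.168.1.100-192.168.1.150",)),
    Rule("HourlyEmployees", "deny", LUNCH, "outside", ("192.168.1.120-192.168.1.150",)),
)
# Blanket block (deny, 00:00 - 24:00, whole LAN range) placed at the lowest priority.
BLANKET_DENY = Rule("BlockEverythingElse", "deny", ALL_WEEK, "within",
                    ("192.168.1.1-192.168.1.255",))

if __name__ == "__main__":
    monday_after_lunch = datetime(2008, 1, 7, 13, 15)   # a Monday
    for ip in ("192.168.1.130", "192.168.1.200"):
        print(ip, evaluate(RULES, ip, monday_after_lunch),
              evaluate(RULES + (BLANKET_DENY,), ip, monday_after_lunch))
```

A machine that no rule names (192.168.1.200 here) is allowed through until the blanket deny rule is appended, which is why that rule belongs at the bottom of the list.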

Troubleshooting

Links
● Squid Proxy website

Banner Ad and Pop-up Blocker

Overview
Banner Ad and Pop-Up Blocker Information
Description: The software blocks banner ads and pop-ups at the gateway.
Package Name: cc-privox
Configuration Page: Software > Proxy and Filtering > Web Proxy

The software filters cookies, ads, banners, pop-ups, and other unwanted Internet content.

Configuration
If you use ClarkConnect as a gateway, you can configure the banner ad blocker in transparent
mode. In other words, it is not necessary to change the settings for all the web browsers on the
PCs on your network.
● Step 1 - Install the required Web Proxy server
● Step 2 - From Web Proxy's web-based administration page, set the proxy to transparent
mode.
● Step 3 - From the Banner Ad administration page, enable banner ad blocker integration.

Links
● Privoxy Home Page


Content Filter

Overview
Content Filter Information
Description: A smart and robust web content filter.
Package Name: cc-dansguardian
Configuration Page: Software > Proxy and Filtering > Content Filter

The content filtering software blocks inappropriate websites from the end user. The software can
also be used to enforce company policies; for instance, blocking personal webmail sites like
Hotmail can decrease lost productivity at the office.

The filter engine uses a variety of methods including phrase matching, URL filtering and
black/white lists. Although the filter works effectively 'out-of-the-box', for best results, we
recommend subscribing to a service level that includes the 'Content Filter Update' service (see
Services link below). By keeping your blacklist up-to-date, you will be providing your LAN with the
most effective blocking solution against the 'churn' of sites that change daily.

Services
New sites appear, old sites disappear and current sites move around. By enabling the Content
Filter Updates service, you will receive regular updates to the filter lists. See website for more
details.

Installation
If you did not select this module to be included during the installation process, you must first install
the module.

Configuration
The web-based administration tool gives you access to a number of configuration settings. The
filter must be run in parallel with the Web Proxy server.

It is important to understand the implications of running the content filter with a
web proxy server configured to run in standard mode.

Standard Mode
In standard mode, the web proxy operates on port 3128 and the content filter operates on port
8080. You must change the settings of all the web-browsers located on the local network to point
to one of the above ports in order to take advantage of proxy or filtering services. If users have the
technical knowledge and have access to the browser settings on their local machine, they could
potentially by-pass the proxy server and have full access to content on the Internet.

Transparent Mode
In transparent mode, all requests from the local network automatically pass through the web proxy
cache. The settings for the local machines do not need to be changed. By-passing the proxy is not
possible by changing browser settings on the local machine. Obviously, this is the preferred
configuration.


Content Filter Update Service

If you have a subscription to the "Content Filter Blacklist Update" service (enabled through your
ClarkConnect Gateway Service account) you can check to make sure the update service is active.
If the update service is activated, you will see a screen capture similar to that shown below.

Updates are pulled or pushed automatically from the ClarkConnect Gateway Service network
approximately every week.

Configure Advanced Filtering

Banned File Extensions / Banned MIME Types


Banned File Extensions
Banning specific file extensions is a useful tool for limiting content available to users on the LAN. It
can also greatly decrease the chances of users unwittingly downloading and running 'arbitrary'
code downloaded from the Internet which could potentially contain viruses, spyware or other
malicious code.

By checking a box next to an extension, you are disallowing filtered users from accessing this file
type. If you wish an extension to be blocked and it is not listed in the available list, add it to the list
using the "Add a new extension type" form.

Banned MIME Types


Similarly, MIME types instruct a browser to utilize certain applications in order to display content
encoding. Security exploits in the applications themselves can be used to infiltrate a computer.


MIME types checked in the "Banned MIME Types" form will not be allowed to pass through the
firewall and to the computer making the request on the LAN, providing a more secure environment.

Banned Site List / Exempt Site List


Banned Site List
Sites entered in the "Banned Site List" will be banned, regardless of the site's content, or whether
the site is on one of the blacklists.

Exempt Site List


Sites entered in the "Exempt Site List" will be allowed, regardless of the site's content. Use this
form if content on a site triggers a 'false positive' that you wish to override.

Banned User IP List / Exempt User IP List


If you have some or all of your workstations configured to use static IP addresses, you can
configure individual workstations' access to the web.

Banned User IP List


Here you can configure LAN IP addresses that will be completely blocked from accessing the web.
You can either add IP addresses individually or add groups as defined below.

Exempt User IP List


Here you can configure LAN IP addresses that will be granted completely unfiltered access to
the web. You can either add IP addresses individually or add groups as defined below.

Groups
You can configure groups of IP addresses to simplify and organize workstation access to the web.
For example in an educational environment you can add all administrator/staff IP addresses to a
Staff group and add them to the Exempt User IP List.

Weighted Phrasing
The content filter system uses phrase lists to calculate a score for every web page. You can fine
tune your content filter scoring by specifying which phrase lists to use.
In general you will want the phrase lists you select here to correspond with the blacklists you are
using. At a minimum you will want to include the proxies phraselist to prevent your users from
bypassing the filter.

Note that more weighted phrases activated for the content filter mean that the filter
will take more time to look at each page. It is recommended that if you are using a
low powered server, you limit the number of weighted phrase lists you use and
instead use more blacklists.

If you have problems with some of the phraselists - that they're either blocking too strictly or not
enough, please send information to phrasemaster@dansguardian.org.

Blacklists
The content filter system uses black lists to block specific web sites. You can fine tune your content
filter black lists by specifying which lists to use. Note that these lists are updated weekly by the
Content Filter Update Service if you have subscribed to that service.

If you have problems with some of the phraselists - that they're either blocking too strictly or not
enough, please submit your changes at http://www.urlblacklist.com/?sec=submit.

Configure Filter
Language - If your native language is supported by the DansGuardian content filter, you can
configure the filter to use your language when displaying block reports to your users and error
messages.
Sensitivity Level - The sensitivity level is an arbitrary scale that allows 'coarse' adjustment of the
phrase filter sensitivity. Increasing the sensitivity level means that fewer bad phrases/words will
cause the filter to block the page.
PICS Level - An Internet standard for rating web content. This setting will prove to be of minor
significance as sites self-administrate this parameter. As a general rule, the recommendation is to
disable this setting.
Reporting Level - Five options are available to customize what a user 'sees' when the filter blocks
a page:
● Stealth Mode - Site is not blocked; the user's IP and the site are logged
(/var/log/dansguardian/access.log)
● Access Denied - User's browser will receive an 'Access Denied' in place of the web page.
● Short Report - A short error message 'bubble' will be displayed like the one below:

● Full Report - Same as above, but the weighted limit and actual value will be displayed
(useful for fine-tuning the system).
● Custom Report - Uses the customizable HTML template located at
/etc/dansguardian/languages/[language] where language is the language you have
selected in the setting above. The HTML template file is template.html and the default
en_US language folder is /etc/dansguardian/languages/ukenglish.

Block IP Domains - Used to prevent users from circumventing the URL-based portion of the
filter by using IP addresses instead of URLs. Pages will still be filtered based on the other filtering
mechanisms: weighted phrases, MIME types, file extensions etc.

Blanket Block - Most restrictive setting. All sites will be blocked with the exception of those listed
in the exempt list. Useful for kiosks/public terminals where a browser is used to access a company
site etc.

Links
● DansGuardian website
● URLBlacklist.com - used by the CCGS Service

Web Proxy

Overview
Web Proxy Information
Description: Web proxy cache server.
Package Name: cc-squid
Configuration Page: Software > Proxy and Filtering > Web Proxy

Squid is a high-performance proxy caching server for web clients, supporting FTP, gopher, and
HTTP. The software not only saves bandwidth and speeds up access time, but also gives
administrators the ability to track web usage in the daily report.

Installation
If you did not select this module to be included during the installation process, you must first install
the module.

Configuration

General Settings

Maximum Cache Size


The maximum size on your hard disk to use for the proxy server cache.

Maximum Object Size


Any file (image, web page, PDF, etc) above the maximum object size will still go through the proxy
but will not be cached. Large files (for instance, a movie file) can take up a lot of space in your
proxy cache. If you have a cache size of 2 Gb and two people happen to download 1 Gb files at
the same time, then these two files would replace everything else in your cache. You can limit the
maximum object size to prevent this situation.

Maximum Download File Size


If you want to limit downloads of large files (for instance, movies) you can set a maximum size. Any
file above this limit will get blocked.

Reset Cache
Use the reset cache button to delete all the files currently stored by the web proxy server.

Mode
The web proxy and content filter work together to filter web traffic on your network. The
combination of these two applications can operate in several different modes.

Off
This mode is typically used to either temporarily disable the web proxy service or implement a
custom proxy configuration file. Web traffic can still continue to flow un-proxied on port 80, while
access to port 3128 (web proxy) and port 8080 (content filter) are also available.

Off + Content Filter


In this mode, all workstations on the local network must be configured to use port 8080 (content
filter) as the proxy server. In other words, the only way a person can access the web is by
configuring their web browser to go through the content filter.


On
This mode is typically used to take advantage of the improved bandwidth usage and speed of a
proxy server. In transparent mode, all web requests from the local network automatically pass
through the proxy. No configuration changes are required on the workstations.

On + Content Filter
This mode is typically used to enforce content filtering without the need to make configuration
changes on the workstations. As soon as you enable this mode, all web traffic going through your
gateway goes through the content filter.

Web Site Bypass


In some circumstances, you may need to by-pass the proxy server when it is running in
transparent mode. Typically, this is required for web sites that are not proxy-friendly (notably, older
Microsoft IIS web servers send invalid web server responses -- these responses may not get
through the proxy server).

Example: Tivo personal video recorders (PVRs) are unable to connect via a proxy server. Adding
Tivo's network 204.176.0.0/14 to the proxy by-pass list solves the issue.

Web Browser Configuration


In non-transparent mode, you must change the settings on all the web browsers running on your
local network. The following describes the steps for configuring Internet Explorer, but other
browsers have similar procedures. In Internet Explorer:
● Click on Tools in the menu bar
● Select Internet Options
● Click on the Connections tab
● Click on the LAN Settings button


In the Proxy Server settings box, specify your gateway's IP address (default: 192.168.1.1) and the
proxy port (see next section). You may not be able to access websites on your Squid machine or on
your local network unless you select "Bypass proxy server for local addresses".

Reports
The Web Proxy Report includes statistics on top sites, number of hits, usage by LAN IP address,
daily traffic size, and more. You can view the report from the web-based administration tool.

FTP Proxy
From the Squid Web Proxy FAQ:
Question: Can I make my regular FTP clients use a Squid cache?
Answer: It's not possible. Squid only accepts HTTP requests.

Troubleshooting
If you see the message A configuration issue with your web browser settings was detected,
please make sure your browser settings match your proxy server configuration.


Links
● Squid Proxy website

Groupware

Groupware Configuration

Overview
Groupware/Collaboration Information
Description: A groupware and collaboration module.
Package Name: cc-groupware
Configuration Page: Software > Collaboration

ClarkConnect's Groupware module provides an open-standards based shared environment with
support for calendars, notes, tasks and contact lists. These common task (goal) elements can be
accessed through a number of client interfaces.
● Microsoft Outlook™ 2000/XP
● KDE Kontact™
● Mozilla Thunderbird™
● Horde Webmail (available Q1, 2007)

Together with e-mail and the Flexshare module, a simple and secure environment can be created
within an organization or between trusted parties to collaborate together on common projects.

Installation
If you did not select this module to be included during the installation process, you must first install
the module.


Configuration

Service

Groupware is a collection of software and services tightly integrated to allow groups of users to
collaborate effectively. The groupware overview page reflects this dependence.

You may not have selected packages which provide additional features or
functionality. If a module is not installed, you can use the Software Modules utility to
look up and install modules that were not selected or available during the installation
process.

Creating User Accounts


Use the ClarkConnect User Interface (Webconfig) to add accounts that include mailbox
functionality to support the groupware features.

By default, the Community and Enterprise Editions include 10 accounts that have
groupware/mailbox functionality. The Enterprise Edition is upgradeable to 250 users
(in units of 5) by purchasing additional mailbox licenses from Point Clark Networks.

If this is your first time setting up the ClarkConnect user accounts, you will be redirected to the
server set-up page if you have not entered basic server defaults. Complete the global system
parameter set-up and return to the users page. You will see a summary similar to the screen
capture below.


Follow the instructions here to add accounts for those users who will have access to the groupware
functionality of ClarkConnect.

Configuring Your Firewall


Groupware is a solution that allows groups of people within an organization to be productive both
on the trusted Local Area Network and outside it, for example at an employee's home, a WIFI access
point at an airport, a hotel broadband connection or an Internet café. Depending on what remote
access you want to allow, precise changes to your firewall are required. Below, you will
find a table of typical services that groupware uses, and the ports you would need to open in order
to allow remote access.

Protocol   Description                                               Default Port
SMTP       Simple Mail Transfer Protocol (with or without SSL)       25
POP3       Post Office Protocol (non-encrypted)                      110
POP3S      Post Office Protocol with SSL (encrypted)                 995
IMAP       Internet Message Access Protocol (non-encrypted)          143
IMAPS      Internet Message Access Protocol with SSL (encrypted)     993
HTTP       File or website access via web server                     80
HTTPS      File or website access via web server with encryption     443
FTP        File Transfer Protocol                                    2121 [1]
FTPS       File Transfer Protocol with TLS (SSL encryption)          2123 [2]

[1] ClarkConnect Flexshare using FTP. Default FTP is port 21.
[2] ClarkConnect Flexshare using FTPS. Default FTP with TLS is port 21.

Configuring Clients
Once accounts are set-up on the server, it is time to configure a user's individual mail client that
will be used to interface to the collaborative environment.


As with any advanced configuration and installation of software, it is advisable to
make a backup of your system or the data files related to the mail client you are
using (for example, the Outlook PST file).

Microsoft Outlook

Installing the Toltec Connector


The first step in configuring Outlook is to download and install the Toltec Connector.

ClarkConnect FTP: ftp://download.clarkconnect.com/4.1/other/toltec-2.2.0-en-kolabxml-cc.exe

Make sure to close any running instance of Outlook before installing the Toltec
Connector.

Once you have downloaded the file, use Explorer to navigate to the directory it was downloaded to
and double click on the executable. A familiar install splash screen will be displayed.

Click Next to continue. After reading the License Agreement, select I accept the agreement and
click on Next. By default, the Toltec Connector will be installed in C:\Program Files\Toltec.
Generally speaking this default and the remaining defaults can be used to quickly complete the
install wizard.

Licensing the Toltec Connector

Start Microsoft Outlook, select Help > About Toltec Connector as displayed below.


Click on Load a License Key and select the directory where you have your key. If you haven't yet
purchased a key, you can purchase one through ClarkConnect's Online Store or directly from the
Toltec site.


Close the About dialog box and click on Outlook's Tools > Options from the menu. You should
now see an additional tab labeled Toltec Connector.

Before you continue with the next step, ensure the ClarkConnect server's IMAP
service is enabled, an account has been created for the user's client you are
configuring and the ClarkConnect's IMAP server can be accessed from the system
you are configuring.


Outlook Modes (Outlook 2000 ONLY)


The first step in configuring Outlook 2000 is to switch to Corporate Workgroup Mode. Open
Outlook and select Tools > Options and select the Mail Delivery Tab.

Select Reconfigure Mail Support.

Select Corporate or Workgroup mode and click on the Next button. Confirm your intention to
change the mode by selecting Yes. Restart Outlook.

Mapping Toltec to a Message Store

Under the Toltec Connector tab, click on the New button to create a new message store to map
to. Click Next on the first dialog box that appears informing you that you are about to start the next
wizard.

Most users will want to select the default message store (outlook.pst) from the list of available
message stores. If so, select Personal Folders (you may have renamed it to something more
"personal") and click Next.

Select Open Format (Kolab-XML 2.x) and click Next.


Enter your server's hostname in the appropriate field, followed by your user account's username
and password (matching those used when you created a user on the server). Ensure the checkbox
for encrypting communications with TLS/SSL is enabled, then click Next to continue.

At the next stage a connect/protocol test will be performed. If everything is functioning properly,
you should see an output from this test which resembles the following screen capture. Click Next
followed by Finish to complete the set-up.

Connection issues may be caused by firewall software running on your desktop!


At this point, the Toltec connector has successfully been mapped to your Personal Folder.

Outlook Accounts - POP3(S) vs. IMAP(S)


The Toltec connector uses the secure IMAP protocol to synchronize data between your Outlook
client and the ClarkConnect IMAP service. As a result (and although it is counter-intuitive), you
should create a POP3 account to fetch mail from the server and set up an outgoing SMTP service
to send mail. If you were using POP3(S) with Outlook, you don't need to do anything. If you were
using IMAP or are using Outlook for the first time, you'll need to create a POP3 account with your
user settings matching the ClarkConnect server. The following sections explain how to do this and
how to detach (dis-associate) the Toltec mapping and re-assign it to another personal mailbox (pst
file).

Start Outlook and click on Tools > E-mail Accounts. Select View or change existing e-mail
accounts. Click Next to continue.

You will be shown a list of all accounts you have created. If you recognize one as connecting via
POP(S) to your ClarkConnect server, you don't need to do anything other than to check that the
Toltec connector is mapped to it (see next section).

If you need to create a new account for sending/receiving e-mail from the ClarkConnect server,
click on the Add button. A number of options for account types will be listed.

Select POP3 and click continue.


Complete the mail account settings for the specific user. Use the Test Account Settings button to
see if you have configured your account and server correctly.

If you are using SSL encryption to receive or send mail (highly recommended), click on the More
Settings > Advanced tab and select This server requires a secure connection (SSL) on the
Incoming and Outgoing servers as required.

POP3 with SSL encryption uses a different port than POP3 - remember to open up port
995 instead of 110 if you enable SSL on the account.


Clicking Next will send you back to the account list where you should now see your entry.

Detaching/Re-attaching the Toltec Connector


If you need to re-assign the Toltec connector to another Message Store, click on
Tools > Options > Toltec Connector. Select the Message Store to be disassociated from the
connector and click Detach.

If you remove a mapping, you will need to either remove the PST file or delete/re-
create the account on the IMAP server before mapping again - otherwise all entries
will be duplicated.


To attach the connector to another Message Store, follow the instructions above.

Mapping to multiple IMAP4 servers is possible but beyond the scope of this
document.

Synchronizing Outlook with the Server


By default, Toltec will synchronize data between Outlook and the ClarkConnect server when the
object is selected in the Folder List.

You can customize this behavior by selecting an object (for example, your calendar), and using
right-click > Properties.


Select the Toltec folder. You will see a number of options allowing you to synchronize data on
events or periodically.


Users who have a large number of messages (10000+ in a single folder) may only
want to synchronize manually to avoid processing delays.

Mozilla Thunderbird
Support for Thunderbird with Kolab groupware synchronization is currently in development (beta).
Please check back later.

Testing Object Synchronization

As a simple test, we will assume at least two users have been created on the
server - in this example, Mary and David who work for Point Clark Networks. David is Mary's
assistant and regularly schedules her appointments and meetings for her. As such, he requires
shared access to Mary's calendar.

Note, the administrator has been sure to give both Mary and David access to both the mail and
web user options.

Sharing a Calendar
The first configuration to be made is David's shared access to Mary's calendar. To do this, Mary
would open her mail client (Outlook in this case) and Right-Click on the Calendar object in the
folder list and select Properties.

Clicking on the Toltec tab displays a button labeled Folder Sharing Options. Mary clicks on this
button and adds David with the desired sharing privileges.


Once done and a synchronization has been performed, David will see Mary's calendar in his
Folder List.

At this point, creating meetings and appointments for Mary is straightforward. David simply selects
Mary's calendar, and creates appointments or meetings on behalf of Mary. Mary's Outlook client
will synchronize with additions/changes made by her assistant in addition to keeping track of her
own entries.

Webmail
Upgrades to the Webmail module supporting groupware are scheduled for Q2, 2008.


Sharing/Accessing Files
Please refer to the Flexshare section of this manual.

Troubleshooting

Outlook 2000 and Calendar Format

If meeting requests are not working in Outlook 2000, you may need to set the default format to use
iCalendar (iCal). To do this, start Outlook 2000 and click on Tools > Options > Preferences
(tab). Click on Calendar Options and ensure the Send meeting requests using iCalendar by
default checkbox is enabled.

Tips and Tricks

Manual Synchronization
You can synchronize data between your Outlook client and the server at any time by clicking on
the icon found in the Outlook menu bar.

Synchronization Progress

You can view the progress being made on synchronization between your Outlook client and the
server by Right-Clicking on the Toltec Icon in your Windows system tray and selecting View.

Enabling Free/Busy Scheduling Without User Authentication

Links
● Kolab Groupware Project
● Toltec Groupware Connector
● Toltec Connector for Windows Download
● Toltec Installation Guide (PDF)
● Kolab Synchronization Plugin for Mozilla Thunderbird
● Purchase ClarkConnect Toltec Licenses

VPN

PPTP

Overview
VPN Server - PPTP Information
Description: Virtual Private Network PPTP server.
Package Name: cc-pptp
Configuration Page: Software > VPN > PC-to-LAN

The PPTP server is a secure and cost-effective way to provide road warrior VPN connectivity. The
PPTP VPN client is built into Windows 98, ME, 2000, and XP. No extra software is required and
ClarkConnect provides full password and data encryption.

Installation
If you did not select this module to be included during the installation process, you must first install
the module.

Configuration

Configuring the PPTP Server

Local IP and Remote IP


You must select a range of LAN IP addresses for the PPTP VPN connections. This range should
be on the same network as your local area network. By default, the DHCP Server on ClarkConnect
only uses IP addresses above x.x.x.100. All addresses below this number are reserved for static
use. We strongly suggest you use this sub-100 static range for PPTP.
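
One way to check a planned PPTP address range against the rules above, as an added example (not part of the original manual or of the ClarkConnect software). The function name, its parameters and the sample 192.168.1.0/24 addresses are assumptions made for illustration, and x.x.x.100 is treated as the first DHCP address.

```python
import ipaddress


def check_pptp_range(lan, server_ip, first, last, dhcp_first, static_hosts=()):
    """Return a list of problems with a planned PPTP address range.

    lan          -- LAN network in CIDR form, e.g. "192.168.1.0/24"
    server_ip    -- LAN address of the gateway itself
    first, last  -- first and last address handed to PPTP clients
    dhcp_first   -- lowest address the DHCP server gives out (x.x.x.100 by default)
    static_hosts -- addresses already assigned by hand in the static range
    """
    net = ipaddress.ip_network(lan)
    lo = ipaddress.ip_address(first)
    hi = ipaddress.ip_address(last)

    if lo > hi:
        return [f"range start {lo} is above range end {hi}"]

    # The range must sit on the same network as the LAN.
    problems = [f"{addr} is not on the LAN network {net}"
                for addr in (lo, hi) if addr not in net]
    if problems:
        return problems

    if lo == net.network_address or hi == net.broadcast_address:
        problems.append("range includes the network or broadcast address")

    # Stay below the DHCP pool so a lease never collides with a VPN client.
    if hi >= ipaddress.ip_address(dhcp_first):
        problems.append(f"range reaches into the DHCP pool starting at {dhcp_first}")

    # The sub-100 range is also where hand-configured machines live.
    for host in (server_ip, *static_hosts):
        if lo <= ipaddress.ip_address(host) <= hi:
            problems.append(f"{host} is already in use inside the range")

    return problems


if __name__ == "__main__":
    # Constructed sample values for a 192.168.1.0/24 LAN.
    for first, last in (("192.168.1.80", "192.168.1.89"),
                        ("192.168.1.90", "192.168.1.110")):
        result = check_pptp_range("192.168.1.0/24", "192.168.1.1", first, last,
                                  "192.168.1.100", static_hosts=["192.168.1.10"])
        print(first, "-", last, ":", result or "OK")
```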

Encryption Key Size


Most PPTP VPN clients support the stronger 128-bit encryption key. However, some VPN clients
(especially hand-held computers and mobile phones) can only support 40-bit encryption. Change
the encryption key size to meet your needs.

Domain
The default domain used by the PPTP client.

WINS Server
The Microsoft Networking WINS server used by the PPTP client. Depending on your network
configuration, you may need to specify the WINS settings in VPN client configuration.

DNS Server
The DNS server used by the PPTP client.

Usernames and Passwords


PPTP users must have a valid account with the PPTP option enabled. See the User Options page
for more information.

Configuring Microsoft Windows

Configuring Windows 95/98

● For stronger encryption and improved performance, install the latest version of Dial-Up
Networking. See 128-bit Encryption for Windows 95/98.
● Install the Virtual Private Networking client from the Windows 98 CD. Use the Add/Remove
Programs tool in the Control Panel. Click on the Windows Setup tab, and select
Communications from the list. Click on the Details button and make sure Virtual Private
Networking is selected (see screenshot). You may need to reboot your system after changing
this setting.
● The PPTP Client in Windows 98 is part of the Dial-up networking tools. It may seem strange
using dial-up networking over another dial-up connection (or in some cases over
broadband)... but that is the way it is.
● Go to dial-up networking by clicking on My Computer on your desktop.
● Click on Make New Connection.
● Name the connection and select the Microsoft VPN Adapter.
● Continue with the wizard and enter the IP or Hostname of the PPTP server.
● You are not quite done yet. Right-click on the VPN connection you just created.
● Select the Server Types tab.
● Make sure Require encrypted password and Require data encryption are selected (see
screenshot).
● Disable the NetBEUI and IPX/SPX protocols (unless you really need them).
● Click on the TCP/IP Settings button.
● Use the default gateway on the remote network (see screenshot). This may not be
necessary in some situations.

Configuring Windows XP
The PPTP client is built into Windows XP.
● Go to the Control Panel.
● Click on Network and Internet Connections (this step may not be necessary).
● Click on Network Connections.
● Click on Create a New Connection to start the configuration wizard (see screenshot).
● Select connect to the network at my workplace.
● Select Virtual Private Network connection.
● Add a connection name, and dial settings, and hostname.
● Click on the Properties button (or right-click on the new connection, and select Properties
from the menu).
● Select the Security tab.
● Make sure Require data encryption is selected.
● Select the Networking tab.
● From the Type of VPN drop box, select PPTP VPN.

Troubleshooting

Error 619, PPTP and Firewalls


PPTP requires special software when passing through firewalls. If you are having trouble
connecting to a PPTP server, make sure any firewalls between your desktop and the ClarkConnect
server support PPTP passthrough mode.

PPTP Passthrough
If you are connecting a desktop from behind a ClarkConnect gateway to a remote PPTP server,
then you need to have PPTP passthrough software installed and enabled on the firewall. This
software is included in ClarkConnect.

However, we do not recommend running PPTP Passthrough and a PPTP server simultaneously.
By default, the ClarkConnect gateway will automatically disable PPTP Passthrough when the
Firewall Incoming is configured to allow PPTP server connections. If you would like to run PPTP
Passthrough and a PPTP server simultaneously, follow the Force PPTP Passthrough
documentation.

Two PPTP Connections to the Same Server


The PPTP protocol does not allow two VPN connections from the same remote IP address. In
other words, if you have two people behind a gateway (for example, ClarkConnect) connecting to
the same PPTP server, then the connection should fail. Note: it is fine to have two people behind a
gateway connecting to different PPTP servers.

Some PPTP servers and gateways (including ClarkConnect) do make an exception for this
shortcoming. However, some PPTP servers may strictly follow the standard below:

"The PPTP RFC specifies in section 3.1.3 that there may only be one control channel connection
between two systems. This should mean that you can only masquerade one PPTP session at a
time with a given remote server, but in practice the MS implementation of PPTP does not enforce
this, at least not as of NT 4.0 Service Pack 4. If the PPTP server you're trying to connect to only
permits one connection at a time, it's following the protocol rules properly. Note that this does not
affect a masqueraded server, only multiple masqueraded clients attempting to contact the same
remote server."

Links
● PoPToP PPTP Server
● 128-bit Encryption for Windows 95/98
● PPTP handles 100s of users

IPsec

Overview
VPN Server - IPsec Information
Description: Virtual Private Network tools for LAN-to-LAN connections.
Package Name: cc-ipsec
Configuration Page: Software > VPN > LAN-to-LAN

You can use the web-based administration tool to create a connection with other ClarkConnect
servers (on licensed systems, dynamic IP support is included).

Installation
If you did not select this module to be included during the installation process, you must first install
the module.

Configuring Connections with Managed VPN


Managed VPN support not only simplifies configuration, but also improves the up-time of the
connections. In order to create a connection between two systems, you need to configure both
ClarkConnect systems.

If you are configuring a VPN connection between your local gateway and a remote gateway, then
configure the remote gateway first. Once the VPN is started on the remote system it will only be
accessible when the VPN connection is up. If you run into trouble configuring the tunnel, you can
use a dial-up or other location to access the remote location.

From the web-based administration tool, click on Create in the Managed VPN Connections box.
You need to:
● Select the IP address of the remote connection
● Type in a pre-shared secret (password)

On the first connection or when an IP address changes, it may take a few minutes for the
connection to synchronize.

The two LAN networks at either end of the VPN connection must not overlap! If you need to
change the LAN IP address/network on your ClarkConnect server, please use the Administration
Console.

Configuring Un-managed VPN Connections (not recommended)

Select Headquarters and Satellite


Pick one server to be the "Headquarters" and the other to be the "Satellite". This is just a naming
convention -- pick a convention and stick with it! The OpenSWAN documentation uses "left" and
"right". This can be confusing at times, so we also use an alternate set of names: "headquarters"
and "satellite".

Gather Network Information


You must gather some network information for the IPsec server configuration, namely: the IP
address, next hop (gateway), and network for both sides of the network. Make sure these settings
are correct -- you will save many hours of pain and frustration. The information for the local
ClarkConnect system is shown when you start to configure an unmanaged VPN connection.

The two LAN networks at either end of the VPN connection must not overlap! If you need to
change the LAN IP address/network on your ClarkConnect server, please use the Administration
Console.

Select a Connection Name and Pre-Shared Secret


Once you have your network settings in hand, enter the information on both ends of the VPN
connection. Enter a simple nickname for the connection along with a strong pre-shared secret.
When configuring the other end of the VPN connection, do not be tempted to swap the
Headquarters and Satellite information! The configuration screens on both ends of the connection
will look exactly the same.

Sanity Checking
Start the IPsec server on both ends of the connection. Do not use Windows Network Neighborhood
to verify the VPN (there is a Howto on getting your Windows Network up and running). Instead,
make sure you can ping from:
● gateway to gateway
● gateway to remote PC
● remote PC to gateway
● remote PC to remote PC
If the connection fails, double check your network settings and restart your firewall. Look in the log
files -- /var/log/messages and /var/log/secure -- for error messages.

Configuration for Road Warriors


The web-based administration tool does not support Road Warrior connections or interoperability
with other IPsec servers. The software is capable of these configurations (including X.509
solutions); however, you must manually configure these connection types. Configuration can be a
non-trivial task, so please read the OpenSwan site for more information.

For road warriors/telecommuters, we strongly suggest using the 128-bit encrypted PPTP server.
This option is not only more cost effective, but also easy to configure. See PPTP for installation
and configuration instructions.

Configuring Windows Network Neighborhood - WINS


Do you want to be able to browse Windows Network Neighborhood across your VPN connection?
You must configure and use a WINS server. Fortunately, ClarkConnect has all the pieces of the
puzzle in place. Please view the additional documentation here.

Interoperability
The IPsec protocol is an industry standard, but one with many loose ends. This means that other
IPsec servers - though standards compliant - may not be able to connect to a ClarkConnect IPsec
server. If you are familiar with the command line environment, you may be able to successfully
connect a ClarkConnect system to a third party system. You can find more information in the
OpenSwan Interoperability Documentation.

Technical support is not provided for IPsec interoperability.

Troubleshooting
● Make sure your firewall allows incoming connections for IPsec traffic
● The IPsec protocol does not pass through NAT-based routers. In other words, if your
external IP address is 192.168.x.x or 10.x.x.x, then your system is behind a NAT-based
router.
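
A pre-flight check for the values collected under "Gather Network Information" and the NAT note above, as an added example (not part of the original manual or of the ClarkConnect software). The Endpoint class, the function names and the sample addresses are assumptions made for illustration; the check covers the non-overlap rule, the private external address case, and the warning about swapping Headquarters and Satellite between the two configuration screens.

```python
import ipaddress
from dataclasses import dataclass

# Private ranges from RFC 1918. The manual names 192.168.x.x and 10.x.x.x;
# 172.16.0.0/12 is the third range defined by the same RFC.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Endpoint:
    """The three values the manual says to gather for one side of the tunnel."""
    name: str       # "headquarters" or "satellite"
    ip: str         # external IP address of the gateway
    next_hop: str   # next hop (gateway) of the external interface
    lan: str        # LAN network behind the gateway, CIDR form


def check_endpoint(ep):
    """Return the problems found in one endpoint's settings."""
    try:
        ip = ipaddress.ip_address(ep.ip)
        hop = ipaddress.ip_address(ep.next_hop)
        lan = ipaddress.ip_network(ep.lan)   # rejects host bits, e.g. 192.168.1.1/24
    except ValueError as exc:
        return [f"{ep.name}: {exc}"]
    problems = []
    if any(ip in net for net in RFC1918):
        problems.append(f"{ep.name}: external IP {ip} is private, so this "
                        "gateway is behind a NAT-based router")
    if ip == hop:
        problems.append(f"{ep.name}: next hop is the gateway's own address")
    if ip in lan or hop in lan:
        problems.append(f"{ep.name}: external IP or next hop lies inside LAN {lan}")
    return problems


def check_plan(hq, sat):
    """Check both endpoints, then the rule that the two LANs must not overlap."""
    problems = check_endpoint(hq) + check_endpoint(sat)
    try:
        lan_a = ipaddress.ip_network(hq.lan)
        lan_b = ipaddress.ip_network(sat.lan)
    except ValueError:
        return problems              # already reported by check_endpoint
    if lan_a.overlaps(lan_b):
        problems.append(f"LAN networks {lan_a} and {lan_b} overlap")
    return problems


def compare_screens(on_hq, on_sat):
    """Compare the (headquarters, satellite) pair entered on each gateway.

    Returns "match", "swapped" (one side has the two roles exchanged)
    or "mismatch" (a typo somewhere).
    """
    a = [(e.ip, e.next_hop, e.lan) for e in on_hq]
    b = [(e.ip, e.next_hop, e.lan) for e in on_sat]
    if a == b:
        return "match"
    return "swapped" if a == b[::-1] else "mismatch"


if __name__ == "__main__":
    # Constructed sample values (documentation address ranges).
    hq = Endpoint("headquarters", "203.0.113.10", "203.0.113.1", "192.168.1.0/24")
    sat = Endpoint("satellite", "198.51.100.20", "198.51.100.1", "192.168.1.0/24")
    for line in check_plan(hq, sat) or ["plan looks consistent"]:
        print(line)
```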

Entertainment

Photo Gallery

Overview
Photo Gallery Information
Description: A web-based photo album.
Package Name: cc-gallery
Configuration Page: Software > Fun > Photo Gallery

Gallery is a web based photo album that provides you with the ability to create and maintain your
own online photo collection via an intuitive web interface.

Installation
If you did not select this module to be included during the installation process, you must first install
the module.

Configuration
More information can be found on the Gallery page in the web-based administration tool.

Links
● Gallery website

Web

Web Server

Overview
Web Server Information
Description: A powerful and popular web server.
Package Name: cc-httpd
Configuration Page: Software > Web > Web Server

ClarkConnect includes the Apache web server -- the same software that powers many of the
world's largest websites.

Installation
If you did not select this module to be included during the installation process, you must first install
the module.

Configuration

General

Global
The basic set-up of the Apache web server is installed by default. In the main configuration, you
need to specify two items:

Server Name
The server name is a valid name (for example, www.example.com) for your web server. This name
is used on some infrequently used error pages, so it is not all that important.

SSL-Enabled - Secure Site


The web server comes with built-in SSL encryption for enhanced security. If your website requires
a username and password for login, then it is a good idea to use encryption. For instance, if you
have the webmail or groupware solution installed, you should access their respective login pages
via the secure web server. In your web browser, you should use the encrypted
https://your.domain.com instead of the un-encrypted http://your.domain.com (https vs http). When
enabled, all communication between the web server and user's web browser is encrypted using a
128-bit security key.

SSL encryption requires a web site certificate. ClarkConnect automatically generates a default
certificate that is 100% secure. However, this certificate is not verified by one of the web site
certificate authorities (it costs at least $100 per year to maintain a verified web site certificate).
Your users will see the following warning (or similar) when connecting to the secure web server.

Allow FTP Upload


Enables an administrator/user to upload or change content on the website via FTP. By default, the
FTP uses a non-standard port of 2121. A user must be created on the server with FTP access in
order to provide authentication credentials to log in to the FTP server. Any user belonging to the
group configured in the Group Access setting will have read/write access to the website directory.

You must use an FTP client (rather than a browser) if you would like to upload files to the server.

Allow File Server Access


Enables an administrator/user on the LAN (or remotely via VPN) to upload or change content on
the website via file shares (Samba). To access the share using a Windows client on the LAN, go to
"Start > My Computer" and enter:

\\SERVERNAME\DOMAINNAME

Where:

SERVERNAME = your server's hostname (e.g. webserver.lan)
DOMAINNAME = your website's domain name (e.g. mywebsite.com)

Any user belonging to the group configured in the Group Access setting will have read/write access
to the website directory.

Group Access
Select a group which will be used to grant access to users who should have access to make
modifications (uploads) to the website. If no groups have been created on your server, you will
have to add one first before configuring either FTP or file server based access.

Virtual Hosts

The web server includes support for "virtual hosts". This means your web server can be used for
hosting more than one web site.

Adding Static Content to Your Site

Text Editor
Not the most efficient means, but certainly possible. Use your favorite text editor and start typing
away!

Example:
# vi /var/www/html/index.html

And add:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>My First Web Page</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>
<p align="center">Hello World</p>
</body>
</html>

Web Design Applications


There are a number of products (free and commercial) to design your own webpages. See the
links below for

Adding Dynamic Content to Your Site


There are many options for adding dynamic content to a website:
● CGI
● PHP
● JSP
● ASP

The set-up and configuration of these engines are beyond the scope of this help document. PHP,
however, is available as a module.
Installing the PHP Module

Flexshares and your Web Server


ClarkConnect's Flexshare feature is a convenient way to add and configure more advanced web
server functionality like user-authenticated logins to the LDAP service, file indexing etc.

Flexshares are only available in ClarkConnect 4.0 Editions and above.

Troubleshooting

ISP Blocking
Some ISPs are known to block web (port 80) traffic to residential broadband connections in an
attempt to cut down on illegal sites hosted on their network. If you think your configuration is set-up
correctly and you suspect your ISP is blocking HTTP traffic, try a port scan.

Firewall Rules
A web server listens to client requests coming in on port 80 (HTTP) or 443 (HTTPS/secure). Did
you remember to open the correct port(s)?

Unable to Gain FTP or File Share Access - Access Denied


If you have just created a user and/or group, try stopping and restarting the FTP and/or file service,
depending on which access methods you have configured.

Links
● Adding incoming firewall rules
● Apache Web Server Project

Reports

Current Status

Overview
Current Status Information
Description: Disk load, system load, memory usage, and other system status.
Package Name: cc-status
Configuration Page: System > System Information > Current Status

Dashboard

Overview
Dashboard Information
Description: The dashboard shows a big picture overview of your system.
Package Name: cc-webconfig
Configuration Page: Dashboard > Overview

The dashboard page is a bird's eye view of your system.

Intrusion Detection

Overview
Intrusion Detection Information
Description: A report displaying summary information on the intrusion detection system.
Package Name: cc-snort
Configuration Page: Reports > Reports > Intrusion Detection

The intrusion detection report provides a way to analyze hostile traffic arriving on your network
interfaces.

Logs

Overview
Logs Information
Description: Log viewer.
Package Name: cc-reports
Configuration Page: System > System Information > Logs

The log report page allows you to view and filter detailed log files on your system.

SMTP Mail

Overview
SMTP Mail Report Information
Description: A report displaying summary information on the mail server.
Package Name: cc-postfix
Configuration Page: Reports > Reports > SMTP Mail

Statistics

Overview
System Statistics Information
Description: Historical information on system performance.
Package Name: cc-mrtg
Configuration Page: Reports > System Information > Statistics

Installation
If you did not select this module to be included during the installation process, you must first install
the module.

Statistics
The charts shown in the statistics page show the following information:
● Maximum value over the period (e.g. one day)
● Average value over the period
● Current value

Load
The system load is a measure of how the overall system is performing. A common misconception
is that the system load is a measure of CPU usage. However, a high system load can be caused
by excessive hard disk access or other types of bottlenecks in the overall system.

Two different trend lines are shown on this chart. The green line indicates the average system load
for a given 5-minute time period. The blue line indicates the average system load for a given 15-
minute time period.

A sustained load above 200 on the chart indicates an overloaded system (occasional spikes above
this number are normal). The system load displayed on the charts is multiplied by 100. For
instance, if you see a load of 53 in the chart, then the load is really 0.53.

Open Connections
This statistic shows the number of open network connections to your system. For instance, an end
user fetching their e-mail from the server will open one (or more) network connections. If your
system comes under an unwanted attack, you will likely see a large spike in open connections.

Processes
The number of processes running on your system.

Swap Memory
Swap memory usage is an indirect indicator of how well your system is managing RAM (physical)
memory. The green background in this chart (if shown) is the amount of swap memory available.
The blue line indicates the amount of swap memory used. If the blue line sustains a level of 75% of
the total swap memory available, then you need to take action:
● Disable unused software/services running on the system
● Investigate potential software bugs/issues
● Add more RAM
The intrusion detection system and content filter system use quite a bit of system resources.

On a Linux system, all unused RAM is used to optimize file access. Do not be
surprised to find your RAM usage at 95% or higher.

Uptime
The uptime charts how long your system has been running without a reboot.

Links
● MRTG Web Site

Web Proxy

Overview
Web Proxy Reports Information
Description: A report displaying information on proxy and content filter usage.
Package Name: cc-squid
Configuration Page: Reports > Reports > Web Proxy

Reports are created through the ClarkConnect API using a dedicated MySQL database. This
makes extraction of the report logs simple to do in the event other report media (e.g. PDF) or
statistics are required.

Report Types

Overview

User/IP Summary

Domain Summary

Ad-hoc Summary

Web Server

Overview
Web Server Reports Information
Description: A report displaying statistics for the web server.
Package Name: cc-awstats
Configuration Page: Reports > Reports > Web Reports

Installation
If you did not select this module to be included during the installation process, you must first install
the module.

Configuration
To access the Web Reports, you will need to set a password. In the web-based administration tool:
● Enter the password you wish for the reports and click on Update.
● In the Reports by Domain panel at the bottom of the screen, click on the domain report
you wish to view.
● A new window will appear asking for a username and password. Enter awstats for the
username and the password you assigned above.

Links
● Awstats Home Page
