http://www.clarkconnect.com
ClarkConnect Administration Manual
Table of Contents
Introduction...................................................................................................................................... 8
Welcome...................................................................................................................................... 8
Features...................................................................................................................................... 8
What's New.................................................................................................................................. 9
Comparing Software Editions...................................................................................................... 9
System Requirements...................................................................................................................... 9
Overview...................................................................................................................................... 9
Network Cards............................................................................................................................. 9
PCI Network Cards................................................................................................................. 9
ISA Network Cards................................................................................................................ 10
Wireless Network Cards........................................................................................................ 10
Internet Connection................................................................................................................... 10
Cable Modems...................................................................................................................... 10
DSL and PPPoE.................................................................................................................... 10
Wireless................................................................................................................................ 10
ISDN..................................................................................................................................... 10
Links.......................................................................................................................................... 10
Compatibility................................................................................................................................... 10
Overview.................................................................................................................................... 10
Vendors..................................................................................................................................... 11
Recommended...................................................................................................................... 11
Not Recommended............................................................................................................... 11
RAID Compatibility..................................................................................................................... 11
RAID Support................................................................................................................................. 11
Overview.................................................................................................................................... 11
Software RAID...................................................................................................................... 12
Hardware RAID..................................................................................................................... 12
Links.......................................................................................................................................... 12
Installation...................................................................................................................................... 13
Starting the Install...................................................................................................................... 13
Installation CD....................................................................................................................... 13
Starting the Installation.......................................................................................................... 13
Configuration Options................................................................................................................ 13
Selecting Your Server Type.................................................................................................. 13
Selecting Your Network Connection Type............................................................................. 13
Selecting Your Network Card Drivers.................................................................................... 13
Configuring Your Network..................................................................................................... 14
Configuring Your Network - PPPoE....................................................................................... 14
Configuring Your LAN IP Address......................................................................................... 14
Selecting Your Hostname - Password - Timezone................................................................ 15
Selecting Your Hard Disk Partitioning Settings...................................................................... 15
Selecting Your Software........................................................................................................ 15
Configure Partitioning and RAID................................................................................................ 16
Overview............................................................................................................................... 16
Select Advanced Partitioning................................................................................................. 16
Using the Disk Druid Partition Tool........................................................................................ 16
Example: Software RAID 1.................................................................................................... 16
Testing Software RAID.......................................................................................................... 18
Links...................................................................................................................................... 18
Troubleshooting......................................................................................................................... 18
Page 2 of 214
Overview............................................................................................................................... 18
Network Configuration.................................................................................................................... 18
Overview.................................................................................................................................... 18
Configuration............................................................................................................................. 19
Network................................................................................................................................. 19
Interfaces.............................................................................................................................. 20
Accessing Login Prompt............................................................................................................ 20
LAN Configuration.......................................................................................................................... 20
Overview.................................................................................................................................... 20
Network Settings................................................................................................................... 21
Windows 95/98.......................................................................................................................... 21
Step 1 - Control Panel........................................................................................................... 21
Step 2 - IP Address............................................................................................................... 22
Step 3 - Gateway Settings..................................................................................................... 23
Step 4 - DNS Settings........................................................................................................... 23
Windows 2000........................................................................................................................... 24
Step 1 - Network Connections............................................................................................... 24
Step 2 - Configuring TCP/IP.................................................................................................. 26
Windows XP.............................................................................................................................. 28
Step 1 - Control Panel........................................................................................................... 28
Step 2 - Select IP Properties................................................................................................. 29
Step 3 - IP Address............................................................................................................... 30
Step 4 - DNS Settings........................................................................................................... 30
Web-based Administration............................................................................................................. 30
Overview.................................................................................................................................... 30
Access....................................................................................................................................... 31
Certificate Warning................................................................................................................ 31
Username and Password...................................................................................................... 31
Technical Notes.................................................................................................................... 31
Help........................................................................................................................................... 31
Next Step................................................................................................................................... 32
System Registration....................................................................................................................... 32
Overview.................................................................................................................................... 32
System Activation...................................................................................................................... 32
Create an Online Account..................................................................................................... 32
Complete Registration Wizard............................................................................................... 32
Software Modules........................................................................................................................... 33
Overview.................................................................................................................................... 33
Finding a Module....................................................................................................................... 33
Installing a Module..................................................................................................................... 33
Software Modules via Apt............................................................................................................... 33
Overview.................................................................................................................................... 33
Finding a Module....................................................................................................................... 34
Installing a Module..................................................................................................................... 34
Troubleshooting......................................................................................................................... 35
Network Settings............................................................................................................................ 35
Bandwidth.................................................................................................................................. 35
Overview............................................................................................................................... 35
Services................................................................................................................................ 36
How It Works......................................................................................................................... 36
Configuration......................................................................................................................... 36
Units - kbit/s, kbps, Mbps and Other Confusing Notation...................................................... 37
Links...................................................................................................................................... 37
DHCP Server............................................................................................................................. 37
Overview............................................................................................................................... 37
Installation............................................................................................................................. 38
Configuration......................................................................................................................... 38
Common Errors..................................................................................................................... 40
Links...................................................................................................................................... 40
Hosts and DNS Server............................................................................................................... 40
Overview............................................................................................................................... 40
Configuration......................................................................................................................... 40
Tips and Tricks...................................................................................................................... 40
Links...................................................................................................................................... 40
IP Settings................................................................................................................................. 41
Overview............................................................................................................................... 41
Configuration......................................................................................................................... 41
Configuration from the Console............................................................................................. 42
Troubleshooting.................................................................................................................... 43
Multi-WAN................................................................................................................................. 44
Overview............................................................................................................................... 44
Network Tools....................................................................................................................... 47
UPnP..................................................................................................................................... 48
Wireless Card Configuration.................................................................................................. 48
Firewall........................................................................................................................................... 50
1 to 1 NAT................................................................................................................................. 50
Overview............................................................................................................................... 50
Installation............................................................................................................................. 50
Configuration......................................................................................................................... 50
Advanced................................................................................................................................... 52
Overview............................................................................................................................... 52
Installation............................................................................................................................. 52
Configuration......................................................................................................................... 52
Links...................................................................................................................................... 52
DMZ........................................................................................................................................... 52
Overview............................................................................................................................... 52
Installation............................................................................................................................. 52
Configuration......................................................................................................................... 53
Links...................................................................................................................................... 53
Group Manager.......................................................................................................................... 54
Overview............................................................................................................................... 54
Installation............................................................................................................................. 54
Configuration......................................................................................................................... 54
Incoming.................................................................................................................................... 55
Overview............................................................................................................................... 55
Configuration......................................................................................................................... 55
Outgoing.................................................................................................................................... 56
Overview............................................................................................................................... 56
Configuration......................................................................................................................... 56
Troubleshooting.................................................................................................................... 58
Links...................................................................................................................................... 58
Peer-to-Peer.............................................................................................................................. 58
Overview............................................................................................................................... 58
Installation............................................................................................................................. 58
Configuration......................................................................................................................... 58
Troubleshooting.................................................................................................................... 58
Links...................................................................................................................................... 59
Port Forwarding......................................................................................................................... 59
Overview............................................................................................................................... 59
Configuration......................................................................................................................... 59
Troubleshooting.................................................................................................................... 60
Security.......................................................................................................................................... 60
Intrusion Detection..................................................................................................................... 60
Overview............................................................................................................................... 60
Services................................................................................................................................ 61
Configuration......................................................................................................................... 61
Links...................................................................................................................................... 61
Intrusion Prevention................................................................................................................... 61
Overview............................................................................................................................... 61
Services................................................................................................................................ 61
Configuration......................................................................................................................... 61
Troubleshooting.................................................................................................................... 62
Links...................................................................................................................................... 62
Account Manager........................................................................................................................... 62
Users......................................................................................................................................... 62
Overview............................................................................................................................... 62
Configuration......................................................................................................................... 63
Tips and Tricks...................................................................................................................... 64
Links...................................................................................................................................... 64
Groups....................................................................................................................................... 64
Overview............................................................................................................................... 64
Configuration......................................................................................................................... 64
System Tools.................................................................................................................................. 65
Backup and Restore.................................................................................................................. 65
Overview............................................................................................................................... 65
Installation............................................................................................................................. 65
Configuration......................................................................................................................... 65
Troubleshooting.................................................................................................................... 66
Date........................................................................................................................................... 66
Overview............................................................................................................................... 66
Configuration......................................................................................................................... 66
Encrypted File Systems............................................................................................................. 67
Overview............................................................................................................................... 67
Installation............................................................................................................................. 67
Configuration......................................................................................................................... 67
Troubleshooting.................................................................................................................... 68
Links...................................................................................................................................... 69
Language................................................................................................................................... 69
Overview............................................................................................................................... 69
Running Services....................................................................................................................... 69
Overview............................................................................................................................... 69
Shutdown and Restart............................................................................................................... 69
Overview............................................................................................................................... 69
E-Mail Notification/Alert (SMTP Relay)...................................................................................... 69
Overview............................................................................................................................... 69
Installation............................................................................................................................. 70
Configuration......................................................................................................................... 70
Test Relay............................................................................................................................. 71
Examples.............................................................................................................................. 71
Links...................................................................................................................................... 72
SSL Certificate Manager............................................................................................................ 72
Overview............................................................................................................................... 72
Installation............................................................................................................................. 73
Configuration......................................................................................................................... 73
Troubleshooting.................................................................................................................... 86
Links...................................................................................................................................... 87
Webconfig............................................................................................................................. 87
Modules.......................................................................................................................................... 87
Database................................................................................................................................... 87
MySQL.................................................................................................................................. 87
Email.......................................................................................................................................... 88
Antispam............................................................................................................................... 88
Antispam - Quarantine.......................................................................................................... 90
Antispam - Training............................................................................................................... 91
Antivirus................................................................................................................................ 92
Aliases.................................................................................................................................. 93
Mail Archive........................................................................................................................... 95
Mail Filters (Greylisting)....................................................................................................... 102
Maildrop.............................................................................................................................. 104
POP and IMAP.................................................................................................................... 105
Mail Server - SMTP............................................................................................................. 109
Webmail.............................................................................................................................. 114
File Services............................................................................................................................ 115
Flexshare............................................................................................................................ 115
FTP Server.......................................................................................................................... 128
Windows-Samba................................................................................................................. 129
LAN Backup and Recovery................................................................................................. 132
Printing.................................................................................................................................... 160
Print Server......................................................................................................................... 160
Web Proxy............................................................................................................................... 161
Access Control.................................................................................................................... 161
Banner Ad and Pop-up Blocker........................................................................................... 166
Content Filter....................................................................................................................... 167
Web Proxy........................................................................................................................... 170
Groupware............................................................................................................................... 174
Groupware Configuration.................................................................................................... 174
VPN......................................................................................................................................... 193
PPTP................................................................................................................................... 193
IPsec................................................................................................................................... 198
Entertainment.......................................................................................................................... 201
Photo Gallery...................................................................................................................... 201
Web......................................................................................................................................... 202
Web Server......................................................................................................................... 202
Reports......................................................................................................................................... 207
Current Status.......................................................................................................................... 207
Overview............................................................................................................................. 207
Dashboard............................................................................................................................... 207
Overview.................................................................................................................................. 207
Intrusion Detection................................................................................................................... 207
Overview............................................................................................................................. 207
Logs......................................................................................................................................... 207
Overview............................................................................................................................. 207
Page 6 of 214
ClarkConnect Administration Manual
Introduction
Welcome
Thank you for choosing ClarkConnect.
ClarkConnect is a server operating system (OS) that provides enterprise-level network security
and application services to the Small/Medium-sized Business (SMB) market. It protects against
incoming threats, lets your organization enforce outgoing policy, and increases productivity
through integration of services.
Configuration through an easy-to-use web interface keeps the required knowledge of Linux to a
minimum. You should, however, have at least a working knowledge of basic network concepts in
order to make optimal use of the installation wizard.
This document describes how to install and configure your ClarkConnect server/gateway. The
following are required:
● x86 based hardware for the server
● a DSL or cable modem Internet connection
● a small network
Features
The following features are included in ClarkConnect:
● Web-based manager
● Auto software updates
● Stateful firewall
● Multi-WAN support
● Intrusion detection
● Peer-to-peer manager
● Internal DHCP server
● Caching DNS server
● RAID support
● Multi-processor support
What's New
Release notes are available at http://www.clarkconnect.com/help/release_notes.
Comparing Software Editions
A comparison of the software editions is available at http://www.clarkconnect.com/info/compare.php.
System Requirements
Overview
General hardware requirements and recommendations are listed at:
http://www.clarkconnect.com/info/requirements.php.
Network Cards
Internet Connection
ClarkConnect supports most DSL (including PPPoE) and cable modem broadband Internet
connections. We do not expect to add support for ISDN or satellite broadband at present.
However, if you have had success with getting Linux working on such a system, then please let us
know. We want to hear from you!
Cable Modems
Most cable modem Internet service providers will include a standard Ethernet card and external
modem to enable your high-speed Internet connection. The days of proprietary software and logins
are mostly behind us, so you should be able to set up ClarkConnect without too much tinkering.
However, some cable modem providers may still have some quirks. Fortunately, Vladimir Vuksan
has put together a great resource of Cable Modem Providers. If you are having trouble getting
ClarkConnect to work with your cable ISP, check http://tldp.org/HOWTO/Cable-Modem for some
troubleshooting tips.
Wireless
The software supports wireless networks. Make sure you select a supported wireless card.
ISDN
We do not support ISDN Internet service providers.
Links
● RAID support and compatibility
Compatibility
Overview
ClarkConnect 4.x is based on Red Hat Enterprise Linux 4. For the most part, hardware that is
compatible with Enterprise Linux will be compatible with ClarkConnect. For checking compatibility,
check the online Red Hat Compatibility Guide - Version 4. Keep in mind, there are many other
hardware products that are compatible -- the list is not exhaustive.
Here are some tips when selecting hardware:
● Avoid the latest technologies and chipsets. This will reduce the likelihood of compatibility
issues and the possible reliability issues that might come with unproven hardware.
● Avoid desktop systems. You may save a few hundred dollars on a desktop system, but they
are more likely to fail when used as a server/gateway.
In case you missed the previous bullet point, avoid desktop systems.
● Check the vendor's web site for Linux compatibility. If you can purchase ServerXYZ with a
version of Red Hat Enterprise Linux pre-installed, then the system is very likely compatible
with ClarkConnect.
Vendors
When it comes to Linux support, some hardware vendors are better than others.
Recommended
The following vendors ship servers with Linux pre-installed and have a good record when it comes
to driver support. You should still check the Red Hat Compatibility Guide - Version 4, especially on
any new models.
● Dell servers (not desktops)
● HP servers
● IBM servers
Not Recommended
The following vendors have a poor track record for Linux support.
● Supermicro
● Promise
● Dell Optiplex desktops
RAID Compatibility
See RAID Support.
RAID Support
Overview
Both software and hardware RAID are supported in ClarkConnect. If you plan on implementing
hardware RAID, please read the section below regarding supported hardware. Before you decide
to purchase an expensive hardware RAID controller card, consider the following passage from the
experts at O'Reilly.
"Software RAID has unfortunately fallen victim to a FUD (fear, uncertainty, doubt) campaign in the
system administrator community. I can’t count the number of system administrators whom I’ve
heard completely disparage all forms of software RAID, irrespective of platform. Many of these
same people have admittedly not used software RAID in several years, if at all. Why the stigma?
Well, there are a couple of reasons. For one, when software RAID first saw the light of day,
computers were still slow and expensive (at least by today’s standards). Offloading a
high-performance task like RAID I/O onto a CPU that was likely already heavily overused meant
that performing fundamental tasks such as file operations required a tremendous amount of CPU
overhead. (...) But today, even multiprocessor systems are both inexpensive and common."
The rest of the passage is available online in the sample chapter: Managing RAID on Linux from
O'Reilly. The book is an excellent resource and highly recommended!
Software RAID
You can implement software RAID in ClarkConnect by selecting the Advanced Partitioning option
during the installation wizard and then following the detailed instructions in the Red Hat 9 User
Guide:
● Partitioning Your System
● Software RAID Configuration
Hardware RAID
Some hardware RAID controller cards are not true hardware controller cards. They are simple IDE
controllers with BIOS and drivers to do software RAID. If redundancy is your primary concern, then
software RAID will serve you better than a quasi-hardware RAID card. To quote (again) from the
Managing RAID on Linux book from O'Reilly:
"The low-end (RAID) controllers are, in essence, software RAID controllers because they rely on
the operating system to handle RAID operations and because they store array configuration
information on individual component disk. The real value of the controller is in the extra ATA
channels."
As a rule of thumb, if a hardware card is under USD $150, then it is probably not true hardware
RAID (and therefore likely not supported).
Links
● Serial ATA (SATA) Technical Guide
Installation
Installation CD
A bootable CD drive is required to install the ClarkConnect software. The rest of the software is
installed from the CD-ROM or directly over your high-speed Internet connection.
Configuration Options
settings for the driver. See the Linux Ethernet HOWTO and ISA Network Cards for some tips and
tricks.
Overview
For some installations, you may want to define a custom partition scheme instead of using the
default. Typically, custom partitioning is required for:
● Software RAID
● Creating a separate /home partition
● Data redundancy with DRBD
Repeat the same process, but this time mark hdc as an allowable drive and take the mark off of
hda. Now that we have two identical 100 MB partitions on both disks, we can create the software
RAID disk:
● Tab to the RAID button and hit return
● Type in /boot in the Mount Point field
● Tab to RAID Level and select RAID1
● Tab to RAID Members and make sure the two partitions created earlier are selected
This example creates the /boot partition. Go through the same process for the root partition (/) and
optionally any other partition that you want to create (/home, /var, etc.).
If you have trouble booting your system with GRUB, you can use the LILO boot loader as an
alternative. To do so, type the following at the prompt on the first installation screen: linux lilo.
If the secondary disk fails (/dev/hdc), then the system will still be bootable. If the primary disk fails
(/dev/hda), then your system will not boot. In order to make the secondary disk bootable as well,
run the following command:
# grub-install /dev/hdc
Or:
# grub-install --recheck /dev/hdc
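The following script is an added example and is not part of the ClarkConnect manual or distribution. It parses /proc/mdstat, the kernel's software RAID status file, to report which arrays are running degraded and which disks currently hold a working member of the /boot array, which is exactly the list of disks grub-install should be run against. The mdstat text embedded in it is a constructed sample for the two-disk (hda, hdc) layout above, with md1 having lost hdc; on a real system read /proc/mdstat instead.

```python
import re

# Added example, not part of the ClarkConnect manual. Reads the Linux software
# RAID status (/proc/mdstat) and reports degraded arrays plus the disks that
# still carry a live member of the /boot array, so you know whether redundancy
# is intact and where grub-install has to be run.

# CONSTRUCTED sample of /proc/mdstat: md0 (/boot) healthy, md1 (/) has lost hdc.
SAMPLE_MDSTAT = """Personalities : [raid1]
md0 : active raid1 hdc1[1] hda1[0]
      104320 blocks [2/2] [UU]
md1 : active raid1 hdc2[1](F) hda2[0]
      38909312 blocks [2/1] [U_]
unused devices: <none>
"""

ARRAY_RE = re.compile(r"^(md\d+)\s*:\s*(\S+)\s+(raid\d+)\s+(.*)$")
MEMBER_RE = re.compile(r"^([a-z]+)\d+\[\d+\](\(F\))?$")  # hda1[0]; "(F)" marks a failed member
STATUS_RE = re.compile(r"\[(\d+)/(\d+)\]\s+\[([U_]+)\]")  # [2/1] [U_] = one of two members missing


def parse_mdstat(text):
    """Return {array: {"level": str, "members": [(disk, failed)], "degraded": bool}}."""
    arrays = {}
    current = None
    for line in text.splitlines():
        m = ARRAY_RE.match(line)
        if m:
            current = m.group(1)
            members = []
            for token in m.group(4).split():
                mm = MEMBER_RE.match(token)
                if mm:
                    members.append((mm.group(1), mm.group(2) is not None))
            arrays[current] = {"level": m.group(3), "members": members, "degraded": False}
            continue
        m = STATUS_RE.search(line)
        if m and current:
            wanted, active, flags = int(m.group(1)), int(m.group(2)), m.group(3)
            arrays[current]["degraded"] = active < wanted or "_" in flags
    return arrays


def degraded_arrays(text):
    """Names of arrays running with a missing or failed member."""
    return sorted(name for name, a in parse_mdstat(text).items() if a["degraded"])


def boot_disks(text, boot_array="md0"):
    """Whole disks (e.g. hda, hdc) holding a working member of the /boot array.
    grub-install must be run on each of them for the box to boot from either disk."""
    arr = parse_mdstat(text).get(boot_array)
    if arr is None:
        raise ValueError(f"{boot_array} not found in mdstat")
    return sorted(disk for disk, failed in arr["members"] if not failed)


if __name__ == "__main__":
    # On a real system: text = open("/proc/mdstat").read()
    text = SAMPLE_MDSTAT
    print("degraded arrays:", degraded_arrays(text) or "none")
    for disk in boot_disks(text):
        print(f"grub-install /dev/{disk}")
```

Run it on a healthy system and it prints one grub-install line per /boot member; a non-empty degraded list is the signal to replace the failed disk before the remaining one goes too.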
Links
● Software RAID Howto
● Old Red Hat Installation Guide
Troubleshooting
Overview
There are thousands of pieces of hardware and related drivers available for use in the PC world.
The advantage: consumer choice. The disadvantage: hardware compatibility issues are common.
There are several debug screens in the installer that can help when an installation fails. Use the
Alt-Fn key combination to view:
● Alt-F1: main install screen
● Alt-F2: command line (not always available)
● Alt-F3: general log
● Alt-F4: driver log
● Alt-F5: hard disk / CD log
Network Configuration
Overview
When you start the system for the first time, you will be taken to a login screen for the network
console tool. The purpose of this console tool is to configure your network settings. After you
log in with your system password, you will see a screen similar to the one shown below.
Once your network is up and running, open a web browser on any desktop or laptop. You can then
use the web-based administration tool to configure other applications in ClarkConnect.
Configuration
Network
Mode
The ClarkConnect system can run in four modes:
● Standalone Mode - No firewall - for a standalone server without a firewall (1 network card)
● Standalone Mode - for a standalone server with a firewall (1 network card)
● Gateway - for connecting your LAN to the Internet (2 network cards)
● DMZ - for connecting a LAN and a DMZ to the Internet (3 network cards)
Hostname
A hostname is the full name of your system. If you have your own domain, you can use a
hostname like gateway.example.com, mail.example.com, etc. If you do not have your own
domain then make one up, for instance: gateway.lan, mail.lan. The hostname must contain at
least one period (.).
Name/DNS Servers
On DHCP and DSL/PPPoE connections, the DNS servers are configured automatically, so there is
no reason to set them by hand. Users with static IP addresses should enter the DNS servers
provided by their Internet Service Provider (ISP).
Interfaces
The network interface section of the console tool lets you configure the roles and settings of each
network card on the system. More information is provided in the IP Settings section of the user
guide.
LAN Configuration
Overview
All of the computers and devices on your network should have Internet addresses between
192.168.x.2 and 192.168.x.254. When you are configuring your network, you have two choices:
If you configure devices with static IP addresses, make sure you only use an address between
192.168.1.2 and 192.168.1.99. ClarkConnect includes a caching DNS server, but you can use your
Internet Service Provider's DNS servers instead if you wish.
Network Settings
Feature                          Setting
Default ClarkConnect IP address  192.168.1.1
Available static IPs             192.168.1.2 - 192.168.1.99
Addresses used by DHCP           192.168.1.100 - 192.168.1.254
DNS servers                      192.168.1.1 and/or your ISP's DNS servers
Windows 95/98
To set up networking in the Windows 95/98 environment...
Step 2 - IP Address
On the IP Address tab, you can select Obtain an IP address automatically and ClarkConnect will
automatically assign an IP address for you.
Alternatively, you can choose Specify an IP address (as shown in the screenshot). Make sure you
pick an address between 192.168.1.2 and 192.168.1.99. The subnet mask is always 255.255.255.0.
If you decided to specify your IP address, then you will need to add 192.168.1.1 to the DNS
Server Search Order list (as shown).
You should also add a host name and then add "lan" as the domain. If you prefer to bypass the
ClarkConnect DNS cache, you can add the DNS servers given by your Internet service provider.
Windows 2000
To set up networking in the Windows 2000 environment...
If the Local Area Connection Properties dialog already lists Internet Protocol (TCP/IP), go to Step
2 - Configuring TCP/IP. If it does not list Internet Protocol (TCP/IP), you will need to install it
using the Install button.
● Select "Protocol" and click on Add. The enumeration of the protocols will take a minute or
so.
● Select "Microsoft" from the left panel and select Internet Protocol (TCP/IP) from the right
panel.
● Click the OK button.
Select "Obtain an IP address automatically" and ClarkConnect will automatically assign an IP
address for you.
Alternatively, you can choose "Use the following IP address:" and enter the IP address, subnet
mask, default gateway and DNS server addresses. If you have more than three DNS servers, use
the advanced button at the bottom of the dialog box to specify the addresses and the order in
which they are used.
Windows XP
To set up networking in the Windows XP environment:
Step 3 - IP Address
On the IP Address tab, you can select Obtain an IP address automatically and ClarkConnect will
automatically assign an IP address for you.
Alternatively, you can choose Specify an IP address (as shown in the screenshot). Make sure you
pick an address between 192.168.1.2 and 192.168.1.99. The subnet mask is always 255.255.255.0.
If you decided to specify your IP address, then you will need to add 192.168.1.1 to the DNS
Server Search Order list (as shown).
You should also add a host name and then add "lan" as the domain. If you prefer to bypass the
ClarkConnect DNS cache, you can add the DNS servers given by your Internet service provider.
Web-based Administration
Overview
Once you have your network up and running with the network configuration tool, you can configure
all other ClarkConnect features from the web browser of any desktop or laptop computer.
Access
To access the ClarkConnect web-based administration tool, type the following into your web
browser:
https://IP_Address:81
for example:
https://192.168.1.1:81
The IP address that you need to use was selected during installation. If you do not remember this
information, you can always connect a keyboard and monitor to the system and check the network
configuration tool.
Certificate Warning
You will see a warning about your security certificate (see adjacent screenshot). Click on the
appropriate button to continue. The connection is encrypted, but the server certificate is
self-signed rather than issued by a certificate authority, so the browser cannot confirm on its
own that it is talking to your ClarkConnect system and not to another machine on the path.
Before accepting the certificate for the first time, check its fingerprint against the certificate
on the server itself, and treat a fresh warning on a later visit as a sign that the certificate
has changed. A certificate from a commercial authority costs over $100 a year to maintain and is
not necessary for a system that is administered only from your own LAN.
Technical Notes
Please note the following about the web-based administration tool:
● it uses the encrypted protocol (https instead of http)
● it runs on a non-standard port (the :81 appended to the web page address) so that it does not
interfere with an existing web server
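The following Python script is an added example, not code from ClarkConnect. It shows how to pin the fingerprint of the self-signed certificate the first time you connect and refuse later connections that present a different one, which turns "ignore the warning" into a check you can repeat. The server name, port 81 and the PEM strings it uses are constructed for the example; the fetch_pem helper is the only part that touches the network.

```python
import base64
import hashlib
import ssl

# Added example, not part of the ClarkConnect manual. The web-based
# administration tool uses a self-signed certificate, so the browser cannot
# tell the real server from an impostor on the first visit. Pinning the
# certificate's SHA-256 fingerprint ("trust on first use") closes that gap:
# record the fingerprint once, ideally after comparing it with the value
# read on the server console, and refuse any later connection whose
# fingerprint differs. The pin store is a plain dict; persist it as you like.


def fingerprint_sha256(pem_cert):
    """Hex SHA-256 of the DER-encoded certificate, the value browsers and
    `openssl x509 -fingerprint -sha256` show as the fingerprint."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    return hashlib.sha256(der).hexdigest()


def fetch_pem(host, port=81):
    """Fetch the server certificate without chain validation (a self-signed
    certificate would fail validation anyway); the pin is the check. Network only."""
    return ssl.get_server_certificate((host, port))


class PinMismatch(Exception):
    """Raised when a previously pinned server presents a different certificate."""


def check_pin(server, pem_cert, pins):
    """Trust on first use: store the fingerprint the first time a server is
    seen and require an identical one afterwards. Returns "pinned" on the
    first visit, "ok" on a match, and raises PinMismatch otherwise."""
    fp = fingerprint_sha256(pem_cert)
    if server not in pins:
        pins[server] = fp
        return "pinned"
    if pins[server] != fp:
        raise PinMismatch(f"{server}: expected {pins[server]}, got {fp}")
    return "ok"


def constructed_pem(payload):
    """Wrap arbitrary bytes in PEM armour so the logic can be exercised offline.
    CONSTRUCTED test input, not a real X.509 certificate."""
    body = base64.encodebytes(payload).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    pins = {}
    server = "192.168.1.1:81"  # assumed address of the ClarkConnect system
    # Real use: check_pin(server, fetch_pem("192.168.1.1"), pins)
    good = constructed_pem(b"constructed certificate A")
    print(check_pin(server, good, pins))   # pinned
    print(check_pin(server, good, pins))   # ok
    try:
        check_pin(server, constructed_pem(b"constructed certificate B"), pins)
    except PinMismatch as e:
        print("refusing connection:", e)
```

A changed fingerprint is expected after you reinstall or regenerate the server certificate; any other time it deserves a look before you type the admin password into the page.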
Help
Every configuration page in the web-based administration tool includes a web link to the user
guide. If you ever need more information on a particular page, simply click on the link (see
screenshot below).
Next Step
After logging in, registering your system should be your first task.
System Registration
Overview
ClarkConnect is much more than a collection of software packages to perform gateway and server
functionality. A distributed network infrastructure (ClarkConnect Gateway Services) provides,
among other things:
● Gateway Services account interface - online demo
● Software updates via FTP and APT
● DNS and dynamic DNS services
● Content filter updates
● Intrusion detection and prevention updates
● Remote port and system monitoring
● Security audits
● Remote backup/restore (Q1 2008)
System Activation
The next step in the registration process (see screenshot) is important -- especially for upgrades
and re-installs. Make sure you select the right option.
Software Modules
Overview
Software modules are offered via the web-based administration tool. For users who prefer
command line interfaces, the suite of apt tools is described in the command line section
below.
Finding a Module
The web-based administration tool lists all available modules under Services > Software >
Install Modules in the menu (see screenshot). This page displays the list of available modules
that can be installed on your ClarkConnect system.
Installing a Module
Select the module you wish to install, and hit 'Go'. Installing a module may take some time,
depending on the size of the package, dependencies, your connection speed and the load/number
of connections on the apt-get repository server. Please be patient!
Once complete, you will see an additional navigation link under the appropriate heading. For
example, if you were installing the DMZ and 1:1 NAT firewall module, you will find the configuration
pages under Network > Firewall in the menu.
Overview
For users who prefer the command line environment over the web-based interface, the apt suite
tools provide a way to search and install modules. The following table summarizes the most
commonly used commands; detailed information follows.
Finding a Module
A complete listing of all packages in the apt-get repository can be found by using the following
command:
Command                    Description
apt-get update             update the list of available software packages
apt-get upgrade            install all available updates for your current installation
apt-get dist-upgrade       install updates after a ClarkConnect upgrade
apt-get install <package>  download and install a software package
apt-cache search <term>    search for software packages
You can narrow your search by specifying a search term. For example, if you wanted to find
packages relating to the Postfix SMTP mail server, you could issue the following command:
The response would include all packages containing the search string 'postfix':
Installing a Module
The following example would install the advanced firewall rule set from ClarkConnect.
The result would be something similar to the following screenshot.
Troubleshooting
Do not forget to run apt-get update before you start using the suite of apt tools. If you do not run
this command first, you may find yourself using obsolete software package information.
Network Settings
Bandwidth
Overview
Bandwidth Information
Description         Manages bandwidth through the gateway.
Package Name        cc-bandwidth
Configuration Page  Network > IP Settings > Bandwidth
The bandwidth manager is used to shape or prioritize incoming and outgoing network traffic. You
can limit and prioritize bandwidth based on IP address, IP address ranges, port, and port ranges.
Services
The Bandwidth Monitor service provides hourly bandwidth measurements from our remote system
monitors. The service is an excellent tool for monitoring your Internet Service Provider's (ISP)
quality of service. This service will monitor your downstream rate, the rate at which you can receive
data from an external source (download speed).
How It Works
The bandwidth manager is designed to guarantee a certain speed for either an IP address and/or
port on your LAN (or DMZ). The bandwidth manager does not manage traffic to the ClarkConnect
box itself. To demonstrate how the system works, lets go through a scenario with a voice-over-IP
(VoIP) server. We have:
● a 1000 kbit/s upload and download connection to the Internet
● a voice-over-IP (VoIP) server at 192.168.1.80 on our local network
● enabled a bandwidth rule that reserves 500 kbit/s upload and download for the VoIP server
In our example, the network is at first completely congested with web downloads. The VoIP server
is idle, so the full 1000 kbit/s is used for the web downloads. In other words, the web downloads
are allowed to "borrow" the bandwidth we have reserved for the VoIP server.
Someone in the office then makes an outbound 4-person conference call via the voice-over-IP
server. The conference call requires 300 kbit/s and the bandwidth manager will go into action. The
lower priority web downloads will get slowed from the maximum 1000 kbit/s to 700 kbit/s. The
higher priority conference call will receive its required 300 kbit/s.
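As an added illustration (not from the manual), the following Python function models the guarantee-and-borrow behaviour just described, which is the same idea HTB classes implement: each rule is given up to its reserved rate, and spare link capacity is lent out in priority order. Rule names and offered loads are constructed for the VoIP scenario; the third case goes beyond the manual's example to show a rule borrowing above its own reservation.

```python
# Added example, not part of the ClarkConnect manual: a small model of the
# guarantee-then-borrow behaviour of the bandwidth manager. Rates are kbit/s.


def allocate(link_kbit, rules, demands):
    """rules: {name: (reserved_kbit, priority)}; demands: {name: offered load}.
    Returns {name: kbit/s granted}. Traffic matched by no rule is modelled as a
    rule with no reservation and the lowest priority, 7."""
    if sum(reserve for reserve, _ in rules.values()) > link_kbit:
        raise ValueError("reservations exceed link capacity")
    # Pass 1: honour reservations, but only up to what each rule actually wants.
    granted = {n: min(demands.get(n, 0), reserve) for n, (reserve, _) in rules.items()}
    spare = link_kbit - sum(granted.values())
    # Pass 2: lend the spare capacity out in priority order (1 = highest).
    for name in sorted(rules, key=lambda n: rules[n][1]):
        extra = min(demands.get(name, 0) - granted[name], spare)
        granted[name] += extra
        spare -= extra
    return granted


LINK = 1000                                              # 1000 kbit/s each way
RULES = {"voip-192.168.1.80": (500, 1), "other": (0, 7)}  # constructed rule set

if __name__ == "__main__":
    # VoIP idle: the web downloads borrow the whole link.
    print(allocate(LINK, RULES, {"voip-192.168.1.80": 0, "other": 1000}))
    # 300 kbit/s conference call: web traffic is cut back to 700.
    print(allocate(LINK, RULES, {"voip-192.168.1.80": 300, "other": 1000}))
    # Beyond the manual's case: VoIP wants 600, more than its reservation, and
    # its higher priority lets it borrow the extra 100 from the web traffic.
    print(allocate(LINK, RULES, {"voip-192.168.1.80": 600, "other": 1000}))
```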
Configuration
Bandwidth Rules
A bandwidth management rule contains the following six parameters.
Nickname
The first parameter is an optional nickname you can use to easily identify the rule. Valid nicknames
can contain letters (A-Z, a-z), digits (0-9), dashes '-' and underscores '_'. Spaces are not
allowed.
IP Address/Range
The IP address parameter can contain:
● A single IP address
● A IP address range
● nothing
If this field is left blank, then the bandwidth rule applies to all IP addresses. IP ranges can
be specified as network and netmask, for example: 192.168.0.1/255.255.255.0 or
192.168.0.1/24.
Port/Range
The port parameter is used to apply a bandwidth rule to a particular service. For instance, you can
limit web traffic by specifying port 80. If the port is left empty, then all ports will be affected. You
may also specify a colon-delimited port range. For instance, 5000:5010 would impact all the ports
Priority
Priority provides a mechanism to prioritize traffic when all bandwidth rules are at capacity.
Higher priority traffic will be given preference over lower priority traffic. There are 7 priority levels, 1
- 7, where 1 is the highest priority. By default, traffic that is not matched by a bandwidth rule will be
assigned the lowest priority.
Upload
The upload rate in kilobits per second. If left empty, the upload rate will be unlimited.
Download
The download rate in kilobits per second. If left empty, the download rate will be unlimited. Note: If
both upload and download are left empty, then the rule will be invalid.
Configuring bandwidth control for peer-to-peer is similar to creating a regular bandwidth rule.
However, you need to specify the peer-to-peer network instead of the IP address and port.
Unit Alternatives
kilobits per second    kbps  kbit/s    kb/s
kilobytes per second   kBps  kbytes/s  kB/s
megabits per second    Mbps  Mbit/s    Mb/s
megabytes per second   MBps  Mbytes/s  MB/s
Conversion tips:
● Mega is 1000 times larger than kilo
● A byte is 8 times larger than a bit
Examples:
● 1 Megabit per second is approximately 1000 kilobits per second
● 1 Megabyte per second is approximately 8000 kilobits per second
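The following Python code is an added example, not part of ClarkConnect: a validator that applies the constraints listed above to a rule before it is saved (nickname character set, address or range in either netmask form, colon port range, priority 1-7, at least one of upload or download), plus a converter for the rate units in the table so that "1 MB/s" and "8000 kbit/s" compare equal. The rule is represented as a dict whose field names are this example's own choice.

```python
import ipaddress
import re

# Added example, not part of the ClarkConnect manual: validation of the six
# bandwidth rule parameters and normalisation of the rate units.

NICK_RE = re.compile(r"^[A-Za-z0-9_-]+$")
# number, optional k/K/M prefix, bit or byte unit, optional "ps" or "/s" suffix
RATE_RE = re.compile(r"^\s*([0-9]+(?:\.[0-9]+)?)\s*(?:([kKM]?)(bit|bytes?|b|B)(?:ps|/s)?)?\s*$")


def to_kbit(rate):
    """Normalise a rate string from the unit table to kbit/s. A bare number is
    already kbit/s, as the Upload and Download fields expect."""
    m = RATE_RE.match(rate)
    if not m:
        raise ValueError(f"unrecognised rate: {rate!r}")
    value = float(m.group(1))
    if m.group(3) is None:
        return value
    scale = {"": 1, "k": 1_000, "K": 1_000, "M": 1_000_000}[m.group(2)]
    bits = value * scale * (8 if m.group(3) in ("B", "byte", "bytes") else 1)
    return bits / 1_000


def parse_range(text):
    """'' -> None (all addresses); otherwise a single IP or net/mask in dotted
    or prefix form, normalised to the network address (192.168.0.1/24 -> 192.168.0.0/24)."""
    if not text:
        return None
    return str(ipaddress.ip_network(text, strict=False))


def parse_ports(text):
    """'' -> None (all ports); '80' -> (80, 80); '5000:5010' -> (5000, 5010)."""
    if not text:
        return None
    low, _, high = text.partition(":")
    lo, hi = int(low), int(high or low)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {text!r}")
    return lo, hi


def validate_rule(rule):
    """Return a normalised copy of a rule dict, or raise ValueError."""
    nick = rule.get("nickname", "")
    if nick and not NICK_RE.match(nick):
        raise ValueError("nickname may contain only A-Z, a-z, 0-9, '-' and '_'")
    prio = int(rule.get("priority", 7))
    if not 1 <= prio <= 7:
        raise ValueError("priority must be 1 (highest) to 7 (lowest)")
    up, down = rule.get("upload", ""), rule.get("download", "")
    if not up and not down:
        raise ValueError("at least one of upload or download must be set")
    return {
        "nickname": nick,
        "address": parse_range(rule.get("address", "")),
        "ports": parse_ports(rule.get("ports", "")),
        "priority": prio,
        "upload_kbit": to_kbit(up) if up else None,
        "download_kbit": to_kbit(down) if down else None,
    }


if __name__ == "__main__":
    # Constructed rule for the VoIP server from the scenario above.
    print(validate_rule({"nickname": "voip", "address": "192.168.1.80",
                         "ports": "5000:5010", "priority": 1,
                         "upload": "500 kbit/s", "download": "0.5 Mbps"}))
```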
Links
● Linux Advanced Routing and Traffic Control
● HTB Queueing
DHCP Server
Overview
DHCP Server Information
The Dynamic Host Configuration Protocol (DHCP) allows hosts on a network to request and be
assigned IP addresses. This service eliminates the need to manually configure new hosts that join
your network.
Installation
If you did not select this module to be included during the installation process, you must first install
the module.
Configuration
Global Settings
Status
You can enable and disable the DHCP server at any time.
Authoritative
Unless you are running more than one DHCP server on your network, enable Authoritative mode.
When it is enabled, requests from hosts holding leases this server does not know about are
answered rather than ignored, so the host gets a fresh lease right away. This is the case when
a foreign laptop is plugged into your network.
Domain Name
The server can auto-configure the default domain name for systems using DHCP on your network.
You can either use a registered domain (for example: example.com) or you can simply make one
up (for example: lan). Example:
● A desktop system on your local network has a system name scooter and uses DHCP.
● The domain name specified in the DHCP server is example.com.
● On startup, the desktop system appends example.com to its system name. Its full
hostname would become scooter.example.com.
Subnet Configuration
In a typical installation, the DHCP server is configured on all LAN interfaces. To add/edit DHCP
settings for a particular network interface, click on the appropriate add/edit button. The following
screenshot highlights the button for adding DHCP settings for the eth1 network interface.
The network, netmask and broadcast are automatically detected. In almost all circumstances, you
want to use these detected default values.
IP Ranges
Keep a range of IP addresses available for systems and services that require static addresses. For
instance, VPN and some types of network printers require static IP addresses.
In a typical local area network, the first 99 IP addresses are set aside for static addresses while the
remaining addresses from 100 to 254 are set aside for the systems using the DHCP server. Adjust
these settings to suit your needs and your network.
DNS Address
The server can auto-configure the DNS settings for systems using DHCP on your network. By
default, the IP address of the caching DNS server on your ClarkConnect system is used. You
should change this setting if you want to use an alternate DNS server.
WINS Address
If you have a Microsoft Windows Internet Naming Service (WINS) server on your network, you can
provide the IP address to all Windows computers on your network. This will allow Windows
systems to access resources via Network Neighborhood. You can enter the LAN IP address of
your ClarkConnect system here if you have enabled the WINS server on ClarkConnect.
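For reference, here is a dnsmasq configuration written for this manual's example network that expresses the settings described above. It is an added example, not the file ClarkConnect's web tool generates; eth0 as the external interface, eth1 as the LAN interface and example.com as the domain are assumptions.

```conf
# Added example, not the file generated by ClarkConnect. A dnsmasq
# configuration carrying the DHCP settings described above. Interface names
# (eth0 = external, eth1 = LAN) and example.com are assumptions.

# Serve DHCP and DNS on the LAN interface only, never on the Internet-facing
# interface (see Common Errors): a DHCP server answering on the external side
# hands your LAN addresses to whoever shares the ISP segment.
interface=eth1
no-dhcp-interface=eth0

# Authoritative: answer hosts holding leases this server did not issue (a
# visiting laptop) so they re-request at once instead of waiting for the old
# lease to expire. Only safe when this is the sole DHCP server on the LAN.
dhcp-authoritative

# Domain appended to client hostnames (scooter -> scooter.example.com); dnsmasq
# also sends it to DHCP clients as the domain-name option.
domain=example.com

# Dynamic pool 100-254 with a 12 hour lease; 2-99 stays free for static
# addresses such as printers and VPN endpoints.
dhcp-range=192.168.1.100,192.168.1.254,255.255.255.0,12h

# Default gateway and DNS handed to clients: the caching DNS server on the box.
dhcp-option=option:router,192.168.1.1
dhcp-option=option:dns-server,192.168.1.1

# WINS (NetBIOS name server) address; include only if the WINS server is enabled.
dhcp-option=option:netbios-ns,192.168.1.1
```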
Common Errors
● You should only have one (1) DHCP server per network.
● Enabling DHCP on your Internet connection is not a good idea.
Links
● Dnsmasq Documentation
Hosts and DNS Server
Overview
Hosts and DNS Server Information
Description         Hosts file and local DNS server configuration.
Package Name        cc-dnsmasq
Configuration Page  Network > IP Settings > Hosts and DNS Server
Hosts (/etc/hosts) is a simple text file that associates IP addresses with hostnames. If you have the
caching DNS server installed, all the entries in the hosts file will be made available.
Configuration
A host is defined as any system with an IP address -- desktop, laptop, printer, media device, etc.
Each host can have a hostname, along with any number of aliases. For example, you could add a
hostname for a file server on your network with the following settings:
● IP Address: 192.168.1.10
● Hostname: fileserver.example.com
After adding the hostname, you are given an opportunity to add additional aliases (or hostnames)
for the given host. If we were using the file server as a backup server, we could add
backup.example.com to the list of aliases.
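The file behind this page has one line per host: the address, the canonical hostname, then any aliases. As an added example that is not part of the manual or the cc-dnsmasq package, here is a reader and writer for that format with hostname validation and a check for names that have ended up under more than one address (a stale entry from an old network is the usual cause). The sample file is constructed around the file-server example above.

```python
"""Added example, not part of the manual or cc-dnsmasq: read and write the
/etc/hosts format the Hosts page manages (address, canonical hostname, aliases)
and detect names that have ended up with more than one address. The sample
file is constructed around the manual's file-server example."""
import ipaddress
import re

_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")  # one RFC 1123 hostname label


def valid_hostname(name):
    """True if every dot-separated label of `name` is a legal hostname label."""
    return 0 < len(name) <= 253 and all(_LABEL.match(label) for label in name.split("."))


def parse_hosts(text):
    """Parse hosts-file text into (ip, hostname, aliases) tuples. Comments and
    blank lines are skipped; the first name on a line is the canonical
    hostname and any further names are aliases."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: expected an address and a hostname")
        ip = ipaddress.ip_address(fields[0])     # rejects anything that is not an address
        for name in fields[1:]:
            if not valid_hostname(name):
                raise ValueError(f"line {lineno}: bad hostname {name!r}")
        entries.append((str(ip), fields[1], fields[2:]))
    return entries


def conflicts(entries):
    """Names listed under more than one address; such a name no longer
    resolves unambiguously once the caching DNS serves the file."""
    seen = {}
    for ip, hostname, aliases in entries:
        for name in (hostname, *aliases):
            seen.setdefault(name.lower(), set()).add(ip)
    return {name: sorted(ips) for name, ips in seen.items() if len(ips) > 1}


def hosts_line(ip, hostname, aliases=()):
    """Render one entry as the Hosts page would write it."""
    for name in (hostname, *aliases):
        if not valid_hostname(name):
            raise ValueError(f"bad hostname {name!r}")
    return " ".join([str(ipaddress.ip_address(ip)), hostname, *aliases])


HOSTS_SAMPLE = """\
# constructed sample
127.0.0.1 localhost
192.168.1.10 fileserver.example.com backup.example.com
192.168.1.20 printer.example.com
10.0.0.10 backup.example.com   # stale entry from an old network
"""

if __name__ == "__main__":
    for entry in parse_hosts(HOSTS_SAMPLE):
        print(entry)
    print("conflicts:", conflicts(parse_hosts(HOSTS_SAMPLE)))
```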
Links
● Dnsmasq
IP Settings
Overview
IP Settings Information
Description: IP, hostname and DNS settings.
Package Name: cc-network
Configuration Page: Network > IP Settings > IP Settings
A configuration page for configuring your network cards, hostname and DNS servers.
Configuration
Linux will auto-detect most PCI-based network cards. Older ISA cards may require setting
parameters for the IRQ and IO. You may also need to disable plug-and-play features on the card.
Please check Red Hat's Hardware Compatibility Lists to see what settings may be required for
your brand of network card.
Network Roles
When configuring a network interface, the first thing you need to consider is the network role. Will
this network card be used to connect to the Internet, for a local network, or for a network with just
server systems? The following network roles are supported in ClarkConnect and are described in
further detail in the next sections:
● External - network interface with direct or indirect
access to the Internet
● LAN - local area network
● Hot LAN - local area network for untrusted systems
● DMZ - de-militarized zone for a public network
On a standalone system, your network card should be configured with an external role, not a LAN
role.
External
The external role provides a connection to the Internet. On a ClarkConnect system configured as a
gateway, the external role is for your Internet connection. On a ClarkConnect system configured in
standalone mode, the external role is for connecting to your local area network.
With the Office and Enterprise Editions, you can have more than one external interface configured
for load balancing and automatic failover. See the Multi-WAN section of the user guide for details.
Gateway Setting -- If you have a static IP address, it is important to make sure the gateway
configuration setting is correct. If the gateway setting is missing or invalid, your system will be
unable to reach the Internet. On most networks, the gateway IP address will be on the same
network as your external IP address. For example, an external IP address of 10.22.22.22 will
typically have a gateway at 10.22.22.1 or 10.22.22.254. In some circumstances, the gateway will
not be on the same network. You will see a warning message about this unusual gateway
configuration.
LAN
The LAN (local area network) role provides network connectivity for your desktops, laptops and
other network devices. LANs should be configured with an IP address range of 192.168.x.x or
10.x.x.x. For example, you can configure your ClarkConnect LAN interface with the following:
● IP: 192.168.1.1
● Netmask: 255.255.255.0
All systems on your LAN would have IP addresses in the range of 192.168.1.2 to 192.168.1.254.
Hot LAN
Hot LAN (or "Hotspot Mode") allows you to create a separate LAN network for untrusted systems.
Typically, a Hot LAN is used for:
● Servers open to the Internet (web server, mail server)
● Guest networks
● Wireless networks
A Hot LAN is able to access the Internet, but is not able to access any systems on a LAN. As an
example, a Hot LAN can be configured in an office meeting room used by non-employees. Users in
the meeting room could access the Internet and each other, but not the LAN used by employees.
The Port Forwarding page in the web-based administration is used to forward ports to both LANs
and Hot LANs.
DMZ
In ClarkConnect, a DMZ interface is for managing a block of public Internet IP addresses. If you
do not have a block of public IP addresses, then use the Hot LAN role. A typical DMZ setup looks
like:
● WAN: An IP address for connecting to the Internet
● LAN: A private network on 192.168.x.x
● DMZ: A block of Internet IPs (e.g. from 216.138.245.17 to 216.138.245.31)
The web-based administration tool has a DMZ Configuration tool to manage the DMZ network.
Virtual IPs
ClarkConnect supports virtual IPs. To add a virtual IP address, click on the link to configure a
virtual IP address and specify the IP Address and Netmask.
You will also need to create advanced firewall rules if the virtual IP is on the Internet.
Troubleshooting
The two network cables coming from your box may need to be swapped. If you are having a hard
time connecting to the Internet, make sure you try swapping the cables.
In most installs, the network cards and IP settings will work straight out of the box. However,
getting the network up the first time can be an exercise in frustration on some installs. Issues
include:
● Network cards that are not auto-detected
● Invalid network settings (username, password, default gateway)
● Finicky cable/DSL modems that cache network card hardware information
Here are some helpful advanced tools and tips to diagnose a network issue. After booting the
system, hit Alt-F2 to get to a login prompt. Log in with the username root and your password. The
following tools will show detailed diagnostic data on your network cards.
● mii-tool displays link status and speed
● ethtool eth0 displays link status, speed, and many other stats - not all cards support this
tool
● ifconfig eth0 displays IP settings on eth0
Multi-WAN
Overview
MultiWAN Information
Description: Support for multiple connections to the Internet.
Package Name: cc-multiwan
Configuration Page: Network > IP Settings > Multi-WAN
The multi-WAN feature in ClarkConnect allows you to connect your system to multiple Internet
connections. ClarkConnect multi-WAN not only provides load balancing, but also automatic
failover.
Installation
If you did not select this module to be included during the installation process, you must first install
the module.
How It Works
ClarkConnect multi-WAN has the following features:
● auto-failover
● load balanced
To give you an example of how multi-WAN works, imagine two 1 Mbit/s DSL lines with two users
on the local network. With every new connection to a server on the Internet, the multi-WAN system
alternates WAN interfaces. User A could be downloading a large file through WAN #1, while User
B is making a voice-over-IP (VoIP) telephone call on WAN #2.
With some applications, the download speed for the multi-WAN system can use the full 2 Mbit/s
available. For example, downloading a large file from a peer-to-peer network will use the
bandwidth from both WAN connections simultaneously. This is possible since the peer-to-peer
technology uses many different Internet "peers" for downloading. At the other end of the spectrum,
consider the case of downloading a large file from a web site. In this case, only a single WAN
connection is used -- 1 Mbit/s maximum.
Bandwidth aggregation (combining multiple WAN interfaces to look like a single WAN interface) is
not possible without help from your ISP, since both ends of an Internet connection must be
configured.
Configuration
Enable/Disable
When multi-WAN is enabled, all active WAN interfaces are used to connect to the Internet. When
multi-WAN is disabled, the first active WAN interface is the only network used to connect to the
Internet.
Weights
Multi-WAN weights are used to load balance outbound Internet traffic. By default, all WAN
interfaces are given a weight of one. This default configuration means the network traffic will be
(roughly) evenly split amongst the different WAN connections.
In one of the typical multi-WAN configurations, a second broadband connection is used for backup.
This second connection is often a low-cost and low-bandwidth connection. In this case, you would
want to set the weight on your high-bandwidth connection to 3 or 4, while leaving your low-
cost/low-end connection with a weight of 1.
Destination port rules only apply to connections originating on your LAN. These rules do not apply
to traffic originating from the ClarkConnect system itself.
Routing Policies
Some Internet service providers (ISPs) will not allow traffic from source addresses they do not
recognize as their own. The following scenarios will give you a good idea of common issues faced
in a multi-WAN environment. In the examples, we assume two connections, but the same issues
crop up with three or more connections.
DNS Servers
The DNS servers configured on the ClarkConnect system will be provided by one or both ISPs. In
our example, we are going to assume that ISP #1 provides the DNS servers. If a DNS request from
your network goes out the ISP #2 connection, it might get blocked by ISP #1. Result: DNS
requests will only succeed on ISP #1.
traffic from these extra IPs out the ISP #1 connection. ISP #2 may drop the packets.
Solution -- Use a Source Based Route for your DMZ network.
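The pieces described in this section (per-connection balancing by weight, automatic failover when a link is down, the single-link behaviour when multi-WAN is disabled, and a source-based route that pins a DMZ block to the ISP that owns it) fit together as a small set of iproute2 commands. The following is an added example and a model of the mechanism, not ClarkConnect's cc-multiwan code: interface names, gateways and the routing-table number are constructed. The `policy_route` helper generalizes the source-based route to a destination selector, which is the same idea applied to the DNS-server problem above and goes beyond what the manual shows.

```python
"""Added example (not ClarkConnect's own code): a model of weighted multi-WAN
balancing, auto-failover and policy routing, expressed as the iproute2 commands
a Linux gateway runs. Interfaces, gateways and the table number are constructed."""

WANS = [  # constructed: two ISP links, the high-bandwidth one weighted 3:1
    {"name": "ISP #1", "dev": "eth0", "gw": "10.22.22.1", "weight": 3, "up": True},
    {"name": "ISP #2", "dev": "eth2", "gw": "10.33.33.1", "weight": 1, "up": True},
]


def active(wans, multiwan=True):
    """Live links that may carry traffic. With multi-WAN disabled only the
    first live link is used; a link that is down is skipped (auto-failover)."""
    live = [w for w in wans if w["up"]]
    if not live:
        raise RuntimeError("no WAN link is up")
    return live if multiwan else live[:1]


def default_route(wans, multiwan=True):
    """The default route for the current set of live links. A multipath route
    makes the kernel choose a nexthop per new connection in proportion to the
    weights, which is the 'alternates WAN interfaces' behaviour."""
    live = active(wans, multiwan)
    if len(live) == 1:
        w = live[0]
        return f"ip route replace default via {w['gw']} dev {w['dev']}"
    hops = " ".join(
        f"nexthop via {w['gw']} dev {w['dev']} weight {w['weight']}" for w in live)
    return f"ip route replace default scope global {hops}"


def expected_share(wans, multiwan=True):
    """Fraction of new connections each live link should receive."""
    live = active(wans, multiwan)
    total = sum(w["weight"] for w in live)
    return {w["name"]: w["weight"] / total for w in live}


def assign_connections(wans, count, multiwan=True):
    """Weighted round-robin model of per-connection balancing. The kernel
    hashes flows rather than counting, but the long-run split is the same."""
    live = active(wans, multiwan)
    cycle = [w["name"] for w in live for _ in range(w["weight"])]
    return [cycle[i % len(cycle)] for i in range(count)]


def policy_route(selector, wan, table):
    """Pin traffic matching `selector` to one ISP via its own routing table.
    'from <DMZ block>' is the manual's source-based route for addresses that
    only ISP #1 will accept; 'to <DNS server>' applies the same idea to the
    DNS-server problem (an assumption beyond what the manual shows)."""
    return [
        f"ip route replace default via {wan['gw']} dev {wan['dev']} table {table}",
        f"ip rule add {selector} table {table}",
    ]


if __name__ == "__main__":
    print(default_route(WANS))
    print(expected_share(WANS))
    for cmd in policy_route("from 216.138.245.16/28", WANS[0], 100):
        print(cmd)
```

Note what the model makes visible: a single large download still rides one nexthop (one connection, one link), exactly as the section says, and marking a link `up: False` is all it takes for `default_route` to collapse to the surviving link.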
Links
● Linux Advanced Routing and Traffic Control
Network Tools
Overview
Network Tools Information
Description: Tools to monitor and diagnose the network.
Package Name: cc-nettools
Configuration Page: Network > IP Settings > Network Tools
Installation
If you did not select this module to be included during the installation process, you must first install
the module.
Configuration
Connection Monitor
The connection monitor shows real-time information on connections going in and out of the
ClarkConnect system. This tool can be useful when diagnosing issues on your local network (for
example, finding a computer with a virus).
● Protocol -- the Internet protocol used by the connection
● Expires -- the time in hours remaining before the connection expires
● Source -- the source IP address
● Destination -- the destination IP address
● Status -- the status of the connection
● Port -- the source port and destination port
● Service -- the service associated with the destination port (if known)
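To show where the columns above come from and how the monitor helps find "a computer with a virus", here is an added example, not ClarkConnect's cc-nettools code: it parses constructed /proc/net/ip_conntrack lines (the 2.6-era kernel format) into those columns and flags LAN hosts with many connection attempts that never get a reply. The service table is an assumed subset of /etc/services and the threshold is a constructed value.

```python
"""Added example (not cc-nettools code): derive the connection-monitor columns
from conntrack lines and flag hosts whose connection pattern looks like an
infection. Sample lines, service table and threshold are constructed."""
import re
from collections import Counter

# assumed subset of /etc/services for the Service column
SERVICES = {22: "ssh", 25: "smtp", 53: "domain", 80: "http", 110: "pop3", 143: "imap", 443: "https"}

# constructed /proc/net/ip_conntrack lines: protocol, protocol number, seconds
# until expiry, TCP state, original-direction tuple, reply tuple and flags
CONNTRACK_SAMPLE = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=198.51.100.7 sport=49152 dport=80 src=198.51.100.7 dst=203.0.113.5 sport=80 dport=49152 [ASSURED] use=1
udp      17 28 src=192.168.1.10 dst=192.168.1.1 sport=53210 dport=53 [UNREPLIED] src=192.168.1.1 dst=192.168.1.10 sport=53 dport=53210 use=1
tcp      6 119 SYN_SENT src=192.168.1.77 dst=203.0.113.21 sport=40001 dport=25 [UNREPLIED] src=203.0.113.21 dst=203.0.113.5 sport=25 dport=40001 use=1
tcp      6 118 SYN_SENT src=192.168.1.77 dst=203.0.113.22 sport=40002 dport=25 [UNREPLIED] src=203.0.113.22 dst=203.0.113.5 sport=25 dport=40002 use=1
tcp      6 118 SYN_SENT src=192.168.1.77 dst=203.0.113.23 sport=40003 dport=25 [UNREPLIED] src=203.0.113.23 dst=203.0.113.5 sport=25 dport=40003 use=1
tcp      6 117 SYN_SENT src=192.168.1.77 dst=203.0.113.24 sport=40004 dport=25 [UNREPLIED] src=203.0.113.24 dst=203.0.113.5 sport=25 dport=40004 use=1
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_conntrack(text):
    """Turn conntrack lines into the connection-monitor columns."""
    rows = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4:
            continue
        proto, expires = tok[0], int(tok[2])
        if proto == "tcp":
            status = tok[3]                       # ESTABLISHED, SYN_SENT, TIME_WAIT ...
        else:
            status = "UNREPLIED" if "[UNREPLIED]" in tok else "REPLIED"
        fields = {}
        for key, value in _KV.findall(line):
            fields.setdefault(key, value)         # first occurrence = original direction
        dport = int(fields.get("dport", 0))
        rows.append({
            "protocol": proto,
            "expires_h": round(expires / 3600, 2),  # the page shows hours remaining
            "source": fields["src"],
            "destination": fields["dst"],
            "status": status,
            "port": f"{fields.get('sport', '-')} -> {fields.get('dport', '-')}",
            "service": SERVICES.get(dport, "unknown"),
        })
    return rows


def suspicious_sources(rows, threshold=3):
    """LAN hosts with at least `threshold` connection attempts that never got a
    reply. Many half-open connections to distinct hosts on one port is the
    signature of a scanning or mass-mailing infection."""
    counts = Counter(r["source"] for r in rows if r["status"] in ("SYN_SENT", "UNREPLIED"))
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    rows = parse_conntrack(CONNTRACK_SAMPLE)
    for r in rows:
        print(r)
    print("suspicious:", suspicious_sources(rows))
```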
Routing Table
The routing table provides technical information on the active routes on the system.
Protocol Statistics
Detailed technical information on the underlying TCP/IP network.
Links
● Linux Advanced Routing and Traffic Control
UPnP
Overview
UPnP Information
Description: Universal plug and play software.
Package Name: linuxigd
Configuration Page: N/A
UPnP should only be used on a home or trusted network. Avoid using this software on office,
school or other untrusted networks. See note below.
UPnP has many opponents. However, we feel that Open Source is all about giving people choices,
and letting intelligent people make intelligent decisions about its use. A lot of us really need this
daemon, and can live with the consequences because we are simply connecting a home network to
the internet through one IP.
UPnP version 1.0 is inherently flawed. What appears to have happened is that in Microsoft's first
UPnP implementation they weren't concerned with security or any advanced controls; all they
wanted was connectivity. So we are stuck with this for now. The UPnP server, by itself, does no
security checking. If it receives a UPnP request to add a port mapping for some IP address inside
the firewall, it just does it. In theory, this could open up ports on some other system.
Wireless
Overview
Wireless Networking Information
Description: Wireless network card settings.
Package Name: cc-wireless
Configuration Page: Network > IP Settings > Wireless
Installation
If you did not select this module to be included during the installation process, you must first install
the module.
Configuration
Supported Hardware
Many wireless network cards work out of the box in Linux (see Links section below). However, we
only officially support the following:
● PCI: Netgear 11Mbps 802.11b Wireless PCI Card (MA311)
● ISA-to-PCMCIA bridge: All models
● PCI-to-PCMCIA bridge: Buffalo Tech WLI-PCI-OP
● PCMCIA: Orinoco Silver and Gold 802.11b PCMCIA
From the Orinoco site: "For PCs with an ISA slot, the ORiNOCO ISA adapter is strongly advised."
In other words, only purchase the PCI card if your system is PCI-only.
PCMCIA Settings
If you use a PCMCIA (laptop) card, you may need to change some of the settings.
PCIC Driver
There are a few different types of hardware drivers (PCIC drivers) available for PCMCIA. Consult
your hardware's user guide or online support to determine your settings. For the Orinoco PCMCIA
cards, use i82365.
Network Settings
The network configuration for a wireless card is done just like any other network card. However,
the following extra wireless-only options are required.
ESSID
The ESSID is a nickname to give your wireless network. In the screenshot, the name Woburn
Wireless is used. When configuring other wireless devices on your network, make sure you use
Mode
The wireless card can run in a number of different modes. The most common are Ad-Hoc and
Master/Access Point. From the list of officially supported wireless cards, only Ad-Hoc mode is
supported. For un-official wireless cards, you may be able to run the card in other modes.
Secret Key
The Secret Key is used to encrypt your network traffic. The Orinoco Silver card requires a 5-
character (40-bit) key prefixed with 's:' - e.g. s:abcde. This must match the settings for other
wireless devices on your network.
For added security, you can allow only certain network MAC addresses on your wireless network.
Links
● Seattle Wireless
● Linux Wireless LAN Howto
● WLAN Adapter Chipset Directory
Firewall
1 to 1 NAT
Overview
1-to-1 NAT Firewall Information
Description: Configuration tool for 1-to-1 NAT.
Package Name: cc-firewall-dmz
Configuration Page: Network > Firewall > 1-to-1 NAT
1-to-1 NAT maps a real Internet IP to an IP on your local area network (LAN).
Installation
If you did not select this module to be included during the installation process, you must first install
the module.
Configuration
You can map 1-to-1 NAT IPs in one of two ways:
● With no firewall at all
Each 1-to-1 NAT rule must be assigned to an external MultiWAN interface as shown by example
below:
Advanced
Overview
Advanced Firewall Information
Description: Configuration tool for advanced firewall rules.
Package Name: cc-firewall-advanced
Configuration Page: Network > Firewall > Advanced
Installation
If you did not select this module to be included during the installation process, you must first install
the module.
Configuration
The advanced firewall tool can be used to create special firewall rules. For instance, you can use
this tool to allow connections to the web-based administration from the Internet -- but only from a
particular IP address. You can find some examples in the advanced firewall tips and tricks
documentation. An invalid advanced rule will cause the firewall to go into a lock-down mode -- all
other firewall rules will not be active in this mode.
Links
● Netfilter/Iptables Home Page
DMZ
Overview
DMZ Firewall Information
Description: Configuration tool for DMZ-based firewalls.
Package Name: cc-firewall-dmz
Configuration Page: Network > Firewall > DMZ
The DMZ solution is used to protect a separate network of public IP addresses. Typically, a third
network card is used exclusively for the DMZ network.
● If you are configuring a few extra public IPs (not a whole network), then go to the 1-to-1
NAT section of the User Guide.
● If you are configuring a separate private network (192.168.x.x or 10.x.x.x), then investigate
Hot LANs in the IP Settings section of the User Guide.
Installation
If you did not select this module to be included during the installation process, you must first install
the module.
Configuration
Network Configuration
Before you can use the DMZ firewall configuration, you need to configure one of your network
cards with the DMZ role. In our example, we used the IP Settings tool to configure a third network
card (eth2) with the following:
● Role: DMZ
● IP Address: 216.138.245.17
● Netmask: 255.255.255.240
● Network: 216.138.245.16/28
All the systems connected to this third network card can then be configured with an IP address in
the 216.138.245.18 to 216.138.245.30 range.
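The arithmetic behind this DMZ example, and behind the LAN host range and the "unusual gateway configuration" warning in the IP Settings section, is the same: an address plus a netmask fixes the network, the broadcast address and the range left for other hosts. The following is an added example, not part of the manual: it derives those values and raises the warnings the page describes (a LAN on a non-private range, a gateway that is not on the interface's own network). The address values are the ones used on the page.

```python
"""Added example (not ClarkConnect's cc-network code): what the IP Settings
page derives from an address and netmask, with the page's gateway and LAN
range warnings. Addresses are the manual's examples."""
import ipaddress


def describe_interface(ip, netmask, gateway=None, role="LAN"):
    """Return the network, usable host range and warnings for one interface."""
    iface = ipaddress.ip_interface(f"{ip}/{netmask}")
    net = iface.network
    others = [h for h in net.hosts() if h != iface.ip]   # addresses left for other systems
    if not others:
        raise ValueError(f"{net} leaves no room for other hosts")
    info = {
        "role": role,
        "network": str(net),                       # e.g. 216.138.245.16/28
        "broadcast": str(net.broadcast_address),   # e.g. 216.138.245.31
        "first_host": str(others[0]),
        "last_host": str(others[-1]),
        "host_count": len(others),
        "warnings": [],
    }
    if role == "LAN" and not net.is_private:
        info["warnings"].append(
            f"{net} is not a private (192.168.x.x or 10.x.x.x) range as recommended for a LAN")
    if gateway is not None:
        gw = ipaddress.ip_address(gateway)
        if gw == iface.ip:
            info["warnings"].append(f"gateway {gw} is the interface's own address")
        elif gw not in net:
            # The page's warning: reachable only with an explicit host route.
            info["warnings"].append(f"gateway {gw} is not on {net}: unusual gateway configuration")
    return info


if __name__ == "__main__":
    print(describe_interface("216.138.245.17", "255.255.255.240", role="DMZ"))
    print(describe_interface("192.168.1.1", "255.255.255.0"))
    print(describe_interface("10.22.22.22", "255.255.255.0", gateway="10.99.0.1", role="External"))
```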
Incoming Connections
By default, all inbound connections from the Internet to systems on the DMZ are blocked (with the
exception of the ping protocol). You can permit connections to systems on the DMZ by allowing:
● all ports and protocols to a single public IP
● all ports and protocols to the whole network of public IPs
● a specific port and protocol to a single public IP
In the screenshot below, both 216.138.245.27 and 216.138.245.28 are not firewalled at all, while
216.138.245.26 can only be accessed via TCP port 2000.
Links
● Definition
Group Manager
Overview
Firewall Groups Information
Description: A tool to group together firewall rules.
Package Name: cc-firewall
Configuration Page: Network > Firewall > Group Manager
The Group Manager makes it easy to categorize and manage related Firewall rules. All rules not
assigned to a group will be listed at the top of the page. You can change a rule's Nickname or
assign it to a new or existing group by clicking on Edit.
Installation
This module is part of the base Firewall package which is always installed.
Configuration
There are three sections to the Group Manager page.
● Individual rule listing (rules that are not assigned to a group)
● Group listing
● Group manager, useful for enabling/disabling or deleting an entire group
The top of the edit dialog shows the fields of the firewall rule: the protocol, address, port, and
parameter (optional; contains extended information). This is displayed to help you identify the rule.
Below this information, you can enter a new Nickname or edit an existing one to help identify the
rule's purpose. To the right you may assign this rule to an existing group using the drop-down, or
add it to a new group by entering the desired name in the input box below. Click on Confirm to save
your changes.
drop-down box. Change this to "Remove from group" and then click on Confirm. If there are no
more rules in any given group, the group will no longer show up in the group drop-down list.
Group Management
At the very bottom of the Group Manager page you can enable/disable or delete a group. Simply
click on the appropriate button.
Deleting a group will delete all member firewall rules. If you want to remove just the
group, remove each rule from the group manually.
Incoming
Overview
Firewall Incoming Information
Description: Tool for configuring incoming connections on the firewall.
Package Name: cc-firewall
Configuration Page: Network > Firewall > Incoming
Configuration
Unlike other firewalls, you do not need to open a port on the Incoming page if you're forwarding
the port to an internal server on your LAN or on your DMZ.
You can also open up ports to allow for remote management of your ClarkConnect system. For
example, you can open up port 22 to allow for SSH access and port 81 to give access to
Webconfig.
Select Firewall Incoming in the web-based administration tool. There are three ways to add an
incoming firewall rule:
● select a standard service in the Standard Services drop down
● input a single port number in the Port Number box.
● input multiple consecutive ports in a port range in the Port Range box.
Outgoing
Overview
Firewall Outgoing Information
Description: Tool for blocking or allowing (depending on mode) outgoing connections on your
network.
Package Name: cc-firewall
Configuration Page: Network > Firewall > Outgoing
Configuration
From the Firewall Outgoing page, you can block or allow certain kinds of traffic from leaving your
network depending on the mode/policy.
As of ClarkConnect 4.0, it is now possible to reverse the meaning of rules created from the
Firewall Outgoing page. The language used in the following documentation has been altered to
reflect this change. Users of older ClarkConnect versions can only allow all outgoing traffic by
default and then selectively block certain hosts and services. See Choose an Outgoing Mode
below for more details.
Note: If you want to block peer-to-peer file sharing programs like Kazaa and Limewire, you will
also want to check the Peer-to-Peer section of the user guide.
Note: These are the two Outgoing Traffic policies available as of ClarkConnect 4.0.
As of ClarkConnect 4.0, the Block/Allow by Destination form has changed slightly. The standard
services drop-down box has been removed and merged into the Destination Ports form illustrated
above.
Troubleshooting
Links
Peer-to-Peer
Overview
Peer-to-Peer Information
Description: A tool to block peer-to-peer traffic.
Package Name: cc-firewall-p2p
Configuration Page: Network > Firewall > Peer-to-Peer
Installation
If you did not select this module to be included during the installation process, you must first install
the module.
Configuration
The following applications can be blocked and/or throttled:
● eDonkey, eMule, Kademlia
● KaZaA, FastTrack
● Gnutella
● Direct Connect
● BitTorrent, extended BT
● AppleJuice
● WinMX
● SoulSeek
● Ares, AresLite
For some protocols, the peer-to-peer blocker will only halt the initial connection to other systems. In
other words, a system that is already connected to a peer-to-peer network will not get blocked. If
you are sanity checking this tool, please disconnect the peer-to-peer client.
Troubleshooting
The world of peer-to-peer networks is fast paced and constantly changing. If you find that your
peer-to-peer software is not getting blocked, then feel free to post your feedback on the online
forums:
Links
● IPP2P Web Site
Port Forwarding
Overview
Port Forwarding Information
Description: Tool for forwarding ports to systems on your local network.
Package Name: cc-firewall
Configuration Page: Network > Firewall > Port Forwarding
Configuration
If you run servers behind your ClarkConnect gateway, you can use the Port Forwarding page to
forward ports to a system on your local area network. In the example below, two port forwarding
rules are configured:
● A web server (port 80) is running on the LAN at 192.168.4.10
● SSH (port 22) is also running on 192.168.4.10. Since port 22 is already used on the
gateway, we specify an alternate port (2222). We then configure our SSH client to use port
2222 to connect directly to 192.168.4.10 from the Internet.
Troubleshooting
In order for port forwarding to work properly, the target system on your local network must have
its default gateway set to the ClarkConnect system. In the adjacent screenshot, the configuration for
a Windows system is shown. The default gateway in this case is 192.168.1.1 (the IP address of the
ClarkConnect system).
Security
Intrusion Detection
Overview
Intrusion Detection Information
Description: An advanced intrusion detection system.
Package Name: cc-snort
Configuration Page: Network > Security > Intrusion Detection
The intrusion detection package is included with ClarkConnect to make users more aware of some
of the daily hostile traffic that can pass by your Internet connection. The software is able to detect
and report unusual network traffic including attempted break-ins, trojans/viruses on your network,
and port scans.
Services
New exploits are discovered every day. The intrusion detection software maintains and uses a list
of 2000+ rules. You can receive automatic updates by subscribing to the Intrusion Detection
Updates service.
Configuration
The intrusion detection system includes a daily report. Do not panic when you see alerts in this
daily report. In fact, it would be quite unusual not to see anything reported. Hostile traffic is a
normal part of today's Internet and it is one of the reasons firewalls are necessary. You can find
more information about the report here.
Intrusion detection does require some horsepower. If you find your system sluggish,
you might want to consider disabling the software.
Links
● Intrusion Detection Reports
● Sourcefire website
● Snort Intrusion Detection website
Intrusion Prevention
Overview
Intrusion Prevention Information
Description: An advanced intrusion prevention system.
Package Name: cc-snortsam
Configuration Page: Network > Security > Intrusion Prevention
The intrusion prevention system blocks suspected attackers from your system.
Services
New exploits are discovered every day. The intrusion detection software maintains and uses a list
of 2000+ rules. You can receive automatic updates by subscribing to the Intrusion Detection
Updates service.
Configuration
The Intrusion Prevention system displays a list of IP addresses that have been blocked due to
inappropriate network traffic.
Description
SID
The SID corresponds to the Intrusion Detection ID that triggered the block. This is a hyperlink that
can be followed to reveal more information about the specific conditions that were matched.
Blocked IP
This is the IP address that triggered the block. If this IP address should not be blocked, you can
add it to a "don't block" list by clicking on Whitelist under Action.
Date / Time
The date/time fields show when the block occurred.
Time Remaining
The remaining block time is listed last. The IP address will be unblocked when this reaches 0.
Action
A blocked host can be added to a Whitelist so it will not be blocked in the future. You can also
remove a blocked host using Delete.
Whitelist
If there are IP addresses in your Whitelist they will be listed below the Active Block List. You can
delete an entry by choosing Delete under Action.
Troubleshooting
If you find the snortsam software taking a long time to startup on your system, make sure the DNS
Servers configured for your ClarkConnect system are working properly.
Links
● SSH Brute Force Attack
● FTP Brute Force Attack
Account Manager
Users
Overview
User Manager Information
Description: Tool to add and manage users on the system.
Package Name: cc-users
Configuration Page: Account Manager > All Accounts > Users
Keywords: LDAP
The user manager page allows you to add, delete and manage users on the system.
Configuration
User Overview
The first thing you will see on the user manager page is a summary of existing users. This
summary includes the username, name and the enabled options for each user. Depending on the
platform/version you are using, you may see a dialog box indicating how many mailbox accounts
are in use and how many are available. The Enterprise Edition allows you to purchase additional
mailbox licenses to increase the number of users who can send/receive mail on the server.
In the screenshot shown, user tim has access to all the available services while user veruca only
has access to e-mail and the file server.
User Information
Every user must have the following information configured:
● Username - a username (lowercase only)
● First name - the user's first name
● Last name - the user's last name
● Password and Verify - a password
Depending on your ClarkConnect version, you may also see additional fields, for example
telephone number, address, title, etc.
User Options
The following options are available in the user configuration. Note: the option will not appear if the
related software is not installed on the system.
● File Server Folder - grant access to the home directory on the File Server
● FTP Server - grant FTP Server access
● Mailbox - grant Mail Server (SMTP) access
● PPTP Server - grant PPTP VPN access
● Proxy Server - grant Web Proxy access
● Web Server - grant Web access for Flexshare
● Shell Access - If an administrator needs to enable Secure SHell (SSH) access for a user's account,
this needs to be done at the command line in versions 4.0 and later. See the "Tips and Tricks"
section below for more information.
Links
● Aliases
Groups
Overview
Group Manager Information
Description: Tool to add and manage groups on the system.
Package Name: cc-users
Configuration Page: Account Manager > All Accounts > Groups
The group manager page allows you to add, delete and manage groups on the system.
Configuration
The first thing you will see on the group manager page is a summary of existing groups.
Use the "Add Group" form below the summary of existing groups to add a new group.
Once you have added a new group, or if you click on the "Edit" link next to an existing group, a
new form will appear providing information specific to the group you created/edited.
Use this form to make changes to the users belonging to the group and/or to change the group's
description.
System Tools
Backup and Restore
Overview
Backup and Restore Information
Description: A simple backup and restore tool for configuration files.
Package Name: cc-backuprestore
Configuration Page: System Settings > Backup/Restore
The backup/restore feature lets you take a snapshot of all the configuration files and save them to
a separate system for safe keeping. If a ClarkConnect system needs to be restored, you can re-
install the ClarkConnect system and then restore all the configuration settings from the backup.
Installation
If you did not select this module to be included during the installation process, you must first install
the module.
Configuration
The backup/restore tool saves all the configuration information available through the web-based
interface:
● Usernames and passwords (4.0 or higher)
● Network configuration
● Firewall configuration
● Software configuration (for example, content filter)
The backup/restore settings tool does not save user data, logs or mailboxes. Use the LAN/Backup
and Recovery tool for backing up data.
If you have installed third party applications on your system, you will need to take extra steps to
save configuration data.
Troubleshooting
During the restore procedure, the original network settings will be restored, but not activated.
Consider this scenario:
● The system settings on a live ClarkConnect gateway have been saved.
● Due to a hard disk failure, ClarkConnect was temporarily replaced with a basic router.
● ClarkConnect is re-installed on another server while connected to your LAN.
● The restore procedure is then used on the newly installed ClarkConnect system.
The network settings are now in limbo. The restored network configuration is expecting to be
connected as a gateway, but the system is temporarily running as a standalone system on your
LAN. In this scenario, you will either need to put the system back into its role as a gateway, or,
reconfigure the network.
Date
Overview
Date Information
Description: Tool to set the date, time and timezone.
Package Name: cc-webconfig
Configuration Page: System Settings > Date
The date configuration tool allows you to select your time zone as well as enable/disable automatic
time synchronization.
Configuration
Time Zone
It is important to have the correct time zone configured on your system. Some software (notably,
mail server software) depends on this information for proper time handling.
Time Synchronization
Keeping your system time accurate is recommended, so we suggest having the automatic time
update enabled.
Encrypted File System
Overview
Encrypted File System Information
Description: Encrypted file system manager.
Package Name: cc-dmcrypt
Configuration Page: System Settings > Encrypted File System
The encrypted volume module allows the creation of encrypted volumes that can be used to
protect confidential data from unauthorized access in the event the server is physically removed
from the premises or a portable mass storage device is lost or stolen while in transit.
Data on a volume is stored only in encrypted form while the volume is not mounted. Mounting a
volume requires the password. With a strong password, recovering the plaintext from an
unmounted volume is infeasible; with a weak password it is only as hard as guessing that
password, since whoever holds the disk can try candidates offline without limit. A volume is
unmounted whenever the server restarts (a shutdown, loss of power, etc.) and must be mounted
again by an administrator having both Webconfig access and the volume password. It is important
to note that this module does not protect data while a volume is mounted (the state the volume is
normally in during everyday use): anyone with file access on the running system, including an
attacker who has compromised it, reads the plaintext. This module does not replace the need to
maintain software updates, use a properly configured firewall, IDS/IPS, etc.
Installation
If you did not select this module to be included during the installation process, you must first install
the module.
Configuration
Volume Name
A unique name that describes the volume (e.g. ArchivedMail, ExternalUSB).
Mount Point
The directory where the volume will be accessible. By default, the mount point is created in
/mnt/dmcrypt/<VolumeName>
Storage Device
The physical device location.
Size
The size (in MB) of the encrypted volume. Keep in mind, encrypted volumes have an overhead
approximately equal to 1-5% of the total defined size of the volume, so the usable space is slightly
less than the size entered.
Password
The password required to mount the encrypted volume.
Verify Password
Re-enter the password to verify.
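The following is an added example, not code from this manual or from the cc-dmcrypt module. It shows the same life cycle driven by hand with cryptsetup on a file-backed container: create, mount again after a restart, unmount, and the check an administrator wants after every reboot, namely whether the path under /mnt/dmcrypt is really backed by a device-mapper volume or is just an empty (or, worse, plaintext) directory that applications will happily write to. The use of LUKS, the file names and the sample mount table are assumptions for illustration; the module's own on-disk format is not documented on this page.

```shell
#!/bin/sh
# Added example, not ClarkConnect code. Assumes cryptsetup with LUKS and a
# file-backed container; the Webconfig module's own format may differ.

# create_container FILE SIZE_MB -> allocates a SIZE_MB container file and
# attaches it to a loop device, printing the device path (needs root).
create_container() {
    dd if=/dev/zero of="$1" bs=1M count="$2" status=none || return 1
    chmod 600 "$1"
    losetup --find --show "$1"
}

# create_volume NAME DEVICE [MOUNTPOINT] -> LUKS-format DEVICE, open it as
# /dev/mapper/NAME, put a filesystem on it and mount it (needs root).
# cryptsetup prompts for the volume password, so this runs interactively.
create_volume() {
    name=$1; dev=$2; mp=${3:-/mnt/dmcrypt/$1}
    cryptsetup -q luksFormat "$dev" || return 1
    cryptsetup luksOpen "$dev" "$name" || return 1
    mkfs.ext4 -q "/dev/mapper/$name" || return 1
    mkdir -p "$mp" && chmod 700 "$mp" && mount "/dev/mapper/$name" "$mp"
}

# mount_volume NAME DEVICE [MOUNTPOINT] -> what an administrator repeats after
# every restart; the data is readable only between this call and unmount_volume.
mount_volume() {
    name=$1; dev=$2; mp=${3:-/mnt/dmcrypt/$1}
    cryptsetup luksOpen "$dev" "$name" && mount "/dev/mapper/$name" "$mp"
}

# unmount_volume NAME [MOUNTPOINT] -> after this the container is ciphertext again
unmount_volume() {
    name=$1; mp=${2:-/mnt/dmcrypt/$1}
    umount "$mp" && cryptsetup luksClose "$name"
}

# volume_is_mounted MOUNTPOINT [MOUNTS_FILE] -> returns 0 only if MOUNTPOINT is
# mounted from a /dev/mapper node, 1 if nothing (or a plain, unencrypted device)
# is mounted there. Reads /proc/mounts by default; that file encodes a space in
# a path as \040, which the check decodes before comparing.
volume_is_mounted() {
    awk -v mp="$1" '
        {
            m = $2
            gsub(/\\040/, " ", m)
            if (m == mp && $1 ~ /^\/dev\/mapper\//) { found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }
    ' "${2:-/proc/mounts}"
}
```

A cron job or the start-up script of any service that stores data on the volume can call volume_is_mounted and refuse to start when it returns 1, instead of writing into an empty directory on the system disk.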
Troubleshooting
Links
● DM-Crypt Project Home Page
Language
Overview
Language Information
Description Tool to set the language and locale.
Package Name cc-webconfig
Configuration Page System Settings Language
You can change the language used by ClarkConnect from this configuration page.
Running Services
Overview
Running Services Information
Description A tool to view and manage services running on the system.
Package Name cc-webconfig
Configuration Page System Settings Running Services
This configuration page gives you a bird's eye view of the services (also known as "daemons") on
your system.
Shutdown and Restart
Overview
Shutdown and Restart Information
Description A shutdown and restart tool for your system.
Package Name cc-webconfig
Configuration Page System Settings Shutdown/Restart
SMTP Relay/Notification
Overview
SMTP Relay/Notification Information
Description Allows applications to send reports, alerts, notifications etc. via e-mail through the configured SMTP relay without having a local
Installation
This module is installed only when a module dependent on the Mailer class is installed. To install
manually, run:
# apt-get update
# apt-get install cc-mailer
Configuration
Configuration of the SMTP relay is accessed under System Tools SMTP Relay.
SMTP Host
The hostname of the SMTP server to connect to.
Port
The port to connect to. Relays usually listen on port 25; 587 (message submission, normally with
STARTTLS and authentication) and 465 (SMTP over an SSL/TLS connection from the start) are the
other common choices, and the SSL/TLS setting below must match what the relay expects on the
chosen port.
SSL/TLS
Encryption protocol to use when connecting to the host server. Without it, the username and
password below cross every network between this server and the relay in clear text.
Username
A valid username to authenticate to the server.
Password
A valid password to authenticate to the server.
Test Relay
Once you have decided on the SMTP server to relay through and obtained and entered the
settings necessary, it is time to test the relay to ensure e-mails can get through. Click on the Test
Settings link. A form will be displayed requiring the input of a valid e-mail address. Enter an
address that you can easily verify receipt of the test message that will be sent.
Examples
Example 1 - an unauthenticated relay on a non-standard port
SMTP Host: antivirus.pointclark.com
Port: 2525
SSL/TLS: None
Username: (none)
Password: (none)
Example 2 - an authenticated relay over an encrypted connection
SMTP Host: smtp.gmail.com
Port: 465
SSL/TLS: TLS
Username: pcn.developer@gmail.com
Password: *****
Links
● SwiftMailer
SSL Certificate
Overview
SSL Certificate Information
Description Allows the creation, signing, renewal and revocation of SSL
certificates for implementing cryptography using SSL (v2/v3) and
TLS (v1) protocols.
Package Name cc-ssl
Configuration Page System Settings SSL Certificate Manager
An SSL certificate binds a public key to a name (a host name, or a person and e-mail address) and
is the de-facto standard for authenticating the parties to an encrypted network session; the same
certificates are used to sign and encrypt e-mail with S/MIME.
This module provides an administrator with the ability to create a Certificate Authority (CA) which
can then be installed as a trusted CA on any operating system, browser or mail client, so that the
certificates it issues are accepted when securing communications between two computers or
signing e-mail. The module calls creating your own CA and using it to sign certificates
"self-signing"; strictly speaking only the CA certificate is self-signed and the certificates it issues
are signed by your private CA, but this manual uses the module's term throughout.
The SSL Certificate Manager module can also create Certificate Signing Requests (CSRs). The
contents of a typical CSR are shown below:
A CSR carries your public key and the identifying fields of the certificate you want, and is sent to
a Trusted CA to be signed. The Trusted CA uses the CSR to generate your signed X.509 SSL
certificate (CRT) and sends it back; the signed certificate looks similar to the CSR but is not the
same object.
Whether your CRT was self-signed or signed by a Trusted CA, it now represents the public part of
a public/private key (certificate) pair. The private half of the key (usually ending in .key or -key.
pem) was generated automatically during the CSR creation and must never be sent across an
untrusted network (i.e. the Internet), nor pasted into an e-mail or web form along with the request.
Unless this key was intended to secure another server, it should not be moved from its directory
of origin (/etc/ssl/private), and it should stay readable only by root.
Installation
This module is installed by default and should not be un-installed. SSL certificates are used by the
Webconfig User Interface.
Configuration
The module will force you to create a CA prior to allowing the creation of certificates requests,
signed certificates or PKCS12 files. The form to create the CA is presented when no CA is found
on the server (in the /etc/ssl directory) and is shown in a screenshot below. A brief description and
suggested defaults is provided in the following sections.
Key Size
This is the RSA key length. The module's default of 1024 bits reflects the era in which it was written;
1024-bit RSA is no longer considered adequate (NIST disallowed it for new signatures after 2013
and publicly trusted CAs have required at least 2048 bits since 2014), so choose 2048 bits or more
for any new CA or certificate. RSA keys are not broken by brute-force guessing but by factoring the
modulus, and the cost of factoring keeps falling as computing power grows, which is why the
acceptable size keeps rising. Note that this is the RSA key size and does not determine, for
example, the strength of the symmetric cipher protecting a web browsing session (typically 128b,
but could be 40b or 256b), which is negotiated from the capabilities/settings of both the client
web-browser and server.
Common Name
The common name in the certificate authority can be anything. Generally speaking, you will want
this to be descriptive of the purpose of the certificate as a trusted root certificate. An example might
be Point Clark Networks Root Certificate Authority.
Organization Name
Typically the company name or person responsible for the CA. Example - Point Clark Networks
Ltd.
Organization Unit
In larger organizations, the organization unit might be a department within the company, such as
IT Department.
City
The organization's city - for example, Toronto.
State/Province
The organization's state or province - for example, Ontario or ON. Leave blank if this does not
apply.
Country
The organization's country - for example, Canada. The module will automatically convert the
country to the 2-letter ISO-3166 country code.
E-mail
The e-mail address of the person responsible for the CA within the organization - for example,
certificates@pointclark.net.
Once a Certificate Authority has been created on your server, you will see a summary of the CA
and any certificates you have created. If you have only just created your CA, you obviously won't
have any signed certificates or PKCS12 files and your summary will look similar to the screenshot
below.
Use the form below the three summary tables as illustrated above to create either a certificate
request or signed certificate. For those new to SSL and encryption, it may not be immediately
obvious as to the difference.
Certificate Request
The certificate request is the precursor to a signed certificate. It contains the public half of the
private/public key pair used in RSA encryption together with all the identifying fields of a certificate
(common name, organization name etc.), and is itself signed with the private key to prove that the
requester holds it. All signed certificates originate from a certificate request. A certificate request
does not have an expiry date associated with it. A certificate request cannot be used in
cryptography on its own and must be signed (usually by a trusted CA for an annual fee, or by your
own CA) in order to be useful.
Signed Certificate
As the name implies, this is a public certificate (the public half of the RSA private/public key pair)
that has been signed by a Certificate Authority (CA). The CA's service to the certificate holder, and
to anyone relying on the certificate, is third-party validation of the authenticity of the certificate
owner. For example, if the certificate is to be used on an encrypted website (HTTPS), the CA will
take measures to verify that the requester controls the domain named in the certificate request
before signing it. A signed certificate carries both a not-valid-before and a not-valid-after
timestamp, attached when the CA signed the request; clients refuse the certificate outside that
window, which is one reason the system clock (see Date) must be correct.
Notice how the Term field disappears when you select the Use a Trusted CA option - this is by
design, since certificate requests do not store expiry dates.
Selecting the Self-Sign option will use the CA you created during initialization of the SSL module
to sign a certificate request that is created temporarily during the process.
In the example below, we sign our own certificate whose intended use will be to sign e-mail
originating from "Joe Developer" at Point Clark Networks.
Two differences to note from the creation of a certificate request example above. First, there is an
additional Term field - this field sets the expiry date, counted from the date of creation. For
convenience, some users may want to set this to 25 years (essentially no expiry), but a certificate
remains valid for its whole term even after its private key has been lost or stolen unless you
revoke it and every client checks for revocation, so shorter terms limit that exposure. Second,
additional fields named Import Password for PKCS12 and Verify Password for PKCS12 are
visible. The Personal Information Exchange Syntax Standard (also called PKCS12) file is a
convenient format to install certificates onto client machines for use in signing and validating
e-mail. The file is protected with a password since the PKCS12 file contains both the private and
public keys associated with the SSL signed certificate.
If you chose Use a Trusted CA instead, the resulting request needs to be downloaded and sent
(typically via e-mail or a web form) to a Trusted CA. Click on the View link to view the contents of
the request, including the part a Trusted CA requires.
At this point, you have two options to download the certificate request. First, use the Download
link to save the entire PEM file to your local machine. The second option is to simply select the
PEM Contents text, starting from the -----BEGIN CERTIFICATE REQUEST----- line and ending with
(and including) the -----END CERTIFICATE REQUEST----- line, with your mouse and "cut-and-paste"
this into an e-mail to be sent to a Trusted CA or a web form for submittal. The request contains
only public information; the private key is never part of it.
Once you receive the signed certificate back from the Trusted CA (a process that may take up to
48 hours), return to the SSL Webconfig page, click on View again, and this time, select Import
Signed Certificate from the available Actions. A web form will be displayed allowing you to
"paste" the certificate contents.
Once "copied-and-pasted" into the form, click Save. Your certificate is now imported and ready for
use.
To create a PKCS12 file, you should already have a signed certificate under management with the
appropriate e-mail that will match the user's signature (ie. e-mail address). The screenshot below
shows one certificate (Joe Developer's) - in addition to the root CA - for the purpose of signing
To start the PKCS12 creation, click on the View link next to the certificate. Details of the certificate
along with several actions which can be executed on the signed certificate will be displayed, similar
to below.
If you do not see the Create PKCS12 option, it is because it already exists on the system. Return
to the main menu and look under the PKCS12 Files table.
Since the certificate already exists, you only need to provide the password and verification that will
be used to secure the PKCS12 file.
Clicking on the "Create" button will create the PKCS12 file using the password supplied and list it
for download under the PKCS12 section. The file contains the private key and is protected only by
that password, so choose a strong one and, if the file has to travel by e-mail or FTP, send the
password by a separate channel. See the next sub-section for information on downloading and
installing the file to your computer.
Click on the Download link next to the PKCS12 you wish to download to your local machine
(computer). Depending on your OS and browser, you will see a dialog box similar to the one shown
below.
If access is from the machine where the file will be installed, you can choose "Open With", which
on Windows hands the file to the certificate import wizard. If you will be e-mailing or making the
file available to download via alternative ways (e.g. FTP), you'll need to "Save to Disk" to save a
copy of the
Thunderbird
Before starting, make sure you have downloaded or received your PKCS12 file and saved it to
your local machine. If you have not yet done this, see instructions provided in the above sections.
Open the Thunderbird mail client and click on Tools Account Settings. Click on the Security
summary under your account. You should see a form similar to the screenshot provided below.
Click on View Certificates under the Certificates section. Under the Your Certificates tab, click
on Import. Use the file manager dialog pop-up to select the PKCS12 file you saved to your
computer earlier. At this point, you may be prompted to create a master password for the security
device. Choose a password you can remember but that is difficult for anyone else to guess; it
protects the private key stored in your Thunderbird profile. You will need to use this password
each time you close and re-open Thunderbird to send a signed or encrypted e-mail.
You will then be prompted for the password for the PKCS12 file you are about to import. This is the
password that was used during the creation of the PKCS12 using the ClarkConnect SSL Manager
module. You should now see your certificate installed under Your Certificates.
You're not quite done - note how the Purposes field indicates Issuer Not Trusted. What happened
transparently when installing the PKCS12 file was the import of your CA under the Authorities
section, but Thunderbird does not trust a newly imported CA for any purpose until you say so, and
therefore cannot yet confirm what Your Certificate can be used for. Click on the Authorities tab
and scroll down until you find the Certificate Authority that was used to sign the certificate used to
create the PKCS12 file. When you find your CA in the list, click once to highlight it and then click
on the Edit button. A pop-up dialog box will be displayed as shown below.
Place a check mark in each checkbox, and click OK. Bear in mind that trusting the CA for web
sites means Thunderbird will accept any server certificate it issues, so only do this for a CA you
control. Go back to the Your Certificates tab - you should now see the message Issuer Not
Trusted has been replaced with Client, Server, Sign, Encrypt. Close the Certificate Manager
dialog window and click on either of the Select buttons in the Digital Signing or Encryption
sections. You will be prompted to select a certificate from a drop down box which will likely just
have the one certificate you installed. Select it, and click OK. Close the Account Settings dialog
window by clicking OK.
Congratulations - you can now sign e-mail and receive encrypted e-mail if senders use your public
key to encrypt the message.
Outlook/Outlook Express
Outlook and Outlook Express use the Windows OS certificate manager to perform message
signing and encryption/decryption. The following help section describes how to install a PKCS12
file onto Microsoft's XP platform.
Click on Start Control Panel and select Internet Options from the menu system. Select the
Content tab.
Working in the Certificate dialog box pop-up, select the Personal tab and click on the Import
button. An Import Wizard will start up, taking you through the process in steps. Click Next to
continue.
Click on the Browse button and find the PKCS12 file that you saved to your system. Note, you
may have to change the default file type from X509 to Personal Information Exchange to see the
proper extensions. Click Next to continue. The wizard will then ask you for the password. Enter the
password you used in the ClarkConnect SSL Manager module when creating the PKCS12 file. Of
the two check boxes offered, enabling strong private key protection is a good idea (Windows will
then prompt you before the key is used); marking the key as exportable is a convenience for
backups rather than a security measure, so leave it unchecked if the key should not be able to
leave this machine.
Keep the default location to store the certificate - Personal Store. Click Next to continue. Click
Finish to complete the PKCS12 install. Unlike Thunderbird, Windows automatically enables the
uses for the certificate.
Congratulations - you can now sign e-mail with Outlook and receive encrypted communications
from people using your public key.
Renewing a Certificate
Certificates that have been self-signed by the locally created Certificate Authority can be renewed
at any time. Click on the View link, followed by the Renew button under the action options. A form
similar to the one below will allow you to select the term to extend the original certificate in addition
to re-issuing a new PKCS12 file with password.
When renewing a certificate that was not self-signed, a new certificate request will be created
which can then be sent to a Trusted CA for signing and subsequent import.
Troubleshooting
There are really only two fields in the certificate generation process that can get you into trouble -
Common Name and E-mail. These fields are explained below in relation to the two typical
applications of SSL certificates (web and e-mail).
Web/FTP
Common Name
For a server certificate the common name must be the fully qualified host name that clients
connect to, exactly as it appears in the URL; a browser that is sent a certificate for a different name
warns the user. Current browsers match the host name against the certificate's Subject Alternative
Name extension rather than the common name, so a certificate intended for a website should carry
the host name there as well.
E-mail Field
Typically, this field would be the e-mail address of the web master or some alias referring back to
support.
Example
Website URL: https://secure.clarkconnect.com/webapp/
Common Name = secure.clarkconnect.com
E-mail = accounts@pointclark.net
E-mail Signing/Encryption
Common Name
The common name is typically the full name of the individual.
E-mail Field
This field must match exactly the e-mail address of the sender who intends to include a signed
signature and/or receive encrypted communications.
Example
E-mail Address of Sender: joe.developer@pointclark.net
Common Name = Joe Developer
E-mail = joe.developer@pointclark.net
Links
● OpenSSL
● Public Key Cryptography
● CA Cert
● Certificate Authorities
Webconfig
Overview
Webconfig Information
Description Webconfig settings.
Package Name cc-webconfig
Configuration Page System Settings Webconfig
The Webconfig settings page allows you to change the look and feel of the web-based interface.
Configuration
A variety of templates are available for the web-based administration tool; select the one that most
appeals to you.
Modules
Database
MySQL
Overview
Database Information
Description MySQL relational database.
Package Name cc-mysql
Configuration Page Software Database MySQL Setup
The Webconfig UI for MySQL provides login configuration/management to the phpMyAdmin web
interface, a separate UI that allows full control over your MySQL databases.
Installation
If you did not select this module to be included during the installation process, you must first install
the module.
phpMyAdmin
Once you have set the database master password, you can login to the phpMyAdmin
administration interface. Use:
Username: root
Password: <YOUR PASSWORD>
Where <YOUR PASSWORD> is the database password. This account has full control over every
database on the system, so choose a strong password and do not expose the phpMyAdmin
interface to untrusted networks.
Links
● MySQL home page
● phpMyAdmin home page
Antispam
Overview
Antispam Information
Description Antispam for mail servers.
Package Name cc-spamassassin
Configuration Page Software Mail Antispam
The antispam software works in conjunction with your mail server. The software identifies spam
using a wide range of algorithms on e-mail headers and body text. ClarkConnect also includes
greylisting and additional blacklists -- both are effective tools that can be used to detect spam.
Installation
If you did not select this module to be included during the installation process, you must first install
the module.
Configuration
If you want to discard spam before it reaches mailboxes, you can configure the mail discard policy.
For example, you can discard spam marked with high probability (or higher) by using this tool.
Subject Tag
● Use Subject Tag - enable/disable e-mail subject tag when e-mail is marked as spam
● Subject Tag Threshold - spam score required to trigger a change in the e-mail subject
● Subject Tag - the subject tag to use when e-mail is marked as spam
A subject tag can be added to messages marked as spam. For instance a spam message with the
subject "Premier Invest0r Rep0rt" will be transformed into "[SPAM] Premier Invest0r Rep0rt". This
feature makes it easy for end users to identify and filter spam.
● White List - a list of e-mail addresses that should never be marked as spam
● Black List - a list of e-mail addresses that should always be marked as spam
The antispam engine includes both white and black lists. The white list marks sender addresses
whose mail is never spam, while the black list marks sender addresses whose mail is always
spam.
Among others, newsletters and legitimate e-commerce e-mail can sometimes be marked as spam.
The sender addresses of these messages can be added to the white list to prevent them from
being marked as spam.
E-mail addresses in the white and black lists can use the * wildcard character to match any
characters. For instance, *@example.com and *.gov will match all e-mail from the example.com
domain and from .gov domains.
Keep the white list short and specific. It matches on the sender address in the message, which a
spammer can forge at will, so a wildcard entry such as *@example.com for a large or well-known
domain lets any message claiming to come from that domain past the filter; prefer exact
addresses. The black list, for the same reason, only stops senders who do not bother to change
their address.
Improving Effectiveness
Spam Training
You can improve the effectiveness of the antispam engine by training it with the messages it has
misclassified (see Antispam - Training).
Links
● SpamAssassin website
Antispam - Quarantine
Overview
Antispam - Quarantine Information
Description Antispam for mail servers.
Package Name cc-dspam
Configuration Page Software Mail Antispam - Dspam
The Dspam antispam system tracks e-mail by mailbox. In other words, the antispam system bases
its decisions on individual spam databases for each user on the system.
Installation
If you did not select this module to be included during the installation process, you must first install
the module.
Since the Dspam antispam solution requires specific details about mailboxes and aliases, the
software is not available on systems configured as a mail gateway. For example, a message
destined to sales@example.com forwarded to an Exchange server may end up in Mary and
David's mailbox. It is not possible for the Dspam system to determine this information in mail
gateway mode.
Configuration
Signature Location
The antispam system tracks important elements and statistics on every e-mail message that you
receive. This information is then stored as a "signature" -- basically a unique identification number.
To train the antispam system (see next section), this signature must be included in an e-mail. You
can track these signatures either in the body of the message, or in the message header.
Headers
● advantage: does not clutter the body of e-mail messages
● disadvantage: message must be forwarded as an attachment to train the antispam system
Body
● advantage: message can be forwarded (no attachment) to train the antispam system
Subject Tag
Select the subject tag used to mark any message deemed to be spam.
Links
● Dspam
Antispam - Training
Overview
You can improve the effectiveness of the antispam systems on your ClarkConnect system by
identifying:
● Messages that were spam, but not identified as such
● Messages that were innocent, but identified as spam (false positive)
With a week or two of diligent training with these messages, you can expect to see a more
effective antispam engine.
Installation
At least one of the antispam engines must be installed on your system.
● SpamAssassin
● Dspam
Training
There are two ways to train the antispam systems on your ClarkConnect system: webmail and
mail-forwarding.
Webmail
Training the antispam system via webmail is simple and more effective. Simply select the
messages that you wish to process and press either the Report as Spam or Report as Innocent
buttons (see screenshot). You will then be shown a confirmation message before the actual
processing takes place.
E-mail Forwarding
Training via e-mail forwarding is available in version 4.1 or later.
Training via e-mail forwarding is not as effective since information is lost when you forward a
message. If you decide to use this method, there are two e-mail addresses used for training:
● train.notspam@example.org -- e-mail address for messages incorrectly identified as spam
● train.spam@example.org -- e-mail address for spam that was not identified as such
In order to use this style of spam training, messages must be forwarded as an attachment (see
screenshot).
Links
● Dspam
Antivirus
Overview
Antivirus Information
Description Antivirus for mail servers.
Package Name cc-clamav
Configuration Page Software Mail Antivirus
The antivirus system scans mail messages as they pass through your mail server.
Installation
If you did not select this module to be included during the installation process, you must first install
the module.
Configuration
Mail Policies
When configuring the antivirus system, you must make some mail policy decisions. There are three
types of policies available:
● Bounce - bounce the e-mail back to the sender
● Discard - silently discard the e-mail
● Pass Through - send e-mail with warning (original sent as an attachment)
Most viruses forge the sender address, so a Bounce policy mostly notifies innocent third parties
and can get your server listed as a source of backscatter; Discard is the safer default for
messages known to carry malware.
Links
● ClamAV web site
Aliases
Overview
Aliases Information
Description Mail server aliases tool.
Package Name cc-postfix
Configuration Page Software Mail Aliases
Mail aliases allow you to route extra e-mail addresses (for instance sales@, info@, etc) to one or
more e-mail addresses. This tool can also be used to create mail distribution lists - for example,
staff@example.com can be used to send e-mail to all users on the system.
Installation
If you did not select this module to be included during the installation process, you must first install
the module.
Configuration
Add Mode
When you first click on the "Mail Aliases" navigation link, current aliases set up by domain will be
displayed (along with Edit and Delete options) and a form below this list provides the fields
required to add a new alias. In other words, you are in "add mode".
As an example, if you wanted to create an email alias mapping veruca.salt to a user that you had
created on the system named 'veruca', enter "veruca.salt" in the "Alias" field and select "veruca"
from the "Available" mail accounts list, then click "Add".
There is no limit to how many mailbox accounts an aliased name can be sent to. For example, if
you wanted all three people to receive all email sent to the address "sales@yourdomain.com", you
could add the alias "sales" and select the three users on the "Available" list. Multiple users can be
selected by holding down the "Control" key on your keyboard while clicking on the user in the list.
Edit Mode
To enter "edit mode", you must have at least one alias present. Click on the "Edit" link next to the
alias you wish to edit. The form below will now display which of the available recipients are set up
as aliased (highlighted) and which are not (listed as available but not highlighted). Select/deselect
amongst the available recipient names using the "Control" key and your mouse and click "Update"
to save your settings.
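The Postfix aliases table behind this page has the form "name: recipient, recipient, ...", one alias per line, and a recipient may itself be another alias, which is how a staff@ list can include the sales@ list. The following added example (not ClarkConnect code) resolves an alias the way the mail system will, following nested lists and refusing to loop when two aliases point at each other; the sample table is constructed. Whether the Webconfig tool writes /etc/aliases or a virtual alias map depends on the domain configuration, so the file is a parameter.

```shell
#!/bin/sh
# Added example, not ClarkConnect code: how a Postfix aliases table routes one
# address to several mailboxes, with nested lists and a loop guard.

# expand_alias NAME ALIASES_FILE -> prints the final recipients of NAME, one per
# line, sorted. Nested aliases (a list inside a list) are followed; a name with
# no alias entry is a real mailbox or an external address and is printed as is.
# Each alias is expanded at most once, so a cycle such as "a: b" / "b: a" stops
# with a message on stderr instead of recursing forever.
expand_alias() {
    awk -v target="$1" '
        function expand(k,    n, parts, i) {
            if (!(k in alias)) { out[k] = 1; return }     # leaf: deliver here
            if (k in seen) { print "alias loop at " k > "/dev/stderr"; return }
            seen[k] = 1
            n = split(alias[k], parts, " ")
            for (i = 1; i <= n; i++) expand(parts[i])
        }
        /^[ \t]*(#|$)/ { next }                            # comments and blank lines
        {
            pos = index($0, ":")
            if (pos == 0) next                             # not "name: ..." syntax
            key = substr($0, 1, pos - 1); gsub(/[ \t]/, "", key)
            n = split(substr($0, pos + 1), parts, ",")
            list = ""
            for (i = 1; i <= n; i++) {
                p = parts[i]; gsub(/[ \t]/, "", p)
                if (p != "") list = list " " p
            }
            alias[key] = list
        }
        END { expand(target); for (r in out) print r }
    ' "$2" | sort
}
```

After editing /etc/aliases by hand, run newaliases so that Postfix rebuilds the lookup database it actually reads; the Webconfig page does that step for you.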
Troubleshooting
If you are working with multiple domains on your system (i.e. virtual domains are being used),
make sure to select the correct domain from the drop down list prior to starting your edits.
Links
● Adding users to the server
Mail Archive
Overview
Mail Archive Information
Description Mail archival system for mail servers.
Package Name cc-archive
Configuration Page Software Mail Archive
The Mail Archival System logs all incoming and outgoing e-mail passing through the gateway to a
central database. This module can be used to meet regulatory compliance or assist an
organization to enforce internal policies for e-mail use in the workplace.
Installation
If you did not select this module to be included during the installation process, you must first install
the module.
This module is only available for ClarkConnect Office/Enterprise Edition, 4.2 and
above.
Configuration
On first configuring the mail archiver after installation, a warning will be displayed prompting the
user to initialize the database. This is perfectly normal and should be done before continuing.
A table containing three form tabs is displayed as indicated in the screenshot above.
● Mail Archive Settings - General configuration settings
● Current Statistics - Data and actions relating to the current database
● Search Statistics - Data and actions relating to the search database
The difference between the Current and Search databases is explained below.
Archive [Enable/Disable]
Enables or disables the archiving of email passing through the SMTP server.
Policy
Allows an administrator to archive all email passing through the server or restrict (exempt) certain
users, as required. Set this to "All messages" to archive email for every user. Select "Filter
messages" to configure a filter to archive only some users email.
Configure (Policy)
A configure link will be displayed when "Filter messages" is selected as the policy. Click on this link
to 'fine tune' which users' email should be archived.
Discard Attachments
The "Discard Attachments" drop down option is only available when the "Policy" is set to "All
messages" - otherwise, discarding of attachments is done in the 'Configure' page.
To save on storage space (and assuming attachments are not required to be archived either by
corporate policy or law), select "Always". Otherwise, select the threshold above which attachments
should be discarded (e.g. "Never", > 1MB etc.).
Files which are identical but attached to different e-mails as attachments only consume the size of
the file, not N x the size of the file, where N is the number of emails going through the archive
system with the same attachment.
Auto Archive
Auto archive controls the movement of archive data from the "Current" database to an archived
file. This allows the email archive to be easily moved from the server to a storage medium (for
example, another server, a USB Mass Storage Device, a tape drive etc.) for safe storage. All
emails that have been archived to this file can be retrieved and searched at a later date, if required.
Use this field to produce consistent archive files for a given period (e.g. weekly or monthly) or of a
certain size (e.g. a DVD).
Encrypt Archives
The transition of data from the database to a dump file can be encrypted to prevent unauthorized
access. This can be extremely important (and may be required by law) if e-mails contain
confidential information.
Twelve characters was chosen as the password length to ensure the security of the encrypted
file. If a shorter password is desired, you can override this setting in the
/etc/archive.conf file by setting the 'encrypt-password-length' parameter.
The dual-database system is designed for maximum scalability. A single database could quickly
grow to such an enormous size that an administrator would be continually adding drive storage
space to accommodate the email archives. By giving the user the ability to take snapshots of a
certain size (or covering a certain period of time) from the Current database and allowing one or
more of them to be loaded into the Search database, searching for past emails can be done quickly
and efficiently without the overhead of hundreds of GB of disk space.
Performing a Search
To view how many emails and the approximate size of the archive in the 'Current' database, click
on the Current Statistics tab.
Click on the Search button. A new form will be displayed allowing you to enter your search criteria.
Using the add links you can customize your search using a maximum of five (5) criteria using
either AND or OR logic (Match all vs. Match any). The results from your search will be displayed in
the results table below.
All prior restores will be listed in the Archives table. Rows with a green status icon mean the link is
intact (the archive file exists on the server). Rows with a red status icon indicate the link is broken. If
you need to restore from a file whose status is red (broken link), you will need to use Flexshare and
the storage device where the archive was moved to in order to re-establish the link.
Simply click on the Restore button to start a restore to the Search database. Once complete, you
can Search the database as normal.
Performing a Search
To navigate to the Search Database, go to the Mail Archive page and click on the Search
Statistics tab. If there is data in the database that you wish to search, click the Search button.
(Looking at the statistics, you may find that there is data but not remember which archive file it
originates from; in that case it is advisable to reset the database and start again.) A search form
will be displayed, the same as when you are searching the Current Database.
You can toggle between searching the Current and Search databases by selecting the appropriate
radio button in the search form.
Enter your search criteria and click Search. Any hits (results) will be displayed in the
table below.
Viewing/Restoring E-mails
Once an e-mail has been found using a search procedure, click on the View link next to the e-mail
of interest. A new page will be displayed containing the email body contents.
Original Header
It is sometimes of interest to view the original e-mail header. This information is stored in the archive
database and can be viewed by clicking on the Original Header link (a '+' icon).
The screen capture below displays an e-mail view with the headers expanded.
Sending
To resend the email (either to the original recipient or a separate user), click on the Resend E-
mail link. A new form will appear allowing you to resend the email.
Resending the e-mail uses the SMTP relay module. Make sure it has been
configured correctly to send outgoing mail through your local mail server or your
ISP.
Advanced Users
# cat /etc/system/database
password = AAAAAAAAAAAAAAA
reports.password = BBBBBBBBBBBBBB
zoneminder.password = CCCCCCCCCCCCCCC
archive.password = PASSWORD
dspam.password = DDDDDDDDDDDDD
The email archive database password is keyed on 'archive.password'.
Next, you'll need to access the MySQL console in a slightly different manner than the default
MySQL server.
/usr/share/system-mysql/usr/bin/mysql DBNAME -uUSER -pPASSWORD
Where:
DBNAME = archive_current or archive_search
USER = archive
PASSWORD = the password retrieved from the /etc/system/database file
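Putting the password on the command line as -pPASSWORD exposes it to every local user who can read the process list. The following script, added here as an example and not part of the manual or of ClarkConnect, reads 'archive.password' from the key = value file shown above and hands it to mysql through a mode-0600 option file instead; the sample file contents in the comments are constructed.

```python
"""Retrieve the archive database password and open the MySQL console without
exposing the password on the command line.

Added example, not part of the manual or of ClarkConnect. It reads the
'key = value' format shown above from /etc/system/database and passes the
password to mysql through a mode-0600 option file, because a -pPASSWORD
argument is visible to every local user in the process list.
"""
import os
import subprocess
import tempfile
from typing import Dict, List

MYSQL_BIN = "/usr/share/system-mysql/usr/bin/mysql"  # path given in the manual
DB_FILE = "/etc/system/database"                     # file shown in the manual
ARCHIVE_DBS = ("archive_current", "archive_search")


def parse_database_file(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines; blank lines and '#' comments are skipped.

    Constructed sample input: "archive.password = PASSWORD\\n".
    """
    creds: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed line in {DB_FILE}: {raw!r}")
        creds[key.strip()] = value.strip()
    return creds


def archive_password(text: str) -> str:
    """Return the value keyed on 'archive.password'."""
    creds = parse_database_file(text)
    if "archive.password" not in creds:
        raise KeyError("archive.password not found in database file")
    return creds["archive.password"]


def write_option_file(password: str, user: str = "archive") -> str:
    """Write a [client] option file that only the current user can read.

    mkstemp creates the file with mode 0600, so the password is never
    world-readable and never appears in argv.
    """
    # MySQL option-file quoting: backslash and double quote must be escaped.
    quoted = password.replace("\\", "\\\\").replace('"', '\\"')
    fd, path = tempfile.mkstemp(prefix="archive-client.cnf.")
    with os.fdopen(fd, "w") as fh:
        fh.write(f'[client]\nuser={user}\npassword="{quoted}"\n')
    return path


def mysql_command(option_file: str, dbname: str) -> List[str]:
    """Build the argv for the console; --defaults-extra-file must come first."""
    if dbname not in ARCHIVE_DBS:
        raise ValueError(f"dbname must be one of {ARCHIVE_DBS}")
    return [MYSQL_BIN, f"--defaults-extra-file={option_file}", dbname]


def open_console(dbname: str = "archive_current") -> int:
    """Run the interactive console and remove the option file afterwards."""
    with open(DB_FILE) as fh:
        password = archive_password(fh.read())
    option_file = write_option_file(password)
    try:
        return subprocess.call(mysql_command(option_file, dbname))
    finally:
        os.unlink(option_file)


if __name__ == "__main__":
    raise SystemExit(open_console())
```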
Troubleshooting
Links
Using Flexshares
Overview
Greylisting Information
Description: Greylisting and filters for mail servers.
Package Name: cc-filters
Configuration Page: Software > Mail > Filters
Greylisting and mail filters are extra tools to prevent spam from reaching your users' mailboxes.
Installation
If you did not select this module to be included during the installation process, you must first install
the module.
Configuration
Greylisting
Greylisting can dramatically reduce the amount of spam reaching your mailboxes. When the
service is enabled, a mail message from a sender that is not recognized is temporarily rejected. If
the mail message is legitimate, the sending mail server will re-attempt delivery and the
ClarkConnect server will then accept it. For the most part, spammers do not bother with the second
delivery attempt and this results in less spam. The parameters that you can use to fine tune the
greylisting engine are described below.
Status
State of the greylisting engine.
Delay
The amount of time that must pass before a subsequent delivery attempt is allowed.
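The decision the greylisting engine makes, as an added illustration in Python that is not part of the manual or of Postgrey's own code: the first attempt from an unseen sender is deferred, an early retry is deferred again without resetting the clock, and only a retry after the configured Delay is accepted. The triplet key, reply strings and the 35-day whitelist lifetime are this example's assumptions.

```python
"""Toy greylisting engine illustrating the accept/defer decision.

Added example, not ClarkConnect or Postgrey code. It keys on the triplet
(client IP, envelope sender, envelope recipient); `delay` is the manual's
"Delay" parameter in seconds. All sample addresses below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple

Triplet = Tuple[str, str, str]

# SMTP replies a policy service would hand back to the MTA (assumed wording).
DEFER = "450 4.2.0 Greylisted, please try again later"   # temporary failure
ACCEPT = "250 OK"


@dataclass
class Greylist:
    delay: int                       # seconds a retry must wait (manual: "Delay")
    max_age: int = 35 * 24 * 3600    # forget idle whitelisted triplets (assumed)
    first_seen: Dict[Triplet, float] = field(default_factory=dict)
    whitelisted: Dict[Triplet, float] = field(default_factory=dict)

    def check(self, client_ip: str, sender: str, recipient: str, now: float) -> str:
        """Return the reply for one delivery attempt arriving at time `now`."""
        key = (client_ip, sender.lower(), recipient.lower())

        last_ok = self.whitelisted.get(key)
        if last_ok is not None and now - last_ok < self.max_age:
            self.whitelisted[key] = now   # refresh so steady senders stay known
            return ACCEPT

        seen = self.first_seen.get(key)
        if seen is None:
            # Unknown triplet: remember it and defer. A real MTA will retry;
            # most spam engines never come back, so nothing else happens.
            self.first_seen[key] = now
            return DEFER
        if now - seen < self.delay:
            # Retried too early: keep deferring, but do not restart the clock,
            # otherwise an impatient but legitimate sender would never get in.
            return DEFER

        # Retried after the delay: accept and promote the triplet.
        del self.first_seen[key]
        self.whitelisted[key] = now
        return ACCEPT

    def pending(self) -> int:
        """Number of triplets seen once that have not yet retried successfully."""
        return len(self.first_seen)
```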
Blacklists
ClarkConnect provides extra mail blacklists to protect against spam. You can enable or disable these
blacklists at any time.
Links
● Postgrey
● SA-Blacklist
Maildrop
Overview
Maildrop Information
Description: Fetchmail/maildrop software to fetch mail from external servers.
Package Name: cc-fetchmail
Configuration Page: Software > Mail > Maildrop
The fetchmail package can conveniently retrieve mail from other servers allowing the
'centralization' of e-mail on a single server.
Installation
If you did not select this module to be included during the installation process, you must first install
the module.
Configuration
Any number of servers can be added to the maildrop list using the "Add Maildrop Entry" form. The
polling interval can be configured from 1 minute up to 3 hours.
Fields:
Server: The server name. For example, gmail.com.
Protocol: The server protocol. Currently, the POP3, IMAP and APOP protocols are supported. If you
do not know the protocol, you can have the system auto-detect it by selecting 'auto'.
Username: The username on the source server.
Password: The password on the source server.
Local User: The username of a mail account configured to receive mail on the server you are
configuring.
Keep on Server: Enable this checkbox to leave a copy of the mail on the source server.
Active: Enable this checkbox to start polling the remote server for mail to fetch.
As with any other POP3 or IMAP connection, your username and password for the
mail account on the destination mail server will be passed in clear text.
Troubleshooting
Have a look at the system logs if you are having problems. The fetchmail daemon logs to
/var/log/maillog. Ignore any entries you see similar to:
Links
● Fetchmail Home Page
Overview
POP and IMAP Information
Description: Mail access for desktop mail clients.
Package Name: cc-cyrus
Configuration Page: Software > Mail > POP and IMAP
ClarkConnect provides both POP and IMAP servers for providing mail delivery to desktop clients.
Installation
If you did not select this module to be included during the installation process, you must first install
the module.
Configuration
Server Configuration
We strongly suggest using the secure protocols if possible. Keep in mind, you will need to generate
an SSL Certificate to enable the secure protocol.
Push E-mail
Some mail clients support the push e-mail feature (also known as the IMAP Idle feature). With this
feature enabled on both the server and client, e-mail will appear in your mailbox as soon as it
arrives. This feature is most useful on wireless and hand held devices. The following mail clients
are known to support push e-mail (IMAP Idle):
● Thunderbird - Many platforms
● Chattermail - Palm Treo
● FlexMail - Windows Mobile
Next, click on the "Advanced" tab, and ensure the "This server requires a secure connection
(SSL)" checkbox is enabled.
Troubleshooting
Do not forget to open up firewall ports for e-mail. You only need to open the POP or IMAP ports if
you plan on picking up your mail from outside your local network. The default ports are listed
below:
● POP - 110
● Secure POP - 995
● IMAP - 143
● Secure IMAP - 993
Links
● Dovecot Secure IMAP Server
● Setting up a Mail Server - SMTP
● Adding Users
● Adding incoming firewall rules
Overview
Mail Server - SMTP Information
Description: SMTP/MTA mail server.
Package Name: cc-postfix
Configuration Page: Software > Mail > SMTP Mail Server
You can manage your own mail server. There are a number of reasons this might be
advantageous:
● Ability to have a customized user and domain name - e.g. anyone@anydomain.com
● Mailboxes limited only by hard disk storage capacity and your own administration settings
● Alias support - i.e. sales@yourcompany.com can be sent to bob@yourcompany.com and
joe@yourcompany.com
● No waiting around for new users to be added
● Custom antispam control
● Antivirus support
● Privacy
● Full control
Services
Point Clark Networks provides an MX backup service for mail servers. Please visit the Gateway
Services page for details.
Installation
If you did not select this module to be included during the installation process, you must first install
the module.
Configuration
General Settings
The Hostname does not have to be related to the e-mail domains that you host. It can be ANY
valid Internet name for your machine. For example, you may wish to have a dedicated mail server
on your network. In this case, you might want to name this machine mail.yourdomain.com. This
would be the Hostname you would enter.
The Primary Domain field indicates the domain name this server will act as an SMTP/Mail server
for. If you have a single domain name that you receive mail for, enter the domain here.
If the SMTP Authentication field is set to on, any client attempting to send mail through the server
must supply a valid username/password before the server accepts the mail for delivery.
The Maximum Message Size sets the maximum size of an individual mail message. Most Internet
service providers (ISPs) block mail larger than 10 or 20 MB, so do not expect to have larger
messages delivered to outside users. Due to the way e-mail systems work, an attached file may be
50% larger once attached.
The Catch-All setting can be used to catch mis-addressed e-mail and deliver it to a specific user
account. We highly recommend avoiding this feature for the following reasons:
● Your system will scan all messages for viruses and spam instead of bouncing the message
right away. This means more system resources (CPU, RAM) are required.
● Your system will attract more spam. Spammers will avoid invalid e-mail addresses, but
setting a catch-all user means all e-mail addresses to your domain are valid.
Ensure the "Use name and password" setting is checked and enter the username of the mail
account in the username field. The password will be requested by the mail client application on the
first attempt to send mail. There will be an option to save it to the "Password Manager" so that you
do not have to enter it each time you send mail through the server.
Make sure the "My server requires authentication" option is checked. Click on the "Settings" button
to enter the details of your username/password.
Setting the Catch All User to a valid user on the server will pass all mail sent to an "Unknown
user" to this account. To bounce mail addressed to an invalid recipient, set it to Return to sender.
Trusted Networks
Trusted Networks is a list of networks that are allowed to send mail through the SMTP server.
Dynamic IPs should not be added to this list. It is important that you do not make an error with this
parameter: an overly broad entry turns the server into an open relay. The default setting allows any
host with a 192.168.x.x address to send e-mail through the server. If you use a 10.x.x.x address,
you should add 10.0.0.0/8 to the list of trusted networks.
In addition, if you are subscribed to the ASP Antivirus service and want to scan your users'
outgoing mail, you should enter the following: antivirus.pointclark.com
This address points to a cluster of three (or more) mail servers. The change is required since the
newer version of Postfix included with ClarkConnect supports only one outbound relay host.
Additional Domains
Destination Domains
If your company/organization has multiple domains and you wish to receive email sent to any user
at any of the domains, add the additional domains to the Destination Domains list. For example, if
our primary domain was set up to be "pointclark.net" and we wanted all emails sent to the following
registered domains to be valid:
● pointclark.com
● pointclark.org
● clarkconnect.com
● clarkconnect.org
we would add the bulleted domain list above to the "Destination" domains list.
Virtual Domains
Use the "Virtual Domains" list if you are using ClarkConnect as an SMTP server for multiple clients.
By adding to the Virtual Domains list rather than the Destination Domains list, you will have
complete control over which user receives mail for a particular domain.
Troubleshooting
Firewall
Do not forget to open up firewall ports for your e-mail server: port 25 on the firewall configuration
page.
ISP Blocking
Some ISPs are known to block SMTP (port 25) traffic to residential broadband connections in an
attempt to cut down on spam originating from their network. If you think your configuration is set
up correctly and you suspect your ISP is blocking SMTP traffic, try a port scan.
Virtual Domains
If you are using the server to provide mail service to multiple domains (virtual domains), it is
advisable to set up all domains on the system as virtual and enter a placeholder domain (e.g.
placeholder.com) in the "Primary Domain" field. Otherwise, all users would have access to the
domain listed in the Primary Domain field.
Links
● Setting up a POP/IMAP server
● Postfix Documentation
● Adding incoming firewall rules
● Setting up your Mail Server - Flash Tutorial Series
Webmail
Overview
Webmail Information
Description: Web-based mail system.
Package Name: cc-horde
Configuration Page: Software > Mail > Webmail
A web-based e-mail solution ideal for allowing users 'on the road' and without a mail client to
access mail on the server using any computer connected to the Internet.
Installation
If you did not select this module to be included during the installation process, you must first install
the module.
This module is described as the "Web Access Module" under Webconfig's "Software
Modules" list.
Accessing Webmail
● The webmail system runs on port 83 on the HTTPS protocol. To access the system type
https://192.168.1.1:83/ or https://yourdomain.com:83/
● If webmail access is required from the Internet, please allow connections to port 83
(webmail) on the firewall.
● Web-based mail requires the IMAP server to be running.
● Users will receive a pop-up warning in their web browser similar to that shown below. This
is normal and does not diminish the fact that the connection is encrypted and secure. If
desired, you can customize and manage the secure certificate using the SSL Certificate
Manager.
Vacation / Auto-Reply
The webmail system includes a vacation / auto-reply system. To access this feature:
● Login to your webmail account
● Click on Mail Filters in the menu
● Select the Vacation filter
Links
● Horde Web Site
● Adding incoming firewall rules
File Services
Flexshare
Overview
Flexshare Information
Description: A file collaboration utility.
Package Name: cc-flexshare
Configuration Page: Software > File Services > Flexshare
Flexshare is a flexible and secure collaboration utility which integrates four of the most common
methods of accessing files or content:
● Web (HTTP/HTTPS)
● FTP (FTP/FTPS)
● File sharing (SAMBA)
● E-mail upload
It is an extremely powerful and versatile tool that has many uses. The example below (a
hypothetical engineering consulting firm Eng-123 and its client OEM-XYZ) describes a Flexshare
and a typical working environment.
By adding Flexshare's FTPS (secure FTP) access and configuring it to require a username/password
for read-only permission, the project manager of OEM-XYZ can have access to the drawings at
any time from anywhere on the Internet. The increase in productivity from allowing real-time access
to the CAD drawings keeps the project on track and avoids having to e-mail CAD files, which are
often large and not ideal for e-mail transfers.
In the event Eng-123 and OEM-XYZ want to track schedule 'snapshots' of an OpenOffice Calc
document or notes on the design phase in PDF format, Eng-123's administrator configures
Flexshare's email upload access. Both companies can now send signed/encrypted emails to a
single email address where the attachment (a .ods or .pdf file in this case) is
automatically stripped from the email and stored on the server. These same files can then be
accessed by web, FTP or file share, providing the added benefit of a historical view of
the entire project.
Nearing the completion of the project, OEM-XYZ's sales/marketing team makes a request for
an assortment of images created from the 3D wire-frame by the CAD software's rendering engine.
Flexshare's web access, set up with unrestricted access, gives the sales team the images they
need to begin pre-selling - with just a browser and a URL provided.
The above illustrates just one possible use of Flexshares. Much simpler Flexshares can be
created for every-day tasks common to any small business such as hosting and updating a
website, creating user-restricted file shares or using e-mail as a simple file transfer utility.
Installation
If you did not select this module to be included during the installation process, you must first install
the module.
You will also need to install one or more of the following modules to enable functionality for the
following services:
● Web access - cc-httpd
● FTP access - cc-proftpd
● File access - cc-smbd
● E-mail upload - cc-postfix, cc-cyrus
Configuration
Share Overview
Once the system user has been updated with the password provided, you will be presented with
the Flexshare Overview.
The first table lists the shares you have currently defined, allowing you to quickly view which
access methods are enabled in addition to overall Flexshare status (either enabled or disabled).
You can Edit, Delete and Toggle the status of each Flexshare using the Action links in the right
hand column. Of course, if no Flexshares are defined, the Action links will not be visible.
The second table allows you to define (create) a new Flexshare. See Creating a New Flexshare
below.
Editing a Flexshare
You can make edits/changes to any defined Flexshare at any time. A newly created Flexshare will
have no access points enabled, so you will want to configure at least one service (Web, FTP,
Filesharing or E-mail) to take advantage of the share you have created.
To begin editing a Flexshare, you'll need to select which access point you want to modify.
Select the appropriate tab and use the help sections below to guide you through each type of
access point and the options that are available.
Changes will take place immediately upon clicking the Update button if the share is
enabled.
Web
Configuring Flexshare's Web access enables anyone (or authorized users only) to use a web-
browser to navigate to a website in order to view content, interact with a dynamic web page (for
example - a PHP or CGI enabled online store) or download files from an index listing.
One of the most common uses of Web access is to configure a Flexshare to define
settings for a company website.
The rest of this section will describe the different settings that will modify the behaviour of a Web
accessible Flexshare.
Enabled
Indicates the current status of the Web Access for a Flexshare. Note, even though the Web
Access point is enabled, the overall Flexshare must also be Enabled in order to work.
Use the Enabled/Disabled link at the bottom of the form to toggle the status.
Last Modified
A timestamp indicating the last time a change was made to the Web Flexshare configuration.
Server Name
The server name (domain name) that will be used to access this Flexshare. If the default ports are
being used (ie. 80 for HTTP or 443 for HTTPS), this parameter is locked to the Server Name field
defined in the Web Server configuration. If custom ports are used, you can set this parameter to
take advantage of Apache's Virtual Host capability.
Server URL
This field (actually a hyperlink for convenience) indicates the URL which will be used to access the
share.
Accessibility
Accessibility allows you to restrict the interfaces from which incoming requests to the share are accepted.
Setting this field to LAN Only essentially makes your Flexshare accessible from your Intranet only.
If set to All, make sure you have added the appropriate incoming firewall rule if the
server is the gateway, or forwarded the appropriate port on your firewall.
Show Index
If Show Index is set to Yes, browsers will display a listing of all files if there is no index page (i.e.
index.html, index.php etc.). This is normally only desirable if using the Flexshare as a file access
service (similar to FTP). If you are running a website, this option should definitely be set to No.
Require Authentication
If set to Yes, upon first connecting to the server, a user (ie. web client) will be prompted with a
login dialog pop-up where they will enter their username/password. Before gaining access to the
Flexshare, the username/password will be confirmed as a valid account on the server. In addition,
the user must belong to at least one group that has been given access to the share as defined
in the Group Access field (see below).
Group Access
Displays a list of all user-defined groups on the system (note, not system groups). A user
requiring authentication must belong to at least one group that is enabled to access the Flexshare
(checkbox in a checked state) in order to gain access to the share.
Enable PHP
Enables the execution of PHP script on the server. Any file with a .php/php4/php5 extension will be
Enable CGI
Similar to the PHP field above, but pertaining to CGI script. CGI script, however, is isolated to the
/cgi-bin sub-directory (ie. http://beaker.lan/flexshare/sales/cgi-bin/store).
FTP
Configuring Flexshare's FTP access enables anonymous or authorized users only (or both) to use
an FTP-client to connect via File Transfer Protocol in order to upload and/or download files to the
server. The FTP protocol, while outdated, is still a prominent service today and is particularly useful
for handling large files.
One of the downsides of the FTP protocol is that it uses separate ports to control
data flow and transmit payload data which causes conflicts with firewalls (both
server and client side).
Enabled
Indicates the current status of the FTP Access for a Flexshare. Note, even though the FTP Access
point is enabled, the overall Flexshare must also be Enabled in order to work.
Use the Enabled/Disabled link at the bottom of the form to toggle the status.
Last Modified
A timestamp indicating the last time a change was made to the FTP Flexshare configuration.
Server URL
The FTP URL (or domain name) used to access the service. This parameter defaults to the
Server Name field defined in the ProFTP Server configuration. If you are having difficulty
accessing the Flexshare, see the troubleshooting section at the end of this section.
Unlike the Apache web-server, the ProFTP FTP-server lacks true virtual host
capability, restricting the server domain to a single entry. As a result, the ProFTP
server default ports for FTP and FTPS have been set to 2121 and 2123 respectively
so that users/administrators can continue to use the default FTP configuration file for
their own custom use (i.e. users' home directories etc.).
Require Authentication
If set to Yes, non-anonymous authentication is required. Before gaining access to the FTP
Flexshare, the username/password will be confirmed as a valid account on the server. In addition,
the user must belong to the group that owns the share.
Group Greeting
A greeting that is displayed once when a user authenticates and has access to the FTP Flexshare.
Group Access
Deprecated in 4.2 and above
Displays a list of all user-defined groups on the system (note, not system groups). A user
requiring authentication must belong to at least one group that is enabled to access the Flexshare
(checkbox in a checked state) in order to gain access to the share.
Group Permissions
Deprecated in 4.2 and above
Files uploaded via FTP to the server are subject to two constraints:
● Ownership (user and group)
● Permissions
For authenticated connections, the first constraint is satisfied by using the username of the user
logged in and the default system group Flexshare. This allows tracking of who originally uploaded
the file, while the generic Flexshare group allows anyone who has access to the share to
read (and possibly overwrite) the file.
The second constraint is dealt with by setting FTP's UMASK directive. This setting is handled by
the Group Upload Attributes parameter.
The options contained in each drop-down box contain three characters. The characters are defined
as:
● Hyphen - No permissions
● r - Read
● w - Write
● x - Execute
Allow Anonymous
Allows anonymous FTP access. Users only have to provide the username anonymous and
(usually) their e-mail address to gain access to the share. Use anonymous when you are not
providing access to restricted files and you do not want/need to create individual accounts on your
server to authenticate against.
Anonymous Greeting
Same as Group Greeting except applied to the anonymous login.
Anonymous Permissions
Same as Group Permissions except applied to the anonymous login.
File
Configuring Flexshare's File access (SAMBA) enables public or authorized users only (or both) to
connect via file sharing in order to move files from desktop to the server and vice-versa.
Enabled
Indicates the current status of the File Access for a Flexshare. Note, even though the File Access
point is enabled, the overall Flexshare must also be Enabled in order to work.
Use the Enabled/Disabled link at the bottom of the form to toggle the status.
Last Modified
A timestamp indicating the last time a change was made to the File Flexshare configuration.
Comment
Allows a comment or description of the fileshare to be displayed to other computer clients
accessing the share.
Public Access
Set Public Access field to Yes if you want to allow anyone on the Local Area Network (LAN)
access to the Flexshare.
Group Access
Deprecated in 4.2 and above
Displays a list of all user-defined groups on the system (note, not system groups). A user
requiring authentication must belong to at least one group that is enabled to access the Flexshare
(checkbox in a checked state) in order to gain access to the share.
Permissions
The Permissions field determines what type of access group members (or the public, if Public
Access is set) have to files on the share.
E-mail
Configuring Flexshare's E-mail access allows the uploading of files to the server. This is
accomplished by simply attaching one or more files to an e-mail and sending it to the
corresponding Flexshare e-mail address. To place restrictions on who can upload files, mandatory
digital signatures combined with group lists and a separate Access Control List (ACL) are imposed.
Enabled
Indicates the current status of the E-Mail Access for a Flexshare. Note, even though the E-Mail
Access point is enabled, the overall Flexshare must also be Enabled in order to work.
Use the Enabled/Disabled link at the bottom of the form to toggle the status. If disabled, all email
sent to the Flexshare will automatically be deleted, regardless of the Save Attachments setting.
Last Modified
A timestamp indicating the last time a change was made to the E-mail Flexshare configuration.
Email Address
The e-mail address that users will use to upload files to the Flexshare.
Write Policy
Allows you to control overwrites if a file already exists.
Save Attachments
Setting this field to Require Confirmation keeps messages (and their attachments) in the queue.
Any file attachments will only be saved when confirmed.
Set this field to Automatically poll at 5 minute intervals to have the server initiate a check for
new messages and save the attachments automatically to the server. These files will then be
immediately accessible by the other Flexshare access methods.
Restrict Access
Set this to Yes to match an address to a system user or the ACL.
Group Access
Deprecated in 4.2 and above
Displays a list of all user-defined groups on the system (note, not system groups). A user sending
an e-mail with attachment(s) to the Flexshare address must belong to at least one group that is
enabled to access the Flexshare (checkbox in a checked state) in order for the file(s) to be saved.
If it is determined the e-mail sender does not have access to upload files, the e-mail will be
deleted.
E-mail ACL
Add e-mail addresses to the E-mail ACL (Access Control List) to allow non-system accounts to
upload files to the server via e-mail.
Require Signature
Signing e-mail using digital signatures is the only way to verify e-mail is originating from the
address it claims to be sent from. Enabling this feature will discard any e-mails and the associated
attachments which are not signed.
It is a trivial task to spoof the From address contained in an e-mail header. Take
advantage of 4.0's SSL Certificate Manager and use signed certificates to validate
the sender's address.
Deleting a Flexshare
Deleting a Flexshare that is currently defined can be done from the Overview page. Click on the
Delete link next to the share you wish to delete. A form similar to the one shown below will be
displayed requesting you to confirm your intention to delete the share. Checking the Delete all files
and remove share directory will do exactly that - make sure you no longer need any files in the
share directory and all sub-directories or have backups located elsewhere.
Use the Disable share function instead of Delete in the event you want to remove
share access temporarily but not lose all your configuration settings.
Advanced Configuration
Custom Paths
In some cases, it is desirable to host a Flexshare in a location other than the default path
(/var/flexshare/shares/SHARENAME). For example, a mounted USB Mass Storage Device or an
encrypted filesystem. In this case, edit the file /etc/flexshare.conf using an editor or a utility like
SCP. The parameter key is named FlexshareDirCustom. The format of the value is name:path.
For multiple entries, each definition is separated by the pipe (|) character. The following is a valid
entry example:
FlexshareDirCustom=Iomega:/mnt/dmcrypt/Iomega|USB:/mnt/usb
The above would provide two additional paths in the drop-down list of any Flexshare. The first
(Iomega) mounts an Iomega REV drive with an encrypted file-system at the path
/mnt/dmcrypt/Iomega. The second is an example of a mounted USB drive at /mnt/usb.
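A parser for the FlexshareDirCustom format described above, added here as an example and not ClarkConnect's own code: it splits the name:path entries on '|', and the extra validation (absolute, normalised paths with no '..' components, unique names) is this example's assumption about what a safe share root should look like, since a loosely checked custom path would expose a directory outside the intended mount.

```python
"""Parser for the FlexshareDirCustom value in /etc/flexshare.conf.

Added example, not ClarkConnect code. The format is the one the manual
gives (name:path entries separated by '|'); the validation rules (absolute,
normalised paths, no '..' components, unique names, no root path) are this
example's own assumptions. Sample values are the manual's Iomega/USB entry.
"""
import posixpath
from typing import Dict

KEY = "FlexshareDirCustom"


def parse_custom_paths(value: str) -> Dict[str, str]:
    """Turn 'name:path|name:path' into an ordered name -> path mapping."""
    paths: Dict[str, str] = {}
    for entry in value.split("|"):
        entry = entry.strip()
        if not entry:                       # tolerate a trailing or doubled '|'
            continue
        name, sep, path = entry.partition(":")   # split on the first ':' only
        name, path = name.strip(), path.strip().rstrip("/")
        if not sep or not name or not path:
            raise ValueError(f"expected name:path with a non-root path, got {entry!r}")
        # A share root must be an absolute, already-normalised path so that a
        # relative path or '/mnt/usb/../../etc' cannot become a share location.
        if not path.startswith("/") or posixpath.normpath(path) != path:
            raise ValueError(f"path for {name!r} is not a clean absolute path: {path!r}")
        if name in paths:
            raise ValueError(f"duplicate custom path name {name!r}")
        paths[name] = path
    return paths


def custom_paths_from_conf(conf_text: str) -> Dict[str, str]:
    """Locate the FlexshareDirCustom key in the text of /etc/flexshare.conf."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == KEY:
            return parse_custom_paths(value)
    return {}                               # key absent: only the default path is offered


if __name__ == "__main__":
    # Constructed configuration text using the manual's example entry.
    print(custom_paths_from_conf("FlexshareDirCustom=Iomega:/mnt/dmcrypt/Iomega|USB:/mnt/usb\n"))
```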
Troubleshooting
Firewall
Remember to open up appropriate ports on your firewall if your intention is to allow access from
outside your network. Some common ports for Flexshare access services are listed below.
The problem stems from the fact that ProFTP does not support virtual domains and is attempting to
resolve the system hostname in order to determine which configuration to use. If you have an entry
in your /etc/hosts file mapping your system hostname to your internal IP, users logging in from
outside the network will experience the problem described above. To fix the problem, use
Webconfig and navigate to "Network Hosts and DNS Server". Remove the entry that maps your
server hostname to the internal address (i.e. 127.x.x.x, 192.168.x.x or 10.x.x.x). Once you have
done this, go to the ProFTP configuration and stop and then restart the service.
Access
Not all access methods have the same capabilities because of the protocol/design of individual
services. The table below illustrates the capabilities of the four access services available to the
Flexshares you have created.
Links
● ProFTP - List of Directives
● FTP - Active vs. Passive
● SAMBA Man Page
FTP Server
Overview
FTP Server Information
Description A full-featured FTP server.
Package Name cc-proftpd
Configuration Page Software > File Services > FTP
Configuration
The default configuration for a ClarkConnect system allows read-only anonymous FTP to the /var/ftp
directory and full access to valid user accounts. Keep in mind that plain FTP sends user names,
passwords and file contents in the clear, so exposing the full-access login to the Internet puts
system account credentials at risk; if you do not need to publish files to the public, turn anonymous
access off as well. Advanced configuration of the FTP server can be done in one of two ways:
● Creating and configuring a Flexshare (Version 4.0 and up only)
● Editing the /etc/proftpd.conf configuration file. See the links section below for details.
Links
● ProFTPd home page
● List of Directives
● FileZilla - An Open-Source FTP client for Windows
Windows-Samba
Overview
File Sharing / Samba Information
Description Samba file sharing system for Windows.
Package Name cc-samba
Configuration Page Software > File Services > Windows File Sharing
Your ClarkConnect system provides file serving capabilities for a Windows network. Among other
tasks, you can use the software for backup file storage, and sharing printers.
Installation
If you did not select this module to be included during the installation process, you must first install
the module.
Configuration
Basic Configuration
The basic configuration for the Windows/Samba file server is straightforward -- at the very least,
you will want to change the Name, Workgroup and Comment. If you are using Windows PCs, you
will be able to see your ClarkConnect box through your Network Neighborhood.
Name
The name of the system as it appears on Windows Networks.
Workgroup
The Windows Network workgroup. If you are configuring your system as the primary domain
controller (PDC) then this is also the name of the domain.
Comment
The comment is a short description for the system.
Status
Toggle this field to enable/disable PDC mode.
Administrator
Select a user account for PDC administration. This account will be used to add computer systems
to the domain.
Logon Fields
Review the Samba documentation for configuring the Logon fields.
Advanced Configuration
For some installations, you may need to fine tune the Windows/Samba file sharing software.
Please review the Samba documentation before changing these settings.
Security Type
If you are using ClarkConnect as a PDC, this should be set to Domain, otherwise it should be set
to User. Setting this option to Share disables per-user authentication: clients are checked against a
share password rather than a user account. This is not recommended.
Domain Master
If you do not have a Windows server running on your network, you may want the ClarkConnect
system to act as the Domain Master (in other words, the "boss" of the Windows Network). You
should also set the OS Level to 50 or higher.
Local Master
In most cases, this should be set to Automatic.
OS Level
See the Domain Master section.
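The Security Type, Domain Master and OS Level advice above, turned into an audit of an smb.conf as an added example (not ClarkConnect's or Samba's own code). It reads the [global] section the way Samba does for these simple parameters and reports the two combinations the manual warns against. Both sample configurations are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not ClarkConnect's or Samba's own code: read the [global]
# parameters the manual discusses from an smb.conf and flag the combinations it
# warns against. Both sample files are constructed for the demonstration; the
# hardened one is what the manual's advice produces for a domain master.

write_weak_smb_conf() {
    cat > "$1" <<'EOF'
[global]
   netbios name = CLARKCONNECT
   workgroup = OFFICE
   server string = ClarkConnect file server
   # share-level security: no per-user login, the manual says not recommended
   security = share
   domain master = yes
   ; too low for a system that is supposed to win the browser election
   os level = 20
[homes]
   browseable = no
EOF
}

write_hardened_smb_conf() {
    cat > "$1" <<'EOF'
[global]
   netbios name = CLARKCONNECT
   workgroup = OFFICE
   security = user
   domain master = yes
   os level = 65
[homes]
   browseable = no
EOF
}

# smb_global CONF PARAMETER: print the [global] value (parameter names compare
# without case; the last occurrence wins, as in Samba); nothing when unset.
smb_global() {
    awk -v want="$2" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/ { inglobal = (tolower(trim($0)) == "[global]"); next }
        !inglobal { next }
        {
            n = index($0, "="); if (n == 0) next
            if (tolower(trim(substr($0, 1, n - 1))) == tolower(want)) val = trim(substr($0, n + 1))
        }
        END { if (val != "") print val }
    ' "$1"
}

# One finding per line; prints nothing and exits 0 when there is nothing to report.
smb_audit() {
    sec=$(smb_global "$1" security | tr 'A-Z' 'a-z')
    master=$(smb_global "$1" "domain master" | tr 'A-Z' 'a-z')
    level=$(smb_global "$1" "os level")
    found=0
    case "$sec" in
        share) echo "security = share: clients get in without a per-user login; use user, or domain for a PDC"
               found=1 ;;
        user|domain|"") ;;
        *) echo "security = $sec: value not covered by this audit"; found=1 ;;
    esac
    if [ "$master" = yes ] && [ "${level:-0}" -lt 50 ]; then
        echo "domain master = yes but os level = ${level:-unset}: set os level to 50 or higher"
        found=1
    fi
    return $found
}
```

Point smb_audit at /etc/samba/smb.conf after saving changes in Webconfig; a non-zero exit means one of the warnings above applies.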
Troubleshooting
Overview
LAN Backup/Recovery Information
Description Client/server backup and recovery.
Package Name cc-bacula
Configuration Page Software > File Services > LAN Backup/Recovery
Installation
If you did not select this module to be included during the installation process, you must first install
the module.
Supported Media
ClarkConnect's implementation of the Bacula backup/restore software is customized to support a
limited selection of hardware.
● The server's hard disk - obviously not recommended for server backup
● Iomega REV (35GB and 70GB) with the following interfaces:
● IDE/ATAPI
● USB
● SATA
● USB Mass Storage Device (USB drives, memory sticks etc.)
● Another workstation on the LAN
● DVD (beta)
Configuration
Bacula's Webconfig overview provides links to actions and other reporting or configuration
information that might be of interest. A status window displays the latest messages originating from
the Bacula Director - the main daemon responsible for orchestrating backups and restores.
If you are a novice user and looking to use this module to simply make backups of the server to a
supported storage media device, you can do everything you wish with the options listed in the
Basic section.
As you become more familiar with the software you will quickly realize the full potential Bacula
offers for complete network disaster recovery implementation. The advanced section provides links
to some of the features that you will need in setting up new clients, creating new file sets,
configuring schedules etc.
The Webconfig utility that provides the Graphical User Interface (GUI) is not the only method of
interacting with the Bacula daemons. Bacula has its own, shell-based, console which advanced
users will find extremely useful for situations where the GUI does not support a specific
feature/function of Bacula.
This manual will describe the features and functionality of the Webconfig GUI that should provide
the majority of users with the ability to backup, validate and restore files from any number of client
machines on the local area network. For circumstances where it is necessary to access more
advanced features, please refer to the Bacula console (or Webconfig's virtual console) and
sections of the online Bacula manual.
Basic Configuration
Backup Server
This option starts a wizard that takes you through backing up the server to an appropriate device.
Although a server backup can be written to the local hard disk, that provides no disaster recovery;
it only protects against accidental deletion of files by a user or administrator.
In addition to listing removable devices such as USB Mass Storage Devices or Iomega REV drives,
the wizard offers a backup to a Windows desktop on the LAN. Use this option to provide recovery in
the event of a hard disk failure or loss of the server alone. Like the local-disk option, it does not
protect against a disaster that destroys both the server and the client machine on the LAN (fire,
theft and so on).
Backup Client
Kicks off a wizard that will take you through the backup of a client on the LAN.
Restore Server
Begin a wizard that will restore a full backup to the server provided you have the bootstrap file
(BSR) and physical media containing the volume where the backup was stored to.
Restore Client
To restore a client on the LAN that has been backed up to the server, use the WX-Console (for
Windows) or B-Console (for Linux/Unix) user interface to restore.
Device Controls
Used if you need to mount/unmount or eject removable media.
You do not need to add your main hard disk as a storage device, even though it will
be listed in the auto-discovery process. Use the "File" type instead.
Advanced Configuration
Global Settings
Enable the "Email on Edit" setting to automatically e-mail a set of your current Bacula configuration
files to the admin contact (see "Director Daemon Settings" section below).
The configuration files can be saved to the backup medium just as any other file. However, having
these files to start with greatly simplifies the recovery process should the files be lost in a hard
drive failure or other incident. Having the latest configuration files avoids a 'chicken and egg'
scenario. Bear in mind that these files contain the director, client and storage daemon passwords,
so they travel as plain text through whatever mail path you configure; send them only to a mailbox
and mail server you trust.
Use the "Email all files" link to send all current configuration files immediately. Make sure the
mailserver setting in the section below is correct before attempting to mail out a set of files.
Name
The director's name. We recommend adhering to Bacula's convention of using the system
name appended with "-dir". This directive should not require changing after the initial set-up.
Address
The director's address. This should be changed to a fully qualified domain name or IP address. It
should not be left as the default setting 'localhost' as client machines will fail on backup.
Examples of an address or FQDN include:
● 192.168.1.1
● gateway.lan
● mydomain.com (preferred)
Port
The port the director daemon listens on. By default, port 9101.
Password
This is the password a console (bconsole, wx-console or the Webconfig virtual console) must
present to connect to the director. Clients and storage devices are authenticated with their own
passwords, set in the Client and Storage Device resources.
Operator e-mail
This address receives notifications for required interactivity - for example, replacing a removable
media cartridge or labeling a tape.
Admin e-mail
This address receives all notifications relating to the general 'health' of the system.
Mailserver Address
If you do not run an SMTP server on the machine you have installed the Bacula director on, you
will need to specify the mail server address in this field (for example, your ISP's mailserver). If you
are running an SMTP locally, leave the default setting, 'localhost'.
Database Password
Bacula uses a MySQL back-end (the catalog) to track and manage files and directories that are
backed up or restored. This field changes the password used to access this database.
Name
The file daemon's name. We recommend adhering to the Bacula's convention of using the system
name appended with "-fd". This directive should not require changing after the initial set-up.
Port
The port the file daemon listens on. By default, port 9102.
Name
The storage daemon's name. We recommend adhering to the Bacula's convention of using the
system name appended with "-sd". This directive should not require changing after the initial set-up.
Port
The port the storage daemon listens on. By default, port 9103.
The screenshot above shows one client (the default server) with a new client about to be created
(MP3-Collection-fd).
Name
The client's name. We recommend adhering to Bacula's convention of using the system name
appended with "-fd". This directive should not require changing after the initial set-up.
Address
The client's address. See the Director's Address for recommended entries.
Port
The port the client file daemon listens on. By default, port 9102.
Password
This is the password the director uses to authenticate to the client. It must match the Password in
the Director resource of that client's bacula-fd.conf.
File Retention
Defines the length of time that Bacula will keep File records in the Catalog database. When this
time period expires, and if AutoPrune is set to yes, Bacula will prune (remove) File records that are
older than the specified File Retention period. Note that this affects only records in the catalog
database. It does not affect your archive backups.
Job Retention
Defines the length of time that Bacula will keep Job records in the Catalog database. When this
time period expires, and if AutoPrune is set to yes, Bacula will prune (remove) Job records that are
older than the specified Job Retention period.
Auto Prune
If auto prune is set to "Yes" (default), Bacula will prune the files and jobs from the catalog
according to the retention times (see above). If disabled, your catalog will continue to grow in size
on each backup, since older data will not be removed (pruned).
After you add a client, you will need to download the Bacula client specific to the Operating
System (OS) running on that machine. For example, if you are running Windows(TM) XP, you will
need to go to SourceForge and install the Win32 client for the appropriate version. Note: To
determine the version installed on your server, use "rpm -qi cc-bacula".
Before you begin to download and install the client software, you'll need to determine what version
you need. If you are familiar with command line Linux, you can query the RPM using the "-qi"
option. A simpler alternative is to get your local backup server running and click on the "Current
Status" link. Once the page updates with the current status information, look at the second line to
get the version information.
Windows XP
Now that we know which version we are looking for (in the case of the above example, version
1.36.2), we need to find the appropriate client download. Bacula is an Open Source Software
package developed and maintained on the SourceForge listing - http://sourceforge.net/index.php.
A simpler way of searching for the correct packages might be to go directly to the Bacula Home
Page and look for the "Current Files" link. This link will take you to the exact location - Bacula on
SourceForge.net.
Scroll down to the Windows section (Win32), ensure you are looking at your version list (1.36.2 in
our example), and click on the "Download winbacula-1.36.2.exe" link to start the download.
Depending on where you have your browser set to save downloads, find the file and run the
executable by double clicking on the icon. Confirm the first few steps of the install wizard and
pause when you are asked to select an install location. You can choose to install in any directory
you wish, however, for the purposes of this manual, we are going to assume you create a new
directory so that the location appears as "C:\Program Files\Bacula".
As you continue on through the installation, two configuration files will be displayed. You will need
to edit them according to the information you provided during the setup of the director and client -
specifically:
bacula-fd
Director {
Name = Director's Name
Password = Client's Password
}
FileDaemon {
Name = Client's Name
FDport = 9102
WorkingDirectory = "C:\\Program Files\\Bacula\\working"
Pid Directory = "C:\\Program Files\\Bacula\\working"
}
Note: WorkingDirectory and Pid Directory may differ from above, depending on the "Destination
Folder" selected during install (see above).
Messages {
Name = Standard
director = Director's Name = all, !skipped
}
bconsole
Director {
Name = Director's Name
DIRport = 9101 (by default Director's Port)
address = Director's Address
Password = Director's Password
}
wx-console
Director {
Name = Director's Name
DIRport = 9101 (by default Director's Port)
address = Director's Address
Password = Director's Password
}
Linux (Mandrake)
Once you have determined the Bacula version installed on your ClarkConnect server (see above),
you'll need to download the client packages for your Linux distribution. In this example, we will be
installing/configuring the client on Mandrake 10.1 Community Edition. You only need the bacula-client
package, not the full install, since the director and storage daemons will be running on ClarkConnect.
Having downloaded the RPM, install it on your system (as root):
# rpm -ivh bacula-client-1.36.1-3.i586.mdk101.rpm
Preparing...                ########################################### [100%]
   1:bacula-client          ########################################### [100%]
Bacula will install the relevant configuration files in the /etc/bacula directory. You will need to edit
the same two files listed in the Windows configuration section above, namely:
● bacula-fd.conf
● bconsole.conf
To start the client daemon, type:
# /etc/rc.d/init.d/bacula-fd start
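The consistency rules the Windows and Linux client sections above spell out (director name and client password copied into the client's Director resource, no daemon addressed as localhost), checked mechanically as an added example that is not ClarkConnect's or Bacula's own code. The bacula-dir.conf and bacula-fd.conf fragments it writes are constructed, names and passwords included, and the parser handles only the flat "Name = value" directives shown in this manual, not every Bacula configuration feature.

```sh
#!/bin/sh
# Added example, not ClarkConnect's or Bacula's own code: cross-check a
# director's bacula-dir.conf against a client's bacula-fd.conf before the first
# backup, following the manual's rules. Both sample files are constructed.

write_sample_dir_conf() {
    cat > "$1" <<'EOF'
Director {
  Name = gateway-dir
  DIRAddress = 192.168.1.1
  Password = "dir-console-secret"
}
Client {
  Name = MP3-Collection-fd
  Address = 192.168.1.50
  FDPort = 9102
  Password = "mp3-fd-secret"
}
Storage {
  Name = File
  Address = 192.168.1.1
  SDPort = 9103
  Password = "sd-secret"
}
EOF
}

# $2 is the password written into the client's Director {} resource.
write_sample_fd_conf() {
    cat > "$1" <<EOF
Director {
  Name = gateway-dir
  Password = "$2"
}
FileDaemon {
  Name = MP3-Collection-fd
}
Messages {
  Name = Standard
  director = gateway-dir = all, !skipped
}
EOF
}

# bacula_value CONF TYPE NAME KEY: print KEY from the TYPE { ... } resource
# called NAME (the first TYPE resource when NAME is empty). Keys compare
# without case or spaces, so "FD Port" and "FDPort" are the same directive.
bacula_value() {
    awk -v rt="$2" -v rn="$3" -v want="$4" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        function norm(s) { s = tolower(s); gsub(/[ \t]/, "", s); return s }
        BEGIN { want = norm(want) }
        !inres && $0 ~ ("^[ \t]*" rt "[ \t]*\\{") { inres = 1; split("", v); next }
        inres && /^[ \t]*\}/ {
            inres = 0
            if (rn == "" || v["name"] == rn) { print v[want]; exit }
            next
        }
        inres {
            sub(/#.*/, "")
            n = index($0, "="); if (n == 0) next
            val = trim(substr($0, n + 1)); gsub(/^"|"$/, "", val)
            v[norm(substr($0, 1, n - 1))] = val
        }
    ' "$1"
}

# Print one line per mismatch between director config $1 and client config $2;
# exit 0 only when the pair is consistent.
bacula_check_pair() {
    dname=$(bacula_value "$1" Director "" Name)
    fdname=$(bacula_value "$2" FileDaemon "" Name)
    fd_dname=$(bacula_value "$2" Director "" Name)
    fd_pw=$(bacula_value "$2" Director "" Password)
    cl_pw=$(bacula_value "$1" Client "$fdname" Password)
    cl_addr=$(bacula_value "$1" Client "$fdname" Address)
    sd_addr=$(bacula_value "$1" Storage "" Address)
    problems=0
    if [ "$dname" != "$fd_dname" ]; then
        echo "director name: client expects '$fd_dname', director is '$dname'"; problems=1
    fi
    if [ -z "$cl_pw" ]; then
        echo "no Client resource named '$fdname' with a Password in $1"; problems=1
    elif [ "$cl_pw" != "$fd_pw" ]; then
        echo "password mismatch for client '$fdname'"; problems=1
    fi
    case "$cl_addr" in localhost|127.*)
        echo "client '$fdname' address '$cl_addr' is reachable only from the director host"; problems=1 ;;
    esac
    case "$sd_addr" in localhost|127.*)
        echo "storage address '$sd_addr': LAN clients cannot reach the storage daemon there"; problems=1 ;;
    esac
    return $problems
}
```

Copy the client's bacula-fd.conf next to the server's /etc/bacula/bacula-dir.conf and run bacula_check_pair on the two files; it reports exactly the mismatches that otherwise show up as authentication failures in /var/log/bacula.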
Mac OSX
TODO
Adding a Schedule
To add a schedule, enter a unique schedule name and click 'Add'. A schedule default template will
be created and the edit schedule form will be displayed (see Editing a schedule).
Editing a Schedule
Each schedule definition can have an unlimited number of 'events' associated with it. An event is a
combination of a backup level (Full, Incremental or Differential), a schedule definition (Every
Saturday, Monday through Friday etc.) and a time.
The fileset list in the screen capture above shows the two default entries in addition to three
uniquely named additions, one of which, the user has protected against deletion (the "Home"
fileset).
The "Database" checkbox defines whether a backup represents a set of files/directories (off) or the
data contained within a database (on). MySQL and PostgreSQL are currently supported.
The next section describes how to edit a fileset in order to achieve the desired backup results.
Advanced users should read the Bacula chapter dedicated to creating fileset
resources and may wish to consider editing via CLI to achieve the desired results.
The Bacula webconfig UI has two 'modes' to edit filesets - Regular and Database.
Regular Fileset
The regular fileset mode allows you to add include and exclude statements in order to define which
files you wish to back up and those you do not wish to backup. Any number of include statements
are allowed within a fileset definition, but only one exclude. Each include statement can have
unique options that work together to describe the files you wish to have backed up. The table
below describes the directives supported via the User Interface (UI).
Compression
Use software compression (GZIP). If you are backing up to a device that supports hardware
compression, you are advised not to enable software compression.
Signature
Compute and store an MD5 or SHA1 checksum for each file. Users are strongly advised to enable
one of them: Verify jobs use the stored checksum to detect files that changed or were corrupted.
Despite the name, it is not a cryptographic signature and offers no protection against someone
who can rewrite both the volume and the catalog.
IgnoreCase
When set to "Ignore", all regular expressions and wildcards will ignore differences based on upper
and lower case.
Exclude
When set to 'Include', all wild-cards and regular expression matches will include files and
directories to be backed up. If the 'Exclude' option is set, matching files and directories will not be
selected.
Wild
A wild-card string to match files or directories.
Wildfile
A wild-card string to match files only.
Wilddir
A wild-card string to match directories only.
Regex
A regular expression string to match files or directories.
Regexfile
A regular expression string to match files only.
Regexdir
A regular expression string to match directories only.
Database Fileset
The ClarkConnect LAN backup and recovery module allows you to backup two of the most popular
open-source database engines available:
● MySQL
● PostgreSQL
Backing up data stored in an SQL database must be done by 'dumping' the contents of the
database to a file first. Copying the database's files directly while the engine is writing to them
produces an inconsistent copy that may not be usable for a restore.
This module simplifies database backup by providing a separate interface when the database is
enabled. This flag can only be enabled during the creation of a fileset (see "Adding a Fileset"
section above). A typical database backup configuration form is shown below.
Name
The Fileset name.
Compression
See above.
Signature
See above.
Type
The SQL engine. Currently, MySQL and PostgreSQL are supported.
Hostname
The IP address or hostname where the server is located. A database does not have to be running
on the localhost in order to be backed up.
Database Name
The name of the database
Username
A username that has rights to access this database. Prefer a dedicated account with only the
privileges needed to dump the database. Leave blank only if the database grants access without a
username.
Password
The database password. Leave blank if no password is associated with the database.
Port
The port the SQL service is listening on. The default ports for the two supported engines are listed
below.
● MySQL - 3306
● PostgreSQL - 5432
The restore template is unique in that Bacula only uses a single restore job which is then modified
at run-time for specific recovery operations. This uniqueness is described in more detail in the
"Type" section below.
Choose a unique name for your job that describes the action. You will be taken directly to the "Edit
Job" form to complete the remaining information that is required.
A typical job edit form looks like the screen capture below.
The following directives are supported by the Webconfig UI for the Bacula module:
Name
A unique name for the job.
Type
The job type. Valid options are:
Backup
Normally, you will have at least one backup for each client machine you backup. You will also have
the pre-installed backup for the MySQL catalog.
Restore
The restore type is restricted (via the Webconfig UI) to a single job definition. Since a restore
template is pre-defined, this option is not offered when adding a job as long as the restore
template still exists.
Verify
Verifies that the information stored in the catalog (which maps to the actual backup file(s)) matches
what currently resides in the directories, and reports any differences.
Admin
Runs an administrative (normally database related) job. See the Bacula manual for more
information.
Level
The level. Valid options are:
Full
Includes all files defined with the associated Fileset, regardless of whether or not they have
changed.
Differential
Includes all files changed since the last successful Full backup. In practice this means that a full
restore requires just the last Full and the last Differential backup.
Incremental
Includes all files changed since the last successful backup of any level (Full, Differential or
Incremental). As a result, a full restore requires the last Full backup, the last Differential after it (if
any) and every Incremental taken since.
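The dependency rule for the three levels, worked through as an added example (not Bacula's own code): given a job history in chronological order it lists the jobs a restore to the latest state needs. A Full starts a new chain, a Differential replaces any earlier Differential and the Incrementals after it, and an Incremental is appended. The history is constructed; a real one would come from the catalog, for instance the "list jobs" command in bconsole.

```sh
#!/bin/sh
# Added example, not Bacula's own code: from a chronological job history, list
# the jobs a restore to the latest state needs. Levels are F (Full),
# D (Differential) and I (Incremental). The history below is constructed.

# Read "jobid level" lines on stdin; print the job ids needed, oldest first,
# or NO-FULL when no Full backup exists to anchor the chain.
restore_chain() {
    awk '
        $2 == "F" { full = $1; diff = ""; incs = ""; next }
        $2 == "D" { diff = $1; incs = ""; next }
        $2 == "I" { incs = incs " " $1 }
        END {
            if (full == "") { print "NO-FULL"; exit }
            out = full
            if (diff != "") out = out " " diff
            print out incs
        }
    '
}

# Constructed history: a Full on Saturday, Incrementals during the week,
# a Differential the next Saturday, then more Incrementals.
sample_history() {
    printf '%s\n' "101 F" "102 I" "103 I" "104 D" "105 I" "106 I"
}
```

For the sample history the answer is the Full (101), the Differential (104) and the two Incrementals after it (105, 106); the Incrementals 102 and 103 are no longer needed because the Differential already contains their changes.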
Client
A valid client resource.
File Set
A valid file set resource.
Schedule
A valid schedule resource.
Storage Device
A valid storage device resource.
Pool
A valid pool resource.
Priority
Permits prioritization of jobs to determine which jobs run first. The higher the integer, the lower the
job priority.
Name
A unique name for the pool.
Type
The pool type. Currently, only backup pools can be configured.
Recycle
Specifies the default for recycling Purged Volumes. If a Volume is recycled, all previous data
written to that Volume will be overwritten.
Auto Prune
If AutoPrune is set to yes, Bacula will automatically apply the Volume Retention period (see below)
when a new Volume is needed and no appendable Volumes exist in the Pool. Volume pruning
causes expired Jobs (older than the Volume Retention period) to be deleted from the Catalog and
permits possible recycling of the Volume.
Volume Retention
Defines the length of time job records associated with the Volume will be kept. When this time
period expires, and if AutoPrune is set to yes, Bacula will prune (remove) job records that are
older than the specified Volume Retention period.
Label Format
If the Label Media directive in the storage resource is set to 'Yes', the label format directive must
be set and will automatically label the media during a backup with the specified format. For
example, a value of "File-", the following volumes will be created:
● File-0001
● File-0002
● File-0003
● ...
You can also use variable expansion. For example, all jobs running on Monday with "Weekly-
${WeekDay}" would result in:
● Weekly-Monday0001
● Weekly-Monday0002
● Weekly-Monday0003
● ...
The "File" device represents the local hard drive of the server Bacula is installed on. This is an
easy and efficient means to back up data located on machines on the Local Area Network. You
can even backup the server with this configuration, however, it is highly recommended that this
file image be synced to a desktop, or better still, burnt to CD/DVD or copied over the Internet (scp
tool) to a system outside the LAN.
The Iomega REV drive is an ideal backup storage media device for small businesses. The REV is
a hard disk drive offering greater storage capacity over CD-ROM and DVD formats. In addition, the
drive medium is removable, allowing unlimited storage capacity by adding drive units and having
the advantage of being able to move backup data off site in the event of disaster, theft or other
event that would result in loss of the storage medium. It is also fast - over 8 times faster than a
tape backup solution.
The backup and recovery module supports and has been tested using the ATAPI model Iomega
REV drive. USB, Firewire, Serial ATA and SCSI can be used, however, manual configuration may
be required through direct editing of the Bacula configuration files. If you have a choice, the ATAPI
(IDE) model is your best bet. For information on acquiring REV hardware, see the Related Links
section below.
The module supports the creation of multiple backup definitions so you are not limited the defaults
above. Additional file resources can be specified, and these do not necessarily have to be on the
LAN. A file resource could be specified that resides on another network. With the proper firewall
rules and configuration, a satellite office could backup data to the company headquarters, or vice
versa.
If you are considering backing up data across a public network (i.e. the Internet), it is important to
weigh the following fact: the Bacula version shipped with this module encrypts backup data neither
in transit between the daemons nor on the storage volume, so any traffic crossing a public network
cannot be considered secure unless you carry it inside a VPN or other encrypted tunnel.
Besides supporting direct to file and the Iomega REV drive, the native Bacula module supports all
kinds of tape solutions and tape storage auto-changers. Keep in mind, however, that although the
Bacula project supports these devices, the ClarkConnect backup module may not interface with
these devices properly. Direct editing of the configuration may be required in addition to using the
Bacula text-based UI (bconsole) to backup to tape-based drives. For a list of supported tape
drives, see the Bacula hardware support list.
Choose a unique name for your storage resource that describes the device. You will be taken
directly to the "Edit Device" form to complete the remaining information that is required.
The following directives are supported by the Webconfig UI for the Bacula module:
Name
A unique name for the storage device.
Address
The address where the storage device resides on the network. This field can be a valid IP (internal
or external), FQDN or "localhost".
Although entering "localhost" correctly describes the location of the storage daemon
if running in parallel (ie. the same server) with the director daemon, it is ambiguous
(and will cause backups to fail) for machines on the Local Area Network. An IP
address (ie. 192.168.1.1) or a FQDN should be used.
Port
The port the storage daemons listens on. By default, 9103.
Password
This is the storage daemon's password that the director will pass to a client for authentication to
the storage device.
Device or Mountpoint
File
Add the full directory path where you would like Bacula to save backup images of your filesets.
DDS/DLT
Enter the device location. For example, "/dev/nst0".
Media Type
A generic descriptor of the type of storage device. Valid selections include:
● File - a local filesystem (HDD, USB memory stick etc.)
● Iomega REV - see here
● DDS - Digital Data Storage device (DDS-1 [2GB], DDS-2 [4GB], DDS-3 [12GB], DDS-4
[20GB])
● DLT - Digital Linear Tape, a magnetic tape storage device
Label Media
If enabled (set to "yes"), the device will automatically label blank media. In other words, it will create
the backup file to write to without user intervention. For information on how to set the Pool resource
label format, click here.
If enabled, you must enter a value for the media label format in the Pool Resource.
If disabled (set to "no"), you will have to manually label media as required. For information on
labeling media using the "Device Actions" feature, click here.
Random Access
Devices that have linear access to storage medium (ie. a tape moving across a static head), set to
"No". Otherwise, set to "Yes".
Auto Mount
Set this directive to "Yes" to permit the Bacula daemon to examine the storage media and search
for a Bacula labeled volume.
Removable Media
Set this directive to "Yes" if the storage device uses media that can be removed from the server
(ie. a REV HDD, DAT, USB memory etc.).
Always Open
It is recommended that you set the "Always Open" directive to "Yes", making the storage media
always available to Bacula. This allows scheduled backups to be run without user intervention. If
set to "No", tape media will be rewound at the end of each backup.
Because of the catalog's importance, the Webconfig utility was designed to give you three
common methods of recovering your catalog in the event it is destroyed or corrupted:
● Catalog recovery by bootstrap file (BSR)
● Catalog recovery using locally stored image
● Catalog recovery by uploading an image
You will be given the option to choose which method you wish to use from the "Restore Catalog"
menu (see screenshot below).
A MySQL catalog can become large over time - very large. Depending on the number of clients
and files you back up on a regular basis, it is not uncommon to have a catalog in excess of
10-20MB in size. As such, method #1 above is the preferred method: backing up the data in the
catalog database on a regular basis to whatever storage device you are using. The only difference
during recovery is that you use a bootstrap file (BSR) instead of the catalog - a necessity,
since you don't have the catalog.
● Ensure the backup medium containing the latest catalog data is in your storage device
● Click on the "Restore Catalog" link
● Select the "I want to use a bootstrap (BSR) file..." option
● You should have the latest BSR file for the catalog that was e-mailed to the administration
user. Retrieve it and save it to your local hard disk.
● Click on the "Browse" link and select the file you saved in the prior step
● Click on the "Continue" link
● A web dialog will be displayed asking you to confirm or cancel
● Click "Continue". The database import may take several seconds (or minutes if very large)
to complete.
Device Controls
Some devices require actions like ejecting a tape or removable HDD. You can perform these
actions through the webconfig utility using the drop-down list of supported actions in the "Device
Controls" page.
Mount
Mounts a filesystem at a specified mount point. For IDE and SCSI Iomega REV drives, the device
location will be auto-discovered - only a mount point needs to be specified. For tape systems, this
action will call an internal Bacula mount that ensures the device is available for Bacula to
read/write.
Unmount
Unmounts (or umounts) a device.
Eject
Ejects removable media from the device.
Label
Bacula uses labels in order to create volumes that are then associated through the use of pools.
This may sound complicated at first, but it is really not. For more information, see the Bacula online
manual concerning Pools, Volumes and Labels.
Rewind
Issues a rewind command. Only applicable for tapes.
Report
Virtual Console
The virtual console gives the administrator the ability to run Bacula commands via the webconfig
GUI rather than the Bacula console. The use of AJAX makes this interface seamlessly bridge the
divide between Bacula's console and the PHP webconfig form. Use of this feature should be done
with caution and only by those having a solid understanding of the Bacula console commands.
Performing a Backup
Under most circumstances, backups will be performed automatically by the Bacula scheduler
(provided you have created scheduled backup jobs). However, on occasion or by personal
preference, users may wish to manually initiate a backup job. A backup job must be defined as a
resource in order to initiate a manual backup. If you have not done so already, you will need to
define the resources needed by a job definition (i.e. FileSet, Pool, StorageDevice etc.), and define a
job.
Performing a Recovery
The first step in restoring your server is to install the ClarkConnect OS on your new (or repaired)
server. Download the latest ClarkConnect ISO matching your previous platform. It is advised (but
not required) to stay with your current version until the server is restored to its original state.
Register your server to the ClarkConnect Gateway Service network using the I am re-installing
an existing system option. For more information on system registration, click here.
Once registered, install the Bacula backup/restore module using the webconfig User Interface (UI)
on port 81 or via command line:
# apt-get update
# apt-get install cc-bacula
Having installed the Bacula module, use the UI and navigate to the LAN Backup/Restore page
that will be found under the Software heading. From here, you have three steps to a full restore:
● Upload the original Bacula configuration files
● Restore the Bacula file/directory database image
● Perform a full data restore
Click on the General Configuration link. You will see four sections:
● Global Settings
● Director Daemon
● File Daemon
● Storage Daemon
Click on the Upload Config Files link under the Director Daemon section. You will see a file
upload entry form similar to the screen shot below.
Click on the browse link next to the bconsole.conf file. Locate the bconsole.conf file on your local
computer, and select ‘OK’.
A Bacula database image (or dump file) can grow to a substantial size. Users are
cautioned that emailing this file to an account may not be practical or possible.
Restoring Data
Now that your configuration files and database image are restored, simply select and run restores
on any jobs containing filesets that require restoring on the local server. From the Bacula UI main
menu, select Restore. Since your configuration and database have been successfully restored,
you can select the Standard Restore form, completing the fields as required.
Client
The client to which the files should be restored. This should match the client where the files were
backed up from.
File Set
The file set that describes the files and directories to be restored.
Replace Policy
Allows the user to control whether newer files replace older ones or not. This is only applicable
when the Location parameter (below) is left blank.
Location
Specifies the location where Bacula should restore the files to. Set this field to a blank (null) entry if
you wish to restore files to their original location (caution, make sure your Replace Policy is
properly set).
Troubleshooting
Logs
Have a look in the system logs if you are having problems. The Bacula daemons log to
/var/log/bacula.
Windows Firewall
The Windows XP personal firewall will block attempts made by the ClarkConnect server to back up a
Windows desktop on the LAN. Open port 9102 on the Windows firewall by going to Start >
Security Center > Windows Firewall and clicking on the 'Exceptions' tab. Add port 9102 and click
Update.
where:
● IP = IP address of Windows desktop
● NAME = your share name, as defined in the steps above
● MP = mount point on CC (i.e. /var/bacula/mnt/SueLaptop)
● USER = Windows username
● PASS = Windows password
Links
● Bacula Home Page
● Find an Iomega REV Drive Reseller
● Iomega REV Drive Home Page
● Bacula Client Downloads
Printing
Print Server
Overview
Print Server Information
Description: A print server.
Package Name: cc-cups
Configuration Page: Software > Printing > Print Server
ClarkConnect includes CUPS (the Common Unix Printing System) as well as a large set of
printer drivers.
Configuration
Configuration of the printing system is done using the Cups web interface. You can access this
interface via the ClarkConnect web-based interface.
Supported Printers
Not all printers are compatible with Linux. The best resource is the Linux Printing Database, where
you can find out whether or not your printer is supported. If so, follow the link from the web-based
administration tool to add your printer.
Links
● CUPS Home Page
● How to make Windows use CUPS IPP
Web Proxy
Access Control
Overview
Web Proxy Access Control Information
Description: Time and user-based access control for the web proxy.
Package Name: cc-squid-acl
Configuration Page: Software > Proxy and Filtering > Access Control
Time-based Access Control allows an administrator to enforce time-of-day web access restrictions on
users or computers (IP or MAC address) using the web proxy.
Installation
If you did not select this module to be included during the installation process, you must first install
the module.
Configuration
Deleting a time period will delete any access control rule that depends on the time
period definition being deleted.
In the sample screenshot below, we have created two time period definitions. The first defines a
lunch break on weekdays between 12:00pm and 1:00pm (13:00). The second covers the entire
day over a weekend (Saturday and Sunday).
Name
A unique name identifying the access control.
ACL Type
Sets the ACL rule type - allow or deny. Allow provides web access to the user/computer; Deny
forbids web access.
Time-of-Day ACL
References a unique time-of-day rule. The drop-down menu will be empty and a link to create a
new time period will be displayed if no time definitions have been created.
Restriction
Determines whether the ACL rule applies within the time period defined or at all times outside it.
For example, if you defined a time period named Lunchtime as 12:00 - 13:00 from Monday to
Friday and you wanted a specific rule to apply during the lunch hour, select Within. Conversely, if
you wanted a rule to be applied for all hours outside of the lunch period, you would select Outside.
Method of Identification
Depending on your proxy configuration, up to three different methods of user/machine identification
are possible - username, IP address and MAC address.
Username
Username-based authentication is only available if you have User Authentication enabled. Users
must provide login credentials and have access to the proxy server (as defined by the User
Options configuration). Once logged into a proxy session, ACL rules based on username will
apply.
IP Address
To restrict web access to a particular computer or multiple computers (e.g. a computer lab), IP
address-based identification can be used. A single IP address or a range of IP addresses
(separated by a dash) can be added. Valid entry examples include:
● 192.168.1.100
● 10.0.0.121
● 192.168.1.100-192.168.1.150
The IP address represents the address of the machine connecting to the proxy. Since the
computer is located on the LAN segment of the network, any IP address or range listed here
should be restricted to an internal IP address or range.
MAC Address
A MAC address is a unique identifier originating from a computer's network card. MAC addresses
can be a good alternative to IP addresses when an administrator does not lock down the network
settings of a machine, since that might allow a savvy user to get around an IP address-based access
control rule. A MAC address must be obtained from the machine, and the method depends on the OS.
Linux
Open up a shell and type:
# ifconfig eth0
where eth0 represents the network (Ethernet) card. The MAC address in the sample output
below comes after the HWaddr header and is 00:40:63:DA:E7:23:
Windows
To obtain the MAC address under Windows, click on the Start button and select the Run menu
option. Enter cmd in the Run field. Once you are at the Windows command prompt, type:
and press Enter. Find the MAC address next to the Physical Address field. Make sure you get the
MAC address of the correct device; there may be more than one if you have both a network card
ACL Priority
New ACL rules are added to the bottom of the list; that is to say, new rules begin with the lowest
priority.
The proxy server analyzes each rule in successive order, starting from the top and working
through each rule. The first rule that matches stops the processing and allows (or
denies, depending on the rule type) access to the web.
In the example below there are three rules: AllEmployees has the highest priority, followed by
LunchHourStaff and finally (lowest priority) HourlyEmployees.
Saturday - since it is a weekend, and the AllEmployees rule was created with every IP
address on the LAN defined in its ACL, all computers on the LAN will have
access to the web, regardless of MAC- or username-based ACLs and regardless of whether it is
lunch hour (i.e. 12pm - 1pm) or not. In this case the first rule (AllEmployees) applies (returns
true) and no further rules are processed.
Monday @ 12:15pm - All users who are using computers whose IPs have been added to the
Monday @ 1:15pm - All users who are using computers whose IPs have been added to the
HourlyEmployees IP list will be denied access to the web. This is because the third rule is applied,
since the first two rules did not match. Any user who is using a computer whose IP is not listed in
the HourlyEmployees rule will be allowed access to the web.
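The first-match evaluation described above, worked through in code. This is an added example, not part of the ClarkConnect manual or of the cc-squid-acl module: the rule names and time periods follow the manual's example, while the hourly staff address range 192.168.1.120-192.168.1.130 and the exact rule settings are assumptions chosen to reproduce the Saturday and Monday cases.

```python
"""First-match evaluation of time/IP-based proxy ACL rules (added example)."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import IPv4Address
from typing import Optional, Tuple


@dataclass(frozen=True)
class TimePeriod:
    """A time-of-day definition: a daily window applied on the listed weekdays."""
    name: str
    start: time
    end: time
    days: frozenset  # 0 = Monday ... 6 = Sunday

    def contains(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= when.time() < self.end


@dataclass(frozen=True)
class IPRange:
    """A single address or a dash-separated range, as the IP Address field accepts."""
    first: IPv4Address
    last: IPv4Address

    @classmethod
    def parse(cls, entry: str) -> "IPRange":
        parts = [IPv4Address(p.strip()) for p in entry.split("-")]
        if len(parts) not in (1, 2):
            raise ValueError(f"bad IP entry: {entry!r}")
        first, last = parts[0], parts[-1]
        if last < first:
            raise ValueError(f"range end precedes start: {entry!r}")
        # The manual notes entries should be internal addresses: the client sits on the LAN.
        if not (first.is_private and last.is_private):
            raise ValueError(f"not an internal address range: {entry!r}")
        return cls(first, last)

    def contains(self, addr: IPv4Address) -> bool:
        return self.first <= addr <= self.last


@dataclass(frozen=True)
class Rule:
    name: str
    acl_type: str        # "allow" or "deny" (the ACL Type field)
    period: TimePeriod   # the Time-of-Day ACL the rule references
    restriction: str     # "within" or "outside" the period (the Restriction field)
    clients: Tuple[IPRange, ...]

    def matches(self, when: datetime, addr: IPv4Address) -> bool:
        in_period = self.period.contains(when)
        time_ok = in_period if self.restriction == "within" else not in_period
        return time_ok and any(r.contains(addr) for r in self.clients)


def evaluate(rules, when: datetime, addr: IPv4Address) -> Tuple[str, Optional[str]]:
    """Walk the rules top to bottom; the first match decides and stops processing.

    No match means the request is allowed, as in the manual's Monday 1:15pm case
    where hosts not listed in HourlyEmployees keep web access."""
    for rule in rules:
        if rule.matches(when, addr):
            return rule.acl_type, rule.name
    return "allow", None


WEEKDAYS = frozenset(range(0, 5))
WEEKEND = frozenset({5, 6})
LUNCHTIME = TimePeriod("Lunchtime", time(12, 0), time(13, 0), WEEKDAYS)
WEEKEND_ALL_DAY = TimePeriod("Weekend", time(0, 0), time.max, WEEKEND)

# Constructed rule set in the manual's priority order (top = highest priority).
# Hourly staff at 192.168.1.120-130 is an assumption; the manual does not list them.
LAN_ALL = (IPRange.parse("192.168.1.100-192.168.1.150"),)
HOURLY = (IPRange.parse("192.168.1.120-192.168.1.130"),)
RULES = (
    Rule("AllEmployees", "allow", WEEKEND_ALL_DAY, "within", LAN_ALL),
    Rule("LunchHourStaff", "allow", LUNCHTIME, "within", HOURLY),
    Rule("HourlyEmployees", "deny", LUNCHTIME, "outside", HOURLY),
)


def decide(rules, when_iso: str, addr: str) -> Tuple[str, Optional[str]]:
    """Convenience wrapper taking an ISO timestamp and a dotted address."""
    return evaluate(rules, datetime.fromisoformat(when_iso), IPv4Address(addr))


if __name__ == "__main__":
    for when, addr in (("2008-03-01T10:00", "192.168.1.125"),   # Saturday
                       ("2008-03-03T12:15", "192.168.1.125"),   # Monday, lunch hour
                       ("2008-03-03T13:15", "192.168.1.125"),   # Monday, after lunch
                       ("2008-03-03T13:15", "192.168.1.105")):  # Monday, not hourly staff
        print(when, addr, decide(RULES, when, addr))
```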
Troubleshooting
Links
● Squid Proxy website
Overview
Banner Ad and Pop-Up Blocker Information
Description: The software blocks banner ads and pop-ups at the gateway.
Package Name: cc-privox
Configuration Page: Software > Proxy and Filtering > Web Proxy
The software filters cookies, ads, banners, pop-ups, and other unwanted Internet content.
Configuration
If you use ClarkConnect as a gateway, you can configure the banner ad blocker in transparent
mode. In other words, it is not necessary to change the settings for all the web browsers on the
PCs on your network.
● Step 1 - Install the required Web Proxy server
● Step 2 - From Web Proxy's web-based administration page, set the proxy to transparent
mode.
● Step 3 - From the Banner Ad administration page, enable banner ad blocker integration.
Links
● Privoxy Home Page
Content Filter
Overview
Content Filter Information
Description A smart and robust web content filter.
Package Name cc-dansguardian
Configuration Page Software Proxy and Filtering Content Filter
The content filtering software blocks inappropriate websites from the end user. The software can
also be used to enforce company policies; for instance, blocking personal webmail sites like
Hotmail can decrease lost productivity at the office.
The filter engine uses a variety of methods including phrase matching, URL filtering and
black/white lists. Although the filter works effectively 'out-of-the-box', for best results we
recommend subscribing to a service level that includes the 'Content Filter Update' service (see
Services link below). By keeping your blacklist up-to-date, you will be providing your LAN with the
most effective blocking solution against the 'churn' of sites that change daily.
Services
New sites appear, old sites disappear and current sites move around. By enabling the Content
Filter Updates service, you will receive regular updates to the filter lists. See website for more
details.
Installation
If you did not select this module to be included during the installation process, you must first install
the module.
Configuration
The web-based administration tool gives you access to a number of configuration settings. The
filter must be run in parallel with the Web Proxy server.
Standard Mode
In standard mode, the web proxy operates on port 3128 and the content filter operates on port
8080. You must change the settings of all the web browsers located on the local network to point
to one of the above ports in order to take advantage of the proxy or filtering services. If users have
the technical knowledge and have access to the browser settings on their local machine, they could
potentially bypass the proxy server and have full access to content on the Internet.
Transparent Mode
In transparent mode, all requests from the local network automatically pass through the web proxy
cache. The settings of the local machines do not need to be changed. Bypassing the proxy is not
possible by changing browser settings on the local machine. Obviously, this is the preferred
configuration.
If you have a subscription to the "Content Filter Blacklist Update" service (enabled through your
ClarkConnect Gateway Service account) you can check to make sure the update service is active.
If the update service is activated, you will see a screen capture similar to that shown below.
Updates are pulled or pushed automatically from the ClarkConnect Gateway Service network
approximately every week.
By checking a box next to an extension, you are disallowing filtered users from accessing this file
type. If you wish an extension to be blocked and it is not listed in the available list, add it to the list
using the "Add a new extension type" form.
MIME types checked in the "Banned MIME Types" form will not be allowed to pass through the
firewall and to the computer making the request on the LAN, providing a more secure environment.
Groups
You can configure groups of IP addresses to simplify and organize workstation access to the web.
For example, in an educational environment, you can add all administrator/staff IP addresses to a
Staff group and add them to the Exempt User IP List.
Weighted Phrasing
The content filter system uses phrase lists to calculate a score for every web page. You can fine
tune your content filter scoring by specifying which phrase lists to use.
In general you will want the phrase lists you select here to correspond with the blacklists you are
using. At a minimum you will want to include the 'proxies' phrase list to prevent your users from
bypassing the filter.
Note that the more weighted phrase lists you activate for the content filter, the more time the
filter will take to look at each page. If you are using a low-powered server, it is recommended
that you limit the number of weighted phrase lists you use and instead use more blacklists.
If you have problems with some of the phraselists - that they're either blocking too strictly or not
enough, please send information to phrasemaster@dansguardian.org.
Blacklists
The content filter system uses black lists to block specific web sites. You can fine tune your content
filter black lists by specifying which lists to use. Note that these lists are updated weekly by the
Content Filter Update Service if you have subscribed to that service.
Configure Filter
Language - If your native language is supported by the DansGuardian content filter, you can
configure the filter to use your language when displaying block reports and error messages to
your users.
Sensitivity Level - The sensitivity level is an arbitrary scale that allows 'coarse' adjustment of the
phrase filter sensitivity. Increasing the sensitivity level means that fewer bad phrases/words will
cause the filter to block the page.
PICS Level - An Internet standard for rating web content. This setting will prove to be of minor
significance, as sites assign their own rating. As a general rule, the recommendation is to
disable this setting.
Reporting Level - Five options are available to customize what a user 'sees' when the filter blocks
a page:
● Stealth Mode - The site is not blocked; the user's IP and the site are logged
(/var/log/dansguardian/access.log).
● Access Denied - The user's browser will receive an 'Access Denied' in place of the web page.
● Short Report - A short error message 'bubble' will be displayed like the one below:
● Full Report - Same as above, but the weighted limit and actual value will be displayed
(useful for fine-tuning the system).
● Custom Report - Uses the customizable HTML template located at
/etc/dansguardian/languages/[language], where language is the language you have
selected in the setting above. The HTML template file is template.html and the default
en_US language folder is /etc/dansguardian/languages/ukenglish.
Block IP Domains - Used to prevent users from circumventing the URL-based portion of the
filter by using IP addresses instead of URLs. Pages will still be filtered based on the other filtering
mechanisms: weighted phrases, MIME types, file extensions etc.
Blanket Block - Most restrictive setting. All sites will be blocked with the exception of those listed
in the exempt list. Useful for kiosks/public terminals where a browser is used to access a company
site etc.
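Weighted phrase scoring, the sensitivity limit and the reporting levels from the Weighted Phrasing and Configure Filter sections above, as an added example (not from the manual or from DansGuardian itself). The phrase list text is constructed; its <phrase><weight> line syntax follows DansGuardian's weightedphraselist files as I know them (combination lines are not handled), and the mapping from sensitivity level to score limit is an illustrative assumption.

```python
"""Weighted phrase scoring and block reporting (added example)."""
import re
from typing import Dict, List, Tuple

# One entry per line: <phrase><weight>. Negative weights lower the score
# (DansGuardian uses them for words that indicate legitimate content).
PHRASE_LINE = re.compile(r"^<(?P<phrase>[^<>]+)><(?P<weight>-?\d+)>\s*$")

# Constructed sample list in the style of the 'proxies' phrase list; not a shipped file.
SAMPLE_LIST = """
# constructed example list
<proxy server><40>
<anonymous surfing><60>
<bypass the filter><50>
# lowers the score for medical pages
<medical><-30>
"""

# Illustrative mapping of the manual's coarse Sensitivity Level to a score limit:
# a higher level means a lower limit, so fewer bad phrases block the page (assumption).
SENSITIVITY_LIMITS = {1: 200, 2: 150, 3: 100, 4: 75, 5: 50}


def parse_weighted_list(text: str) -> Dict[str, int]:
    """Parse a weighted phrase list into {phrase: weight}; '#' lines are comments."""
    weights: Dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PHRASE_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable phrase line: {raw!r}")
        weights[m.group("phrase").strip().lower()] = int(m.group("weight"))
    return weights


def score_page(body: str, weights: Dict[str, int]) -> Tuple[int, List[str]]:
    """Sum the weights of every listed phrase found in the page text.

    Matching is case-insensitive on whitespace-normalised text and each phrase
    counts once; the total is the 'actual value' a Full Report displays."""
    haystack = " ".join(body.lower().split())
    score, hits = 0, []
    for phrase, weight in weights.items():
        if phrase in haystack:
            score += weight
            hits.append(phrase)
    return score, hits


def filter_request(client_ip: str, url: str, body: str, weights: Dict[str, int],
                   sensitivity: int, reporting: str) -> Dict[str, object]:
    """Decide whether the page is served and what the user and the log see.

    reporting is one of 'stealth', 'denied', 'short' or 'full' (the manual's
    Custom Report needs the HTML template and is not modelled here)."""
    limit = SENSITIVITY_LIMITS[sensitivity]
    score, hits = score_page(body, weights)
    result: Dict[str, object] = {"blocked": False, "score": score, "limit": limit,
                                 "log": None, "message": None}
    if score < limit:
        return result                      # below the limit: page passes, nothing logged
    # Over the limit: every reporting level records the client IP and the site.
    result["log"] = f"{client_ip} {url} *DENIED* weighted phrase limit {limit} exceeded, score {score}"
    if reporting == "stealth":
        return result                      # log only; the page is still served
    result["blocked"] = True
    if reporting == "denied":
        result["message"] = "Access Denied"
    elif reporting == "short":
        result["message"] = "Access has been denied: weighted phrase limit exceeded"
    elif reporting == "full":
        result["message"] = (f"Access has been denied: weighted phrase limit {limit} exceeded, "
                             f"actual value {score}; matched: {', '.join(sorted(hits))}")
    else:
        raise ValueError(f"unknown reporting level: {reporting!r}")
    return result


WEIGHTS = parse_weighted_list(SAMPLE_LIST)

if __name__ == "__main__":
    page = "Free ANONYMOUS surfing through our proxy server"
    for level in ("stealth", "full"):
        print(filter_request("192.168.1.125", "http://example.test/", page, WEIGHTS, 3, level))
```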
Links
● DansGuardian website
● URLBlacklist.com - used by the CCGS Service
Web Proxy
Overview
Web Proxy Information
Description: Web proxy cache server.
Squid is a high-performance proxy caching server for web clients, supporting FTP, gopher, and
HTTP. The software not only saves bandwidth and speeds up access time, but also gives
administrators the ability to track web usage in the daily report.
Installation
If you did not select this module to be included during the installation process, you must first install
the module.
Configuration
General Settings
Reset Cache
Use the reset cache button to delete all the files currently stored by the web proxy server.
Mode
The web proxy and content filter work together to filter web traffic on your network. The
combination of these two applications can operate in several different modes.
Off
This mode is typically used to either temporarily disable the web proxy service or implement a
custom proxy configuration file. Web traffic can still continue to flow un-proxied on port 80, while
access to port 3128 (web proxy) and port 8080 (content filter) remains available.
On
This mode is typically used to take advantage of the improved bandwidth usage and speed of a
proxy server. In transparent mode, all web requests from the local network automatically pass
through the proxy. No configuration changes are required on the workstations.
On + Content Filter
This mode is typically used to enforce content filtering without the need to make configuration
changes on the workstations. As soon as you enable this mode, all web traffic going through your
gateway goes through the content filter.
Example: TiVo personal video recorders (PVRs) are unable to connect via a proxy server. Adding
TiVo's network 204.176.0.0/14 to the proxy bypass list solves the issue.
Reports
The Web Proxy Report includes statistics on top sites, number of hits, usage by LAN IP address,
daily traffic size, and more. You can view the report from the web-based administration tool.
FTP Proxy
From the Squid Web Proxy FAQ:
Question: Can I make my regular FTP clients use a Squid cache?
Answer: It's not possible. Squid only accepts HTTP requests.
Troubleshooting
If you see the message A configuration issue with your web browser settings was detected,
please make sure your browser settings match your proxy server configuration.
Links
● Squid Proxy website
Groupware
Groupware Configuration
Overview
Groupware/Collaboration Information
Description: A groupware and collaboration module.
Package Name: cc-groupware
Configuration Page: Software > Collaboration
Together with e-mail and the Flexshare module, a simple and secure environment can be created
within an organization or between trusted parties to collaborate on common projects.
Installation
If you did not select this module to be included during the installation process, you must first install
the module.
Configuration
Service
Groupware is a collection of software and services tightly integrated to allow groups of users to
collaborate effectively. The groupware overview page reflects this dependence.
You may not have selected packages which provide additional features or
functionality. If a module is not installed, you can use the Software Modules utility to
look up and install modules that were not selected or available during the installation
process.
By default, the Community and Enterprise Editions include 10 accounts that have
groupware/mailbox functionality. The Enterprise Edition is upgradeable to 250 users
(in units of 5) by purchasing additional mailbox licenses from Point Clark Networks.
If this is your first time setting up the ClarkConnect user accounts, you will be redirected to the
server set-up page if you have not entered basic server defaults. Complete the global system
parameter set-up and return to the users page. You will see a summary similar to the screen
capture below.
Follow the instructions here to add accounts for those users who will have access to the groupware
functionality of ClarkConnect.
Configuring Clients
Once accounts are set-up on the server, it is time to configure a user's individual mail client that
will be used to interface to the collaborative environment.
Microsoft Outlook
Make sure to close any running instance of Outlook before installing the Toltec
Connector.
Once you have downloaded the file, use Explorer to navigate to the directory it was downloaded to
and double click on the executable. A familiar install splash screen will be displayed.
Click Next to continue. After reading the License Agreement, select I accept the agreement and
click on Next. By default, the Toltec Connector will be installed in C:\Program Files\Toltec.
Generally speaking this default and the remaining defaults can be used to quickly complete the
install wizard.
Start Microsoft Outlook and select Help > About Toltec Connector as displayed below.
Click on Load a License Key and select the directory where you have your key. If you haven't yet
purchased a key, you can purchase one through ClarkConnect's Online Store or directly from the
Toltec site.
Close the About dialog box and click on Outlook's Tools > Options from the menu. You should
now see an additional tab labeled Toltec Connector.
Before you continue with the next step, ensure the ClarkConnect server's IMAP
service is enabled, an account has been created for the user whose client you are
configuring, and the ClarkConnect IMAP server can be accessed from the system you
are configuring.
Select Corporate or Workgroup mode and click on the Next button. Confirm your intention to
Under the Toltec Connector tab, click on the New button to create a new message store to map
to. Click Next on the first dialog box that appears informing you that you are about to start the next
wizard.
Most users will want to select the default message store (outlook.pst) from the list of available
message stores. If so, select Personal Folders (you may have renamed it to something more
"personal") and click Next.
Enter your server's hostname in the appropriate field, followed by your user account's username
and password (matching those used when you created a user on the server). Ensure the checkbox
for encrypting communications with TLS/SSL is enabled, then click Next to continue.
At the next stage a connect/protocol test will be performed. If everything is functioning properly,
you should see an output from this test which resembles the following screen capture. Click Next
followed by Finish to complete the set-up.
At this point, the Toltec connector has successfully been mapped to your Personal Folder.
client and the ClarkConnect IMAP service. As a result (and although it is counter-intuitive), you
should create a POP3 account to fetch mail from the server and set up an outgoing SMTP service
to send mail. If you were using POP3(S) with Outlook, you don't need to do anything. If you were
using IMAP or are using Outlook for the first time, you'll need to create a POP3 account with your
user settings matching the ClarkConnect server. The following sections explain how to do this and
how to detach (dis-associate) the Toltec mapping and re-assign it to another personal mailbox (pst
file).
Start Outlook and click on Tools > E-mail Accounts. Select View or change existing e-mail
accounts. Click Next to continue.
You will be shown a list of all accounts you have created. If you recognize one as connecting via
POP(S) to your ClarkConnect server, you don't need to do anything other than to check that the
Toltec connector is mapped to it (see next section).
If you need to create a new account for sending/receiving e-mail from the ClarkConnect server,
click on the Add button. A number of options for account types will be listed.
Complete the mail account settings for the specific user. Use the Test Account Settings button to
see if you have configured your account and server correctly.
If you are using SSL encryption to receive or send mail (highly recommended), click on the More
Settings > Advanced tab and select This server requires a secure connection (SSL) on the
Incoming and Outgoing servers as required.
POP3 with SSL encryption uses a different port than plain POP3 - remember to open up port
995 instead of 110 if you enable SSL on the account.
Clicking Next will send you back to the account list where you should now see your entry.
If you remove a mapping, you will need to either remove the PST file or delete/re-create
the account on the IMAP server before mapping again - otherwise all entries
will be duplicated.
To attach the connector to another Message Store, follow the instructions above.
Mapping to multiple IMAP4 servers is possible but beyond the scope of this
document.
You can customize this behavior by selecting an object (for example, your calendar), and using
right-click Properties.
Select the Toltec folder. You will see a number of options allowing you to synchronize data on
events or periodically.
Users who have a large number of messages (10000+ in a single folder) may only
want to synchronize manually to avoid processing delays.
Mozilla Thunderbird
Support for Thunderbird with Kolab groupware synchronization is currently in development (beta).
Please check back later.
As a simple test, we will assume at least two users have been created on the
server - in this example, Mary and David, who work for Point Clark Networks. David is Mary's
assistant and regularly schedules her appointments and meetings for her. As such, he requires
Note that the administrator has given both Mary and David access to both the mail and
web user options.
Sharing a Calendar
The first configuration to be made is David's shared access to Mary's calendar. To do this, Mary
would open her mail client (Outlook in this case) and Right-Click on the Calendar object in the
folder list and select Properties.
Clicking on the Toltec tab displays a button labeled Folder Sharing Options. Mary clicks on this
button and adds David with the desired sharing privileges.
Once done and a synchronization has been performed, David will see Mary's calendar in his
Folder List.
At this point, creating meetings and appointments for Mary is straightforward. David simply selects
Mary's calendar and creates appointments or meetings on behalf of Mary. Mary's Outlook client
will synchronize with additions/changes made by her assistant in addition to keeping track of her
own entries.
Webmail
Upgrades to the Webmail module supporting groupware is scheduled for Q2, 2008.
Sharing/Accessing Files
Please refer to the Flexshare section of this manual.
Troubleshooting
If meeting requests are not working in Outlook 2000, you may need to set the default format to use
iCalendar (iCal). To do this, start Outlook 2000 and click on Tools > Options > Preferences
(tab). Click on Calendar Options and ensure the Send meeting requests using iCalendar by
default checkbox is enabled.
Manual Synchronization
You can synchronize data between your Outlook client and the server at any time by clicking on
the icon found in the Outlook menu bar.
Synchronization Progress
You can view the progress being made on synchronization between your Outlook client and the
server by Right-Clicking on the Toltec Icon in your Windows system tray and selecting View.
Links
● Kolab Groupware Project
● Toltec Groupware Connector
● Toltec Connector for Windows Download
● Toltec Installation Guide (PDF)
● Kolab Synchronization Plugin for Mozilla Thunderbird
● Purchase ClarkConnect Toltec Licenses
VPN
PPTP
Overview
VPN Server - PPTP Information
Description: Virtual Private Network PPTP server.
Package Name: cc-pptp
Configuration Page: Software > VPN > PC-to-LAN
The PPTP server is a secure and cost-effective way to provide road warrior VPN connectivity. The
PPTP VPN client is built into Windows 98, ME, 2000, and XP. No extra software is required, and
ClarkConnect provides full password and data encryption.
Installation
If you did not select this module to be included during the installation process, you must first install
the module.
Configuration
Domain
The default domain used by the PPTP client.
WINS Server
The Microsoft Networking WINS server used by the PPTP client. Depending on your network
configuration, you may need to specify the WINS settings in the VPN client configuration.
DNS Server
The DNS server used by the PPTP client.
● Make sure Require encrypted password and Require data encryption are selected (see
screenshot).
● Disable the NetBEUI and IPX/SPX protocols (unless you really need them).
● Click on the TCP/IP Settings button.
● Use the default gateway on the remote network (see screenshot). This may not be
necessary in some situations.
Configuring Windows XP
The PPTP client is built into Windows XP.
● Go to the Control Panel.
● Click on Network and Internet Connections (this step may not be necessary).
● Click on Network Connections.
● Click on Create a New Connection to start the configuration wizard (see screenshot).
Troubleshooting
PPTP Passthrough
If you are connecting a desktop from behind a ClarkConnect gateway to a remote PPTP server,
then you need to have PPTP passthrough software installed and enabled on the firewall. This
software is included in ClarkConnect.
However, we do not recommend running PPTP Passthrough and a PPTP server simultaneously.
By default, the ClarkConnect gateway will automatically disable PPTP Passthrough when the
Firewall Incoming is configured to allow PPTP server connections. If you would like to run PPTP
Passthrough and a PPTP server simultaneously, follow the Force PPTP Passthrough
documentation.
the same PPTP server, then the connection should fail. Note: it is fine to have two people behind a
gateway connecting to different PPTP servers.
Some PPTP servers and gateways (including ClarkConnect) do make an exception for this
shortcoming. However, some PPTP servers may strictly follow the standard below:
"The PPTP RFC specifies in section 3.1.3 that there may only be one control channel connection
between two systems. This should mean that you can only masquerade one PPTP session at a
time with a given remote server, but in practice the MS implementation of PPTP does not enforce
this, at least not as of NT 4.0 Service Pack 4. If the PPTP server you're trying to connect to only
permits one connection at a time, it's following the protocol rules properly. Note that this does not
affect a masqueraded server, only multiple masqueraded clients attempting to contact the same
remote server."
Links
● PoPToP PPTP Server
● 128-bit Encryption for Windows 95/98
● PPTP handles 100s of users
IPsec
Overview
VPN Server - IPSec Information
Description: Virtual Private Network tools for LAN-to-LAN connections.
Package Name: cc-ipsec
Configuration Page: Software > VPN > LAN-to-LAN
You can use the web-based administration tool to create a connection with other ClarkConnect
servers (on licensed systems, dynamic IP support is included).
Installation
If you did not select this module to be included during the installation process, you must first install
the module.
If you are configuring a VPN connection between your local gateway and a remote gateway, then
configure the remote gateway first. Once the VPN is started on the remote system, it will only be
accessible when the VPN connection is up. If you run into trouble configuring the tunnel, you can
use a dial-up or other connection to access the remote location.
From the web-based administration tool, click on Create in the Managed VPN Connections box.
You need to:
● Select the IP address of the remote connection
● Type in a pre-shared secret (password)
On the first connection or when an IP address changes, it may take a few minutes for the
connection to synchronize.
The two LAN networks at either end of the VPN connection must not overlap! If you need to
change the LAN IP address/network on your ClarkConnect server, please use the Administration
Console.
Sanity Checking
Start the IPsec server on both ends of the connection. Do not use Windows Network Neighborhood
to verify the VPN (there is a Howto on getting your Windows Network up and running). Instead,
make sure you can ping from:
● gateway to gateway
● gateway to remote PC
● remote PC to gateway
● remote PC to remote PC
If the connection fails, double check your network settings and restart your firewall. Look in the log
files -- /var/log/messages and /var/log/secure -- for error messages.
Interoperability
The IPsec protocol is an industry standard, but one with many loose ends. This means that other
IPsec servers - though standards compliant - may not be able to connect to a ClarkConnect IPsec
server. If you are familiar with the command line environment, you may be able to successfully
connect a ClarkConnect system to a third-party system. You can find more information in the
OpenSwan Interoperability Documentation.
Troubleshooting
● Make sure your firewall allows incoming connections for IPsec traffic
● The IPsec protocol does not pass through NAT-based routers. In other words, if your
external IP address is 192.168.x.x or 10.x.x.x, then your system is behind a NAT-based
router.
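The following is an added example and is not code from the ClarkConnect manual or the OpenSwan project. It pulls the Sanity Checking and Troubleshooting items above into one POSIX shell script: a check of whether the external address is private (extended from the 192.168.x.x and 10.x.x.x ranges named above to the full RFC 1918 set, including 172.16.0.0/12), a ping helper for the gateway/PC matrix, and a scan of /var/log/messages-style lines for retransmissions, proposal failures and firewall drops of IKE on UDP port 500. The function names are this example's own, the sample log lines are constructed, and the message wording is assumed rather than copied from Openswan's pluto daemon.

```shell
#!/bin/sh
# Added example, not part of the ClarkConnect manual. Helpers for the IPsec
# sanity checks and troubleshooting items: a NAT check on the external address,
# a ping matrix, and a scan of the log files for tunnel errors.
# The lines in SAMPLE_LOG are constructed for illustration (Linux ping options).

# Return 0 if the address is in one of the RFC 1918 private ranges. A private
# external address means the gateway sits behind a NAT router, which IPsec
# does not pass through.
is_private_ip() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Ping each target once from this host; prints "ok"/"FAIL" per target and
# returns 0 only if all replied. Run it from the gateway with the remote
# gateway and a remote PC as arguments, then again from a remote PC.
ping_targets() {
  rc=0
  for t in "$@"; do
    if ping -c 1 -W 2 "$t" >/dev/null 2>&1; then
      echo "ok   $t"
    else
      echo "FAIL $t"; rc=1
    fi
  done
  return $rc
}

# Print lines from a log file that point at a tunnel problem: the pluto daemon
# reporting retransmissions, proposal mismatches or failures, and firewall
# drops of IKE traffic (UDP port 500). Pass /var/log/messages or /var/log/secure.
scan_ipsec_log() {
  grep -iE 'pluto.*(retransmi|no proposal|fail|error|timed out)|DPT=500($| )' "$1"
}

# Number of problem lines in a log file (0 when the tunnel looks healthy).
count_ipsec_problems() {
  scan_ipsec_log "$1" | wc -l | tr -d ' '
}

# Constructed sample log (shape of /var/log/messages) for a self-contained run.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Jan  5 10:01:02 gw pluto[2210]: "office" #1: initiating Main Mode
Jan  5 10:01:05 gw pluto[2210]: "office" #1: STATE_MAIN_I1: retransmission; will wait 20s for response
Jan  5 10:01:09 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=UDP SPT=500 DPT=500
Jan  5 10:02:00 gw pluto[2210]: "office" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
EOF

# Stand-alone run: classify the external address given as $1 (if any) and
# scan the sample log.
if [ -n "${1:-}" ]; then
  if is_private_ip "$1"; then
    echo "External address $1 is private: this gateway is behind a NAT router"
  else
    echo "External address $1 is public"
  fi
fi
echo "Problem lines in sample log: $(count_ipsec_problems "$SAMPLE_LOG")"
scan_ipsec_log "$SAMPLE_LOG"
```

Saved on the gateway as, say, ipsec-check.sh, `sh ipsec-check.sh <external-ip>` answers the NAT question first, then `scan_ipsec_log /var/log/messages` narrows a failed tunnel down to retransmissions (the other side is unreachable or filtering), proposal mismatches (an interoperability problem) or firewall drops (a missing incoming rule). The ping matrix is only meaningful when run from both ends.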
Entertainment
Photo Gallery
Overview
Photo Gallery Information
Description: A web-based photo album.
Package Name: cc-gallery
Configuration Page: Software > Fun > Photo Gallery
Gallery is a web based photo album that provides you with the ability to create and maintain your
own online photo collection via an intuitive web interface.
Installation
If you did not select this module to be included during the installation process, you must first install
the module.
Configuration
More information can be found on the Gallery page in the web-based administration tool.
Links
● Gallery website
Web
Web Server
Overview
Web Server Information
Description: A powerful and popular web server.
Package Name: cc-httpd
Configuration Page: Software > Web > Web Server
ClarkConnect includes the Apache web server -- the same software that powers many of the
world's largest websites.
Installation
If you did not select this module to be included during the installation process, you must first install
the module.
Configuration
General
Global
The basic set-up of the Apache web server is installed by default. In the main configuration, you
need to specify two items:
Server Name
The server name is a valid name (for example, www.example.com) for your web server. This name
is used on some infrequently used error pages, so it is not all that important.
generates a default certificate that is 100% secure. However, this certificate is not
verified by one of the web site certificate authorities (it costs at least $100 per year
to maintain a verified web site certificate). Your users will see the following warning
(or similar) when connecting to the secure web server.
You must use an FTP client (rather than a browser) if you would like to upload files to the server.
\\SERVERNAME\DOMAINNAME
Where:
Any user belonging to the group configured in the Group Access setting will have read/write access
Group Access
Select a group which will be used to grant access to users who should have access to make
modifications (uploads) to the website. If no groups have been created on your server, you will
have to add one first before configuring either FTP or file server based access.
Virtual Hosts
The web server includes support for "virtual hosts". This means your web server can be used for
hosting more than one web site.
Text Editor
Not the most efficient means, but certainly possible. Use your favorite text editor and start typing
away!
Example:
# vi /var/www/html/index.html
And add:
The set-up and configuration of these engines are beyond the scope of this help document. PHP,
however, is available as a module.
Installing the PHP Module
Troubleshooting
ISP Blocking
Some ISPs are known to block web (port 80) traffic to residential broadband connections in an
attempt to cut down on illegal sites hosted on their network. If you think your configuration is set
up correctly and you suspect your ISP is blocking HTTP traffic, try a port scan.
Firewall Rules
A web server listens to client requests coming in on port 80 (HTTP) or 443 (HTTPS/secure). Did
you remember to open the correct port(s)?
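As an added example (not part of the manual or the Apache project), a shell check for the firewall question above: an incoming rule for port 80 or 443 only helps if the web server is actually listening there, so this parses `ss -ltn` (or `netstat -ltn`) output and reports any required port that is not in LISTEN state. The function names are this example's own and the socket listing embedded below is a constructed sample, so the script runs without a live web server.

```shell
#!/bin/sh
# Added example, not part of the ClarkConnect manual: confirm the web server is
# listening on the ports the firewall must open (80 for HTTP, 443 for HTTPS).
# Works on the output of `ss -ltn` or `netstat -ltn`; SAMPLE_LISTING is a
# constructed sample so the script runs without a live web server.

# Print the TCP ports in LISTEN state found in the listing passed as $1,
# one per line, sorted and de-duplicated (IPv4 and IPv6 sockets collapse).
listening_ports() {
  printf '%s\n' "$1" | awk '
    NR > 1 && $4 ~ /:/ {
      # Column 4 is the local address:port in both ss and netstat output;
      # the port is whatever follows the last colon ("0.0.0.0:80", "[::]:443", ":::443").
      n = split($4, a, ":"); print a[n]
    }' | sort -un
}

# Usage: missing_web_ports "<listing>" port...
# Prints the required ports that are not listening and returns non-zero if
# any are missing; silent and zero when all are present.
missing_web_ports() {
  listing=$1; shift
  have=$(listening_ports "$listing")
  missing=""
  for p in "$@"; do
    printf '%s\n' "$have" | grep -qx "$p" || missing="$missing $p"
  done
  missing=${missing# }
  [ -n "$missing" ] && echo "$missing"
  [ -z "$missing" ]
}

# Constructed sample in the shape of `ss -ltn`: SSH and HTTP are up, HTTPS is not.
SAMPLE_LISTING='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     0.0.0.0:80          0.0.0.0:*
LISTEN  0       128     [::]:80             [::]:*'

# Check the live system when ss or netstat is available, otherwise the sample.
check_web_ports() {
  if command -v ss >/dev/null 2>&1; then
    listing=$(ss -ltn 2>/dev/null)
  elif command -v netstat >/dev/null 2>&1; then
    listing=$(netstat -ltn 2>/dev/null)
  else
    listing=$SAMPLE_LISTING
  fi
  if missing_web_ports "$listing" 80 443 >/dev/null; then
    echo "web server is listening on 80 and 443; now check the incoming firewall rules"
  else
    echo "not listening on: $(missing_web_ports "$listing" 80 443)"
  fi
}

check_web_ports
```

If the script reports a port as not listening, the fix is on the web server side (the secure server is not enabled, or Apache failed to start), and no firewall rule will help; if both ports are listening and the site is still unreachable from outside, the incoming firewall rule or the ISP block described above is the next thing to check.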
Links
● Adding incoming firewall rules
● Apache Web Server Project
Reports
Current Status
Overview
Current Status Information
Description: Disk load, system load, memory usage, and other system status.
Package Name: cc-status
Configuration Page: System > System Information > Current Status
Dashboard
Overview
Dashboard Information
Description: The dashboard shows a big picture overview of your system.
Package Name: cc-webconfig
Configuration Page: Dashboard > Overview
Intrusion Detection
Overview
Intrusion Detection Information
Description: A report displaying summary information on the intrusion detection system.
Package Name: cc-snort
Configuration Page: Reports > Reports > Intrusion Detection
The intrusion detection report provides a way to analyze hostile traffic arriving on your network
interfaces.
Logs
Overview
Logs Information
Description: Log viewer.
Package Name: cc-reports
The log report page allows you to view and filter detailed log files on your system.
SMTP Mail
Overview
SMTP Mail Report Information
Description: A report displaying summary information on the mail server.
Package Name: cc-postfix
Configuration Page: Reports > Reports > SMTP Mail
Statistics
Overview
System Statistics Information
Description: Historical information on system performance.
Package Name: cc-mrtg
Configuration Page: Reports > System Information > Statistics
Installation
If you did not select this module to be included during the installation process, you must first install
the module.
Statistics
The charts shown in the statistics page show the following information:
● Maximum value over the period (e.g. one day)
● Average value over the period
● Current value
Load
The system load is a measure of how the overall system is performing. A common misconception
is that the system load is a measure of CPU usage. However, a high system load can be caused
by excessive hard disk access or other types of bottlenecks in the overall system.
Two different trend lines are shown on this chart. The green line indicates the average system load
for a given 5-minute time period. The blue line indicates the average system load for a given
15-minute time period.
A sustained load above 200 on the chart indicates an overloaded system (occasional spikes above
this number are normal). The system load displayed on the charts is multiplied by 100. For
instance, if you see a load of 53 in the chart, then the load is really 0.53.
Open Connections
This statistic shows the number of open network connections to your system. For instance, an end
user fetching their e-mail from the server will open one (or more) network connections. If your
system comes under an unwanted attack, you will likely see a large spike in open connections.
Processes
The number of processes running on your system.
Swap Memory
Swap memory usage is an indirect indicator of how well your system is managing RAM (physical)
memory. The green background in this chart (if shown) is the amount of swap memory available.
The blue line indicates the amount of swap memory used. If the blue line sustains a level of 75% of
the total swap memory available, then you need to take action:
● Disable unused software/services running on the system
● Investigate potential software bugs/issues
● Add more RAM
The intrusion detection system and content filter system use quite a bit of system resources.
On a Linux system, all unused RAM is used to optimize file access. Do not be surprised to find
your RAM usage at 95% or higher.
Uptime
The uptime chart shows how long your system has been running without a reboot.
Links
● MRTG Web Site
Web Proxy
Overview
Web Proxy Reports Information
Description: A report displaying information on proxy and content filter usage.
Package Name: cc-squid
Configuration Page: Reports > Reports > Web Proxy
Reports are created through the ClarkConnect API using a dedicated MySQL database. This
makes extracting the report data simple should another report medium (e.g. PDF) or further
statistics be required.
Report Types
Overview
User/IP Summary
Domain Summary
Ad-hoc Summary
Web Server
Overview
Web Server Reports Information
Description: A report displaying statistics for the web server.
Package Name: cc-awstats
Configuration Page: Reports > Reports > Web Reports
Installation
If you did not select this module to be included during the installation process, you must first install
the module.
Configuration
To access the Web Reports, you will need to set a password. In the web-based administration tool:
● Enter the password you wish for the reports and click on Update.
● In the Reports by Domain panel at the bottom of the screen, click on the domain report
you wish to view.
● A new window will appear asking for a username and password. Enter awstats for the
username and the password you assigned above.
Links
● Awstats Home Page