Product: GFI WebMonitor 2009
Product Homepage: GFI WebMonitor – Internet Monitoring
Being able to monitor and control user access to the Web is critical for today’s businesses, and GFI Software has a solution that can help you meet this need. Available as a standalone proxy version that works in most network environments or as a dedicated plug-in for organizations that have deployed Microsoft ISA Server, GFI WebMonitor is a comprehensive, policy-based Web monitoring, filtering, scanning and control solution that every organization should give serious consideration to implementing.
Installation and Configuration
The standalone version of GFI WebMonitor can be deployed in two different configurations: Simple Proxy mode and Gateway mode. Simple Proxy mode requires that your Internet gateway device supports either port blocking (configure the device to block HTTP traffic originating from the client computers on your network while allowing HTTP traffic originating from the GFI WebMonitor computer) or traffic forwarding (configure the device to allow outbound HTTP traffic originating from the GFI WebMonitor computer and to forward HTTP traffic originating from your client computers to the GFI WebMonitor computer). With Simple Proxy mode, the GFI WebMonitor computer requires only a single network interface card (NIC) and acts as a proxy server for the client computers on your LAN.
For this review I decided to test GFI WebMonitor in Gateway mode, which requires that the GFI WebMonitor computer has two NICs so it can act as a gateway between the private network where your client computers reside and an external network where your Internet gateway device resides. The computer that I used for this purpose was running Windows Server 2008 R2, and I began by installing the Routing and Remote Access (RRAS) role service and configuring RRAS for Network Address Translation (NAT). One NIC on my gateway server named SRV-GW was attached to the private network 10.0.0.0/8 where my Windows 7 client computers resided; the other NIC was attached to the external network 172.16.0.0/16 where my Internet gateway device (a DSL router) resided. Once NAT was configured on the gateway computer, I verified that the client computers on the 10.0.0.0 network could browse the Web by routing traffic first through the gateway computer and then through the DSL router.
I then installed GFI WebMonitor on the gateway computer, accepting all the defaults. The Getting Started Guide made this easy, but be sure that the service account you specify for GFI WebMonitor has the Log On As A Service user right; otherwise the GFI WebMonitor and GFI Proxy services will not start. Once the installation completed, the Configuration Wizard launched in order to walk me through the steps of configuring GFI WebMonitor. Using this wizard, I selected the Gateway Mode option (Figure 1):
Figure 1: Selecting the Gateway mode configuration option
The final wizard page indicated that GFI WebMonitor would be listening for HTTP traffic on 10.0.0.1 over port 8080 (Figure 2):
Figure 2: Viewing Web proxy settings on the gateway server
These settings are important because once GFI WebMonitor is installed on your gateway computer, the client computers on your private network will not be able to browse the Web unless their Internet Explorer proxy settings are configured to use these settings. Since there were only a handful of Windows 7 computers on my private network, I decided to manually configure the IE proxy settings on these machines by opening Internet Options from Control Panel and clicking LAN Settings on the Connections tab (Figure 3):
Figure 3: Configuring Web proxy settings on the client
For large environments, you can use Group Policy to configure IE proxy settings on your client computers using the Proxy Settings policy node found under:
User Configuration\Policies\Windows Settings\Internet Explorer Maintenance\Connection
For simple environments you can also use Web Proxy Autodiscovery (WPAD), which is enabled by default in GFI WebMonitor.
One minor problem I encountered was that my client computers still could not browse the Web even though their IE proxy settings had been configured appropriately. The culprit here turned out to be Windows Firewall with Advanced Security, and after I created a new port rule that allowed inbound TCP traffic on port 8080 my client computers were able to successfully browse the Web through the gateway computer.
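The firewall rule described above, as an added example that is not part of the original review: a plain port rule opens TCP 8080 on both NICs of the gateway, so this version scopes it to the internal listener address and client subnet, then checks the result from a client. The rule name, the function name and the test URL are made up for illustration; the addresses are the ones used in this review.

```powershell
# Added example, not from the review. Rule and function names are hypothetical.
# Addresses from the review: proxy listens on 10.0.0.1:8080, clients live in 10.0.0.0/8.

# --- On the gateway (SRV-GW), from an elevated prompt ---
# Broad form (accepts TCP 8080 on every interface, including the external NIC):
#   netsh advfirewall firewall add rule name="GFI-WebMonitor-8080" dir=in action=allow protocol=TCP localport=8080
# Scoped form: only the internal address, only from the private subnet.
netsh advfirewall firewall add rule name="GFI-WebMonitor-8080-LAN" dir=in action=allow protocol=TCP localport=8080 localip=10.0.0.1 remoteip=10.0.0.0/8

# Confirm the scope that was actually stored.
netsh advfirewall firewall show rule name="GFI-WebMonitor-8080-LAN" verbose

# --- On a Windows 7 client (PowerShell 2.0 compatible) ---
function Test-WebMonitorProxy {
    param(
        [string]$ProxyHost = '10.0.0.1',
        [int]$ProxyPort    = 8080,
        [string]$Url       = 'http://www.example.com/'   # placeholder test URL
    )
    $result = New-Object PSObject -Property @{ PortOpen = $false; ViaProxy = $false; Direct = $false }

    # 1. Is the proxy port reachable through Windows Firewall?
    $tcp = New-Object System.Net.Sockets.TcpClient
    try { $tcp.Connect($ProxyHost, $ProxyPort); $result.PortOpen = $tcp.Connected }
    catch { }
    finally { $tcp.Close() }

    # 2. Does a request succeed when sent through the proxy?
    $viaProxy = New-Object System.Net.WebClient
    $viaProxy.Proxy = New-Object System.Net.WebProxy("http://${ProxyHost}:$ProxyPort")
    try { [void]$viaProxy.DownloadString($Url); $result.ViaProxy = $true } catch { }

    # 3. Does the same request succeed with no proxy at all?
    #    The review states clients cannot browse without the proxy settings,
    #    so Direct = True would mean the filter can be bypassed.
    $direct = New-Object System.Net.WebClient
    $direct.Proxy = $null
    try { [void]$direct.DownloadString($Url); $result.Direct = $true } catch { }

    $result
}

Test-WebMonitorProxy
```

The expected outcome on a correctly configured client is PortOpen and ViaProxy both True and Direct False.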
Monitoring and Controlling Web Activity
Once GFI WebMonitor was installed and configured, I found the user interface very intuitive and easy to use. Figure 4 shows the GFI WebMonitor admin console with the Dashboard node selected, which displays a graphical and statistical view of the Web monitoring, security and filtering activity on the gateway server. By selecting a node from the left-hand navigation bar, you can view more detailed information concerning each feature in the left-hand viewing pane of the console.
Figure 4: The Dashboard node of the GFI WebMonitor admin console
To access detailed monitoring statistics, select the Monitoring node as shown in Figure 5. Using this node and the various sub-nodes beneath it, you can access in real-time the active HTTP connections from clients on your network, view a list of recent connections, display bandwidth consumption statistics, see which sites are most popular with your users, and more.
Figure 5: Web monitoring options you can choose from
For example, Figure 6 shows that two client computers with IP addresses 10.0.0.100 and 10.0.0.101 are currently downloading large files from the Internet. By clicking on the red X button for one of them you can stop the download from finishing.
Figure 6: Terminating a download over HTTP
As another example, the Top Sites node under Bandwidth Consumption lists the top ten Web sites your users are accessing by bandwidth used (see Figure 7). Note that Drudge Report, a popular news site, is one of these most-used sites.
Figure 7: Viewing top sites according to bandwidth used
The Drudge Report Web site has a clean and simple design, and this means that the above statistic that users have consumed 701.42 KB of bandwidth visiting the site may be somewhat misleading, so let’s check out another node called Top Time Consumption to get an idea of how much time users might have been wasting visiting this site (Figure 8). Of course “wasting” is a relative term here: if your organization is a media company then Drudge Report may be one of the most valuable sites your employees will need to access in order to stay on top of current events. I myself personally “waste” at least an hour a day on this site when I should be working on other things!
Figure 8: Viewing sites according to time consumed by users
Drudge is near the top in terms of surf time, so let us dig deeper and see if it is only one user who has been visiting the site or several. To do this, simply click the www.drudgereport.com link to drill down and show additional detail for the site (Figure 9):
Figure 9: Site access history for www.drudgereport.com
We can see that several users have been accessing this site. If it were only one user, we could notify Human Resources and they could warn the user. Since the site seems to be popular with users, however, we decide after consultation with the HR and Legal departments to create a policy that blocks users from accessing the site. To do this, we will add an item to the Blacklist, a feature of GFI WebMonitor that lets you block sites, users or IP addresses from being accessed regardless of any other policies you may have configured. To create a Blacklist item, select the Blacklist node in the navigation bar, select Site from the drop-down list, type the URL of the site you want to block, click Add to add the site to your Blacklist, and then click Save Settings. Figure 10 shows the result after adding www.drudgereport.com to the Blacklist on our gateway server.
Figure 10: The blacklisted site will be blocked from access by all users
Now let us see what happens when one of the users on our network tries to open the blacklisted site in Internet Explorer (Figure 11):
Figure 11: What a user sees when she tries to visit a blacklisted site
Checking the Activity Log node several hours later reveals that the user on computer 10.0.0.102 has repeatedly tried to access the blocked site (Figure 12). Evidently this particular user has an addiction to current events!
Figure 12: The Activity Log shows items that have been blocked or quarantined
In addition to blacklisting sites, you can also use GFI WebMonitor to set up whitelists of sites, users and IP addresses that are excluded from all other policies you may have configured. You can create two types of whitelists using GFI WebMonitor: permanent and temporary. You might use a temporary whitelist for example to temporarily approve access to a particular site for some business reason. Whitelists and Blacklists override any more granular policies that you configure using WebFilter and WebSecurity as described later in this article.
The WebFilter component of GFI WebMonitor provides you with more granular control over managing the Internet access of users, groups and IP addresses on your network. WebFilter does this by combining Web filtering policies, which you can create, with the WebGrade Database, which stores and implements Web filtering policies and optionally allows URLs not found in the database to be looked up in a global Internet database maintained by GFI Software. Figure 13 shows the Default Web Filtering Policy which applies to everyone at all times and allows all URLs to be accessed.
Figure 13: The Default Web Filtering Policy
Let us say we want to create a Web filtering policy to block certain types of content. To do this, click Add Policy and type a name and description on the General tab of the new policy (Figure 14):
Figure 14: Creating a new Web filtering policy
Notice that the above new policy applies all day and night, seven days a week. One of the cool features of WebFilter is that you can perform time-based filtering by configuring policies to apply only on certain days and at certain times if needed.
Now click the Web Filtering tab and select the types of content you want to block or quarantine (Figure 15):
Figure 15: Blocking unacceptable content
The Exceptions tab lets you exclude or include specific sites (Figure 16):
Figure 16: Adding exceptions to the policy
The Applies To tab lets you apply the policy to users, groups or computers (IP addresses). We will apply the policy to a particular user named Jacky Chen (Figure 17):
Figure 17: Applying the policy to a specific user
The Notifications tab lets GFI WebMonitor use the SMTP server you specified during installation to notify an administrator (and optionally the user also) when the user tries to perform an action that violates the policy (Figure 18):
Figure 18: Sending notifications when the policy is violated
Clicking Save Settings and selecting the Web Filtering Policies node again displays the new policy (Figure 19):
Figure 19: The new Web filtering policy
Figure 20 shows what happens when Jacky tries to access an online auction site, an action that is blocked by the Web filtering policy we just created.
Figure 20: The Web filtering policy at work
The WebSecurity component of GFI WebMonitor provides scan and usage control restrictions such as controlling downloads, Instant Messaging, virus scanning, and anti-phishing protection. WebSecurity integrates three popular virus scanning products: Kaspersky, Norman and BitDefender (Figure 21).
Figure 21: Integrated anti-virus products included with GFI WebMonitor WebSecurity
Let’s see how WebSecurity can be used to address one common anxiety among network administrators, namely the ability of users to download executable files from the Web.
The Default Download Control Policy applies to everyone at all times and has no restrictions on the types of files users can download (Figure 22).
Figure 22: The Default Download Control Policy
To prevent any users on our network from being able to download .exe files, open this Default Download Control Policy for editing by clicking on it, then select the Download tab (Figure 23).
Figure 23: List of file types you can allow/block/quarantine
If you only want to prevent certain users, groups or computers from being able to download certain types of files, you need to create a new Download Control Policy instead of editing the Default one.
Now click the Executable item in the list of file types, and let’s select Block And Quarantine so that the user will be blocked from downloading executable files and these potentially harmful downloaded files can also be stored in quarantine for further examination (Figure 24).
Figure 24: Blocking and quarantining executable files
Click Save Settings to update the Default Download Control Policy. Now when a user tries to download an .exe file, for example from a warez site, a message similar to the one shown in Figure 25 is displayed:
Figure 25: The user is prevented from downloading an executable file
By using the Quarantine feature of GFI WebMonitor, you can view items that have been quarantined and either delete them or approve future download attempts for the item (Figure 26):
Figure 26: Viewing quarantined items
After examining in some detail many of the powerful capabilities of GFI WebMonitor 2009, my conclusion is that this is an excellent product and I give it an unqualified “two thumbs up”. I found GFI WebMonitor easy to install, configure, and use, and I hope this review has whetted your appetite for this product. You can deploy GFI WebMonitor in either an Active Directory or workgroup environment, and if you have Microsoft SQL Server available you can even configure GFI WebMonitor’s Reporting feature to log the statistics it gathers to a SQL database so you can further drill down into what’s happening on your network using Crystal Reports or some other analysis tool.
For more info about GFI WebMonitor 2009 and its internet monitoring capabilities, go to http://www.gfi.com/internet-monitoring-software. GFI WebMonitor is also available in a version that offers web security and access control for ISA Server/TMG Server. A free 30-day trial of both versions can be downloaded from http://www.gfi.com/pages/webmon-selection-download.asp
In conclusion, I would like to finish off this review with my seal of approval by giving GFI WebMonitor 2009 a 5 star rating for the overall feel and functionality of the product.
WindowSecurity.com Rating: 5/5