Follow us on Twitter...
Stay up to date with the latest news, special offers and advice from CensorNet on Twitter... we are Tweeting regularly!
Access downloads, trial keys, docs and resources.
The following diagrams provide example deployment options and indicate where the CensorNet server should be located on the network. Please contact Technical Support to discuss your implementation in more detail.
Sideways mode is the most common way to deploy CensorNet, using it as a true HTTP proxy. The CensorNet server (physical or virtual) is placed on the network, side by side with other computers and servers. To pass traffic through the CensorNet server, the web browsers on the computers are configured to use the CensorNet as a proxy server.
The browser configuration is secured by group policy and re-enforced by firewall rules preventing any access to port 80 and 443 unless it originates from the CensorNet server, thus avoiding proxy bypass. The CensorNet server also has a trust relationship with the Active Directory domain so that single sign on authentication can be achieved.
For this mode two network cards are required and it is advisable to use a physical rather than a virtual machine (due to the way virtual NIC’s handle promiscuous mode). The CensorNet server is placed directly in the data path of the network - between the main switch and the gateway device. The CensorNet server acts like a bridge, transparently intercepting port 80 and 443 traffic (HTTP and HTTPS) whilst allowing other traffic to flow over the bridge normally. Traffic is intercepted in both directions. As the bridge is transparent, the CensorNet server only requires one IP address for management and there is no need to alter the gateway address on your networked computers.
Inline mode is particularly useful if you want to “catch all” traffic and/or you don’t have the ability to configure the web browser proxy settings via group policy. User identification can be achieved using our Active Directory Agent service, which runs on the Active Directory server, or desktop LoginAgent tool which can be run from a Windows login script.
It is possible to use a combination of sideways and inline modes where the CensorNet server is configured as per the “inline mode” diagram above, but it also has a trust relationship with the Active Directory server that can be used to perform single sign on for computers that have their browser proxy settings configured. In this way, you can guarantee user authentication for computers on the network but still allow guest computers to connect and be filtered.
In all of the examples above it is possible to use our RemoteWorker client, which allows you to extend your Internet access policy to remote computers who may be connected via 3G, Wi-Fi or other temporary Internet connections. The purpose of the RemoteWorker client is to provide filtering for roaming users and standalone computers that are not part of the corporate network (maybe located in a remote office).