iPrism Technical Support FAQs

iPrism Networking, Reporting, Access Policy, Auto-Login/Authentication and Filter List FAQs

Networking

  • What is causing my network to slow down after installing iPrism?
  • Should I place iPrism inside or outside of my firewall, proxy server, or NAT device?
  • I am installing iPrism in a network that has a firewall. Do I need to open any ports on the firewall?
  • Can I specify more than one DNS server in iPrism?
  • Should iPrism be my users’ new default route (gateway)?
  • Can the Proxy feature in iPrism be disabled for traffic passing through it?
  • I want to use iPrism as a Proxy server, what port should I use?
  • Can iPrism pass IPX/SPX or Appletalk traffic?
  • What do I do when I get an error message that iPrism could not resolve the website address?

What is causing my network to slow down after installing iPrism?

When properly installed, iPrism should not negatively impact network performance. If you experience network performance issues after installing iPrism, the most common reasons are as follows:

Ethernet duplex mismatch between iPrism Ethernet interface and connected network devices: If iPrism is connected to a device set to a specific speed and duplex mode then iPrism should also be set exactly the same. Make sure there are no CRC or frame errors on the Ethernet port statistics on the devices iPrism is connected to.

Delay in reaching DNS server specified: Please make sure that the DNS server address specified in iPrism is reachable with minimum delay. iPrism uses DNS to resolve the URL name to an IP address and any delay in reaching the DNS server can slow down your network. We recommend using the same DNS servers as the workstations connected to iPrism use.

Network infected by virus: Virus-infected machines can send thousands of HTTP requests per second out to the Internet. This extraordinarily high volume of Internet traffic may overwhelm iPrism’s system resources and negatively impact network performance.

Should I place iPrism inside or outside of my firewall, proxy server, or NAT device?

Proxy servers, NAT devices and most firewalls hide IP addresses of workstations behind them. For this reason, iPrism should be installed on the LAN side of the firewall, proxy server or NAT device so that it can include IP address information in its reports and properly handle authentication of users.

I am installing iPrism in a network that has a firewall. Do I need to open any ports on the firewall?

For most installations, you only need to open port 80 for HTTP traffic. In some cases, you will also need to open TCP and UDP port 53 for DNS. In the event that you require troubleshooting assistance, a VPN session may be recommended by an iPrism support technician. To establish this VPN session with our server, port 25 must be open.

If you want to manage the iPrism from a workstation outside your firewall, you will also need to open the following ports:

TCP/1001 [Encrypted configuration protocol]
TCP/4474 [SQL protocol]

Furthermore, the IP address of the management workstation must be included in the co-management network range located on the Preference tab in the System menu.

Can I specify more than one DNS server in iPrism?

Yes, you can specify multiple DNS servers in iPrism. Please see:

Using iPrism with Multiple DNS Servers

Should iPrism be my users’ new default route (gateway)?

If you are installing iPrism in bridging or stand-alone mode, you should not make iPrism the default gateway for your workstations. iPrism installs transparently into your network without requiring IP address changes on your workstation or servers. However, if you are installing iPrism as a router, it will need to be your workstations’ default route.

Can the Proxy feature in iPrism be disabled for traffic passing through it?

You cannot disable the proxy feature in iPrism for workstations that you want to filter. However, you can use the ‘Proxy Exception’ feature in iPrism to designate particular workstations or servers NOT to use iPrism as a proxy, providing unfiltered access. Proxy Exceptions can be used based on source or destination IP addresses. To configure proxy exceptions, use the Proxy Exceptions tab in the Access menu.

I want to use iPrism as a Proxy server, what port should I use?

You can configure browsers to proxy to iPrism on port 3128. iPrism’s proxy port setting can be changed to a different value. Please note that the proxy port cannot be identical to the configuration port. Please see:

Changing iPrism’s Port Assignments

Can iPrism pass IPX/SPX or Appletalk traffic?

iPrism acts like a bridge for any non-HTTP or non-IP traffic. If parts of your network were running protocols such as the IPX/SPX suite, Appletalk, etc. successfully before the installation of iPrism, then iPrism will have no problem passing this traffic once it’s part of the production network.

What do I do when I get an error message that iPrism could not resolve the website address?

iPrism returns a DNS error message when it cannot connect to the DNS server it is configured to use, or when that DNS server cannot resolve the hostname. If you get this error message, verify that the DNS server specified in iPrism is functioning by running a small test on your workstation: enter the command nslookup at the workstation’s Command (DOS) Prompt. You can temporarily change the DNS server that nslookup queries by entering server <New DNS IP address> at the nslookup prompt. If the DNS server cannot resolve hostnames, correct this problem first.

C:\> nslookup
> server <DNS server IP address>

Reporting

  • Why am I not receiving reports or log files via email?
  • How do I get a Daily Report?
  • How do I get daily reports with details of URLs visited?
  • Why do my reports only go back so far?
  • Can I grant access to a specific user for generating reports?
  • How do I get reports based on user names instead of IP addresses?
  • Can iPrism export its log files?
  • When does iPrism export its log files?
  • How does iPrism calculate the duration on reports for a user?

Why am I not receiving reports or log files via email?

If you have not created a report yet, please refer to the following sections in the Admin Guide on how to create one.

Test to see if you are able to receive emails from iPrism:

Log into the iPrism Status applet.

Click on the Email tab.

Enter your email address and click on the Test button.

Check your email to see if you received the email from iPrism.

If you did not receive the email, enter the IP address of your mail server on the iPrism SMTP Relay field. See: Configuring SMTP Relay Settings

If you are able to receive the test email from iPrism but are still unable to receive your reports, check your email server logs for any errors or rejected email from iPrism. The email reports can be very large in size, which could cause it to be rejected by some email servers.

How do I get a Daily Report?

For iPrism v3.5, please see the links:

For information on sending reports automatically: Having Reports Sent Automatically

For information on generating iPrism’s predefined reports: How to Run a Predefined Report

For information on generating custom reports: Custom Reports

For iPrism v3.4, please see the links:

For information on sending reports automatically: Having Reports Sent Automatically

For information on generating iPrism’s predefined reports: Predefined Queries

For information on generating custom reports: Advanced Queries

NOTE: the time span for the Daily/Weekly report should not have a start date of “today” and end date of “now”.

How do I get Daily Reports with details of URLs visited?

In the Reports interface, create the Daily Report as usual in the Advanced Query screen. Choose Detailed Report from the Type field. Please note that detailed report entries are only available for those categories that are selected for monitoring in the ACLs. To learn more, see:

Detailed Report Results

Why do my reports only go back so far?

iPrism’s reports are stored based upon the number of URL requests, rather than time. iPrism’s report capacity is approximately 250,000 URL requests. If you have a model 1100 iPrism (released August 2002) then you will be able to store approximately one million URL requests. When iPrism’s logs fill up, iPrism will automatically rotate the log entries by overwriting the oldest entries in the beginning of the log file. If your network has a high amount of traffic (or if you are logging a lot of detail), the logs will not go back as far as they would if there is a small to medium amount of network traffic. To allow the maximum available space for meaningful logs, you may want to configure iPrism to NOT log image details. To do this: Configure iPrism -> Reports -> Preferences, then uncheck “Log image details”

Can I grant access to a specific user for generating reports?

You can delegate access to reports by creating internal users in iPrism and granting them the proper administrative privilege. You can also delegate report access rights to users based on their NT login name. To delegate the responsibility of creating reports to one of the internal users, you need to change his/her Admin Privileges to Reports Only or create and assign a new Admin Privilege with reporting capabilities.

How do I get reports based on user names instead of IP addresses?

In order to get reports based on user names, you must configure and enable authentication in iPrism. With authentication enabled, users are required to provide a valid user name and password when they access the Internet. iPrism can authenticate users created in its internal database or from an external server using LDAP or NTLM authentication.

Can iPrism export its log files?

Yes. iPrism can export its log files by email, FTP or Syslog server. If you want to export log files by FTP, you will need to specify a user name and password in iPrism for a valid account on an FTP server. You can also set up real-time logging on a Syslog server. You can configure these options under Reports -> Preferences in the iPrism configuration.

When does iPrism export its log files?

There is no set time when iPrism exports the log files. The log files are exported before iPrism rotates and overwrites the existing logs. A network that generates a lot of traffic will receive the log files more often than a network with less traffic.

How does iPrism calculate the duration on reports for a user?

Each time a web page is transferred by iPrism from the Internet to a workstation, the timestamp of the exact moment is recorded by iPrism. The time difference between two consecutive web accesses is calculated based on their respective timestamps.
iPrism will use this information as follows:

If the time difference is larger than 30 seconds, it accumulates 30 seconds Time-Spent for this workstation, otherwise it accumulates the time difference.

Accumulating all “access times” within a time frame yields a total value, which is the Time-Spent shown in the report.

For example:

1. t = 0s; user opens his browser and goes to his homepage

2. t = 10s; user clicks onto another link; he accumulates 10s for a total of 10s

3. t = 50s; user clicks onto another link; time difference between 2 and 3 is 40s; user accumulates 30s for a total of 40s

4. t = 55s; user clicks onto another link; he accumulates 5s for a total of 45s

5. t = 300s; user clicks onto another link; time difference between 4 and 5 is 245s; user accumulates 30s for a total of 75s
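
The Time-Spent rule described above, as an added example that is not iPrism's own code: it applies the 30-second cap per workstation to a few constructed access records and reproduces the 75s total from the walkthrough. The record layout, IP addresses and function names are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime

CAP_SECONDS = 30  # per-gap ceiling stated in the FAQ

# Constructed sample records: (workstation IP, access timestamp).
# This layout is an assumption for the example, not iPrism's log format.
# Records are deliberately interleaved and partly out of order.
SAMPLE_ACCESSES = [
    ("192.0.2.10", "2003-05-12 09:00:00"),
    ("192.0.2.10", "2003-05-12 09:00:10"),
    ("192.0.2.11", "2003-05-12 09:00:32"),
    ("192.0.2.10", "2003-05-12 09:00:50"),
    ("192.0.2.10", "2003-05-12 09:00:55"),
    ("192.0.2.11", "2003-05-12 09:00:20"),
    ("192.0.2.10", "2003-05-12 09:05:00"),
]


def time_spent(offsets, cap=CAP_SECONDS):
    """Sum the gaps between consecutive accesses, counting each gap as at most `cap`.

    `offsets` are access times in seconds. A single access has no gap and
    therefore contributes 0 seconds.
    """
    ordered = sorted(offsets)
    return sum(min(later - earlier, cap)
               for earlier, later in zip(ordered, ordered[1:]))


def time_spent_by_workstation(records, cap=CAP_SECONDS):
    """Group access records by workstation and apply the capped-gap rule to each."""
    per_host = defaultdict(list)
    for host, stamp in records:
        per_host[host].append(datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"))

    totals = {}
    for host, stamps in per_host.items():
        base = min(stamps)
        # Convert to seconds relative to the workstation's first access.
        offsets = [(s - base).total_seconds() for s in stamps]
        totals[host] = int(time_spent(offsets, cap))
    return totals


if __name__ == "__main__":
    # The FAQ's own walkthrough: accesses at 0s, 10s, 50s, 55s and 300s.
    print("FAQ walkthrough:", time_spent([0, 10, 50, 55, 300]), "seconds")
    for host, seconds in sorted(time_spent_by_workstation(SAMPLE_ACCESSES).items()):
        print(host, seconds, "seconds")
```

Because only the gaps between accesses are counted, a workstation's last access in a period adds nothing, and any idle gap longer than 30 seconds counts as exactly 30 seconds regardless of its real length.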

Access Policy

  • Why aren’t my users being blocked?
  • Why isn’t www.xyz.com blocked?
  • How do I block/unblock a website?
  • Can I block/allow Web access by IP address/Network range?
  • Can I block/allow Web access by user name?
  • Can I apply different access policies for different groups of users based on their name or NT group membership?
  • How do I set up LDAP with my XYZ Server?
  • How do I implement different Internet access policies at different times during the day/week?
  • Does iPrism only filter port 80?
  • How do I block Real Player, P2P programs & Chat?
  • Can iPrism block by file type?
  • Can iPrism block someone who is using AOL software?
  • Can iPrism filter email and/or viruses?
  • Can I install iPrism on networks running a proxy server?
  • Can iPrism intercept and filter traffic from workstations pointing to another proxy server?
  • Why are some of my internal networks unable to access the Internet after iPrism is installed?
  • Why does iPrism only filter some of my networks, but not others?
  • I am getting tons of emails from users requesting access to various blocked web sites. How do I stop getting “Request Access” email from my users?
  • Can iPrism block pop-ups?

Why aren’t my users being blocked?

In order to block users from web sites you must complete the following steps: (1) a Profile needs to be created containing an ACL with the categories you wish to block selected. (2) the Profile must be ‘attached’ to either a network (Access, Networks Tab) or a User Account (Users, Users Tab).

For general information about how ACLs and Profiles interoperate, see:

Managing Internet Access

For specific instructions on creating ACLs and Profiles, see:

Creating Access Control Lists (ACLs)

Creating Profiles

To view or change the profile assigned to a particular network, see:

Configuring Users and Authentication

Note: In the Networks tab (on the Access menu), you can see the profile applied to a network by selecting the network’s IP range and viewing the profile assigned in the Profile field.

Why isn’t www.xyz.com blocked?

iPrism allows you to select which categories of web sites are blocked, monitored and allowed. Our team of analysts review each site and assign it one or more category ratings (e.g. health, entertainment, finance, adult themes, pornography, etc.). Once a rating is assigned to a site, it is added to the iPrism database that is downloaded by iPrism each night. The iPrism administrator decides which categories they want to block, monitor and/or allow. For example, if they decide that they do not want to allow access to “porn”, “adult themes” and “games”, any sites in the iPrism database rated with those categories will be blocked.

You can check ratings of a web site in iPrism from the iPrism Status or Block/Unblock a Site menu.

Please refer to the following topics for more details:

Deciding What Gets Blocked

Managing Internet Access

Using iPrism to Block Other Sites

Submitting Sites to St. Bernard for Review

How do I block/unblock a website?

If you want to block or monitor a web site that is not listed in the URL database, you must create your own filter for the URL, called a “custom filter.” A custom filter lets you assign any URL to an existing filter category (e.g. adult, nudity, sports, etc.), or more typically, to one of iPrism’s local categories (local1, local2, etc.). You can also use this feature to override the rating for a URL in our database. For detailed instructions on creating a custom filter, see:

How to Create a Custom Filter

Can I block/allow Web access by IP address/Network range?

Yes. You can block/allow sites by Network address range or by single IP address. Refer to the following topic for instructions on how to do this:

Assigning Profiles to Networks (Workstations)

Can I block/allow Web access by user name?

Yes, to block/allow Internet access by user name, authentication must be configured and enabled. Once authentication is enabled, each user is prompted to provide a user name and password. iPrism verifies the user’s credentials and determines the profile associated with the user. iPrism then compares the profile to the rating of the URL being accessed to determine whether or not access is allowed.

iPrism can authenticate users created in its internal database or from an external server using LDAP or NTLM authentication. The type of authentication you are utilizing determines how you assign profiles to individual users.

For more information, see:

Configuring Users and Authentication

TechNote – NetWare 5.x LDAP Authentication

TechNote – External Authentication in iPrism Using NTLM

Can I apply different access policies for different groups of users based on their name or NT group membership?

In order to apply access policies based on user name, you must enable authentication in iPrism. Once authentication is enabled, each user is prompted to provide a user name and password. iPrism then verifies whether or not the user’s credentials are valid. iPrism can authenticate users created in its internal database or from an external server using LDAP or NTLM authentication.

Creating users in iPrism is only suitable for small networks. Networks with a large number of users should utilize LDAP or NTLM authentication. With LDAP and NTLM authentication, iPrism verifies user credentials against your existing user database to determine which profile to apply. LDAP is an industry standard protocol and is well supported by major vendors and operating systems including Windows 2000 and Novell Netware. You can also use NTLM authentication to apply profiles based on Windows NT or Windows 2000 group memberships.

For more information, please refer to the following topics:

NTLM Authentication

TechNote – Windows 2000 LDAP Authentication

TechNote – External Authentication in iPrism Using NTLM

How do I set up LDAP with my XYZ Server?

LDAP is an industry standard protocol and is supported by most major vendors and operating systems. Novell supports LDAP, and Active Directory on Windows 2000 is LDAP compliant by default. Windows NT supports LDAP only through Exchange server. If you’re using Windows NT/2000, we recommend you configure NTLM authentication. To get more details about LDAP and its setup, please refer to the following topic:

TechNote – Windows 2000 LDAP Authentication

TechNote – NetWare 5.x LDAP Authentication

How do I implement different Internet access policies at different times during the day/week?

Please refer to the following topic for information about how to configure different Internet access policies:

Managing Internet Access

Does iPrism only filter port 80?

By default, iPrism filters HTTP traffic on TCP port 80. However, iPrism can also be configured to filter HTTP traffic on other ports. If your network contains a proxy server, traffic can be filtered before it reaches the proxy server by configuring iPrism to filter the proxy port used by your proxy server. To configure iPrism to block HTTP traffic on a different port, refer to the following topic:

Filtering Traffic on Other Ports

How do I block Real Player, P2P programs & Chat?

You can block non-HTTP services by opening the iPrism Configuration screen and using the Services tab on the Access menu. For detailed instructions about this, see:

Blocking Non-HTTP Services

If the service you want to block is not in iPrism’s default list, you can manually add the service and then block access to it. For instructions on adding a new service, see:

How to Add a New Service

Can iPrism block by file type?

iPrism filters web sites based on the URL used to access the site. You can create custom filters that block certain types of files based on the file extension, such as .jpg, .vbs, .exe, .zip, .mp3, etc. To read more on this topic, please refer to the Advanced Filter Creation sections of the following topic:

Custom Filters

Can iPrism block someone who is using AOL software?

Yes, you can easily block these users. AOL instant messenger generally uses port 5190 and can be blocked by adding this service. Please follow the instructions in the following section of the Administrator’s Guide:

Blocking Non-HTTP Services

Can iPrism filter email and/or viruses?

iPrism filters web sites based on the URL used to access the site and does not examine the content of a file or email. However, iPrism can block access to Web based email services and block downloads of files by suffix (.vbs, .exe, .zip, etc.), which can help prevent viruses.

Can I install iPrism on networks running a proxy server?

Yes, iPrism can filter traffic on networks running a proxy server. You will need to configure iPrism to filter the port on which HTTP traffic flows to the proxy server. You may also need to specify an upstream proxy server in your iPrism configuration. Please refer to the following topic for more details:

Changing iPrism’s Proxy Port

Filtering Traffic on Other Ports

Setting Up a Parent Proxy

Can iPrism intercept and filter traffic from workstations pointing to another proxy server?

Yes, in bridge mode iPrism can filter HTTP traffic on any specified port. You will need to physically place iPrism in your network between your users and the proxy server so that HTTP traffic passes through iPrism.

Refer to the following topics for additional details.

iPrism as a Bridge

Filtering Traffic on Other Ports

Why are some of my internal networks unable to access the Internet after iPrism is installed?

This is usually due to the lack of static route entries in iPrism. You should add static routes in iPrism to allow iPrism to reach remote internal networks. Even if iPrism is installed in bridge mode, it needs to have routes to remote networks apart from the default route. Please refer to the following topic for details:

How to Add a Static Route

Communication With Other IP Networks

Why does iPrism only filter some of my networks, but not others?

iPrism profiles define the access policy and can be applied to networks based on network range or IP address. If a network is passing unfiltered, you should verify that the correct profile is applied to the network range. To check this, please connect to the iPrism main menu and do the following:

Click on the Configure iPrism button and log in.

From the Access menu, select the Networks tab.

Click on the network range that is not being filtered and check the profile applied to that network range. Make sure that the profile has a proper access policy setup. You can check the ACLs assigned to this profile from the Profiles tab.

Refer to the following topic for more information:

Blocking Subnets and Workstations

NOTE: If iPrism is in bridge mode, network ranges NOT specified in the Networks tab, under the Access menu, will not be filtered.

I am getting tons of emails from users requesting access to various blocked web sites. How do I stop getting “Request Access” email from my users?

From the iPrism Main Menu, click on ‘Configure iPrism,’ log in and follow the steps below:

From the Access menu, click on the Profiles tab.

Select the profile from the Profile List drop down menu.

Right click the ACL you want to remove the link from and choose Edit.

Clear the Request Access Link check box.

Select OK, then OK again in the Editing box.

Exit and save your changes.

NOTE: You can disable this feature on the ACL.

Can iPrism block pop-ups?

iPrism can block the contents of a pop-up if its category rating is blocked via a profile. However, iPrism will not prevent pop-up windows from displaying. There are some freeware programs available on the Internet to prevent the pop-ups.

Auto-Login/Authentication

  • Why isn’t my iPrism asking my users to authenticate when they go out to the Internet?
  • I have enabled HTTPS Authentication on my iPrism. The URL for iPrism’s authentication page says HTTP. Is it sending my users’ login credentials via clear text?
  • Why is my iPrism unable to join the NT or 2000 domain?
  • Why am I getting the error ‘The group was not found on the Domain Controller’ when I try to map my NT groups to an iPrism profile?
  • I have NTLM enabled and some users fail to get authenticated by iPrism. Why do they get an “invalid password” error?
  • I have NTLM enabled, with iPrism configured with Proxy Mode: Basic authentication. My users are asked to authenticate several times and then eventually get an ‘iPrism Access Denied’ page. Why is this?
  • Why is iPrism applying the incorrect profile to the user who logged into my PC?
  • When I log out of my workstation, am I also logged out of iPrism?
  • How do I assign iPrism administrative privileges to my NT/2000 groups?
  • I enabled Authentication on my iPrism, but I don’t see usernames in my reports.
  • How do I configure Auto-Login?
  • I enabled Auto-Login in iPrism, but users are still getting prompted to manually log in.
  • I don’t want to manually configure all my workstations for Auto-Login compatibility. Is there a way to automate this?
  • Does NTLM authentication support multiple domains?
  • Does Auto-Login support multiple domains?
  • Can I use Auto-Login in an LDAP authentication environment?
  • Why are some of my NT/2000 users unable to authenticate in iPrism?
  • Can iPrism use NTLM authentication in an environment running Windows 2000 in native mode?
  • Can I customize the iPrism login page?
  • Which takes precedence, the NTLM or the Network Profile?

Why isn’t my iPrism asking my users to authenticate when they go out to the Internet?

Although you may have configured authentication via NTLM, LDAP or imported a user database into iPrism, authentication must still be enabled for a network. Otherwise your users will not be challenged to authenticate. Please click on the link below for more details on enabling authentication for networks.

Choosing An Authentication Mechanism

I have enabled HTTPS Authentication on my iPrism. The URL for iPrism’s authentication page says HTTP. Is it sending my users’ login credentials via clear text?

No. Although iPrism’s authentication page is HTTP based, the users’ credentials are encrypted when sent from your workstation to iPrism.

Why is my iPrism unable to join the NT or 2000 domain?

Check the following possible causes:

Make sure that a WINS server is reachable and that the WINS service is running.

Check the DOMAIN[1Ch] record in the WINS database (where DOMAIN is the name of the NT/2000 domain).

Check that the Windows 2000 domain is configured with Pre-Windows 2000 Compatible Access.

If you are not running WINS, the Domain Controller and iPrism have to be in the same subnet.

Please see the link below for more information on this topic:
TechNote – External Authentication in iPrism Using NTLM

Why am I getting the error ‘The group was not found on the Domain Controller’ when I try to map my NT groups to an iPrism profile?

Please check the following:

Make sure that your NT/2000 groups are global groups.

Make sure that your Windows 2000 groups are Pre-Windows compatible.

Please see the link below for more information on this topic:
TechNote – External Authentication in iPrism Using NTLM

I have NTLM enabled and some users fail to get authenticated by iPrism. Why do they get an “invalid password” error?

Aside from the obvious reason of misspelling the password or having the Caps Lock on, iPrism is unable to support some special characters that Microsoft Windows supports.

The best way to find out if this is the case is to change the user’s password to normal ASCII and digits and re-test after 10 minutes to allow the changes in your Domain Controller to propagate to iPrism.

I have NTLM enabled, with iPrism configured with Proxy Mode: Basic authentication. My users are asked to authenticate several times and then eventually get an ‘iPrism Access Denied’ page. Why is this?

If you have Proxy Mode configured with Basic authentication enabled on iPrism and your browser is configured to proxy to iPrism, make sure to use a username that is in the format of “domain\username”. If you do not include the domain name, iPrism tries to authenticate the user from its internal user name database instead of querying the domain controller. Please see:

Enabling Authentication in iPrism

Why is iPrism applying the incorrect profile to the user who logged into my PC?

If you find that a user logged in to your PC is getting the same Internet access as you, although you are assigned to different Internet Access Profiles, the following may be the reason:

If authentication is not enabled, Internet access is based on the IP address of the workstation. Therefore, multiple people logging into the same workstation will all get the same level of Internet access.

If authentication is enabled, iPrism maps users to the IP address of your PC until the authentication times out or they manually log out. For more information on configuring authentication or logging out, please click the links below:

Enabling Authentication in iPrism
Ending an Authenticated Session (Logging Out)

When I log out of my workstation, am I also logged out of iPrism?

If you find that a user logged in to your PC is getting the same Internet access as you, although you are assigned to different Internet Access Profiles, the following may be the reason:

If authentication is not enabled, Internet access is based on the IP address of the workstation. Therefore, multiple people logging into the same workstation will all get the same level of Internet access.

If authentication is enabled, iPrism maps users to the IP address of your PC until the authentication times out or they manually log out. For more information on configuring authentication or logging out, please click the links below:

Enabling Authentication in iPrism
Ending an Authenticated Session (Logging Out)

How do I assign iPrism administrative privileges to my NT/2000 groups?

You map groups to iPrism privileges the same way you map groups to iPrism profiles. Please see the link below for more information on this topic:

Mapping Groups to Profiles

I enabled Authentication on my iPrism, but I don’t see usernames in my reports.

Although you may have authentication configured in iPrism (LDAP, NTLM, internal users), unless authentication is enabled, iPrism will not track by username. Therefore, the reporting is based on IP address. Authentication must be enabled on the networks defined in iPrism. For more information on enabling authentication, please click the link below:

Enabling Authentication in iPrism

How do I configure Auto-Login?

To better understand all the steps and requirements for enabling Auto-Login on your iPrism, please click the link below:

Tech Note: iPrism Auto-Login

I enabled Auto-Login in iPrism, but users are still getting prompted to manually log in.

This can be caused by a few different things:

iPrism configuration:

Under Access & the Network Tab, verify that the Auto-Login check box has been checked. The check box for Auto-Login should not be accessible unless HTTP/HTTPS has been selected for transparent mode.

On the workstation there are also a few possibilities:

You may be using a browser other than Internet Explorer (IE)

Workstations may be using iPrism as a proxy server (with their IE’s proxy settings set to proxy to iPrism).

iPrism’s IP address may not have been added to IE’s Local intranet zone, which is required for Auto-Login to operate. Please see the link below for more information on this topic:
Tech Note: iPrism Auto-Login

I don’t want to manually configure all my workstations for Auto-Login compatibility. Is there a way to automate this?

Yes, there is a way to “push” the setting out to all of your workstations’ Internet Explorer settings. This prevents you from having to go to each individual PC and manually adding the required entry. Please click on the following link for information on how to send all workstations the required settings:

Tech Note: iPrism Auto-Login

Does NTLM authentication support multiple domains?

Yes. NTLM authentication will support a multiple domain environment. iPrism can see other domains that trust the domain iPrism is joined to and will be able to authenticate users from the trusted domains. Please see the link below for more information on this topic:

TechNote – External Authentication in iPrism Using NTLM

Does Auto-Login support multiple domains?

Yes. Auto-Login will work in a multiple domain environment. Please see the FAQ above for more explanation. Please see the following for more information on this topic:

TechNote – External Authentication in iPrism Using NTLM

TechNote – iPrism Auto-Login

Can I use Auto-Login in an LDAP authentication environment?

The Auto-Login feature does not work with LDAP authentication. The Auto-Login feature works only with NTLM. For more information on how to configure your iPrism to utilize NTLM and Auto-Login, please click the links below:

TechNote – External Authentication in iPrism Using NTLM

TechNote – iPrism Auto-Login

Why are some of my NT/2000 users unable to authenticate in iPrism?

If most of your users are able to authenticate in iPrism except for a few, please check the user’s access rights in Microsoft Windows. Users that are only permitted to login to specific Microsoft Windows workstations will not be able to authenticate in iPrism. Please modify the user’s account and add iPrism to the list of workstations that the user can log into.

Can iPrism use NTLM authentication in an environment running Windows 2000 in native mode?

Yes. In order for iPrism to authenticate users in an environment running Windows 2000, your domain controller has to allow anonymous connections to the Windows 2000 domain controller for pre-Windows compatible access.

Can I customize the iPrism login page?

Yes. As of iPrism v3.4, the login page that users see while manually authenticating to the iPrism may now be customized to display your own custom text and graphics. Please click on the link below for more information on how to create your own custom iPrism login page:

Editing the Default Authentication Page

Which takes precedence, the NTLM or the Network Profile?

The NTLM Profile mapping takes precedence over the network profile mapping for every network that has authentication enabled. However, the NTLM Fallback Profile can be assigned a default value of “Use Network.” In that case, the profile based on the network range will be assigned to all groups that do not have a group-to-profile mapping. Please click on the link below for more information on how NTLM Profiles and Fallback Profiles work.

Mapping Groups to Profiles

Filter List

  • How do I find out if my iPrism downloaded the latest filter database?
  • Why doesn’t my filter list update nightly?
  • How do I download a filter list manually?
  • Why are all users getting the message, “Filter service expired” in their browsers?
  • Does Auto-Login work for LDAP?
  • How do I block Instant Messaging like AOL, MSN and Yahoo?
  • Why don’t my custom filters work?
  • How do I configure iPrism not to filter a workstation on my network?
  • How do I configure iPrism not to filter traffic going to a specific server?
  • How do I block a user from accessing the Internet except for one or a few web sites?
  • Is there a “real-time” way to see who is currently using the “Override” Admin Privilege?
  • How do I view a list of my custom filters?

How do I find out if my iPrism downloaded the latest filter database?

Go to the iPrism Main Menu, click on the Configure iPrism button and log in.

When the applet loads, click on the Reports menu and select the Security Log tab. Here you can see the filter list age. Although you should normally receive an incremental filter list every day, you should not be concerned unless your incremental filter list is more than four days (96 hours) old.

Why doesn’t my filter list update nightly?

Please make sure that iPrism is configured to download the filter list automatically. This is documented in the following topic:

How to Schedule Daily System Updates

Check that your iPrism can connect to the Update Server: log into the iPrism Status tool, select the Connectivity tab and click on the Connect button. iPrism should return “Connection successful” in the message box.

How do I download a filter list manually?

This procedure is documented in the following topic:

How to Manually Update the Filter List

Why are all users getting the message, “Filter service expired” in their browsers?

This error message means that iPrism does not have a valid filter list. iPrism needs a valid filter list to pass web traffic properly; without one, users trying to access the Internet will receive this error message. There are a few possible reasons that might cause this problem:

There is no valid registration key, or the key has expired. See:

Registration Information

iPrism has not been able to successfully complete a filter update in the past 30 days. This is usually due to network and connectivity problems which prevent iPrism from performing the filter list download.

Check that your iPrism can connect to the Update Server: log into the iPrism Status tool, select the Connectivity tab and click on the Connect button. iPrism should return “Connection successful” in the message box.

Does Auto-Login work for LDAP?

No. Auto-Login can only be configured in an NTLM authentication environment. Please read our Auto-Login Tech Note for more details on the topic:

Tech Note: iPrism Auto-Login

How do I block Instant Messaging like AOL, MSN and Yahoo?

Blocking these Instant Messaging clients involves blocking specific services or ports as well as creating custom filters.

AOL IM
AOL IM uses a wide variety of ports and one of two possible IP addresses.

1. Log into the iPrism Configuration applet.

2. Click on the Access menu, Services (v3.212) or Other Protocols (v3.3) tab.

3. Click on the Add button.

4. Enter the following information in the appropriate fields.
a) Name: AOLIM1
b) Port Start: 0
c) Port End: 65535
d) IP Start: 64.12.161.153
e) IP End: 64.12.161.153
f) Block By: Destination

5. Check the Block Access box.

6. Click OK.

7. Create another service by repeating Steps 3 to 6 for IP address 64.12.161.185 with name AOLIM2.

8. Click on Exit, then the “Save and Exit” button.

ICQ IM
ICQ IM uses a wide variety of ports and one of three possible IP addresses.

1. Log into the iPrism Configuration applet.

2. Click on the Access menu, Services (v3.212) or Other Protocols (v3.3) tab.

3. Click on the Add button.

4. Enter the following information in the appropriate fields.
a) Name: ICQIM1
b) Port Start: 0
c) Port End: 65535
d) IP Start: 64.12.162.57
e) IP End: 64.12.162.57
f) Block By: Destination

5. Check the Block Access box.

6. Click OK.

7. Create two more services by repeating Steps 3 to 6 for IP addresses 64.12.163.130 and 205.188.179.233 with names ICQIM2 and ICQIM3 respectively.

8. Click on Exit, then the “Save and Exit” button.

Yahoo! IM
FIRST: create a Service Port Block.

Log into the iPrism Configuration applet.

Click on the Access menu, Services (v3.212) or Other Protocols (v3.3) tab.

Click on the Add button.

Enter the following information in the appropriate fields.
a) Name: YahooIM
b) Port Start: 0
c) Port End: 65535
d) IP Start: 216.136.0.0
e) IP End: 216.136.255.255
f) Block By: Destination

Check the Block Access box.

Click OK.

Click on Exit, then the “Save and Exit” button.

NEXT: Create a Custom Filter.

Create a Custom Filter to block sc5.yahoo.com. Please review the following for the procedure to create Custom Filters.
How To Create A Custom Filter

MSN Messenger
FIRST: Enable the default MSIM Service Port Block.

Log into the iPrism Configuration applet.

Click on the Access menu, Services (v3.212) or Other Protocols (v3.3) tab.

Click on [MSN Messenger] from the Protocol List.

Click on the Block Access box.

Click OK.

NEXT: Create a Custom Filter.

Create Custom Filters to block messenger.hotmail.com and msgr.hotmail.com.
How To Create A Custom Filter
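
The Services/Other Protocols entries from the AOL, ICQ and Yahoo! procedures above, modelled in Python as an added example (not iPrism code or output): it checks which destinations the entries match, converts each IP Start/IP End pair to CIDR, and flags entries broad enough to block unrelated services. The class and function names, the 256-address review threshold and the sample destinations are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ServiceBlock:
    """One 'Block By: Destination' entry: inclusive IP range and port range."""
    name: str
    ip_start: str
    ip_end: str
    port_start: int = 0
    port_end: int = 65535

    def __post_init__(self):
        # Reject entries that could never match (typos in the Start/End fields).
        if ipaddress.IPv4Address(self.ip_start) > ipaddress.IPv4Address(self.ip_end):
            raise ValueError(f"{self.name}: IP Start is above IP End")
        if not 0 <= self.port_start <= self.port_end <= 65535:
            raise ValueError(f"{self.name}: invalid port range")

    def matches(self, dst_ip, dst_port):
        ip = ipaddress.IPv4Address(dst_ip)
        in_ip = (ipaddress.IPv4Address(self.ip_start) <= ip
                 <= ipaddress.IPv4Address(self.ip_end))
        return in_ip and self.port_start <= dst_port <= self.port_end

    def cidrs(self):
        """The same range as CIDR blocks, e.g. for mirroring on a firewall."""
        nets = ipaddress.summarize_address_range(
            ipaddress.IPv4Address(self.ip_start),
            ipaddress.IPv4Address(self.ip_end))
        return [str(n) for n in nets]

    def address_count(self):
        return (int(ipaddress.IPv4Address(self.ip_end))
                - int(ipaddress.IPv4Address(self.ip_start)) + 1)


# Entries as listed in the FAQ procedures (ports 0-65535 in every case).
RULES = [
    ServiceBlock("AOLIM1", "64.12.161.153", "64.12.161.153"),
    ServiceBlock("AOLIM2", "64.12.161.185", "64.12.161.185"),
    ServiceBlock("ICQIM1", "64.12.162.57", "64.12.162.57"),
    ServiceBlock("ICQIM2", "64.12.163.130", "64.12.163.130"),
    ServiceBlock("ICQIM3", "205.188.179.233", "205.188.179.233"),
    ServiceBlock("YahooIM", "216.136.0.0", "216.136.255.255"),
]


def blocking_rule(dst_ip, dst_port, rules=RULES):
    """Name of the first entry that blocks this destination, or None."""
    for rule in rules:
        if rule.matches(dst_ip, dst_port):
            return rule.name
    return None


def broad_rules(rules=RULES, limit=256):
    """Entries covering more than `limit` addresses on every port.

    `limit` is an assumed review threshold, not an iPrism setting.
    """
    return [r.name for r in rules
            if r.address_count() > limit
            and (r.port_start, r.port_end) == (0, 65535)]


if __name__ == "__main__":
    # Constructed destinations, for illustration only.
    for ip, port in [("64.12.161.185", 5190), ("64.12.161.154", 5190),
                     ("216.136.200.7", 80)]:
        print(ip, port, "->", blocking_rule(ip, port) or "no service entry matches")
    for rule in RULES:
        print(rule.name, rule.cidrs(), rule.address_count())
    print("review for collateral blocking:", broad_rules())
```

The YahooIM entry is the only one flagged: it blocks every port on 65,536 addresses, so anything else hosted in that range is blocked along with the IM service.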

Why don’t my custom filters work?

A Custom Filter re-rates the website to “local allow”, “local deny” or any other category specified while creating the Custom Filter. You then have to make sure that your Profile is configured to allow or block the category configured for that Custom Filter. Please refer to the following for more details on changing ACLs for Profiles.

How To Edit An ACL’s Settings

How do I configure iPrism not to filter a workstation on my network?

This can be achieved by creating a Proxy Exception in iPrism. It is used when you want web traffic from a particular workstation/server in your network to be unfiltered by iPrism. Traffic from the IP range specified will be passed by iPrism. Please note that this works only if iPrism is installed in Transparent bridging mode. Please follow the steps below to configure this type of Proxy Exception in iPrism.

Log into the iPrism Configuration applet.

Click on the Access Menu.

Click on the Proxy Exception tab.

Click on the Add button.

Enter the IP address of the workstation/server you don’t want to be filtered by iPrism in both the IP Start and IP End fields.

Change the Command field to “Don’t proxy from this network.”

Click on the OK button.

Click on Exit, then click the “Save and Exit” button.

How do I configure iPrism not to filter traffic going to a specific server?

This type of Proxy Exception is to be used when you do not want any of your users to be proxied or filtered when accessing a specific website/server. Traffic destined for the specified IP range will not be filtered or proxied by iPrism. If authentication is enabled in iPrism, it will not require authentication to the specified IP range. When the user browses back to any other Internet websites, the traffic is subject to filtering. Please follow the steps below to configure this type of Proxy Exception in iPrism.

  • Log into the iPrism Configuration applet.
  • Click on the Access Menu.
  • Click on the Proxy Exception tab.
  • Click on the Add button.
  • Enter the IP address of the server you want to access in both the IP Start and IP End fields.
  • Change the Command field to “Don’t proxy to this network.”
  • Click on the OK button.
  • Click on Exit, then click the “Save and Exit” button.

How do I block a user from accessing the Internet except for one or a few web sites?

Create a new Profile in iPrism to block all categories except “local1” and “local allow.”
How To Create A Profile

Assign the appropriate Network or Group to this new Profile.
Assigning Profiles to Networks (Workstations)

NTLM Mapping Groups to Profiles

Save and Exit from the iPrism Configuration applet.

Create a Custom Filter for the website you want to enable access to. When creating the Custom Filter, choose the “Select Category” option to rate it as “local1”.
How To Create A Custom Filter

Is there a “real-time” way to see who is currently using the “Override” Admin Privilege?

Yes. Log into the iPrism Configuration applet. Next, go to “Access” and the “Override Management” tab.

How do I view a list of my current filters?

Connect to the Main Menu Administrator page. Click on the Block/Unblock Site button and log in. Once logged in, choose “View and Edit Current Filters.” Your current Custom Filters will be listed.

Miscellaneous

  • Where can I find the descriptions for each of the filtering categories?
  • Which category does this URL belong to?
  • What if a URL is not rated, or rated incorrectly?
  • How do I check the current software version on iPrism?
  • Where do I get the latest version of iPrism software for accessing the configuration applet?
  • Where can I find an updated Installation and Admin Guide for iPrism?
  • How much traffic/throughput can a single iPrism handle?
  • Can I customize the ‘Access Denied’ page?
  • Do I need to save my changes on iPrism before they take effect?
  • What should my HyperTerminal settings be if I need to connect to the console port of iPrism?
  • I forgot my password. What should I do?
  • I know my password, but what is my user login?
  • I forgot my iPrism’s IP address, what should I do?
  • I cannot access iPrism’s configuration from my browser. What should I do?
  • How do I get the ‘Override’ Link or the ‘Request Access’ Link to display on the ‘Access Denied’ page?
  • How can I perform backup/restore of configuration in iPrism?
  • How can I tell if my backup is compatible with my current iPrism version?
  • What are the specifications of iPrism like volts, amps and watts?
  • Does iPrism require service packs, upgrades or hot fixes?
  • How do I view a list of current hot fixes applied to my iPrism?
  • Will I need to reboot iPrism after installing a hot fix?
  • We are upgrading our iPrism hardware to a model 1200. Is there an easy way to transfer our current configuration and user information from one box to another?
  • How much memory and disk space does the iPrism model 1200 have?

Where can I find the descriptions for each of the filtering categories?

Please refer to iPrism Site Rating Category Descriptions

Which category does this URL belong to?

You can check which category a URL belongs to as follows:

Go to the iPrism web page Main Menu-Administrator, click on the Block/Unblock Site button and login.

Select Check Site Ratings

Enter the site’s URL in the Location field and click the Next button.

What if a URL is not rated, or rated incorrectly?

You can submit that URL to our iGuard team for review. If the URL is not rated or incorrectly rated, it will be re-rated and added to the database. This database is uploaded to your iPrism automatically during the nightly filter list update. To submit a URL for review, send the URL via email to url-review@stbernard.com

How do I check the current software version on iPrism?

In the iPrism Configuration applet, click on the Reports menu and click the About tab. See About iPrism Tab

Where do I get the latest version of iPrism software for accessing the configuration applet?

Access the iPrism via its IP address in a browser.

Where can I find an updated Installation and Admin Guide for iPrism?

The Installation Guide is available in PDF format at iPrism Installation Guide

The Administrator’s Guide is available in both HTML and PDF format and can be found on the iPrism Admin Guide page.

How much traffic/throughput can a single iPrism handle?

There are numerous factors involved in calculating the traffic handling capacity of iPrism and actual performance will depend upon Internet usage patterns. iPrism supports 10/100 full duplex NIC cards and can transparently bridge non-HTTP traffic (e.g. real audio, video stream, etc.) at up to 90 Mbps. Filtering performance depends on the web utilization level at your organisation. The newest hardware platform (released October 2003) can handle approximately 15 Mbps of HTTP traffic.

Can I customize the ‘Access Denied’ page?

Yes, there are two ways to do this in v3.4. You can configure iPrism to use a web page from your web server as the access denied page or you can modify the existing access denied page via the HTML Template Manager. Please see the following topic for configuration details:
Changing the Access Denied and Authentication Pages

Make sure that your custom page utilizes absolute URLs rather than relative links. If you want the rating of a URL to be displayed on this custom denied page, please refer to the following:
TechNote: Custom Denied Pages

Do I need to save my changes on iPrism before they take effect?

Yes. Changes made in the configuration applet are not uploaded to iPrism unless they are saved. Once saved, iPrism takes about 15 seconds to apply and load the changes into memory. Web access may become unavailable for a few seconds during reconfiguration.

What should my HyperTerminal settings be if I need to connect to the console port of iPrism?

You need the following settings on your HyperTerminal com port:

Speed: 9600 bits per second
Data Bits: 8
Parity: None
Stop bits: 1
Flow Control: None

I forgot my password. What should I do?

You can change iPrism’s password by connecting the console port to a workstation with a serial/console cable and opening a HyperTerminal session (see “What should my HyperTerminal settings be if I need to connect to the console port of iPrism?”). When the iPrism console menu appears, follow the steps below:

Choose option 8, [Enter].

Enter the new password, confirm it, and hit [Enter].

Choose [Shift + S] to save and hit [Enter].

Hit [Enter] again.

I know my password, but what is my user login?

The Administrator account user name for iPrism always remains the same. It is ‘iprism’.

I forgot my iPrism’s IP address, what should I do?

Connect the console port to a workstation with a serial/console cable and open a HyperTerminal session (see “What should my HyperTerminal settings be if I need to connect to the console port of iPrism?”). When the iPrism console menu appears, choose option 10 to display the current IP setup, which includes the IP address assigned to iPrism.

I cannot access iPrism’s configuration from my browser. What should I do?

If you are trying to access the iPrism configuration applet through its external Ethernet interface, you will need to add the IP range of your workstation in the co-management field. In addition, if iPrism is behind a firewall, you will need to open TCP ports 1001 and 4474.

iPrism’s configuration applet is Java based. Web browsers sometimes have Java compatibility issues that can cause problems accessing the applet. We strongly recommend that customers use the configuration software application to configure iPrism. The configuration software can be downloaded from here:

iPrism Configuration Software

How do I get the ‘Override’ Link or the ‘Request Access’ Link to display on the ‘Access Denied’ page?

The display of these links is controlled as part of each ACL. These settings can be different for each ACL within a profile. Refer to the following:

How to Edit an ACL’s Settings

How can I perform backup/restore of configuration in iPrism?

Please refer to the following topic for details on how to backup and restore your iPrism configuration:

Backing Up and Restoring iPrism’s Settings

How can I tell if my backup is compatible with my current iPrism version?

You can check your current Software and Protocol version by logging into the Configuration applet and clicking on the Reports menu, About tab.

iPrism backup files are named using the Software and Protocol version and the type of backup. The first four characters represent the software version of your iPrism.

What are the specifications of iPrism like volts, amps and watts?

The specifications are as follows:

Slim 1U high, rack-mountable size

Dimensions: 1.75″H x 17″ W x 13.5″D

Weight: 12.2 lbs

10 Base-T/100Base-TX Full Duplex Ethernet interfaces

AC Power: 115-230 VAC, 50-60 Hz, 6.0A @115V

Operating Temperature: 10 to 30 degrees C

Does iPrism require service packs, upgrades or hot fixes?

Every product, from time to time, requires some form of service packs, upgrades or hot fixes to address a number of topics such as security, feature enhancements, or product customizations. iPrism is no different. As of iPrism version 3.4, iPrism manages this process with its HotFix Manager. For more information on how iPrism’s HotFix Manager works and if your iPrism requires a hot fix, please see:

Managing iPrism Updates with the HotFix Manager

How do I view a list of current hot fixes applied to my iPrism?

Using your web browser, connect to the Main Menu Administrator page. Click on the HotFix Manager button and log in. Once logged in to the HotFix Manager, the currently installed hot fixes will be listed under the “Installed HotFixes” window.

Will I need to reboot iPrism after installing a hot fix?

Yes. To enable HotFixes, iPrism must be rebooted after the HotFix has been installed.

We are upgrading our iPrism hardware to a model 1200. Is there an easy way to transfer our current configuration and user information from one box to another?

Yes, you can restore your version 3.3, 3.4 or 3.402 backup onto a model 1200 running version 3.5. Just create a new backup of your model 1000 or 1100 iPrism without the log files. When you go through the Installation Wizard of your new iPrism and you are asked to start a new configuration or restore from a backup, select the restore option and then provide your old backup. The iPrism will automatically reboot once the restore process is complete. At this point, when you create a new backup of your new iPrism, it will be in v3.5 or the version that your new iPrism was shipped with.

How much memory and disk space does the iPrism model 1200 have?

The model 1200 iPrism has 512MB of memory and 1.2GB of hard disk space available for logs. The iPrism can hold up to 1.2GB of compressed logs.