Sonar 3.5.3 Release Notes December 2015


Copyright 2015 © Blue Reef Pty Ltd. All rights reserved. This document is for informational purposes only. Blue Reef Pty Ltd assumes no responsibility for the accuracy or completeness of the information. To the extent permitted by applicable law, Blue Reef provides this document "as is" without warranty of any kind, including, without limitation, any implied warranties of merchantability, fitness for a particular purpose or non-infringement. In no event will Blue Reef be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, business interruption, goodwill or lost data.

Before You Start
Requirements
Sonar 3.5.3 New Features and Enhancements
  Ethical SSL Solution
    Transparent Proxy
    Upstream Cache Tunnelling
    Ethical SSL Inspection
    SSL On-boarding
    Transitive Trust
    HTTP Header Control
    Acceptable Use Policy (AUP) Acceptance Expiry
    SMTP TLS
  Reporting Enhancements
    YouTube Reports
    Search Engine Reports
    Category Reports
Resolved Issues
  Block Page URL Issue
  Domain Authentication Monitor
  Foreign Language in URL causing Null Pointer exceptions
  SMTP Profile/Server changes not applying
  Database Pool Size Maxing Out

Before You Start

Before you install the latest version of Sonar, it is recommended that you read the release notes and pay particular attention to sections marked by the following icon: which indicates important setup / configuration information as well as any additional notes or further explanation.

Requirements

Your current Sonar version must be at least 3.5.0 before you can update to Sonar 3.5.3. If you are using an earlier version, please contact our support team about your options.

Checking your Sonar Version

The first three version numbers are displayed in the title bar of the Sonar management console.

To view the release version:

Log in to the Sonar management console and check the version number (as per below).

It is important to note that you must be running at least Java 7 in order to run both the Admin GUI and the Java Authentication Client. Any versions previous to this may experience some unexpected issues.

Sonar 3.5.3 New Features and Enhancements

Ethical SSL Solution

Sonar v3.5.3 features an Ethical SSL Solution specifically designed for schools who understand that it’s part of their Duty of Care to teach students to use the internet responsibly, and ultimately guide them on their journey to becoming good digital citizens.

With this in mind, Sonar v3.5.3 introduces two key components - A fully transparent HTTPS Proxy, and Ethical SSL Inspection. In addition to these, other key enhancements have been made to help facilitate the solution. A brief overview is given below, with detailed explanations of each on the following pages.

Improvements have been made to Sonar’s Transparent Proxy, now allowing transparency for HTTPS as well as HTTP, without the need for SSL Inspection. As such, Users no longer require any explicitly set proxy settings and all devices (including those that are BYOD) are compatible.

Sonar can now perform Ethical SSL Inspection, giving the school granular control over HTTPS sites whilst still maintaining an acceptable level of User privacy. In addition to content inspection and re-writes, SSL Inspection also allows Sonar to run in-depth reports on User activity.

As part of its Ethical SSL Solution, Sonar has introduced a seamless on-boarding process, which allows BYOD devices to be guided through Acceptable Usage Policies and be configured for SSL Inspection without the need for IT Support.

Sonar also introduces HTTP Header Control, which ensures that only safe content is served from YouTube, Google, Bing and similar content-controlled sites. This allows for greater control over access to Google Apps, allowing Users to only log in using their email registered with the school and/or organisation.

The next pages will explain in detail the extent of these new features, and how they can help your school.

Transparent Proxy

With v3.5.3, Sonar utilises the HTTPS/TLS Server Name Indication (SNI) header to Transparently Proxy HTTPS without the need for SSL Decryption. The Transparent Proxy also works seamlessly behind a Department or CEO Proxy, and BYOD Devices do not require any additional configuration to work.

Previously, Blue Reef encouraged the use of WPAD or Proxy PAC files to take advantage of Sonar’s Proxy capabilities. These required hosting a file on a local server, and configuring a DNS Record for WPAD.

Sonar’s Transparent Proxy no longer requires any extra configuration to be done outside the Sonar device itself, providing a more unified, application-aware Proxy that is compatible with all devices and services.

Upstream Cache Tunnelling

Sonar is now Application Aware! Sonar will detect and process non-Proxy aware applications even if your school is behind an upstream proxy (such as CEO or VicSmart). For example, Skype’s iOS App does not detect nor support any Proxy Settings but works seamlessly with Sonar’s Upstream Cache Tunnelling in place.

There is no required configuration to enable Upstream Cache Tunnelling. With the upgrade to v3.5.3 it will be available to use out of the box.

Ethical SSL Inspection

In addition to the Transparent Proxy, v3.5.3 introduces Ethical SSL Inspection and Decryption. This provides three levels of Inspection:

Light – limited to Search Engines and Anonymous Proxies.

Medium – limited to Search Engines, Anonymous Proxies, Webmail, Chat and Social Networking.

Heavy – Inspects all encrypted HTTPS traffic except Banking and Finance.

These three levels only provide a template of the type of traffic you want to inspect within each Group on Sonar. Once configured, you can freely add or remove Filtering Categories that you want to inspect, just like you would with Filtering Exceptions or Block lists.

It is important to note that Sonar’s Ethical SSL Inspection does not have to be enabled to Transparently Proxy HTTPS Traffic. This feature is fully optional, and can be enabled, controlled, and maintained at a Group level.

SSL On-boarding

It’s a known fact that the use of SSL Inspection requires a Certificate to be installed on the client device. While in a Windows Environment this can be easily achieved with Group Policy, it is rarely as easy with BYOD Devices and other Operating Systems, especially if the user is unfamiliar with the process.

Sonar’s On-boarding process is able to detect what device and operating system is being used, and provides guided, easy-to-follow instructions on how to install the Certificate on their device, without them having to contact IT Support.

Below is what a user will see if On-boarding is enabled in their Group Settings. Users can choose to run an automatic installer to install the Certificates or do it manually. BYOD handheld devices (such as iPhones or Android phones) however will have to install the Certificate manually:

It is important to note that for the On-boarding instructions to appear, the initial page opened must be a HTTP site, as without the Certificates, we cannot redirect HTTPS to HTTP.

Transitive Trust

Sonar now has the ability to identify and block fraudulent sites with the Transitive Trust feature.

What is Transitive Trust? Every HTTPS site you visit is usually signed and verified with a valid SSL Certificate issued by a trusted party (usually a trusted root Certificate Authority, or CA). If a site does not have a valid SSL Certificate, your browser normally notifies you to let you know that the site is “untrusted” and may be harmful.

With Transitive Trust, Sonar is now able to verify the CA for the browser, and block access to the fraudulent site to prevent any harmful activity from occurring.

The option to block or allow unsafe SSL Sites is configurable in Sonar’s Proxy Settings. Allowing access to unsafe sites will simply trigger the default browser warning for the user. Transitive Trust is a global setting, and cannot be configured per-group.

HTTP Header Control

With the introduction of SSL Inspection, Sonar gives you the power to ensure safer content delivery across all major search engines and video streaming sites.

Due to Google and YouTube defaulting to SSL in the past, enforcing safe search with Sonar was a difficult task. Now, not only can Sonar guarantee safe content, it also gives Administrators complete control over other web-based services such as Google Apps, as well as Cookie control.

Some schools utilise Google Apps for work. This commonly means that they have to open access to all Google services, thus allowing users to log into their personal accounts as well. With HTTP Header Control, Sonar can now explicitly allow users to log in only with their school account, and block all access to personal accounts. In the example below, we restrict users to only allow them to log into their email accounts that have the @bluereef.com.au domain. All other domains such as @gmail.com will be blocked:

Safe Search Rewrites will once again work for all major search engines such as Google, Bing and Yahoo. YouTube for Education will also be configurable. This can be achieved by entering the Header for YouTube and the Education filter value they provide you, as per the example below. This means any search request that a User issues will only return results relating to YouTube Education:

Cookie Manipulation

You can also deny logins altogether, using Cookie Manipulation. By leveraging this technique, Sonar can grant access to sites such as YouTube, but prevent users from signing into their personal accounts to access or upload other content.
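The kind of request rewrite an inspecting proxy performs for the Google Apps domain restriction and the Safe Search rewrite described in this section, as an added Python example (not Sonar's code or its GUI configuration). It assumes Google's `X-GoogApps-Allowed-Domains` request header and `safe=active` search parameter; `apply_header_control` and the host suffix list are hypothetical names chosen for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

ALLOWED_DOMAINS = "bluereef.com.au"                 # domain from the example above
GOOGLE_SUFFIXES = ("google.com", "google.com.au")   # assumed scope of the rule
CONTROL_HEADER = "X-GoogApps-Allowed-Domains"

def _matches(host, suffixes):
    # Exact host or a true subdomain only, so "google.com.evil.example"
    # and "notgoogle.com" do not match.
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)

def apply_header_control(url, headers):
    """Return (url, headers) as forwarded upstream after inspection.

    headers is a list of (name, value) tuples taken from the decrypted request.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    # Drop any client-supplied copy of the control header (case-insensitive),
    # so a user cannot pre-set a different allowed domain.
    out = [(k, v) for k, v in headers if k.lower() != CONTROL_HEADER.lower()]
    if _matches(host, GOOGLE_SUFFIXES):
        out.append((CONTROL_HEADER, ALLOWED_DOMAINS))
        if parts.path == "/search":
            # Replace whatever "safe" value the client sent with safe=active.
            query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
                     if k != "safe"]
            query.append(("safe", "active"))
            parts = parts._replace(query=urlencode(query))
    return urlunsplit(parts), out
```

Both rewrites operate on the decrypted request, so they only take effect for Groups where SSL Inspection covers the relevant sites.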

Acceptable Use Policy (AUP) Acceptance Expiry

Previously, Sonar’s AUP functionality was quite restricted. You could only set the AUP to appear on either a User’s initial login, or every time a user logs in.

Modifications have now been made to Sonar’s existing AUP system. The Acceptable Use Policy is now able to be reset Daily, Weekly, Monthly or Yearly, in addition to the First Logon and Every Logon options that were previously available.

SMTP TLS

Updates have been made to Sonar’s SMTP Mail Engine allowing it to use TLS by importing a certificate. This will ensure that mail configurations such as hybrid Office 365 setups are able to pass mail in and out of Sonar’s Mail Engine for SPAM filtering and Heuristic Checks.

Reporting Enhancements

There have been further enhancements made to Sonar’s reporting system, including the addition of several new reports that can identify potential behavioural problems and self-harm within the school and/or organisation.

YouTube Reports

Three brand new, detailed reports have been added to the Sonar Reporting Family. Previously due to Google and YouTube encrypting their traffic, running reports on what students were searching for on Google and YouTube during school hours was impossible.

However, leveraging SSL Inspection, Sonar can now thoroughly report on all traffic going through Google and YouTube, and effectively run detailed reports on where students are going and the content for which they are searching.

Below is an example report of a User’s browsing and search queries through YouTube, and the videos they have viewed:

Search Engine Reports

In addition to YouTube Reports, Sonar can run reports on Google search queries. Google search reports can also be refined with the use of keywords and expressions. The report below is an example of a report run on Google, using keywords relating to self-harm.

Category Reports

The last report we’ve added to Sonar is the ability to run reports on Categories. Previously, Sonar could run User reports to display which websites a User was visiting, but could not run a report on a User for visits to a site under a single Category (for example, a User going to websites categorised as “Nudity”). In the example below, we have run a report on a User with the Category tag “News” to see all the News-related websites they have visited:

Resolved Issues

Block Page URL Issue

Sonar had an issue where users could appear to change the Category of a website displayed on the Block Page by editing the URL. This is no longer the case, as the Block Page redirect link will now be a default URL.

Domain Authentication Monitor

Previously, when a Domain Controller with the AD Passthrough Agent installed was rebooted, administrators had to manually go into Sonar’s GUI under Network Authentication Servers Domain Authentication Monitor and re-enable the Monitor manually for Active Directory logins to be successfully passed through Sonar. This has now been changed to be a configurable task. You can enable either Automatic or Manual Enablement in Sonar’s Proxy settings in the GUI.

Foreign Language in URL causing Null Pointer exceptions

It was discovered in Sonar v3.5.2 that if a foreign language character was entered into a URL, for example, via a search query in Google or Bing, a Null Pointer Exception would be thrown in Sonar’s Proxy. This has now been resolved.

SMTP Profile/Server changes not applying

There was previously an issue with Sonar’s SMTP service not properly applying profile or server configuration changes when hitting “Apply” in the GUI. A full restart of the SMTP engine was required to make any changes active. This has now been resolved and hitting “Apply” within the GUI will now apply changes immediately.

Database Pool Size Maxing Out

There was an issue in Sonar v3.5.2 where Database connection pools were reaching their limits, which resulted in browsing issues for Users. This has now been resolved.