Protocols White List Dialog Box
(Regular/Offline Profile)
Use this dialog box to define, edit, export, import and delete the online (regular) or offline Protocols White List.

The Protocols White List lets you selectively allow network communication over any supported protocol regardless of the existing protocol blocking settings. The white list is most effective in "least privilege" scenarios, where you block all protocol traffic and then specifically authorize only what employees require to perform their daily job duties.

NOTE: Data transfers allowed by the Protocols White List are not audited or shadow copied; only the whitelisted connections themselves are audited.

The white list consists of rules, each associated with a specified protocol. Each rule specifies the users or groups it applies to and carries a set of parameters. These parameters fall into two categories:
- General parameters that apply to all protocols.
- Protocol-specific parameters.

You can define the following general parameters for a white list rule:

Protocol: Specifies the protocol the rule applies to. The following protocols are supported: "Any", File Sharing, FTP, HTTP, ICQ/AOL Messenger, IRC, Jabber, Mail.ru Agent, MAPI, Skype, SMB, SMTP, Social Networks, SSL, Telnet, Web Mail, Windows Messenger, and Yahoo Messenger. With a white list rule created for the "Any" protocol, you can allow client connections to the specified hosts and/or ports regardless of the protocol used to establish the connection.
NOTE: Connections allowed by a white list rule created for the "Any" protocol cannot be blocked by Basic IP Firewall rules.

Name: Specifies the name of the rule.

You can define the following protocol-specific parameters for a white list rule:

Content Inspection: Applies to all protocols except "Any", SSL, Telnet, and SMB. Specifies whether content inspection is performed on the whitelisted connection according to the defined Content-Aware Rules. If this option is disabled, or no Content-Aware Rule is defined for the connection, content inspection is not performed.

If this rule triggers: Applies to the "Any" and SSL protocols. Specifies the following additional actions to be performed when the rule triggers:
- Send Alert: Specifies that an alert is sent whenever the rule triggers. DeviceLock sends alerts on the basis of the alert settings; before enabling alerts for a specific white list rule, you must configure alert settings in Service Options.
- Log Event: Specifies that an event is logged in the Audit Log whenever the rule triggers.

Hosts: Applies to the "Any", FTP, HTTP, ICQ/AOL Messenger, IRC, Jabber, Mail.ru Agent, MAPI, SMB, SMTP, SSL, Telnet, Windows Messenger, and Yahoo Messenger protocols. Specifies a list of allowed hosts for this rule. If this list is specified, connections to these hosts are not blocked. Hosts may be specified in any of the following formats:
- DNS name (for example, www.example.com). You can use the asterisk (*) wildcard character in DNS names; for example, *.example.com denotes any server whose name ends in the specified name.
CAUTION: Adding host names with wildcards to the white list for any protocol other than HTTP does not guarantee that the white list rule works as expected. Because DeviceLock uses the local Hosts file for host name resolution, a malicious user with local administrator rights can modify the Hosts file to bypass DeviceLock security policies. For example, if the white list allows HTTP access to gmail.com, a malicious user with local administrator rights can gain access to the unauthorized site www.ru by adding the "194.87.0.50 gmail.com" entry to the Hosts file. To minimize this risk, we recommend that you specify IP addresses instead of host names.
- IP address (for example, 12.13.14.15). You can specify a range of IP addresses separated by a dash (-) (for example, 12.13.14.18-12.13.14.28). You can also specify a subnet mask for the IP address in the format IP address/subnet mask width in bits (for example, 3.4.5.6/16).
Multiple hosts must be separated by a comma (,) or semicolon (;); you can also press ENTER after each entry. You can mix hosts in the different formats described above (for example, www.microsoft.com; 12.13.14.15, 12.13.14.18-12.13.14.28).
NOTES: When adding hosts to the white list, consider the following:
- If objects (images, scripts, video, Flash files, ActiveX, etc.) on a web page are downloaded from other hosts, you must add those hosts to the white list for the page to load correctly.
- If you specify hosts but do not specify ports, the hosts can be accessed through all available ports.
- An application with an embedded SSL certificate (for example, Microsoft Office Communicator, Dropbox, the iTunes Google contacts synchronization module, etc.) fails to connect to its server while the NetworkLock module is active. The NetworkLock module becomes active when you define settings for protocols. To resolve this, add the server host to the white list for SSL; you can use TcpView to look up the server host. Note that whitelisting a server host causes all SSL traffic between the application and that host to bypass access control, audit, shadow copying and content filtering.

Ports: Applies to the "Any", FTP, HTTP, ICQ/AOL Messenger, IRC, Jabber, Mail.ru Agent, SMTP, SSL, Telnet, Windows Messenger, and Yahoo Messenger protocols. Specifies the port or ports to open for this rule. If this list is specified, connections through these ports are not blocked. You can specify either a single port or an inclusive range of ports separated by a dash (-). For example, to open port 25, specify 25; to open ports 5000 to 5020 inclusive, specify 5000-5020. Multiple ports or port ranges must be separated by a comma (,) or semicolon (;), for example 25, 36; 8080, 5000-5020. You can also press ENTER after each entry.
NOTE: If you specify ports but do not specify hosts, users can access all hosts reachable through the specified ports.
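As an added illustration (example code written for this page, not DeviceLock's own implementation, whose internals the dialog does not describe), the following Python parses the Hosts and Ports syntax described above and applies the documented combination rule: an empty Hosts list means any host, an empty Ports list means any port. DNS entries are matched by name only, which is the reason the caution above recommends IP addresses where name resolution cannot be trusted.

```python
import ipaddress
import re

def split_entries(text):
    """Split a dialog list: entries separated by comma, semicolon or ENTER."""
    return [e.strip() for e in re.split(r"[,;\n]", text) if e.strip()]

def parse_host_entry(entry):
    """Return a predicate (ip, hostname) -> bool for one Hosts entry, which may be
    a CIDR (3.4.5.6/16), an IP range (a-b), a single IP, or a DNS name with '*'."""
    try:
        if "/" in entry:
            net = ipaddress.ip_network(entry, strict=False)
            return lambda ip, name: ip is not None and ip in net
        if "-" in entry:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            return lambda ip, name: ip is not None and lo <= ip <= hi
        addr = ipaddress.ip_address(entry)
        return lambda ip, name: ip == addr
    except ValueError:
        pass  # not an address form: treat the entry as a DNS name
    # '*' matches any run of characters; names are compared case-insensitively
    pat = re.compile(re.escape(entry.lower()).replace(r"\*", ".*") + r"\Z")
    return lambda ip, name: name is not None and pat.match(name.lower()) is not None

def parse_ports(text):
    """Parse '25, 36; 8080, 5000-5020' into inclusive (low, high) tuples."""
    ranges = []
    for entry in split_entries(text):
        lo, _, hi = entry.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not 0 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"invalid port entry: {entry!r}")
        ranges.append((lo_i, hi_i))
    return ranges

def rule_allows(hosts_text, ports_text, port, ip=None, hostname=None):
    """Does a connection to (ip or hostname, port) fall under this rule?
    Per the dialog's notes: empty Hosts means any host, empty Ports means any port."""
    host_preds = [parse_host_entry(e) for e in split_entries(hosts_text)]
    port_ranges = parse_ports(ports_text)
    ip_obj = ipaddress.ip_address(ip) if ip else None
    host_ok = not host_preds or any(p(ip_obj, hostname) for p in host_preds)
    port_ok = not port_ranges or any(lo <= port <= hi for lo, hi in port_ranges)
    return host_ok and port_ok

# Constructed rule built from the example values given in the dialog text.
HOSTS = "www.microsoft.com; 12.13.14.15,\n12.13.14.18-12.13.14.28"
PORTS = "25,\n36; 8080, 5000-5020"
```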

SSL: Applies to the File Sharing, FTP, HTTP, ICQ/AOL Messenger, IRC, SMTP, and Web Mail protocols. Sets the SSL options. The following SSL options are available:
- Allowed: Allows SSL connections.
- Denied: Disallows SSL connections.
- Required: Requires that all connections use SSL.

Local sender ID(s): Applies to the ICQ/AOL Messenger, Jabber, Mail.ru Agent, Skype, Windows Messenger, and Yahoo Messenger protocols. Specifies a list of identifiers for local users who are allowed to send instant messages. If this list is specified, instant messages from these users are not blocked. Identifiers take the following forms:
- ICQ/AOL Messenger users are identified by numbers called UINs (for example, 111222, 23232323).
- Jabber users are identified by Jabber IDs in the format user@example.com.
- Mail.ru Agent users are identified by mail.ru e-mail addresses in the format user@mail.ru.
- Skype users are identified by Skype names.
- Windows Messenger users are identified by e-mail addresses in the format user@example.com.
- Yahoo Messenger users are identified by any of the following user ID types: Yahoo! ID (<username> or <username>@yahoo.com), Rocketmail (<username>@rocketmail.com), Ymail (<username>@ymail.com).
Multiple user identifiers must be separated by a comma (,) or semicolon (;). You can also press ENTER after each entry.

Remote recipient ID(s): Applies to the ICQ/AOL Messenger, Jabber, Mail.ru Agent, Skype, and Yahoo Messenger protocols. Specifies a list of identifiers for remote users who are allowed to receive instant messages. If this list is specified, instant messages to these users are not blocked.

Local sender Email(s): Applies to the MAPI, SMTP, and Web Mail protocols. Specifies a list of allowed e-mail senders for this rule. If this list is specified, mail from these senders is not blocked. Use the format user@domain.com for a sender address. You can use the asterisk (*) as a wildcard character to specify a group of addresses; it can appear before or after the at sign (@). For example, to allow mail from all users in a domain, type *@domain.com. Multiple e-mail addresses must be separated by a comma (,) or semicolon (;). You can also press ENTER after each entry.
NOTE: When adding senders or recipients to the white list for Web Mail, keep in mind that messages sent from a Web mail application are kept in the Sent Items folder and can be forwarded to any address from any computer.

Remote recipient Email(s): Applies to the MAPI, SMTP, and Web Mail protocols. Specifies a list of allowed e-mail recipients for this rule. If this list is specified, mail to these recipients is not blocked.

Social Networks: Applies to the Social Networks protocol. Specifies a list of allowed social networking sites for this rule. If this list is specified, these social networking sites are not blocked.

Web Mail Services: Applies to the Web Mail protocol. Specifies a list of allowed Web-based e-mail services for this rule. If this list is specified, e-mail messages sent through these services are not blocked.

To define the Protocols White List
1. In the left pane of the Protocols White List dialog box, under Users, click Add. The Select Users or Groups dialog box appears.
2. In the Select Users or Groups dialog box, in the Enter the object names to select box, type the names of the users or groups for which you want to define the Protocols White List, and then click OK. The users and groups that you added are displayed under Users in the left pane of the Protocols White List dialog box. To delete a user or group, select it, and then click Delete.
3. In the left pane of the Protocols White List dialog box, under Users, select the user or group. You can select multiple users or groups by holding down the SHIFT key or the CTRL key while clicking them.
4. In the right pane of the Protocols White List dialog box, under Rules, click Add. The Add Rule dialog box appears.
5. In the Add Rule dialog box, specify the general and protocol-specific parameters for this rule.
6. Click OK. The rule you created is displayed under Rules in the right pane of the Protocols White List dialog box.
7. Click OK or Apply.

To edit a white list rule
1. In the left pane of the Protocols White List dialog box, under Users, select the user or group for which you want to edit the rule. Selecting users or groups displays the white list rules applied to them under Rules in the right pane of the dialog box.
2. In the right pane of the Protocols White List dialog box, under Rules, select the rule you want to edit, and then click Edit.
- OR -
Right-click the rule, and then click Edit. The Edit Rule dialog box appears.
3. In the Edit Rule dialog box, modify the rule parameters as required.
4. Click OK to apply the changes.

To export the Protocols White List
1. In the right pane of the Protocols White List dialog box, under Rules, click Save. The Save As dialog box appears.
2. In the Save As dialog box, in the Save in box, browse to the location where you want to save the .pwl file. When you export the Protocols White List, it is saved in a file with a .pwl extension.
3. In the File name box, type the file name you want.
4. Click Save.

To import the Protocols White List
1. In the right pane of the Protocols White List dialog box, under Rules, click Load. The Open dialog box appears.
2. In the Open dialog box, in the Look in list, click the location that contains the file you want to import.
3. In the folder list, locate and open the folder that contains the file.
4. Click the file, and then click Open. You can import only one .pwl file at a time.

To delete a white list rule
In the left pane of the Protocols White List dialog box, under Users, select the user or group to which the rule applies. In the right pane of the Protocols White List dialog box, under Rules, select the rule, and then click Delete (or right-click the rule, and then click Delete).