SunScreen 3.1 Reference Manual

Common Objects

Common objects are the components or data objects that you use to make up policy rules. Before you write these rules, you add the common objects that you plan to use in the rules.

After the common objects have been added, they are stored in a database and can be used over again to create rule sets for additional policies.

Save Is Not Required With Certain Common Objects

Certain common objects that appear in the administration GUI (they are listed in the Note below) are saved automatically when they are edited or when new objects are added. You do not need to save these objects. Once these objects are added or edited, the change is stored immediately and cannot be reversed, and the Save button in the administration GUI is greyed out to show that it is inactive.


Note -

Although the changes made to these objects are saved immediately, they do not take effect until a policy is activated. The objects that the administration GUI saves in this way are authorized users (authuser objects), proxy users (proxyuser objects), and Jar signatures and Jar hashes.


Service

Use the service common object to identify network services that a Screen will use to filter packets. The service common object has two subtypes, single service and service group.


Note -

Add a new service with the values you need rather than editing the default values of an existing service; leaving the defaults intact makes troubleshooting easier.


Single Service

You add new network services and edit the filtering activities applied when a service is used in a rule. You add a new single service using the Service dialog box that appears when you select New Single Service from the Add New combo box in the Common Objects panel, shown in FIGURE 5-14.

Figure 5-14 Service Dialog Box for a New Single Service

Graphic

You control the filtering activities by specifying what packet-filtering engine you want to use and the various discriminators and parameters applicable to that filtering engine.

FIGURE 5-15 shows the filter table of the Service dialog box for a new single service.

Figure 5-15 Service Dialog Box for a New Single Service with Expanded Filter Table

Graphic

TABLE 5-15 describes the controls in the Service dialog box for a single service.

Table 5-15 Controls for Service Dialog Box for Single Service

Control 

Description 

Configuration Information 

Name 

Specifies the name of the service object. 

Description  

(Optional) Provides a brief description about the service object. 

Screen 

(Optional) Restricts the service so that it applies to the selected Screen only. The default (All) means that all Screens recognize this object unless an object exists that has been specifically defined for a particular Screen and has the same name as the Screen for which it is defined.

Filter Table Information 

Filter Table 

Displays the filter entries that define the single service. 

  1. The Add Filter button adds a row to the filter table so that you can define additional forward filters for the service.

  2. The Add Port button adds ports for use by the forward filter. This button becomes active when you click the Port field of the filter table.

  3. The Delete button deletes the highlighted row in the table. You click a row in the table to highlight it.

Filter 

Identifies the state engine. 

Port 

Identifies the port number, program number, or type used by the forward filter. 

Broadcast 

Determines whether rules that use this service allow communication to broadcast or multicast addresses. A filter entry applies either to broadcast addresses or to nonbroadcast addresses, not to both: if you want the service to work for both, you must enter separate table entries for broadcast and for nonbroadcast traffic. 

Parameters 

Overrides the default values of the selected packet-filter state engine. Each state engine has its own set of parameters; refer to Appendix C, Services and State Engines, for the default parameter values and their meaning.

Reverse 

Determines whether the filter applies to packets originating from the host in the To address of a rule and going to the From address of a rule.  

OK Button 

Stores the new or changed information and makes the Save Changes command button active. 

Cancel Button 

Cancels any new or changed information. 

Help Button 

Displays the page of online help for this common object. 
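The filter-table semantics described in TABLE 5-15 (one row per state engine and port, a Broadcast flag that makes a row apply only to broadcast or multicast destinations, and a Reverse flag that makes a row apply to traffic from the rule's To address back toward its From address) can be modelled to check a service definition before it is used in a rule. The following Python is an added illustrative model, not SunScreen code; the dataclass names, the choice to model each rule address as a single network, and the sample services are this example's own assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional, Tuple

# Added illustrative model of a single-service filter table; not SunScreen code.
# Each Filter is one row of the Filter Table in the Service dialog box.


@dataclass(frozen=True)
class Filter:
    engine: str                 # Filter column: the state engine, e.g. "udp", "tcp"
    port: int                   # Port column
    broadcast: bool = False     # Broadcast column
    reverse: bool = False       # Reverse column


@dataclass(frozen=True)
class Service:
    name: str
    filters: Tuple[Filter, ...]


@dataclass(frozen=True)
class Rule:
    src: IPv4Network            # the rule's From address, modelled as one network
    dst: IPv4Network            # the rule's To address
    service: Service


@dataclass(frozen=True)
class Packet:
    proto: str
    src: IPv4Address
    dst: IPv4Address
    dport: int


LIMITED_BROADCAST = IPv4Address("255.255.255.255")


def pkt(proto: str, src: str, dst: str, dport: int) -> Packet:
    return Packet(proto, IPv4Address(src), IPv4Address(dst), dport)


def is_broadcast(addr: IPv4Address, net: IPv4Network) -> bool:
    """Directed broadcast of net, limited broadcast, or multicast.
    /31 and /32 networks have no broadcast address, so a /32 To host never is one."""
    directed = net.prefixlen < 31 and addr == net.broadcast_address
    return directed or addr == LIMITED_BROADCAST or addr.is_multicast


def matching_filter(rule: Rule, packet: Packet) -> Optional[Filter]:
    """Return the filter-table row under which rule admits packet, or None."""
    for f in rule.service.filters:
        if f.engine != packet.proto or f.port != packet.dport:
            continue
        # A Reverse row covers packets from the To address back toward the From address.
        origin, target = (rule.dst, rule.src) if f.reverse else (rule.src, rule.dst)
        if packet.src not in origin:
            continue
        bcast = is_broadcast(packet.dst, target)
        # A row covers either broadcast/multicast destinations or unicast ones, never
        # both; that is why separate broadcast and nonbroadcast rows are needed.
        if f.broadcast != bcast:
            continue
        if not bcast and packet.dst not in target:
            continue
        return f
    return None


def rule_matches(rule: Rule, packet: Packet) -> bool:
    return matching_filter(rule, packet) is not None


# Constructed sample objects for the example.
LAN = IPv4Network("10.0.0.0/24")
MAILHOST = IPv4Network("10.0.0.5/32")
SYSLOG_BCAST_ONLY = Service("syslog-bcast", (Filter("udp", 514, broadcast=True),))
SYSLOG = Service("syslog", (Filter("udp", 514, broadcast=True), Filter("udp", 514)))
# SMTP to the mail host plus the ident (113/tcp) callback it opens to the client.
SMTP_IDENT = Service("smtp-ident", (Filter("tcp", 25), Filter("tcp", 113, reverse=True)))

if __name__ == "__main__":
    unicast = pkt("udp", "10.0.0.7", "10.0.0.5", 514)
    print(rule_matches(Rule(LAN, MAILHOST, SYSLOG_BCAST_ONLY), unicast))  # False: no unicast row
    print(rule_matches(Rule(LAN, MAILHOST, SYSLOG), unicast))             # True
    print(rule_matches(Rule(LAN, MAILHOST, SMTP_IDENT), pkt("tcp", "10.0.0.5", "10.0.0.7", 113)))  # True
```

SYSLOG_BCAST_ONLY shows the caveat attached to the Broadcast column: with only a broadcast entry, a unicast syslog packet to the mail host matches nothing, which is why SYSLOG carries a second, nonbroadcast entry for the same port. SMTP_IDENT shows a Reverse row admitting the callback the mail host makes to the client while still refusing the same port in the forward direction.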

Service Group

Use the service group to group single services that you want to use together. FIGURE 5-16 shows the Service dialog box for service group.

Figure 5-16 Service Dialog Box for Service Group

Graphic

TABLE 5-16 describes the controls in the Service dialog box for service group.

Table 5-16 Controls for Service Group Service Dialog Box

Control 

Description 

Name

Specifies the name of the service object.  

Description

(Optional) Provides a brief description about the service object.  

Screen

(Optional) Restricts this service group so that it applies to the selected Screen only. The default (All) means that all Screens recognize this object unless an object exists that has been specifically defined for a particular Screen and has the same name as the Screen for which it is defined.

Services List 

Lists the available services that do not belong to the service group. Refer to "State Engines" for a description of services.

Members List 

Identifies the services that belong to the service group. 

Add Button 

Moves the service selected in the Services list to the Members list, making the service a member of the specified service group. 

Remove Button 

Moves the service selected in the Members list to the Services list, removing the service from the specified service group. 

OK Button 

Stores the new or changed information and makes the Save Changes command button active. 

Cancel Button 

Cancels any new or changed information. 

Help Button 

Calls up the page of online help for this common object. 

Address

Use the address common object to create address objects that define the source and destination address for a policy rule. If you are adding addresses, the Address dialog box that appears for a particular subtype is empty. If you are modifying an existing address, the Address dialog box displays the existing information. Address objects have three subtypes: host, range, and group.

Host

Host is a way to associate an individual host's IP address with a name for the address object. FIGURE 5-17 shows the Address dialog box for adding a new host to the host subtype.

Figure 5-17 Address Dialog Box for New Host

Graphic

TABLE 5-17 describes the controls in the Address dialog box for a new host.

Table 5-17 Controls for New Host Address Dialog Box

Control 

Description 

Name 

Specifies the name for the address object.  

Description Field 

(Optional) Provides a brief descriptive note about the address object. 

Screen 

(Optional) Restricts this address so that it applies to the selected Screen only. The default (All) means that all Screens recognize this object unless an object exists that has been specifically defined for a particular Screen and has the same name as the Screen for which it is defined.

IP Address/Host Name 

Specifies the IP address you want to associate with the address object identified in the Name list. 

Lookup IP Address Button 

If SunScreen has access to DNS or NIS, lets you look up host addresses by host name. 

OK Button 

Stores the new or changed information and makes the Save Changes command button active. 

Cancel Button 

Cancels any new or changed information. 

Help Button 

Calls up the page of online help for this common object. 

Range

Range associates a range of IP addresses with an address object name. For example, you can associate a name with a specified range of network IP addresses and use that name to filter traffic to all hosts on that network. FIGURE 5-18 shows the Address dialog box for adding a new range of addresses to the range subtype.

Figure 5-18 Address Dialog Box for New Range

Graphic

TABLE 5-18 describes the controls for the Address dialog box for new range.

Table 5-18 Controls for New Range Address Dialog Box

Control 

Description 

Name 

Specifies the name for the address object.  

Description 

(Optional) Provides a brief description about the address object.  

Screen 

(Optional) Restricts this range of addresses so that it applies to the selected Screen only. The default (All) means that all Screens recognize this object unless an object exists that has been specifically defined for a particular Screen and has the same name as the Screen for which it is defined.

Starting IP Address 

Specifies the starting IP address in the range.  

Ending IP Address 

Specifies the ending IP address in the range.  

OK Button 

Stores the new or changed information and makes the Save Changes command button active. 

Cancel Button 

Cancels any new or changed information. 

Help Button 

Calls up the page of online help for this common object. 

Group

Group is a way to group host addresses, address ranges and other address groups. By grouping addresses that use similar services and have similar actions, you can save time when creating rules. FIGURE 5-19 shows the Address dialog box for adding a new group to the group subtype.


Note -

Before you create an address group, you first define the address objects--single addresses, address ranges, or address groups--that you want to use in the address group.


Figure 5-19 Address Dialog Box for New Group

Graphic

TABLE 5-19 describes the controls for the Address dialog box for new group.

Table 5-19 Controls for the New Group Address Dialog Box

Control 

Description  

Name 

Specifies the name for the address object. 

Description 

(Optional) Provides a brief description about the address object.  

Screen 

(Optional) Restricts this address group so that it applies to the selected Screen only. The default (All) means that all Screens recognize this object unless an object exists that has been specifically defined for a particular Screen and has the same name as the Screen for which it is defined.

Addresses 

Displays the address objects that can be used to create the address group.  

Include List 

Specifies the address objects that are currently included in the address group. Use the Add or Remove buttons to modify the list.  

Exclude List 

Specifies the address objects that are excluded from the address group. For example, you can create an address group that includes all addresses except as specified in the Exclude List. Use the Add or Remove buttons to modify the list.  

OK Button 

Stores the new or changed information and makes the Save Changes command button active. 

Cancel Button 

Cancels any new or changed information. 

Help Button 

Calls up the page of online help for this common object. 

Certificate

Use the certificate common object to configure the certificates for the Screen and for remote hosts that will communicate securely through the Screen.


Note -

Changes to a certificate object that involve loading it into SKIP take effect immediately without being saved, and you cannot use the Cancel Changes button to undo them. Changes to the certificate object as stored in the common objects do not take effect immediately: they must be saved, and they take effect only when the policy that uses them is activated. For example, when you add a new certificate, the certificate is created and loaded into SKIP immediately, but its name is not yet saved as part of the common objects and must be saved. Renaming a certificate affects only the common objects and must be saved.


Generate Screen Certificate

Generate screen certificate generates a certificate for the Screen. FIGURE 5-20 shows the Certificate dialog box.

Figure 5-20 Certificate Dialog Box for Generate Screen Certificate

Graphic

TABLE 5-20 describes the controls for the Certificate dialog box for generate Screen certificate.

Table 5-20 Controls for the Certificate Dialog Box for Generate Screen Certificate

Control 

Description 

Name 

Specifies a name for the certificate.  

Description 

(Optional) Provides a brief description about the certificate object.  

Screen 

Specifies the Screen that recognizes the certificate object. The default is All. 

Installed On 

(Optional) Specifies the Screen on which the certificate is generated.  

Radio buttons 

Specifies the strength of encryption that the Screen uses.  

Generate New Certificate 

Generates the certificate. The Certificate ID field displays the certificate's certificate ID.  

OK Button 

Stores the new or changed information and makes the Save Changes command button active. 

Cancel Button 

Cancels any new or changed information. 

Help Button 

Calls up the page of online help for this common object. 

Associate MKID

Associate MKID assigns a name to the MKID (also called the certificate ID) of a certificate that exists on another machine. Associate a certificate ID to set up encrypted communication between two Screens or between a Screen and an Administration Station. FIGURE 5-21 shows the Certificate dialog box for Associate MKID.

Figure 5-21 Certificate Dialog Box for Associate MKID

Graphic

TABLE 5-21 describes the controls for the Certificate dialog box for associate MKID.

Table 5-21 Controls for Associate MKID Certificate Dialog Box

Control 

Description 

Name 

Specifies the name for the certificate ID object.  

Description 

(Optional) Provides a brief description about the MKID or certificate ID object. 

Screen 

Specifies which Screen recognizes the certificate ID object. The default is All. Specifying a Screen allows you to define packet-filtering rules that encrypt traffic between any two machines, not just between an Administration Station and a Screen. Specify the Screen only if you are using Centralized Management. A common object or policy rule applies to all Screens unless you choose a specific Screen. 

Installed On 

(Optional) Used only if you later remove this certificate object from the common objects. At that time, the SKIP identity installed on the Screen named here is removed as well. 

Certificate ID 

Specifies the certificate ID (hash value) for the certificate that you generated on the other system. 

Radio Buttons 

Specifies the strength of encryption that the Screen uses.  

Generate New Certificate 

Generates the certificate. The Certificate ID field displays the certificate's certificate ID.  

OK Button 

Stores the new or changed information and makes the Save Changes command button active. 

Cancel Button 

Cancels any new or changed information. 

Help Button 

Calls up the page of online help for this common object. 

Certificate Group

Certificate group is a way to group single certificates that you want to use together. FIGURE 5-22 shows the Certificate dialog box for certificate group.

Figure 5-22 Certificate Dialog Box for Certificate Group

Graphic

TABLE 5-22 describes the controls in the Certificate dialog box for certificate group.

Table 5-22 Controls for Certificate Group Dialog Box

Control 

Description 

Name

Specifies the name of the certificate object.  

Description

(Optional) Provides a brief description about the certificate object.  

Screen

Specifies which Screen recognizes the certificate object.  

Available Certificate List 

Identifies the certificates that do not belong to the certificate group.

Group Members List 

Identifies the certificates that belong to the certificate group. 

Add Button 

Moves the certificate selected in the Available Certificates list to the Group Members list, making the certificate a member of the specified certificate group. 

Remove Button 

Moves the certificate selected in the Group Members list to the Available Certificates list, removing the certificate from the specified certificate group. 

OK Button 

Stores the new or changed information and makes the Save Changes command button active. 

Cancel Button 

Cancels any new or changed information. 

Help Button 

Calls up the page of online help for this common object. 

Screen

Use the screen common object to edit or add screen objects. You can edit miscellaneous Screen parameters, SNMP parameters, and mail Proxy parameters for screen objects that already exist. The algorithms used here are for centralized management only. FIGURE 5-23 shows the Screen dialog box.

Figure 5-23 Screen Dialog Box

Graphic

In general, edit, rather than create, screen objects because they are automatically created during installation. Specifying a Screen enables you to define packet-filtering rules that encrypt traffic between any two machines, not just between an Administration Station and a Screen.


Note -

You must enter the name of the administrative interface of the Screen, exactly as that name is listed in the naming service or in the /etc/hosts file.


You must create a screen object if you are setting up:

Miscellaneous Tab

Figure 5-23 shows the Miscellaneous tab of the Screen dialog box and the parameters.

TABLE 5-23 describes the controls for the Miscellaneous tab of the Screen dialog box.

Table 5-23 Controls for the Miscellaneous Tab of the Screen Dialog Box

Control 

Description 

Name 

Specifies a name for the screen object. 

Description 

(Optional) Provides a brief description of the screen object. 

Log Size 

Sets the size of the log in megabytes. 

Stealth Network 

Specifies the network address for interfaces that are used as stealth interfaces. Set this parameter if you have used the interface object to designate any Screen interfaces as stealth interfaces.  

Stealth Netmask 

Specifies the netmask for interfaces that are used as stealth interfaces. Set this parameter if you have used the interface object to designate any Screen interfaces as stealth interfaces.  

Allow Routing Traffic 

Specifies whether the Screen sends or receives updates to the routing table using the RIP protocol.  

Name Service 

Specifies the name service (DNS, NIS, Both, or None) that the Screen will use.  

Certificate Discovery 

Specifies whether the Screen uses Certificate Discovery.  

OK Button 

Stores the new or changed information and makes the Save Changes command button active. 

Cancel Button 

Cancels any new or changed information.  

Help Button 

Calls up the page of online help for this common object. 

SNMP Tab

On the SNMP tab you specify the interval for SNMP timed status indicator traps and add, edit, or delete SNMP trap receivers.


Note -

Use the Action field of the packet-filtering Rule Definition dialog box to specify actions that generate SNMP alerts. The machine that receives SNMP trap alerts must not be a remote Administration Station.


FIGURE 5-24 shows the SNMP tab of the Screen dialog box.

Figure 5-24 SNMP Tab of the Screen Dialog Box

Graphic

TABLE 5-24 describes the controls for the SNMP tab on the Screen dialog box.

Table 5-24 Controls for the SNMP Tab of the Screen Dialog Box

Control 

Description 

Name 

Specifies a name for the Screen object. 

Description 

(Optional) Provides a brief description of the Screen object. 

SNMP timer interval (in minutes) 

Specifies, in 1-minute increments, how often the timed status indicator trap is emitted. Specifying a time here turns on the timed status indicator. If you do not set the interval (the screen object's SNMP_TIMER variable), these traps are not sent. The contents of this trap cannot be configured.

SNMP Receivers 

Displays the list of SNMP receivers. You are limited to five receivers. 

Add/Delete (Name/IP address) 

  1. Specifies the name or the IP address of the SNMP receiver that you want to add to list when you click the Add button.

  2. Specifies the name or the IP address of the SNMP receiver that you want to delete when you click the Delete button.

Add 

Adds the SNMP receiver specified in the Add/Delete (Name/IP address) field to the list of SNMP receivers shown in the SNMP Receivers field. 

Delete 

  1. Deletes the SNMP receiver specified in the Add/Delete (Name/IP address) field from the list of SNMP receivers shown in the SNMP Receivers field.

  2. Deletes the SNMP receiver highlighted in the SNMP Receivers field.

OK Button 

Stores the new or changed information and makes the Save Changes command button active. 

Cancel Button 

Cancels any new or changed information 

Help Button 

Calls up the page of online help for this common object. 

The following SNMP traps are supported:

The first two types include the following data:

The SNMP timed status indicator trap uses the same receivers database as the other types of SNMP traps. There is only one database, with a maximum of five receivers, and the receivers are stored as a variable of the screen object.

To activate the timed status indicator traps, set the SNMP timer interval.

The following data are in the SNMP timed status indicator. These data cannot be modified and new data cannot be added:

Only these SNMP traps are supported. No get or set operations are supported.

Primary/Secondary Tab

The Primary/Secondary tab associates a certificate object with a Screen that is part of an HA cluster or a CMG. The High Availability choice (No, Primary, or Secondary) and the Primary Name choice determine the role a Screen has within an HA cluster and centralized management group (CMG). The settings you choose determine which other controls on the Primary/Secondary tab are active. FIGURE 5-25 shows the Primary/Secondary tab of the Screen dialog box.

Figure 5-25 Primary/Secondary Tab on the Screen Dialog Box

Graphic

TABLE 5-25 describes the controls for the Primary/Secondary tab.

Table 5-25 Controls for the Primary/Secondary Tab of the Screen Dialog Box

Control 

Description 

Name 

Specifies a name for the Screen object. 

  1. The entry in the Name field must be the same as the entry that exists in the nameservice lookup or in the /etc/hosts file. The IP address associated with this name must match the IP address of the administrative interface.

  2. The HA interface must be of the same type on all the machines in the HA cluster, and it must be a dedicated interface on each machine with its own dedicated network connection. For reasons of security, the HA network should not be connected to any other network. The HA primary Screen is always the Screen you administer, whether it is the active or the passive Screen.

Description 

(Optional) Provides a brief description of the Screen object. 

High Availability 

Specifies whether the Screen is used for HA. If you are using it for HA, you can specify whether the Screen is a primary HA Screen or a secondary HA Screen.  

Primary Name 

Specifies the name of the primary Screen. This is the primary of this Screen if this Screen is an HA secondary, or the primary of a centralized management group if you want this Screen to be a CMG secondary. 

Administrative IP 

Specifies the IP address of the Screen that is used for administration, either a single IP address or an address group that contains all of the Screen's interface addresses. 

Administration Certificate 

Specifies the name of the Screen's Administration certificate.  

High Availability IP Address 

Specifies the IP address of the HA interface.  

Ethernet Address 

Generated by the system.  

Key Algorithm 

Specifies the key encryption algorithm that will be used. The options available depend upon the strength of the encryption installed. 

Data Algorithm 

Specifies the data encryption algorithm that will be used. The options available depend upon the strength of the encryption installed. 

MAC Algorithm 

Specifies the MAC (authentication) algorithm that will be used. The options are: 

  • none

  • MD5

  • MD5-NAT

OK Button 

Stores the new or changed information and makes the Save Changes command button active. 

Cancel Button 

Cancels any new or changed information. 

Help Button 

Calls up the page of online help for this common object. 
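Both the Note under the Screen dialog box and the Name entry in TABLE 5-25 require that the Screen object's name be the name of the administrative interface exactly as the naming service or /etc/hosts lists it, and that the name resolve to the administrative interface's IP address. The following Python checks an /etc/hosts-format file for that condition (name present, listed with exactly one address, and that address is the administrative one). It is an added example, not SunScreen code; the sample host file is constructed for the example and the function names are its own.

```python
from ipaddress import ip_address
from typing import Dict, List, Set

# Added example check for the Screen object's Name; not SunScreen code.


def parse_hosts(text: str) -> Dict[str, Set[str]]:
    """Map every name and alias in /etc/hosts-format text to the set of
    addresses it is listed with. Comments and malformed lines are skipped."""
    names: Dict[str, Set[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip_address(fields[0])
        except ValueError:
            continue
        for alias in fields[1:]:
            names.setdefault(alias.lower(), set()).add(fields[0])
    return names


def check_screen_name(hosts_text: str, screen_name: str, admin_ip: str) -> List[str]:
    """Problems that would make screen_name unusable as the Screen object's Name.
    It must be listed, listed with exactly one address, and that address must be
    the administrative interface. An empty list means the name is usable."""
    found = parse_hosts(hosts_text).get(screen_name.lower(), set())
    if not found:
        return [f"{screen_name} is not listed in the host file"]
    if len(found) > 1:
        return [f"{screen_name} maps to several addresses: {', '.join(sorted(found))}"]
    (addr,) = found
    if addr != admin_ip:
        return [f"{screen_name} maps to {addr}, not the administrative interface {admin_ip}"]
    return []


# Constructed sample host file for the example; not from a real system.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
10.1.1.1        fw-admin   fw-admin.example.com   # administrative interface
10.1.2.1        fw-outside
192.0.2.1       fw-outside                        # same name on a second interface
not-an-address  fw-ha
"""

if __name__ == "__main__":
    print(check_screen_name(SAMPLE_HOSTS, "fw-admin", "10.1.1.1"))    # []
    print(check_screen_name(SAMPLE_HOSTS, "fw-outside", "10.1.2.1"))  # several addresses
```

Run it against the Screen's own /etc/hosts before creating or renaming the screen object. Where the Screen uses DNS or NIS rather than the host file, confirm the same mapping through the naming service (for example with getent hosts on Solaris), since a name that resolves differently there will not match the administrative interface either.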

Mail Proxy

The Mail Proxy tab allows adding, editing, or deleting domains known to distribute unsolicited electronic mail (spam). You can define spam domains if you use an SMTP proxy.

FIGURE 5-26 shows the Mail Proxy tab of the Screen dialog box.

Figure 5-26 Screen Dialog Box Showing the Mail Proxy Tab

Graphic

TABLE 5-26 describes the controls for the Mail Proxy tab of the Screen dialog box.

Table 5-26 Controls for the Mail Proxy Tab of the Screen Dialog Box

Control 

Description 

Name 

Specifies a name for the Screen object. 

Description 

(Optional) Provides a brief description of the Screen object. 

Spam Domains 

Lists the domains that are distributing unsolicited electronic mail. 

Add/Delete Host 

  1. Specify the domain that you want to add to the Spam Domains list when you click the Add button.

  2. Specify the domain that you want to delete from the Spam Domains list when you click the Delete button.

Add 

Adds the domain specified in the Add/Delete Host field to the list of spam domains shown in the Spam Domains field. 

Delete 

  1. Deletes the domain specified in the Add/Delete Host field from the list of domains shown in the Spam Domains field.

  2. Deletes the domain highlighted in the Spam Domains field.

OK Button 

Stores the new or changed information and makes the Save Changes command button active. 

Cancel Button 

Cancels any new or changed information. 

Help Button 

Calls up the page of online help for this common object. 

Interface

The interface common object defines interfaces and specifies the actions a Screen should take when a packet that is received on that interface is rejected.

FIGURE 5-27 shows the Interface Definition dialog box.

Figure 5-27 Interface Definition Dialog Box

Graphic

TABLE 5-27 describes the controls for the Interface Definition dialog box.

Table 5-27 Controls for the Interface Definition Dialog Box

Control 

Description 

Interface 

Specifies the interface. 

Type 

Specifies the type of interface. The options are: 

  • ROUTING

  • ADMIN

  • DISABLED

  • HA

  • STEALTH

Screen 

Specifies the Screen on which this interface physically resides. If you are using centralized management, you must complete this field. 

Address Group 

Specifies the source IP addresses for this interface.  

Logging 

Specifies how a packet received on the interface that does not match any rule is logged. The options are: 

  • NONE - Do not log packets.

  • SUMMARY - Record the first 40 bytes of the packet in the log.

  • DETAIL - Record the complete packet in the log.

If a packet matches a rule, it is disposed of according to the action for the rule it matches. 

SNMP Alerts 

Specifies whether the Screen should issue an SNMP alert message when a packet received on an interface does not match a rule. The options are: 

  • SNMP_NONE - Do not send an SNMP alert message. (This is the default.)

  • SNMP - Send an SNMP alert message when a packet received on this interface is rejected.

If a packet matches a rule, it is disposed of according to the action for the rule it matches. 

ICMP Action 

Identifies the ICMP rejection message that is issued if a packet received on the interface is rejected. In most cases, the Screen rejects packets by sending an ICMP Destination Unreachable packet with the reject code set as specified in the ICMP action on the interface. 

The one exception is the PORT_UNREACHABLE ICMP action. In this case, the Screen rejects TCP packets by sending a TCP RESET packet and other packets by sending an ICMP Destination Unreachable (Port Unreachable) message. 

The options for the actions are: 

  • NONE

  • NET_UNREACHABLE

  • HOST_UNREACHABLE

  • PORT_UNREACHABLE

  • NET_FORBIDDEN

  • HOST_FORBIDDEN

If a packet matches a rule, it is disposed of according to the action for the rule it matches. 

Comment 

(Optional) Provides a descriptive note about the Interface object. 

Router IP Address 

(Optional) Specifies the router's IP address when the type of interface is STEALTH. This allows packets that have had their destination address changed, for example NAT or tunnelling, to be sent to a router. You can specify as many as five router IP addresses. If you have stealth interfaces, define the router that does the routing for the subnet for at least one of them. 

OK Button 

Stores the new or changed information and makes the Save Changes command button active. 

Cancel Button 

Cancels any new or changed information. 

Help Button 

Calls up the page of online help for this common object. 
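The Logging, SNMP Alerts and ICMP Action settings in TABLE 5-27 together decide what happens to a packet that matches no rule, including the PORT_UNREACHABLE exception under which TCP gets a TCP RESET instead of an ICMP message. The following Python is an added illustrative model of that decision, not SunScreen code. The ICMP Destination Unreachable codes are the standard RFC 792 / RFC 1812 type-3 codes; the manual names the actions but not the codes, so that mapping, the constructed 60-byte sample packet, the interface names and the helper names are this example's assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# Added illustrative model of how an Interface object disposes of a packet that
# matches no rule; not SunScreen code.
LOGGING_OPTIONS = ("NONE", "SUMMARY", "DETAIL")
SNMP_OPTIONS = ("SNMP_NONE", "SNMP")
# ICMP Destination Unreachable (type 3) codes from RFC 792 / RFC 1812. The manual
# names the actions but not the codes, so this mapping is the example's assumption.
ICMP_UNREACHABLE_CODES = {
    "NET_UNREACHABLE": 0,
    "HOST_UNREACHABLE": 1,
    "PORT_UNREACHABLE": 3,
    "NET_FORBIDDEN": 9,     # destination network administratively prohibited
    "HOST_FORBIDDEN": 10,   # destination host administratively prohibited
}
ICMP_ACTIONS = ("NONE",) + tuple(ICMP_UNREACHABLE_CODES)
ICMP_DEST_UNREACHABLE = 3
SUMMARY_BYTES = 40          # SUMMARY logging records the first 40 bytes


def validate_interface(logging: str, snmp_alerts: str, icmp_action: str) -> List[str]:
    """Return the settings that are not valid options; an empty list means all valid."""
    problems = []
    if logging not in LOGGING_OPTIONS:
        problems.append(f"Logging: {logging!r}")
    if snmp_alerts not in SNMP_OPTIONS:
        problems.append(f"SNMP Alerts: {snmp_alerts!r}")
    if icmp_action not in ICMP_ACTIONS:
        problems.append(f"ICMP Action: {icmp_action!r}")
    return problems


@dataclass(frozen=True)
class Interface:
    name: str                       # interface name is illustrative only
    logging: str = "NONE"
    snmp_alerts: str = "SNMP_NONE"
    icmp_action: str = "NONE"

    def __post_init__(self) -> None:
        bad = validate_interface(self.logging, self.snmp_alerts, self.icmp_action)
        if bad:
            raise ValueError(f"{self.name}: invalid " + ", ".join(bad))


# A response is None, "TCP_RST", or ("ICMP", type, code).
Response = Optional[Union[str, Tuple[str, int, int]]]


@dataclass(frozen=True)
class Disposition:
    logged: Optional[bytes]     # bytes written to the log, or None
    snmp_alert: bool
    response: Response


def reject_response(proto: str, icmp_action: str) -> Response:
    """The rejection the Screen sends. PORT_UNREACHABLE is the one exception:
    TCP gets a TCP RESET, everything else gets ICMP Port Unreachable."""
    if icmp_action == "NONE":
        return None
    if icmp_action == "PORT_UNREACHABLE" and proto == "tcp":
        return "TCP_RST"
    return ("ICMP", ICMP_DEST_UNREACHABLE, ICMP_UNREACHABLE_CODES[icmp_action])


def dispose_unmatched(iface: Interface, proto: str, packet: bytes) -> Disposition:
    """Apply the interface's Logging, SNMP Alerts and ICMP Action to a packet
    that matched no rule. Packets that match a rule never reach this path."""
    if iface.logging == "NONE":
        logged = None
    elif iface.logging == "SUMMARY":
        logged = packet[:SUMMARY_BYTES]
    else:
        logged = packet
    return Disposition(logged, iface.snmp_alerts == "SNMP",
                       reject_response(proto, iface.icmp_action))


# Constructed 60-byte sample packet for the example; not real traffic.
SAMPLE_PACKET = bytes(range(60))

if __name__ == "__main__":
    outside = Interface("hme1", logging="SUMMARY", snmp_alerts="SNMP", icmp_action="PORT_UNREACHABLE")
    print(dispose_unmatched(outside, "tcp", SAMPLE_PACKET).response)   # TCP_RST
    print(dispose_unmatched(outside, "udp", SAMPLE_PACKET).response)   # ('ICMP', 3, 3)
    print(validate_interface("DETAIL", "SNMP_NONE", "HOST_FORBBIDEN"))  # misspelt option is rejected
```

validate_interface is the check worth keeping: the option names are fixed strings, and a misspelling such as HOST_FORBBIDEN is an invalid setting rather than a silent fallback to NONE.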

Proxy User

The proxy user common object contains the mapping information for users of SunScreen proxies. The proxy user object has the subtypes single and group. FTP and Telnet rules reference the proxy user entries.

The proxy user object is automatically saved when it is edited or a new proxy user object is added. Any changes apply immediately and cannot be reversed. The Save Changes button is greyed out to show that it is inactive.

Single

The single dialog box defines a new single proxy user.

If you want to use the authentication feature of the FTP and Telnet proxies, you must define an authorized user before you add a proxy user.

FIGURE 5-28 shows the Proxy User dialog box for adding a new single proxy user.

Figure 5-28 Proxy User Dialog Box for a Single Proxy User

Graphic

TABLE 5-28 describes the controls for the Proxy User dialog box for a single proxy user.

Table 5-28 Controls for the Proxy User Dialog Box for a Single Proxy User

Control 

Description 

Name 

Specifies the name of the proxy user.  

Description 

Adds a brief description of the proxy user.  

User Enabled 

Controls whether the user can log into the Screen. This function permits the administrator to refuse login privileges to someone who previously could log in without having to remove that person from the list of proxy users. 

Authorized User Name 

Selects the name of the authorized user to be used to authenticate this proxy user. Names in this list are generated when you add an authorized user object. If this field is empty, authentication is not required for this user.  

Proxy User Group  

Identifies the user group or groups to which the user belongs. If no groups are highlighted, the user does not belong to any group. 

Backend User Name 

Identifies the user on a specific server. It defaults to the user name.  

OK Button 

Stores the new or changed information. 

Cancel Button 

Cancels any new or changed information. 

Help Button 

Calls up the page of online help for this common object. 

Group

A proxy user group is a way to group proxy users that have the same privileges, which saves time when creating rules. Before creating a proxy user group, define the proxy user objects that will belong to it.

FIGURE 5-29 shows the Proxy User dialog box for adding a new group.

Figure 5-29 Proxy User Dialog Box for Grouping Proxy Users

Graphic

TABLE 5-29 describes the controls for the Proxy User dialog box for grouping proxy users.

Table 5-29 Controls for the Proxy User Dialog Box for Grouping Proxy Users

Control 

Description 

Name 

Specifies the name of the proxy group.  

Description 

Adds a brief description of the proxy group.  

User Enabled 

Controls whether this group of proxy users can log into the Screen's proxy. This function permits the administrator to refuse login privileges to a group that previously could log in without having to remove that group from the list of member users. 

Proxy Users 

Displays the proxy user objects that can be used to create the member user list for the proxy user group.  

Member Users 

Specifies the proxy user objects that are currently included in the member users list of the proxy user group. Use the Add or Remove buttons to modify the member users list. 

OK Button 

Stores the new or changed information. 

Cancel Button 

Cancels any new or changed information. 

Help Button 

Calls up the page of online help for this common object. 

Authorized User

The common object authorized user specifies the users that are allowed to use the Telnet and FTP proxies.

The common object authorized user is automatically saved when it is edited or a new authorized user object is added. Any changes apply immediately and cannot be reversed. The Save Changes button is greyed out to show that it is inactive.

FIGURE 5-30 shows the User dialog box for an authorized user object. This same dialog box also appears for the administrative user object.

Figure 5-30 User Dialog Box for an Authorized User

Graphic

TABLE 5-30 describes the controls for the User dialog box for an authorized user object and for an administrative user object.

Table 5-30 Controls for the User Dialog Box for an Authorized User Object and an Administrative User Object

Control 

Description  

User Name 

Specifies the login name of the authorized user.  

Description 

(Optional) Provides a brief description about the authorized user.  

User Enabled 

Controls whether the user can log into the Screen's proxy. This function permits the administrator to refuse login privileges to someone who previously could log in without having to remove that person from the list of proxy users. 

Password 

Specifies the login password for the authorized user.  

Retype Password 

Specifies the login password for the authorized user. The password typed in this field must exactly match the password you typed in the Password field.  

SecurID Name 

(Optional) Specifies the user's login name for SecurID authorization.  

Real Name 

(Optional) Identifies the real name of the authorized user.  

Contact Information 

(Optional) Displays information on how to contact the specified user.  

OK Button 

Stores the new or changed information. 

Cancel Button 

Cancels any new or changed information. 

Help Button 

Calls up the page of online help for this common object. 

Administrative User

The common object administrative user identifies the SunScreen administrators that have access to the Screen. This object refers to an authorized user; therefore, the administrative user object uses the same User dialog box that the authorized user object does.

FIGURE 4-32 shows the User dialog box for both an authorized user object and an administrative user object. TABLE 5-30 describes the controls for the User dialog box for both an authorized user object and an administrative user object.

The administrative user object is automatically saved when it is edited or a new administrative user object is added. Any changes apply immediately and cannot be reversed. The Save Changes button is greyed out to show that it is inactive.

After you create an administrative user object, you grant administrative access by creating a rule in the Administrative Access tab of the Policy Rules panel. The name that you create for the administrative user object is the same name that you use when you create administrative access rules.

Jar Signature

The Jar signature common object identifies the Java archives (JARs) that you want the Screen to pass. JAR signatures apply only to the HTTP proxy.

The Jar signature object is automatically saved when it is edited or a new Jar signature object is added. Any changes apply immediately and cannot be reversed. The Save Changes button is greyed out to show that it is inactive.

FIGURE 5-31 shows the Jar Signature dialog box.

Figure 5-31 Jar Signature Dialog Box

Graphic

TABLE 5-31 describes the controls for the Jar Signature dialog box.

Table 5-31 Controls for the Jar Signature Dialog Box

Control 

Description 

Name 

Identifies the name of the certificate.  

Master Key ID 

Identifies the certificate ID.  

Load Jar Certificate Button  

Loads the certificate used to authenticate the Java archive. This procedure requires that your browser allow local access to files. 

OK Button 

Stores the new or changed information. 

Cancel Button 

Cancels any new or changed information. 

Help Button 

Calls up the page of online help for this common object. 

Jar Hash

The HTTP proxy can be set up to filter the Java applets based on the hash value of the Jar file.

The Jar hash object is automatically saved when it is edited or a new Jar hash object is added. Any changes apply immediately and cannot be reversed. The Save Changes button is greyed out to show that it is inactive.

FIGURE 5-32 shows the Jar Hash dialog box.

Figure 5-32 Jar Hash Dialog Box

Graphic

TABLE 5-32 describes the controls for the Jar hash dialog box.

Table 5-32 Controls for the Jar Hash Dialog Box

Control 

Description 

Name 

Identifies the name of the certificate.  

Master Key ID 

Identifies the certificate ID. 

OK Button 

Stores the new or changed information. 

Cancel Button 

Cancels any new or changed information. 

Help Button 

Calls up the page of online help for this common object. 
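The Jar hash object above identifies an applet by the digest of its archive. The following added example (not code from the SunScreen product or this manual) shows what such an allow-list check amounts to: a digest is taken over the whole JAR file, and the applet passes only if that digest is already known. The digest algorithm (SHA-256) and the function names are assumptions; the manual does not state which hash the HTTP proxy uses.

```python
import hashlib
import io
import zipfile

# Assumption: the manual does not say which digest the HTTP proxy uses for
# Jar hash objects, so SHA-256 is used here purely for illustration.
HASH_ALGORITHM = "sha256"


def build_jar(entries):
    """Build an in-memory JAR (a zip archive) from {name: bytes}.

    Constructed sample data; a fixed timestamp keeps the archive bytes
    reproducible so that the same entries always give the same digest.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in sorted(entries.items()):
            info = zipfile.ZipInfo(name, date_time=(2000, 1, 1, 0, 0, 0))
            zf.writestr(info, data)
    return buf.getvalue()


def jar_hash(jar_bytes):
    """Digest of the complete archive, which is what a Jar hash object names."""
    return hashlib.new(HASH_ALGORITHM, jar_bytes).hexdigest()


def applet_allowed(jar_bytes, allowed_hashes):
    """Hypothetical allow-list check: pass the applet only if its digest is known."""
    return jar_hash(jar_bytes) in allowed_hashes


# Constructed sample archives: a trusted applet and a copy with one byte changed.
TRUSTED_JAR = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "Hello.class": b"\xca\xfe\xba\xbe" + b"\x00" * 16,
})
TAMPERED_JAR = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "Hello.class": b"\xca\xfe\xba\xbe" + b"\x00" * 15 + b"\x01",
})
# The allow list holds only the digest recorded for the trusted archive.
ALLOWED_HASHES = {jar_hash(TRUSTED_JAR)}

if __name__ == "__main__":
    print("trusted  :", applet_allowed(TRUSTED_JAR, ALLOWED_HASHES))
    print("tampered :", applet_allowed(TAMPERED_JAR, ALLOWED_HASHES))
```

Because the digest covers the archive bytes rather than the class files inside it, an applet that is merely repackaged (different entry order, timestamps or compression) gets a new digest and will no longer match, so a Jar hash object has to be refreshed whenever the applet is rebuilt, even if its code is unchanged.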

Time

The time common object specifies the time of day and the day of the week that a rule applies.

FIGURE 5-33 shows the Time dialog box.

Figure 5-33 Time Dialog Box

Graphic

TABLE 5-33 describes the controls in the Time dialog box.

Table 5-33 Controls for the Time Dialog Box

Control 

Description  

Name  

Specifies a name for the time object. 

Description 

(Optional) Adds a descriptive note about the time object.  

Screen 

Specifies the Screen that recognizes the time object.  

Table for the Time Parameters  

Sets the time of day and the day of the week for this time object. Use the Add button to add a row to the table and the Delete button to remove a row from the table. Each row has five columns:

  1. Day column contains a choice list of the days of the week plus EVERYDAY and *.

  2. Start Time (hour) column contains a choice list of the hours in a day using the 24-hour clock with midnight denoted as 00.

  3. Start Time (minute) column contains a choice list of the minutes in an hour in 5-minute increments.

  4. End Time (hour) column contains a choice list of the hours in a day using the 24-hour clock with midnight denoted as 00.

  5. End Time (minute) column contains a choice list of the minutes in an hour in 5-minute increments.

Add Row Button 

Adds a row to the table so that you can set time parameters for this time object. To cover more than one day, but fewer than every day, add a row for each day and choose the day that you want for each row. 

Delete Button 

Deletes a highlighted entry in the table. 

OK Button 

Stores the new or changed information and makes the Save Changes command button active. 

Cancel Button 

Cancels any new or changed information. 

Help Button 

Calls up the page of online help for this common object.
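As an added illustration of the time object described in TABLE 5-33 (example code, not part of the manual or of SunScreen), the following models the table of rows (day, start hour and minute, end hour and minute) and evaluates whether a rule carrying that time object applies at a given moment. The manual does not state how a window is bounded, so two assumptions are made and marked in the code: the start time is inclusive and the end time exclusive, and a row whose end does not fall after its start is rejected rather than treated as wrapping past midnight. The class and function names are likewise assumed.

```python
from datetime import datetime

DAYS = ["MONDAY", "TUESDAY", "WEDNESDAY", "THURSDAY", "FRIDAY", "SATURDAY", "SUNDAY"]
WILDCARDS = {"EVERYDAY", "*"}  # both appear in the Day column's choice list


class TimeRow:
    """One row of the time parameters table (assumed model of the dialog's row)."""

    def __init__(self, day, start_hour, start_minute, end_hour, end_minute):
        if day not in DAYS and day not in WILDCARDS:
            raise ValueError("day must be a weekday name, EVERYDAY or *")
        for hour in (start_hour, end_hour):
            if not 0 <= hour <= 23:
                raise ValueError("hours use the 24-hour clock, 00 to 23")
        # The minute columns only offer 5-minute increments.
        for minute in (start_minute, end_minute):
            if not 0 <= minute <= 55 or minute % 5:
                raise ValueError("minutes must be a multiple of 5 below 60")
        self.day = day
        self.start = start_hour * 60 + start_minute
        self.end = end_hour * 60 + end_minute
        # Assumption: a window must end after it starts on the same day;
        # wrap-around past midnight is not modelled here.
        if self.end <= self.start:
            raise ValueError("end time must be later than start time")

    def matches(self, when):
        day_ok = self.day in WILDCARDS or DAYS[when.weekday()] == self.day
        minute_of_day = when.hour * 60 + when.minute
        # Assumption: start inclusive, end exclusive.
        return day_ok and self.start <= minute_of_day < self.end


class TimeObject:
    """A named time object: the rule applies whenever any row matches."""

    def __init__(self, name, rows):
        self.name = name
        self.rows = list(rows)

    def applies_at(self, when):
        return any(row.matches(when) for row in self.rows)


def weekday_window(name, start_hour, end_hour):
    """Build a time object covering Monday to Friday, one row per day,
    following the manual's advice to add a row for each day you want."""
    rows = [TimeRow(day, start_hour, 0, end_hour, 0) for day in DAYS[:5]]
    return TimeObject(name, rows)


# Constructed sample objects.
BUSINESS_HOURS = weekday_window("business-hours", 9, 17)
NIGHT_BACKUP = TimeObject("night-backup", [TimeRow("EVERYDAY", 0, 0, 6, 0)])

if __name__ == "__main__":
    for moment in (datetime(2024, 1, 3, 12, 0), datetime(2024, 1, 6, 12, 0)):
        print(moment, BUSINESS_HOURS.applies_at(moment), NIGHT_BACKUP.applies_at(moment))
```

The validation in `TimeRow` mirrors what the dialog's choice lists enforce (valid hours, 5-minute steps); a practitioner loading rules from a file rather than the GUI would want the same checks so that a mis-typed row cannot silently widen or close a window.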