Kaspersky Web Traffic

Security 6.1
Proof of Concept guide

Kaspersky

26.03.2020
Contents

Introduction ................................................................................................................................................................... 2
Who should use this guide? ...................................................................................................................................... 2
What is Kaspersky Web Traffic Security? ................................................................................................................. 2
What's new ................................................................................................................................................................ 3
Application architecture ............................................................................................................................................. 4
Prepare the environment .............................................................................................................................................. 6
Review KWTS requirements ..................................................................................................................................... 6
Download the required files ....................................................................................................................................... 6
Configure network ..................................................................................................................................................... 6
Demo environment description.................................................................................................................................. 6
Deployment and configuration ...................................................................................................................................... 8
Deploy KWTS ............................................................................................................................................................ 8
Activate KWTS ........................................................................................................................................................ 20
Enable KSN (optional) ............................................................................................................................................. 22
Configure LDAP integration..................................................................................................................................... 23
Configure built-in proxy server authentication ......................................................................................................... 26
Configure Single Sign-On (SSO) ............................................................................................................................ 27
Capability scenarios.................................................................................................................................................... 31
Web protection ........................................................................................................................................................ 31
Web control ............................................................................................................................................................. 32
SSL decryption ........................................................................................................................................................ 34
Role Based Access Control (RBAC) ....................................................................................................................... 37
Cluster mode ........................................................................................................................................................... 39
Appendix A: HAProxy configuration file for the HTTP load balancing ....................................................................... 50
Appendix B: PoC completion checklist ....................................................................................................................... 51
Introduction
Who should use this guide?
This guide is built to help you quickly deploy and configure Kaspersky Web Traffic Security 6.1 (KWTS) for
evaluation. It guides you through detailed scenarios in a proof of concept environment to help you better
understand how KWTS works. These instructions provide an evaluation method for the most common KWTS use
cases.

The guide is intended for use primarily by KL’s presales engineers and 3rd parties wishing to evaluate the product.

It is assumed that the reader will:

1. Have a prior knowledge of Internet access management and corporate network infrastructure.

2. Be an experienced network administrator or technical reviewer.

3. Be familiar, at least at a conceptual level, with proxy servers, such as Squid.

What is Kaspersky Web Traffic Security?

Kaspersky Web Traffic Security is a solution designed for protecting HTTP-, HTTPS-, and FTP traffic passing
through a proxy server.

The application protects users of a corporate network when accessing web resources. For example, it deletes
malware and other threats from the data stream that enters the corporate network via the HTTP(S) and FTP
protocols, blocks infected and phishing websites, and controls access to web resources based on web resource
categories and content types.

The application is developed for corporate users.

Kaspersky Web Traffic Security:

• Protects the IT infrastructure of your organization from most modern malware and encrypting ransomware
thanks to machine-learning algorithms and operating system data emulation technology.

• Blocks access to infected and phishing websites.

• Uses Kaspersky Security Network data to obtain information about the reputation of files and web
resources, ensure that Kaspersky Lab applications react to threats faster without waiting for an application
database update, and reduce the likelihood of false positives.

• Integrates with Kaspersky Private Security Network (hereinafter also referred to as KPSN) to access
reputation databases of Kaspersky Security Network and other statistical data without sending data from
their computers to Kaspersky Security Network.

• Scans encrypted traffic with certificate replacement on the proxy server side.

• Performs content filtering of incoming and outgoing files based on the URL, file name, MIME type, size,
type of source file (the application can determine the true format and type of the file, regardless of its
extension), and checksum (MD5 or SHA256).

• Lets you restrict access to various categories of web resources (hereinafter also referred to as "web
categories"), for example: Gambling, lotteries, sweepstakes; Adult content; Internet for children; Prohibited
by laws of the Russian Federation.

• Lets you configure application settings and manage the application through the web interface.
 • Lets you monitor the application status, the web traffic processed by the application, the number of
scanned and detected objects, most recent threats, blocked users and URLs in the application web
interface.

• Lets you create workspaces for configuring individual rules for processing traffic of departments of
organizations or managed organizations (for Internet service providers).

• Lets you configure access permissions of administrators for working with managed organizations.

• Lets you investigate incidents involving Internet access by searching and viewing events.

• Adjusts traffic processing conditions in cases when traffic processing does not match the defined rules.

• Updates application databases from Kaspersky Lab update servers or custom resources (HTTP servers,
shared network folders) according to schedule or on demand.

• Integrates with Microsoft Active Directory to assign roles and manage access and protection rules.
Supports NTLM- and Kerberos authentication in Active Directory for access to the web interface.

• Publishes application events to a SIEM system that is already in use in your organization over the Syslog
protocol. Information about each event is sent to a separate syslog message.

• Lets you access application information over the SNMP protocol.

• Lets you deploy an ISO image of an operating system with the pre-installed application (including the proxy
server).

• Lets you configure proxy server settings through the application web interface (when using an ISO image).

What's new
Kaspersky Web Traffic Security 6.1 has the following new features:

• Distribution kit modified. Kaspersky Web Traffic Security is delivered as:

o Rpm/deb package.

o ISO image of an operating system with the pre-installed application (including the proxy server).

In both cases, installation on physical and virtual servers is supported.

• Traffic processing rule settings updated.

• You can now configure role-based user access to specific workspaces.

• Proxy server settings can now be managed through the application web interface (only for ISO image
installation.

• The system of roles within a cluster was modified:

o The separation of Worker server and Master server roles has been discontinued.

o Components for managing application settings and processing traffic are combined into a single
package.

• Block page functionality was expanded:

o New macros were added.

o A separate block page for a workspace can now be configured.

 • Integration with Kaspersky Anti Targeted Attack Platform (KATA) was added. Two modes were
implemented:

o Send files from user traffic to KATA (connect KWTS as an external KATA system).

o Receive information about objects detected by KATA (use information about KATA detections in traffic
processing rules).

• You can now configure the time zone and time synchronization of the server over the NTP protocol (only
for ISO image deployment).

• The web category Cryptocurrencies and mining was added.

• You can now generate reports on application operation events.

• Detection of phishing and malicious links is now distinguished.

• A new type of object Malicious link was added in protection rules.

More details about new features are available in Online Help.

Application architecture
Depending on the distribution kit the application architecture may differ slightly. Since in this guide KWTS is used
as an appliance with the built-in proxy server, then the KWTS architecture is as follows.

Figure 1. KWTS Architecture and operation scheme.

The numbering in the figure corresponds to the following steps of traffic processing:

1. A user requests access to a web resource. This request is relayed to the server that has the application
installed.

2. The built-in proxy server accepts the request and relays it to the application's ICAP server so that it can be
scanned according to the traffic processing rules.

3. If access to the web resource is allowed according to the scan results, the built-in proxy server sends the
request to this web server on the Internet.

4. The web server hosting the requested web resource sends a response to the built-in proxy server.
 5. The built-in proxy server sends the web server response to the application's ICAP server so that the
response can be scanned according to the traffic processing rules. The scan result is returned to the built-
in proxy server.

6. The built-in proxy server sends the response to the user's computer. Depending on the actions defined in
the application, the user may see the following pages:

a. If access to the web resource is allowed, the requested web page is displayed.

b. If access to the web resource is prohibited, the block page is displayed.

c. If the Redirect action was applied, the user sees the web page to which the redirect was
configured.

If traffic processing requires two or more servers with the application installed, all servers are combined into a
cluster. One of the servers in the cluster should be assigned the Control node. The other servers in the cluster will
be assigned the Secondary node role. The difference between a Control node and Secondary nodes is that
application settings can be modified on the node with role Control. They are distributed from the node with role
Control to all nodes with role Secondary in the cluster. Then each cluster node exchanges data with the Active
Directory server independently.

Figure 2. KWTS in a cluster mode.

You can find more information about the application architecture operation algorithms in Online help.
Prepare the environment
Review KWTS requirements
You can find the list of all requirements for KWTS 6.1 in the dedicated article in Online help.

Download the required files

Please visit https://support.kaspersky.com/kwts6#downloads to download the following software required for KWTS
6.1 evaluation:

• ISO: kwts-6.1.0-4762-inst.x86_64_mlg.iso.

• For Linux (deb): kwts_6.1.0-4762_amd64.deb.

• For Linux (rpm): kwts-6.1.0-4762.x86_64.rpm.

Configure network
If you installed the application from an RPM or DEB package, to ensure correct operation of Kaspersky Web Traffic
Security you must first configure the ports on servers that have the application installed and on corporate LAN
routers used for relaying traffic. If you deployed the application from an ISO image, all the ports required for
operation are already configured.

In this guide, the application is deployed from an ISO image.

For the application deployed from the RPM or DEB package please open the ports from the following article:
https://help.kaspersky.com/KWTS/6.1/en-US/189764.htm.

Demo environment description

This demo environment has been created in a public cloud. The information about virtual machines and user
accounts used in this environment is below:
Table 1. Demo environment

FQDN OS IP Purpose
Windows Server Domain Controller with the DNS
wins2019s.demo.lab 10.0.0.1
2019 Standard role.

Client VM. Used for the KWTS web

Windows 10
win10pro64.demo.lab 10.0.0.2 configuration and capability
Professional
scenarios demonstration.

KWTS appliance with the Squid

kwts.demo.lab CentOS 10.0.0.3
proxy server. Control node.

KWTS appliance with the Squid

kwts2.demo.lab CentOS 10.0.0.4
proxy server. Secondary node.

haproxy.demo.lab Ubuntu 18.04 10.0.0.5 HAProxy load balancer.

Table 2. Accounts

Account Purpose
[email protected] Domain administrator + KWTS administrator.

[email protected] Domain user. Used for certain capability scenarios.

[email protected] Account for the LDAP integration.

Default KWTS administrator’s account for the KWTS

Administrator
configuration using the KWTS Web Console.
Deployment and configuration
Deploy KWTS
Kaspersky Web Traffic Security can be deployed from an ISO image or from an RPM or DEB package. In this
guide we will demonstrate how to deploy Kaspersky Web Traffic Security from an ISO image. Detailed instructions
how to deploy Kaspersky Web Traffic Security from an RPM or DEB package are available in Online Help.

In order to install Kaspersky Web Traffic Security for demo (Proof of Concept) purposes, it is necessary to upload
an ISO file to virtual data storage of the hypervisor and create an empty virtual machine with the following
parameters:

• CPU: 8 (minimum 4)

• RAM: 8GB

• HDD: 200GB.

For a production environment use the parameters from the hardware and software requirements. Instructions how
to create and prepare a VM for the KWTS installation:

• For VMware vSphere

• For Microsoft Hyper-V

• For Microsoft SCVMM.

Mount an ISO disk mage to the created VM and run this VM.

In the welcome window of the

Setup Wizard, press OK.
Select a language.

Accept the terms and conditions of

the License Agreement.
Accept the terms and conditions of
the Privacy Policy.

Read the recommendations on

default protection settings and
press OK.
If your VM does not meet the
hardware requirements, then you
will see the following warning.
Press OK.

Select a disk drive for the system

installation.
Confirm that you chose a correct
drive and wait for the unpacking
system to the disk.
After unpacking you should press
any key and the system will reboot.

Specify the fully qualified domain

name of the machine and press
OK.
Select the network interface and
press Yes in the confirmation
window.

In the Interfaces window press

Continue …
In the Routing window it is
necessary to configure network
routing.
In the Interface field, select the
network interface of the default
route.
The dhcp value will be set in the
Gateway field. The gateway IP
address will be assigned by the
DHCP server.

If you want to define a static IP

address for the gateway:

In the Gateway field, press Enter.

A confirmation window opens.

To configure a static configuration,

press Yes.

The Interface gateway

configuration window opens.

In the Gateway field, enter a static

IP address for the gateway and
press OK.

In the Routing window press

Continue …
Configure the DNS settings. If you
want to use DHCP, then in the Use
DHCP field select Yes.

Otherwise select Search list and

press Enter.

Specify the search list, primary and

secondary DNS server and press
OK.
Review the settings and press
Continue …

Specify a password for the KWTS

web interface local administrator.
Review the IP address of KWTS
and in the confirmation window
press Yes.

Specify the port used for interaction

with other nodes of the cluster and
click OK. In the confirmation
window, press Yes.
It is recommended to use the
default value of 9045.

In the confirmation window press

Yes.
Save the server certificate
fingerprint that is displayed in the
final window of the Configuration
Wizard.

When adding a server to the cluster

through the application web
interface, you will need to compare
this fingerprint with the fingerprint
displayed in the web interface.

You can get access to this

fingerprint any time you connect to
this VM.

Connect to the domain controller

and open DNS Manager (Server
Manager – Tools - DNS).

Create the New Host (A or AAAA)

record and the New Pointer (PTR)
record for KWTS in the Forward
Lookup and the Reverse Lookup
Zones.

Close the DNS Manager.

Switch to the client computer and

run a web browser.

In the address bar enter the KWTS

address in the following format:
https://<IP or FQDN of KWTS>

In the Warning window click

Advanced and proceed to the
KWTS address.
Enter the Administrator’s
credentials and click Login.

During the first connection it is

necessary to add the KWTS node
to a cluster. It will operate as
control node.

Click Create new cluster.

The KWTS Dashboard opens.

Switch to the Settings tab.
In the middle column select
General – Server time and specify
your Country and your Time zone.

Click Save at the bottom of the

page to save the settings.

After completing this step, you have successfully installed Kaspersky Web Traffic Security.

Activate KWTS

In the KWTS Web Console go to

Settings – General – Licensing
and add an activate code in the
right pane.

You will see the message that the

activation code applied
successfully. Check the activation
status on cluster node. To do that
click Go to Nodes.
In the Nodes section click on the
Control node and the Node
information will appear in the right
pane.

In the Traffic processing section

make sure the database update
started.
Otherwise wait for a while or run
the database update manually. To
do that:
1. Go to Settings – External
services – Database
update.
2. In the upper part of the
Settings window, click
Update databases.

After the database update

completes you will see a message
that it is necessary to restart the
KWTS node.
Reboot the node by clicking
Restart.

In the confirmation window click

Yes.
 Wait for the KWTS node to restart
and refresh the web page.

Go to Nodes – select the Control

node. In the right pane in the
Traffic processing section make
sure the license is valid and the
databases are updated.

After completing this step you have successfully activated Kaspersky Web Traffic Security.

Enable KSN (optional)

To protect the user's computer more effectively, Kaspersky Web Traffic Security uses data that is received from
users around the globe. Kaspersky Security Network is designed to collect such data.

Kaspersky Security Network (hereinafter also referred to as KSN) is an infrastructure of cloud services providing
access to the Kaspersky Lab online knowledge base containing information about the reputation of files, web
resources, and software. The use of data from Kaspersky Security Network ensures faster responses by
Kaspersky Web Traffic Security to objects that are not yet listed in anti-virus application databases, improves the
performance of some protection components, and reduces the likelihood of false positives.

In the KWTS Web Console go to

Settings – External Services –
KSN/KPSN.

In the right pane select Kaspersky

Security Network (KSN) – read
the terms and conditions of
participating in KSN.

If you choose to participate in

Kaspersky Security Network, in the
KSN Statement section, view the
Kaspersky Security Network
Statement and select one of the
following options:

• If you accept the terms and conditions, select the I agree to participate in KSN check box.
• If you do not accept the terms and conditions, clear the I agree to participate in KSN check box.

If you want to participate in Kaspersky Security Network and agree to submit statistics of your usage of
Kaspersky Security Network to Kaspersky Lab, select the Send KSN statistics to improve the threat
detection rate check box.
If you choose to participate in Kaspersky Security Network and agree to submit statistics of your usage of
Kaspersky Security Network to Kaspersky Lab, in the Additional KSN Statement section, read the
Supplementary Kaspersky Security Network Statement and do the following:

• If you accept the terms and conditions, select the I agree to send KSN statistics check box.
• If you do not accept the terms and conditions, clear the I agree to send KSN statistics check box.
Click Save.

After completing this step you have successfully configured participartion in KSN.

Configure LDAP integration

If you are configuring integration with a domain whose name contains the root domain .local, you must
complete the following steps to prepare the operating system for successful connection with the LDAP
server.

1. Check the status of the avahi-daemon service. To do so, execute the command:
systemctl status avahi-daemon

2. If the service is running, stop it. To do so, execute the command:

systemctl stop avahi-daemon

3. Disable automatic startup of the service. To do so, execute the command:

systemctl disable avahi-daemon

Before proceeding to the LDAP integration make sure that the KWTS time does not differ from your LDAP
server.

Connect to the domain controller

and in the Server Manager run
Tools – Active Directory Users
and Computers.
Select your domain and create a
new user.
Specify a full name and the user
logon name. In this guide the user
logon name is: control-kwts.

Specify the user’s password and

set the necessary password
options, e.g. check the Password
never expires option.

On the next step click Finish to

close the wizard.

Run the Command Prompt as

Administrator.
Create a keytab file by executing
the following command:

C:\Windows\system32\ktpass.exe -princ HTTP/<fully qualified domain name (FQDN) of

the Control node>@<realm uppercase Active Directory domain name> -mapuser <your
username>@< realm uppercase Active Directory domain name > -crypto <encryption
type> -ptype KRB5_NT_PRINCIPAL -pass <password of the just created user> -out
C:\<filename>.keytab

In this guide the command with the following parameters is used:

C:\Windows\system32\ktpass.exe –princ HTTP/[email protected] -mapuser control-

[email protected] -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -pass * -out C:\control-
kwts.keytab.

You can read more information about the ktpass utility by this link.
Transfer this keytab file to a place accessible from the computer where you run the KWTS Web Console.

In the KWTS Web Console go to

Settings – General – Licensing
and add an activate code in the
right pane.

You will see the message that the

activation code applied
successfully. Check the activation
status on cluster node. To do that
click Go to Nodes.

Specify a name of the connection,

select the keytab file created on
previous steps and fill the Search
base (Base DN), e.g. in this guide
it is dc=demo, dc=lab.

Click Add.

Click Synchronize now and then

Go to Nodes.
 Click on the control node and in the
right pane check the LDAP cache
status.

After completing this step you have successfully configured LDAP integration.

Configure built-in proxy server authentication

Since KWTS shipped as an appliance contains built-in proxy server it is necessary to configure user authentication
on KWTS. KWTS supports either Kerberos or NTLM authentication. In this guide Kerberos authentication is used.
In order to authenticate users on KWTS proxy it is necessary to configure proxy settings on workstations and
authentication in the KWTS Web Console.

On the client machine click on the

search bar, type “proxy” and open
Proxy settings.

Turn on the Use a proxy server

setting and specify your KWTS
address. Leave port 3128 by
default.

Save the settings and close the

proxy settings.

Open a web browser and connect

to the KWTS Web Console.

Enter your credentials.

Go to Settings – Built-in proxy

server – Authentication and in the
right pane under the
Authentication type section click
Set up near to Kerberos.
 Enable Kerberos authentication and
specify the keytab file created
during the Configure LDAP
integration step.

Save the settings and close the

window.

Open a new tab in the browser and

visit several websites.

Switch back to the KWTS Web

Console.
Go to Events and click Search to
view the last 500 events.

Make sure you see the full user

name.

After completing this step you have successfully configured a user authentication on the KWTS built-in proxy
server.

Configure Single Sign-On (SSO)

When Single Sign-On technology is enabled, users are not required to enter their application account credentials to
connect to the web interface. Authentication is performed using the domain user account. In this guide the
Kerberos authentication is used. Information how to configure the NTLM authentication is available in Online Help.

Open a web browser and connect

to the KWTS Web Console.

Enter your credentials.

Go to Settings – Application
access – Single Sign-On login
and in the right pane under the
Kerberos authentication section
enable the Use Kerberos option.
In the Keytab file field specify the
the keytab file created during the
Configure LDAP integration step.

Save the settings.

Go to Users – select Superuser
and in the right pane click Assign
role.

Add a domain account. In this guide

it is the Domain Administrator.

Note, that if you’re using the

Domain Administrator account, it is
necessary to specify A with the
uppercase, i.e. Administrator.

Save the settings and close the

KWTS Web Console.

It is necesarry to add the KWTS Web Console address to the Local Intranet zone of your browsers. For Google
Chrome, Microsoft Edge and Internet Explorer do the following:

Open the Control Panel –

Network and Internet – Internet
Options.
Switch to the Security tab, select
Local Intranet and click Sites.
Clear Automatically detect
Intranet network.

Add the KWTS Web Console

address and close the Local
intranet and Internet Properties.

For Mozilla Firefox do the following:

Open Mozilla Firefox. In the

address bar type about:config
and search the following setting:
network.negotiate-
auth.trusted-uris.

Add the KWTS Web Console

address next to the setting.
Re-open the web browsers and
connect to the KWTS Web
Console.
Make sure the credentials were not
requested and you are working
under the domain account you are
signed in to Windows.

After completing this step you have successfully configured Single Sign-On.
Capability scenarios
Web protection
In this scenario we will demonstrate that KWTS can protect against web threats.

Evaluation steps:

1. Check the Default protection policy.

2. Make sure that KWTS blocks test malicious file.

Expected result: test malicious file will be blocked by KWTS.

Step 1. Check the Default protection policy

Open a web browser and connect to the KWTS Web Console. Enter your credentials if SSO is not configured.

Go to Settings – General –
Default protection policy.

In the right pane make sure that the

Default protection policy is
configured to block malware,
phishing and other malicious
links/objects.

Step 2. Make sure that KWTS blocks test malicious file

Go to
http://www.eicar.org/download/eicar.com

Make sure the download attempt

has been blocked by KWTS.

Make sure that you use http instead

of https If SSL Bumping is not
configured.

Go to
http://www.kaspersky.com/test/aphish_h
and make sure has been blocked by
KWTS.
 Switch to the KWTS Web Console.

Go to Events and in the Traffic

section set a filter showing events
for a certain period of time with the
Block action.

Make sure you see the events

related to the websites you have
tried to access.

After completing this scenario you know that KWTS can protect against web threats.

Web control
In this scenario we will demonstrate that using KWTS you can configure users’ access to the Internet.

Evaluation steps:

1. Configure an access rule to block social networks for a certain user’s group.

2. Check if the social networks are blocked for the user’s group.

Expected result: access to social networks will be prohibited.

Step 1. Configure Web Control to block social networks

Open a web browser and connect to the KWTS Web Console. Enter your credentials if SSO is not configured.

Go to Rules – Access – click Add

group.

Specify the rule group name and

click Add.

Select the newly created rule group

and click Add rule.
 Specify the following parameters:
Action: Block.
Initiator: LDAP: group
canonicalName is equal to
domain.com/groups/groupname.

In this guide [email protected] is a

member of
demo.lab/Users/Internet users.

Traffic filter: Category is equal to

Social networks.

Rule name: Block social

networks.

Enable the rule and click Add.

Note that user’s primary Active Directory group (usually Domain Users) cannot be used as value for LDAP
group canonical name.

Step 2. Check if the social networks are blocked on protected VMs

Sign in as a user for which you

configured the access rule. In this
guide it is [email protected] and try to
access https://www.facebook.com/
and https://www.twitter.com . Make
sure they’re blocked.

Since the SSL/TLS decryption is not

configured you will see the message
that this site can’t be reached.

Try to access www.google.com .

Make sure the access to the page is
provided.
 Switch to the KWTS Web Console.

Go to Events and in the Traffic

section set a filter showing events for
a certain period of time with the
Block action.
Instead of adding a filter condition by
the Action you can also apply the
filter with other conditions, e.g. by a
Rule type.

Make sure you see the events

related to the websites you have
tried to access.

After completing this scenario you know that using KWTS you can configure users’ access to the Internet.

SSL decryption
In this scenario we will demonstrate how to configure KWTS in order to decrypt SSL/TLS connections.

Evaluation steps:

1. Add a certificate for intercepting SSL connections to KWTS.

2. (Optional) Configuring exclusions in traffic processing rules.

3. Make sure that KWTS can scan encrypted connections.

Expected result: KWTS will block test malicious link and show a block page.

Step 1. Add a certificate for intercepting SSL connections to KWTS

Open a web browser and connect to the KWTS Web Console. Enter your credentials if SSO is not configured.

Select the Settings → Built-in

proxy server → SSL section. In
the right pane click Add certificate.
 Select a type of the certificate,
specify the organization name in
the Organization field and the
domain name of the server for
which the certificate is being
generated in the Common name1
field and click Add.

In this guide it is a self-signed

certificate and further instructions
will be provided for the self-signed
certificates.

More information about certificates

and managing certificates for
intercepting SSL connections are
available in Online Help.

Click on the certificate to view its

information.
Click on P7B Chain to download
the certificate with the p7b
extension.
Click Set active.

Now it is necessary to add this certificate in the Trusted Root Certification Authorities store on every computer,
which will be used to access the Internet. If the domain infrastructure is used, then it can be done via Group
Policies (alternative link).

The Mozilla Firefox browser uses its own certificate storage. For details about importing a certificate to
the Mozilla Firefox storage, please refer to the instructions by the following link.

If the domain infrastructure is not used, then it is necessary to install this certificate to the Trusted Root
Certification Authorities store on every computer manually.
Switch to a domain workstation, run cmd and in the command line execute the following command:
gpupdate /force

1 You can find the information how to specify the common name by this and this links.
 Switch back to the KWTS Web
Console.
Select the Settings → Built-in
proxy server → SSL section.
In the right pane in the Default
action field select Bump and
switch on the TLS/SSL connections
decryption.
Click Save.

Step 2. (Optional) Configuring exclusions in traffic processing rules

During processing of HTTPS traffic, the result of application of the Block and Redirect actions differs from the
result of application of these actions to HTTP traffic. The user will not see a block page and will not be redirected to
the specified URL. Instead, the connection is terminated.

In order for the Block and Redirect to be applied correctly, you need to enable decryption of TLS/SSL connections
and add the CONNECT method to exclusions or create a bypass rule for it. If there are no traffic processing rules
that allow CONNECT requests, the connection will be terminated.

In this guide, we will create an exclusion for the CONNECT method in an access rule.

Go to Rules – Access.
Select a rule created during the
Web control demonstration and
click Edit.

Switch to the Exclusions tab and

click + Add exclusion.
In the Traffic filter section click
+Rule criteria and select
HTTP Method is equal to
CONNECT.
Click Save.

Step 3. Make sure that KWTS can scan encrypted connections

Sign in as a user who is a member of the group specified in the access rule on the previous step. If you did not
perform the Step 2, then you can perform the following actions with any user account.
 Try access www.google.com .
Make sure the certificate is valid,
issued by the domain name of the
server for which the certificate was
generated and there are no
warnings.

Try access a test link for checking

web protection
https://www.kaspersky.com/test/wmuf.
Make sure it is prohibited and you
see a block page.

If you configured the exclusion on

the Optional Step 2, then try to
visit https://www.facebook.com/and
make sure, that you see the block
page.
Note, that during the Web control
demonstration there was no block
page for the websites accessed by
HTTPS. Connection was
terminated only.

After completing this scenario you know that using KWTS you can scan encrypted connections.

Role Based Access Control (RBAC)

In this scenario we will demonstrate that using KWTS you can configure RBAC.

Evaluation steps:

1. Assign the Viewer role to a domain user.

2. Make sure that this user can only view the settings.

Expected result: the domain user can only view the dashboard, application settings etc.

Step 1. Assign the Viewer role to a domain user

 Open a web browser and connect to the KWTS Web Console. Enter your credentials if SSO is not configured.

Go to Users.

Select the Viewer role and click

Assign.

You may also create your own roles with the detailed configuration of permissions. To do that click Add in the
Roles section, then specify a role name and assign necessary permission to the role.

Specify a domain account.

Step 2. Make sure that this user can only view the settings

Sign in as the domain user who you

assigned the Viewer role to.

Sign in to the KWTS Web Console.

Make sure you see the Dashboard

and all the information on the
different tabs and sections.

Go to Settings – General –
Protection settings and make
sure that you cannot edit the
parameters.

Check other sections and make

sure that you cannot edit them.

After completing this scenario you know that using KWTS you can configure RBAC.
Cluster mode
Kaspersky Web Traffic Security 6.1 has the cluster mode support. Using this mode, you can centrally manage all
the nodes within the cluster, access events from all cluster nodes from one place and configure fault tolerance if a
load balancer is used2.

In this scenario we will demonstrate that you can configure KWTS in the cluster mode with load balancing.

Evaluation steps:

1. Deploy and configure the additional KWTS instance.

2. Deploy and configure HAProxy.

3. Power off the KWTS control node and check the Internet access.

Expected result: Internet access will not be disrupted and all protection settings will be synchronized with the
secondary node.

Step 1. Deploy and configure the additional KWTS instance

Deploy an additional KWTS instance in accordance with the appropriate section.

Open a web browser and connect

to the KWTS Control node Web
Console.

Go to Nodes and in the right corner

click Add node.

Fill the information about the new

node and click Next.

2 You can read more about application operation with load balancing in Online Help.
Check the entered values and the
certificate fingerprint and click
Confirm.

After this step the node will be

added to the KWTS cluster as
secondary node.

Click on the new node.

In the appeared pane you will see

the errors while the databases are
updating.

Wait for the database update.

On the same pane click Go to

manage node.
Log in to the KWTS Secondary
node Web Console as a local
Administrator.

Restart the Secondary node and

switch back to the KWTS Control
node Web Console.

In the Nodes section you will see,

that there is no SPN for Kerberos
Single Sign-on.

It is necessary to update the

previously created keytab file for
the KWTS Secondary node and
upload this file to the KWTS Control
node Web Console.

Connect to the domain controller

and open DNS Manager (Server
Manager – Tools - DNS).

Create the New Host (A or AAAA)

record and the New Pointer (PTR)
record for the KWTS Secondary
node in the Forward Lookup and
the Reverse Lookup Zones.

Close the DNS Manager.

Run the Command Prompt as
Administrator.
Create a new keytab file by
executing the following command:

C:\Windows\system32\ktpass.exe -princ HTTP/<fully qualified domain name (FQDN) of

the node>@<realm uppercase Active Directory domain name> -mapuser <your
username>@<realm uppercase Active Directory domain name> -crypto <encryption type>
-ptype KRB5_NT_PRINCIPAL -pass <user password> -in <Path to the previously created
keytab file> -out C:\<filename>.keytab –setupn -setpass

In this guide the command with the following parameters is used:

C:\Windows\system32\ktpass.exe –princ HTTP/[email protected] -mapuser

[email protected] -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -pass * -in
C:\control-kwts.keytab -out C:\control-kwts2.keytab -setupn -setpass.

Switch to the KWTS Control node

Web Console.

Go to Settings – Application
Access – Single Sign-On login. In
the Kerberos authentication
section replace the old keytab file
with the new one.

Make sure there are 2 entries in the

keytab file now.

Click Save.

Go to Settings – Built-in proxy

server – Authentication.

In the Authentication type section

click Set up near to Kerberos.
 Replace the old keytab file with the
new one.

Make sure there are 2 entries in the

keytab file now.

Click Save.

Perform the steps described in the

Configure Single Sign-on section to
add the KWTS Secondary node
address to the Local intranet zone.

Switch to the KWTS Control node

Web Console.

Go to Nodes and make sure the

Secondary node is synchronized
and there are no error messages.

After completing this step you already configured the KWTS cluster mode. All the settings are synchronized,
centralized management and access to events is configured.

Step 2. Deploy and configure HAProxy

At this step we will configure load balancing for KWTS. All the steps will be performedon Ubuntu 18.04. If you
use another Linux distribution3, please refer to the documentation of this distribution.

3 You can find the instructions for other Linux distribution if you use a deb/rpm KWTS package at Online Help.
Connect to the domain controller and
open DNS Manager (Server
Manager – Tools - DNS).

Create the New Host (A or AAAA)

record and the New Pointer (PTR)
record for the HAProxy computer in
the Forward Lookup and the
Reverse Lookup Zones.

Close the DNS Manager.

Switch to the Linux computer.

Run Terminal and execute the following command to elevate privileges:
sudo su
After that install HAProxy by executing the following command:
apt-get install haproxy

In this guide we will configure HAProxy in the TCP mode for demo purposes with basic configuration, but you
can also configure the HTTP mode.

Open the HAProxy configuration file with a text editor, e.g. Nano by executing the following command:
nano /etc/haproxy/haproxy.cfg
 Do not change existing lines. Just add the following lines to the configuration file and save it 4:

frontend haproxynode
bind *:3128
mode tcp
default_backend backendnodes

backend backendnodes
balance <balancing method>
server <KWTS FQDN> <IP:Port> check send-proxy
server <KWTS2 FQDN> <IP:Port> check send-proxy

And the optional lines if you want to view the HAProxy statistics via web:

listen stats
bind :32700
stats enable
stats uri /
stats hide-version
stats auth administrator:Pa$$w0rd

For instance, in this guide the configuration file is as follows:

frontend haproxynode
bind *:3128
mode tcp
default_backend backendnodes

backend backendnodes
balance roundrobin
server kwts.demo.lab 10.0.0.3:3128 check send-proxy
server kwts2.demo.lab 10.0.0.4:3128 check send-proxy

listen stats
bind :32700
stats enable
stats uri /
stats hide-version
stats auth administrator:Pa$$w0rd

4 More information about HAProxy configuration is available at http://www.haproxy.org/#docs.

Save the changes and close the file.

Restart the HAProxy service:

service haproxy restart

Check the service is running:

service haproxy status

Switch to the domain controller and

run the Command Prompt as
Administrator.

Create a new keytab file by

executing the following command:

C:\Windows\system32\ktpass.exe -princ HTTP/<fully qualified domain name (FQDN) of

the HAProxy node>@<realm Active Directory domain name in uppercase> -mapuser <your
username>@<realm Active Directory domain name in uppercase> -crypto <encryption
type> -ptype KRB5_NT_PRINCIPAL -pass <user password> -in <Path to the previously
created keytab file> -out C:\<filename>.keytab –setupn -setpass

In this guide the command with the following parameters is used:

C:\Windows\system32\ktpass.exe –princ HTTP/[email protected] -mapuser

[email protected] -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -pass * -in
C:\control-kwts2.keytab -out C:\control-kwts3.keytab -setupn -setpass

Switch to the KWTS Control node

Web Console.

Go to Settings – Built-in proxy

server – Authentication.

In the Authentication type section

click Set up near to Kerberos.

Replace the old keytab file with the

new one.

Make sure there are 3 entries in the

keytab file now.

Click Save.

Go to Settings – Built-in proxy

server – Common.

In the Load balancing section select

PROXY protocol header and add
the IP address of the HAProxy to the
Trusted load balancers list.

Save the settings.

On the client machine click on the

search bar, type “proxy” and open
Proxy settings.

Turn on the Use a proxy server

setting and specify the address of
HAProxy server. Leave port 3128 by
default.

Save the settings and close the

proxy settings.
 Try to access different websites, e.g.
https://www.kaspersky.com .

Make sure, that sites are accessible.

After completing this step HAProxy will perform load balancing of the requests to KWTS between 2 KWTS
instances.

Step 3. Power off the KWTS control node and check the Internet access

Power off the KWTS Control node.

Sign in as a user for which you

configured the access rule in the
Web control scenario. In this guide
it is [email protected] and try to
access https://www.google.com .

Try to access
https://www.facebook.com/ and
https://www.vk.com . Make sure
they’re blocked.
Also, you can check events in the
KWTS Web Console.

Power on the KWTS Control node and connect to its Web Console.
Go to Events and add the additional
condition:
Action is equal to Block.

Make sure you see the events

related to recent attempts to visit
https://www.facebook.com/ and
https://www.vk.com.

Go to Reports and in the right pane

click Generate report.

Open the generated report and

check the information.

(Optional) If you performed the

required configuration you can view
the HAProxy statistics.

Open a web browser and enter the

IP address and the port defined
during the HAProxy configuration.
Enter the credentials.
In this guide it is 10.0.0.5:32700
and administrator:Pa$$w0rd
Check the HAProxy statistics.

After completing this scenario you know KWTS can be used in the cluster mode with load balancing for
centralized administration, centralized access to events and for fault tolerance.
Appendix A: HAProxy configuration file for the HTTP load
balancing
Minimum configuration for the HTTP load balancing:

1. Leave existing configuration as is

2. Add the following lines to the /etc/haproxy/haproxy.cfg file:

frontend haproxynode

bind *:80

mode http

default_backend backendnodes

backend backendnodes

balance <balancing method>

option forwardfor

server <KWTS FQDN> <IP:Port> check

server <KWTS2 FQDN> <IP:Port> check

Appendix B: PoC completion checklist
# Task Success criteria Notes

1 Prepare the environment

PoC environment meets all the imposed

1.1 Review KWTS requirements
requirements.

1.2 Download the required files All required files are downloaded.

All required network ports are open in the right

1.3 Configure network
direction.

2 Deployment and configuration

Successful connection to the KWTS Web

2.1 Deploy KWTS
Console.

License is applied and databases are

2.2 Activate KWTS
updated.

2.3 Enable KSN KSN is activated.

2.4 Configure LDAP integration Connection to a LDAP server is established.

Configure built-in proxy server Domain usernames are displayed in the

2.5
authentication KWTS events.

User credentials are not requested the KWTS

2.6 Configure SSO Web Console if you are signed in Windows as
a domain user.

3 Capability scenarios

Test malicious file and a test phishing link are

3.1 Web protection
blocked.

3.2 Web control Access to social networks is prohibited.

KWTS blocks a test malicious link and shows

3.3 SSL decryption
a block page.

Role Based Access Control Domain user cannot edit the application
3.4
(RBAC) settings.

Internet access is not be disrupted and all

3.5 Cluster mode protection settings are synchronized with the
secondary node