The fine folks at GFI Software asked me to take their GFI WebMonitor software for a spin, see what I thought, and write about my experiences. In exchange, they offered to hook me up with a gift certificate as a small token of their appreciation. Having wanted to check out this software for many months anyway, it was a no-brainer for me, but note as mentioned above, this is a compensated review. GFI WebMonitor is software designed to protect your clients from browsing unsafe sites, downloading infected files, or other Internet based activities that could lead to bad things like an HR incident or an RIAA nasty-gram.
There are three standalone versions available, a WebFilter edition that does URL filtering, a WebSecurity Edition that does anti-x, and a UnifiedProtection Edition that combines the functions of URL filtering and malware protection. Seeing as how I am such a TMG fan boy, we’re going to put the GFI WebMonitor for ISA/TMG version through its paces. This version acts as a plug-in module for Microsoft ISA Server and TMG Server products, and offers the same security as the UnifiedProtection Edition.
Pre-game
Better safe than sorry is a motto I hold near and dear to my heart, so before we got started, I took a snapshot of my TMG box, since it runs as a virtual host on my Hyper-V install. That way, if I make a mistake, or want to go back and try something different, I can just revert to snapshot.
- In the Hyper-V Management Console, browse to your VM, and on the Actions pane, choose Snapshot.
- This will take a snapshot of your guest’s virtual disk, storing it in the same location as the main disk file.
Note: if you are doing this on your system and the TMG is also the connection to the Internet, you will lose connectivity momentarily as the snapshot is generated. You might need to do this after hours. <♫> The more you know </♫>
- The GFI WebMonitor also needs a service account under which to run, so let’s set that up first. In ADUC, create a service account, set a complex password, and flag the password to never expire.
- Then make the account a member of the local administrators group on the TMG. The install will grant the rights to log on as a service.
Now you just need to download the software from GFI’s website. Once downloaded, click Run to start the setup of WebMonitor.
The opening kick
The install is fairly straight-forward. Run it once the download has completed. We’ll forgo most of the pretty pictures in the interest of load times.
- You will see the UAC prompt for ConsentUI, and of course GFI does use signed code. Click Yes when you are ready to begin the install.
- The installer extracts the files needed, and then starts the install wizard.
- I like this bit. The installer can check for updates before it even begins.
- You have to agree to a fairly standard License Agreement, then click Next.
- Here, you are presented with what amounts to a DACL to control who can access the Web interface. It automatically populates local host, external, and internal ip.addrs, and the currently logged on user. It will also accept CIDR notation for your internal network if you wish.
- After hitting Next, you are prompted for your user information.
- Hitting Next again, you have to feed in the credentials for the service account we configured at the beginning of this process.
- GFI WebMonitor likes to send emails of important events, alerts, etc. Enter a from address, a to address (I recommend a d/l instead of a single user) and the FQDN of your SMTP relay. You can send a test message right now to verify your settings before moving onward.
- Confirm installation directory, then click Next, then click Install. You will lose Internet connectivity for a short time during the install, but it will return. Again, you might want to plan on doing this during a maintenance window.
- You will see a cmd line screen pop up as the service account is granted the right to logon as a service, and after a few moments, the install will complete.
RDP will disconnect momentarily at this point, so expect that if you are remoted into your server. Once RDP and the Internet are both back online, your install is done. GFI WebMonitor automatically connects to the Internet to download updates to its URL database, and its anti-malware engines. And yes, I do mean engines in the plural. This baby can run three different a/v engines at once if you are so inclined.
What have we got at the end of the first quarter
One of the things that I liked the most about the install is that, while GFI WebMonitor is now installed and working, it did not require any more immediate configuration on my part. Antivirus engines started up, definitions downloaded, URL databases updated, but I did not find myself with a brick and users complaining about blocked sites. I have to opt in to blocking things, which means I can take a measured approach instead of incurring the wrath of my colleagues. This is good. To administer GFI WebMonitor, you can launch the admin console from the start menu on your TMG server. Doing so presents you with a fairly typical Windows based hierarchical tree of functions, like so.
The console is fairly intuitive, with the dashboard probably being the first place to look and see what is going on. You can see your licensing status, a bandwidth histogram, totals for bandwidth, connections, etc. and any hits on quarantined or blocked downloads. All are hyperlinked if you want to see more about a particular detail.
Working our way further down the left-hand menu, we see that there is a lot in here about monitoring. You can view active or past connections, see hidden downloads (those that did not prompt the user for action), see what users and/or websites are taking up the most bandwidth, who spends all day surfing the web, etc. Don’t be surprised at how much Facebook shows up in these reports!
Setting up a strong defense
Even without activating any block categories, GFI WebMonitor has some strong out of the box protection with WebFilter, and WebSecurity.
WebFilter Edition
First up is WebFilter, and Web Filtering Policies. Remember, you can just license the WebFilter capabilities if you are comfortable with other anti-malware solutions and just want to control Internet access based on your policies.
GFI WebMonitor’s WebGrade Database is a regularly updated download list of websites, categorised across the sorts of things you would expect any good Acceptable Use Policy would address. Categories include pr0n, drugs, alcohol and tobacco, dating, gambling, etc. Note that none of these are blocked by default…it is up to you to implement the proper blocked categories based on your AUP.
You can create different policies for different users/groups/ip.addrs (though I would not recommend that) and set up notifications if you really want to be the Internet Police. You can also set exceptions in the event you have a customer who is categorised in a blocked group, find a mis-categorised site, etc.
Why don’t I recommend different policies? A couple of reasons learned from experience actually. First, you really want to apply this sort of thing consistently from C-level leadership down to part-time hourly employees. If you don’t, you are just asking for someone to file suit should they be terminated for policy violations that others are not held to. Second, simple administrative overhead. You have more important things to do than decide who are the Internet haves and have-nots. You can find yourself burning days of your time trying to set up different policies for different groups.
The database checks for updates on a scheduled basis, and you can query it with a particular URL if you want to see how a site is categorised.
WebSecurity Edition
Next up is WebSecurity Edition, with Download Control Policies, Virus Scanning Policies, and Anti-Phishing. This is also an option to license on its own if you want to completely avoid the role of Internet Police. I have worked for organisations where that was the decision by senior management. Personally that is one I support fully. Managers should be paying enough attention to their teams to know if recreational use of the Internet is a problem or not.
All file types are permitted by default. You can edit the default policy for all users, or create specific policies for certain users, groups (requires authentication) or ip.addr ranges. While most file types I can think of are already defined, you can create others to suit your needs if necessary by creating a new type and specifying the mime mapping.
Of less value is the IM Control Policy. At this time it only can deal with AIM and MSN, so I don’t see this as a valid control of IM on its own. You can either permit it all, or block it all, but just remember if you opt to block how many of these protocols can use HTTP, and the web based clients are out there like Meebo, Palringo, et al. You might find this a sisyphean task. Personally, I think you are better off embracing a corporate solution like Jabber or Office Communications Server, and implementing gateways to the public services.
Virus Scanning Policies
In addition to controlling downloads, you can also define Virus Scanning Policies. The WebSecurity edition comes with two engines licensed and enabled, BitDefender and Norman. You can license Kaspersky if you want a third. The default policy scans almost all file types (including unknown) by default using both engines, and most types will display a new dialog to web users when they go to open a file, as shown below.
Each file type can be defined on its own, and you may need to remove the display of the download and progress status if you are supporting iPods, AVG antivirus clients, Firefox plugins, etc. If your users begin to complain about failed downloads, check the Hidden Downloads list in the Monitoring section. These clients (or the software they are using) may not be able to interpret/display the Secure Download dialog, so you can remove that option as shown below. Find the file type in question, edit it, and clear the checkbox next to “Display download progress and status.”
Anti-Phishing Engine
WebSecurity also maintains a list of known phishing sites, which is updated regularly. Even if you are not blocking sites by category, this protection will help prevent your users from following links to known phishing sites.
Going into overtime
I did run into a problem with iTunes and iPods. While probably not a huge concern on your network, on mine, iPods are mission critical, and iTunes is a necessary evil. Currently, downloads from iTunes, or from the iTunes store directly to iPod devices fail. The file types are properly defined and permitted, but installing apps hangs until the device finally gives up, and attempts to connect to streaming video on YouTube all fail with a “The server is not correctly configured.” message and a general fail. On a trace you can see that as soon as the request for the video is sent by the client, the TMG throws a series of RSTs at the iPod, killing the connection. I’ve not been able to figure out a way around that, but not to worry. GFI WebMonitor includes a Whitelist and a Blacklist option to either exempt or ban as necessary.
Adding to the Whitelist can be by Site, User, or Client IP. I could not get the iPods to work by whitelisting apple.com, youtube.com, etc, but I could add the client ip.addr and all was well after that.
So here’s the postgame wrap up
After putting GFI WebMonitor through its paces and testing everything I could, it’s time to give it a grade. We’ll look back at the install, what state we were in once the product was installed, how it performed on the network, and what kind of protection it provided. On a scale of one to five Domos, where in all my experiences only Microsoft’s SMS 2.0 was so unworthy (so far) as to rate a one, and five is set aside for truly nerdvana like experiences, here’s how GFI’s WebMonitor 2009 (plug-in edition for ISA and TMG) stacks up.
Install:
As detailed in the beginning of this post, the install was fairly straightforward and uneventful. The product installed, didn’t complain about things, trigger antivirus or open program warnings, or throw obscure errors. I probably should have expected to lose RDP and Internet connectivity, but since there wasn’t a warning about this before the install, I have to hold back one Domo.
Out of box functionality:
Whenever you install a new security product, you can usually expect one of two things after you hit finish. You either have a brick, or you have another dozen steps to follow before you can actually start using the product. I was very pleasantly surprised this time to see that neither was the case. The product installed, and everything just worked. I really wanted to give this product five Domos, since it opted to install with the antimalware and antiphishing protections enabled, and block lists disabled, but as mentioned above, it broke some iPod functionality. In some SMB environments that may never come up, but in others I truly believe that iPod/iPad/iPhone devices are going to become significant players…and it doesn’t matter whether or not supporting an iPhone on your wi-fi network is a business critical function or not. If the CEO wants it to work, you are going to have to make it work.
Performance:
Calling my TMG install underpowered is being generous. It’s just barely to spec, and yet it handles my small client load without issue or complaint. Adding GFI WebMonitor made no perceptible difference to performance on the box, or through the box accessing the Internet, downloading files, using IM, etc. The system memory load for GFI WebMonitor exceeded that of TMG, but total CPU cycles consumed barely registered, even when downloading files that needed to be scanned by a/v.
Protection:
With not one but two antivirus engines enabled, an anti-phishing engine, categorised block lists that update daily, and all of this without having to touch a single client, I give GFI WebMonitor a full five Domos. This is what web security is supposed to be…easy to implement, controlled at the server, and transparent to the user. All my clients are protected; not just the ones I can manage through AD.
Game MVP:
The Client IP Whitelist enabled me to add the iPod devices and bypass all the protections of GFI WebMonitor. While there is no way I want to do this as a long term solution, I also would not want to uninstall the entire product because one small thing had issues. Being able to whitelist my devices put them in no worse a situation than they were in before the install, and let me continue on with the protection for the rest of the network. Again, maybe iPods aren’t as key in your environment…consider an application server that encountered an unknown issue and you can see where this could save the day. I’ve been working with GFI Support, and they are sending me a patch shortly that should take care of this.
Overall rating:
Four and a half Domos out of five, which is a stellar performance. I strongly recommend this product, and will even budget a purchase of it for myself.
When it comes to information security, a defense in depth (sometimes called a layered defense) approach is your best bet. There is no silver bullet, but by implementing multiple defenses in various points between your data and the bad guys, you are best suited to protect your users and your data. GFI WebMonitor is an excellent choice for the small to medium business looking to add content, anti-phishing, and anti-malware layers to their network’s armour. You get great protection, a small footprint, and it takes very little administrative overhead to implement and maintain. To quote my good friend Al, “It’s all about the Pentiums.”
Direct link for RSS and email subscribers…http://www.youtube.com/watch?v=qpMvS1Q1sos
How to remove it yar. I'm tired of it. GFI sucks. Plz tell me the process to download at a client without using this program.
Usman,
I have to disagree with you on GFI…I’m really quite pleased with the product. However, if you want to let a client bypass the protection (NOT recommended,) here is what to do, assuming your WebMon is your default gateway.
1. Create a DHCP reservation to ensure the client always has the same ip.addr, and then release/renew to make sure your client has that ip.addr.
2. Launch the GFI WebMon console
3. Browse down to Whitelist (third item down)
4. Add a client ip entry for the ip.addr you reserved for your client.
This will allow the client to make all connections, bypassing any filter lists or a/v screening of downloads.
Ed
And as a follow-up, GFI development provided me with a hotfix for the issue with iPods/iPhones and iTunes running on Windows clients. It was as easy as stopping services, replacing a DLL, and starting services again, and worked a champ.
I expect this will be incorporated into the next maintenance release, and made available as a download patch very soon.
The Webmonitor version which runs on ISA is bad! You get loads of problems with user authentication and end up disabling various things which makes Webmonitor about as useful as a random number generator.
Which is kind of an ironic comment considering you probably use services seeded by a random number generator every day. I cannot directly speak to the ISA plugin, since I use it on TMG, but the products’ code bases are so close to one another that I am really surprised you ran into problems. I have never had to change user auth or disable anything other than to whitelist iPods for the app store and YouTube, and that problem was patched pretty quickly after I reported it.
is it possible to allow an application that doesn’t send along authentication info ?
I can now only allow it if I add the ip addresses of the application servers or when I turn off integrated authentication.
Ok but then GFI is of no use anymore, because all the policies are bypassed for the other applications as well
Hi Eric,
I’m not sure I understand the question. I have SharePoint published to the Internet, and I have the rule setup with authentication at the TMG server, and I made no changes to the configuration when I installed GFI. Can you elaborate on your setup and what you are trying to do?
Ed
Hi Ed,
I have 1 special application, which is installed (like any other application) on both of my Application Servers (XenApp 5.6). The application does a connect to virtualearth.net to get GIS info. I don’t manage to get it through the proxy server where GFI is installed.
The only way I managed to do it was by turning off proxy authentication or by adding the ip addresses of my application servers in the ip exception list of GFI.
I only want that particular application to bypass the proxy authentication, the other applications still must authenticate.
I tried to add the ip addresses of the application servers followed by the port numbers but I’m not sure of the port number this particular application uses.
I sincerely hope this clarified a bit
Eric
Yes it does, as I thought your issue was with published applications, not with access from the inside to the outside. Try this.
1. Create an Access Rule defining your XenApp servers as the source, and the virtualearth.net servers as the destination.
2. Permit the appropriate protocols (I assume http and https, but I don’t know this. Never used their service.)
3. Place it at the top of the rules, or as close to the top as you can. Remember rules are parsed, so we want this access rule processed before any other outbound permit.
4. You might need to craft that rule to exempt it from any inspection, defining a new protocol on HTTP. See this TechNet post if steps 1-3 don’t work, and please report back to this comment thread with the results.
Thanks
Ed
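To see why the scoped rule has to sit above the authenticated one, and how it differs from an IP-only exception, here is an added example (not part of the original comment and not TMG code): a simplified first-match rule model. The IP addresses, rule names and the behaviour that an unauthenticated request matching an auth-required rule is challenged instead of falling through are assumptions of the model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    sources: tuple        # CIDR strings (constructed addresses)
    dest_suffixes: tuple  # domain suffixes; empty tuple means any destination
    requires_auth: bool


def _source_matches(rule, src):
    return any(ip_address(src) in ip_network(net) for net in rule.sources)


def _dest_matches(rule, host):
    if not rule.dest_suffixes:
        return True
    return any(host == s or host.endswith("." + s) for s in rule.dest_suffixes)


def evaluate(rules, src, host, authenticated):
    """Return (rule name, outcome) for the first rule matching source and destination."""
    for rule in rules:
        if not (_source_matches(rule, src) and _dest_matches(rule, host)):
            continue
        if rule.requires_auth and not authenticated:
            # Model assumption: the proxy challenges here, it does not try later rules.
            return (rule.name, "407 auth required")
        return (rule.name, "allow")
    return ("default", "deny")


# Constructed addresses standing in for the two XenApp servers.
XENAPP = ("10.0.0.21/32", "10.0.0.22/32")

SCOPED = Rule("xenapp-to-virtualearth", XENAPP, ("virtualearth.net",), False)
AUTHED = Rule("authenticated-web", ("10.0.0.0/24",), (), True)
# Stand-in for an exception keyed on source IP only.
IP_ONLY = Rule("xenapp-ip-exception", XENAPP, (), False)

SCOPED_FIRST = [SCOPED, AUTHED]   # the ordering suggested in the comment
SCOPED_LAST = [AUTHED, SCOPED]    # same rules, wrong order
IP_EXCEPTION = [IP_ONLY, AUTHED]  # source-IP exception instead of a scoped rule

if __name__ == "__main__":
    for label, rules in (("scoped first", SCOPED_FIRST),
                         ("scoped last", SCOPED_LAST),
                         ("ip exception", IP_EXCEPTION)):
        for host in ("dev.virtualearth.net", "www.example.com"):
            print(label, host, evaluate(rules, "10.0.0.21", host, False))
```

With the scoped rule first, only the anonymous GIS lookups skip authentication; the IP-only exception lets every anonymous request from those servers through.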
Thanks a lot Ed!!
Big smile!!!
I put some Firewall Access Rules on my Sonicwall Network Security Appliance like you suggested, and yes
You were really a great help!
Glad to help out. Merry Christmas!
Ed
Hi there,
I have this little problem with GFI WebMonitor, regarding authentication method, when I choose basic authentication, every time the client pc browse the internet, it needs credentials, which is my username and password is needed, is there any solution to change it with their own username and password? Hope to receive any feedback from you guys… Thanks…
Darrell
That is what basic authentication will do…prompt you each time. Worse, if you are not using SSL then you are transmitting those creds in cleartext. If you need authentication for outbound access, use Integrated instead. For IE and Chrome, that will auth in the background and you won’t be prompted. For FF, you may still see a pop up box, but the creds will be encrypted.
HTH
Ed
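To make the Basic versus Integrated point concrete, here is an added example (not part of the original comment): a small audit over constructed proxy requests that reports which `Proxy-Authorization` scheme was used and whether a Basic credential was exposed. The host, user name, password and the `tls` parameter are assumptions made up for the illustration.

```python
import base64


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def _request(auth_header=None):
    """Build a constructed proxy request, optionally with an auth header."""
    lines = ["GET http://intranet.example/ HTTP/1.1", "Host: intranet.example"]
    if auth_header:
        lines.append(auth_header)
    return "\r\n".join(lines) + "\r\n\r\n"


# Constructed samples: user name, password and tokens are made up.
SAMPLE_REQUESTS = [
    _request("Proxy-Authorization: Basic " + _b64(b"jdoe:Summer2010!")),
    _request("Proxy-Authorization: NTLM " + _b64(b"NTLMSSP\x00\x01\x00\x00\x00")),
    _request("proxy-authorization: basic !!!not-base64!!!"),
    _request(),
]


def parse_headers(raw_request):
    """Map lower-cased header names to values for one raw HTTP request."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_proxy_auth(raw_request, tls=False):
    """Classify the proxy credentials in one request.

    tls (assumed parameter): True if the client-to-proxy hop was inside TLS.
    The password itself is never returned, only its length.
    """
    value = parse_headers(raw_request).get("proxy-authorization")
    if value is None:
        return {"scheme": None, "finding": "no proxy credentials sent"}
    scheme, _, token = value.partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        try:
            # Basic is only base64("user:password"); there is no secret key.
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        except ValueError:
            return {"scheme": "basic", "finding": "malformed Basic token"}
        user, sep, password = decoded.partition(":")
        if not sep:
            return {"scheme": "basic", "finding": "malformed Basic token"}
        finding = ("protected by TLS in transit" if tls
                   else "password readable on the wire")
        return {"scheme": "basic", "user": user,
                "password_length": len(password), "finding": finding}
    if scheme in ("ntlm", "negotiate"):
        return {"scheme": scheme,
                "finding": "challenge-response token, not the password itself"}
    return {"scheme": scheme, "finding": "unrecognised scheme"}


if __name__ == "__main__":
    for sample in SAMPLE_REQUESTS:
        print(audit_proxy_auth(sample))
```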
hey i am unable to stream videos on my iphone under the GFI monitor Domain.. is there any setting required at GFI or on my iphone to work it???
Probably, first whitelist your iPhone to see if it works, and if it does (which is likely) contact GFI Support to discuss. They sent me a patch which fixed the issue with my Apple iThings; it might be that you need that patch. Sorry, but I cannot tear down and reinstall my instance just to see if the patch was incorporated into the latest binary.
HTH
Ed
Ed, First great Post – I really like GFI Web monitor. Do you know if there is a way to make the MGT console available to a system on the internal network? I tried using the IP address with the port with no success. I too have it integrated with TMG.
Thanks D. To hit the admin console from another machine, see this GFI KB. You have to setup your browser to use the TMG as your web proxy.
this did not work for me because i am on a school laptop lol