                AVIRA WebGate v 1.1.1 [Linux]

              Copyright (c) 2004-2005 by AVIRA GmbH

                    http://www.avira.com

        Document last updated on: June 20, 2005      


Thank you for using AVIRA WebGate v 1.1.1. This document contains
important information and we strongly advise you to read the
entire document and the related documentation available for
this product.

Contents:
- Description
- Features
- System Requirements
- Install
- Configuration
- Update
- Uninstall
- Registration
- Known Issues
- Feedback & Technical Support
- Copyright 


* Description

AVIRA WebGate v 1.1.1 is an anti-virus solution which protects your 
network against viruses and other malicious software by scanning, 
filtering and if necessary blocking access to all unwanted programs 
from the Internet. AVIRA WebGate v 1.1.1 acts as a web proxy, scanning 
all incoming and outgoing HTTP and FTP traffic.

AVIRA WebGate security software consists in the following program 
modules:
- AVIRA Engine, the scanning and repairing module;
- AVIRA Updater connects to Internet and automatically updates AVIRA 
  programs;
- AVIRA Web Proxy Module supervises HTTP and FTP network connections.

* Features

- Intuitive installation and configuration;
- Real time web traffic scanner;
- Scans all data exchange with the Internet;
- Adware/Spyware Detection Support, in addition to the detection of 
  jokes, dialers and many forms of malware. This option has been 
  implemented in the antivirus engine for both on-access and  
  on-demand scan processes. Moreover, the AVIRA detection technology
  also recognizes Security Privacy Risk applications (SPR), Unusual
  Runtime Compression Tools and Double Extension Files;
- Webmail examination;
- Built-in archive support;
- Heuristic detection for both macro and Win32 viruses;
- Notification and reporting features;
- Non-privileged user mode increases system's security;
- Automatic Internet Update;
- Self Integrity Program Check.

* System Requirements

For a working installation you should consider these minimum 
requirements:
- Platform: i386
- Operating System: Linux with 2.2 Kernel and GLIBC 2.2 or better
- 8MB free harddisk space for product installation
- 100MB free harddisk space for the working directory 
  (1GB recommended, depending on the amount of data transferred)
- 32MB free memory space (64 MB recommended)


* Install

Login as root, change to the directory containing AVIRA WebGate install
files and run the install script.

  ./install

The script will do the following:
- copy files to /usr/lib/AVIRA
- copy configuration files to /etc
- create a link in /usr/bin (if desired)
- create links in rc.d directory (if desired)
- run a configuration script (if desired)

The install script will guide you through several steps, each time 
explaining what it is doing.

* Configuration

Network Configuration

There are different ways to integrate AVIRA WebGate into your existing
network topology. WebGate is able to work closely with other proxies,
but can also be used as a stand-alone proxy. The following three 
different configurations are possible:


 NetworkConfiguration 0:
 -----------------------

 +-----------+    +=========+    +----------+
 | client(s) |<-->| WebGate |<-->| Internet |
 +-----------+    +=========+    +----------+

In this configuration, WebGate works as a stand-alone proxy. WebGate
receives requests from the clients and forwards them to the 
appropriate server. The data received from Internet is always scanned 
and forwarded to the clients if they are clean.

In order for the data to be scanned, the clients will need to be 
configured to use WebGate as a Proxy (HTTP and FTP).

-> see also "Client Configuration" below


 NetworkConfiguration 1:
 -----------------------

 +-----------+    +=========+    +---------+    +----------+
 | client(s) |<-->| WebGate |<-->|  proxy  |<-->| Internet |
 +-----------+    +=========+    +---------+    +----------+

In this configuration, WebGate forwards the requests received from the 
clients to another proxy server. The data responses received from the 
proxy are always scanned before they are forwarded to the client. 
Thus, the data residing in the proxy cache are also scanned every 
time they are requested by a client.

The clients must be configured to use WebGate as a Proxy. In WebGate's
configuration file you must specify the proxy to which WebGate should 
forward the requests. If WebGate is installed on the same machine as 
the already existing proxy, it is easier to change the port of the 
existing proxy and to use the initial port for WebGate, thus the 
clients need no changes.

Note: In this configuration the proxy itself is not protected and 
viruses may be cached by the proxy.

-> see also "Client Configuration" below


 NetworkConfiguration 2:
 -----------------------

 +-----------+    +---------+    +=========+    +----------+
 | client(s) |<-->|  proxy  |<-->| WebGate |<-->| Internet |
 +-----------+    +---------+    +=========+    +----------+

In this configuration WebGate receives the requests from a proxy and 
forwards them to the appropriate server on the Internet. The received 
data is scanned and forwarded to the requesting proxy, thus the data 
received from Internet is scanned only once and it is cached by the 
proxy.

The proxy server must be configured to forward requests to WebGate 
(parent proxy). No changes are needed on the client machines if they 
are already using the proxy.

ATTENTION: IF A CLIENT REQUESTS DATA WHICH RESIDES ALREADY IN THE 
PROXY CACHE, THE CLIENT IS SERVED DIRECTLY BY THE PROXY. THAT MEANS 
THAT THE DATA WILL NEVER BE SCANNED AGAIN UNTIL IT EXPIRES. HENCE, 
THERE IS SOME RISK THAT A NEW VIRUS MAY BE CACHED BY THE PROXY AND 
FORWARDED TO THE CLIENTS, EVEN IF THE VIRUS DEFINITION FILE (VDF) HAS 
BEEN UPDATED.

-> see also "Proxy Configuration" below


WebGate can also be installed between two proxies.


AVIRA WebGate configuration

To configure AVIRA WebGate simply edit the file:

  /etc/aiwebgate.conf

You will find commented explanations of the various available 
settings. 
Email notification settings are located in AVIRA main configuration 
file:

  /etc/avira.conf

Once you have made the desired changes, you can restart WebGate with:

  /usr/lib/AVIRA/aiwebgate restart

You can also reload the configuration file without restarting WebGate 
with:

  /usr/lib/AVIRA/aiwebgate reload


You may customize the alert messages editing 
/usr/lib/AVIRA/alert/index.html.
This page will be displayed in the browser if an alert condition is 
found by AVIRA WebGate.


Client Configuration

Once AVIRA WebGate is running, web browsers will need to set WebGate 
as the HTTP/FTP proxy (NetworkConfiguration 0 and 
NetworkConfiguration 1).

Note: If you already have an HTTP/FTP proxy in your network and AVIRA 
WebGate is installed "behind" the proxy (NetworkConfiguration 2), then 
you will change your proxy's setting instead of the web browsers' (see 
"Proxy Configuration").


Proxy Configuration

If AVIRA WebGate is installed "behind" a proxy server 
(NetworkConfiguration 2) or between two proxies, then you need to 
configure the proxy to forward all requests to AVIRA WebGate (ie. to 
use WebGate as parent proxy).

* Update

If you are updating AVIRA software from a previous installation, simply
run the installation script:

  ./install

The installation script will identify a previous installation and 
automatically update necessary components.

Internet Updates are transferred through HTTP. If your machine is 
running behind an HTTP proxy server, you can configure AVIRA to use a 
proxy (and specify other updater options) by running:

     /usr/lib/AVIRA/configavira

or manually editing the /etc/avira.conf file. Updates can be handled in
two different ways:

1) Automatic Internet Updater
   During installation you have the option to install the Automatic 
   Internet Updater. This is a very simple daemon that runs in the 
   background and periodically executes the updating command ('avira 
   --update'). This program was designed for people who do not want to 
   worry about configuring scripts or cron jobs for updates. You can 
   manually start, stop or see the status of the updater daemon with:

   /usr/lib/AVIRA/aiupdater start
   /usr/lib/AVIRA/aiupdater stop
   /usr/lib/AVIRA/aiupdater status

2) Manual Updates (or cron jobs)
   Another way of doing updates is manually, running 'avira --update'. 
   This command will give you visual feedback, so you can monitor 
   the updating process. However, you can also automate it by putting 
   the command in a cron job or within a script. A typical cron job 
   entry (in /etc/crontab) would look like this:

   45 6 * * * root /usr/lib/AVIRA/avira --update -q

   This would make AVIRA check for updates every day at 6:45 (the -q 
   makes it run in quiet mode, without any output). You can also write 
   your own scripts which interpret the exit code to check if the 
   update was successful.
   Here is a simple script to demonstrate this:

------------------ BEGIN SCRIPT -------------------
#!/bin/sh

/usr/lib/AVIRA/avira --update -q
case $? in
  0)
    echo "AVIRA is up-to-date"
    ;;
  1)
    echo "AVIRA has updated itself"
    ;;
  *)
    echo "AVIRA had an error trying to update"
    ;;
esac
------------------- END SCRIPT --------------------

   If the updater is run as root, then it will safely and securely 
   reload the AVIRA WebGate process.

   Note: When running --update as root, it is best to give the full 
   path to the command. For example, you should call:

             /usr/lib/AVIRA/avira --update

         and NOT:

             avira --update

    If you do not include the full path you may get a warning from 
    AVIRA that it could not determine the path to the AVIRA directory.

   If you only want to check if new updates are available, even if you 
   are not logged in as root, you can use the --check option:

   /usr/lib/AVIRA/avira --check --update
   
   Whenever AVIRA makes an update it logs this information using 
   syslog. If you have specified a custom log file then it is also 
   logged into this file.
   Furthermore, if you have activated email notifications, an email
   message is sent each time an update was successful or in case there
   was an error (email messages are not sent if an update was not 
   needed).

* Uninstall

The uninstall script will remove the previously installed files. Login 
as root, go to the directory containing AVIRA WebGate install files 
(usually /usr/lib/AVIRA) and run the uninstall script:

  ./uninstall webgate

The script will do the following:

- remove the installed files from the /usr/lib/AVIRA
- remove the symbolic links in /usr/bin (if found)
- remove the init scripts links in the rc.d directory

Note: If more than one AVIRA product is found installed on the system, 
the uninstall script will not remove AVIRA core files (AVIRA Command 
Line Scanner and VDF files) or the Internet Updater.

* Registration

After purchasing the product from AVIRA Sales or from one of the 
nearest AVIRA Partners, along with the proof of purchase you will 
receive the Registration Code (RC), which is required to obtain the 
Activation Key (AK). AK is needed for the product to run with Update 
Service.

You can obtain the Activation Key only after registering with the RC at
http://register.avira.com within 30 days from the RC delivery date.

Activation Keys (AK) can be placed in any directory but we recommend 
you to put them in the /etc directory together with the AVIRA 
configuration files. Make sure that the key file has proper 
permissions. You need to specify the path to the AK on the License line
in your /etc/avira.conf file, for example:

   License YOUR-REGISTRATION-CODE /etc/your-activation-key

* Known Issues

- For security reasons, AVIRA WebGate does not offer proxy support for 
  the HTTPS protocol. To route HTTPS traffic you need to use a 
  separate proxy server.

- Fedora Core users with prelinking enabled may experience problems 
  with AVIRA's products. To see if prelinking is enabled on your 
  machine and how it can be disabled please read the relevant section 
  of the FAQ.
  
- On Fedora Core, RedHat and Mandrake Linux, the default maximum number
  of threads is less than 1024. For details on how to re-compile your 
  libc to support a higher number of threads, please refer to your 
  system documentation.

- Internet proxy settings for the updating procedure ("avira 
  --update") are taken from the avira.conf file but also from the 
  aiwebgate.conf file, if appropiate settings exist.
  
- When downloading large files through a slow connection, the browser
  may show no activity for large amounts of time because AVIRA WebGate
  forwards the response only after the entire file was downloaded and
  scanned. You may use the SendProgress feature to have a graphical 
  feedback in the client's browser on the progress of the download. See
  the comments in aiwebgate.conf for further information.

- When the product license has expired and you try to perform an 
  update, you may see that some permission error messages and a 
  self-update failure notice are logged instead of being notified that
  the product has expired.
  
- If you want to install AVIRA WebGate on the same system either with 
  AVIRA MailGate or with AVIRA for Sendmail-Milter, you may face 
  permission conflicts for /etc/avira.conf, due to different user and
  group settings between the two services. We recommend that you use
  a common group to run both services and change group ownership for
  avira.conf to this new group.
  
* Copyright

Copyright (c) 2004-2005 AVIRA GmbH. All rights reserved. No part of 
this material can be reproduced, in any way, by any means. The product
and the documentation that comes with the product are protected by 
AVIRA GmbH's copyright. AVIRA GmbH reserves the right to revise and 
modify its products according to its own necessities. AVIRA GmbH 
cannot be held responsible for any special, collateral or accidental 
damages related in any way to the use of this document.

* Feedback & Technical Support

Technical support is available at: support@avira.com.
Please do not hesitate to contact us if you discover any problems or if
you have any suggestions.
For commercial related issues please write to sales@avira.com.
AVIRA Website: http://www.avira.com