SurfControl Web Filter Version                        April 2005


New Features in Version 5.0

License Information

Customer Issues Fixed
Known Issues


Welcome to version 5.0 of SurfControl Web Filter for Windows, Microsoft Proxy Server, and Microsoft ISA Server and SurfControl's Virtual Control Agent™ (VCA.

SurfControl Web Filter offers the most advanced filtering technology available for the corporate environment, easing the challenge of managing Internet usage in the workplace.  It can help you increase employee productivity, optimize network bandwidth, increase security and limit legal liability that occurs when corporations provide Internet access to their employees. Protect your employees and your company by promoting intelligent Internet use.

SurfControl Web Filter offers a complete set of tools for monitoring, filtering and reporting on Internet Access:


New Features in Version 5.0

SurfControl Report Central

A new web-based reporting engine, making it easier for users throughout the organization to run and schedule the reports they need. SurfControl Report Central also brings faster reporting and a new report showing the how much time a specific user spent at each category.

ISA 2004 Integration

Provides filtering, monitoring and reporting for Microsoft ISA 2004 as well as Microsoft ISA 2000.

Policy Override

The Microsoft ISA integration of SurfControl Web Filter allows a new rule type, Policy Override. Trusted users can be given responsibility to continue to view a page they believe has been incorrectly blocked. This activity is easily identifiable so abuse can be quickly caught.

New URL Database Categories

7 New categories have been added since version 4.5. These include Spyware, Downloads, Illegal Drugs, Phishing & Fraud and Business.

Active Directory Support

Browse your Active Directory tree from the SurfControl Rules Administrator. You can select users and groups from Active Directory for inclusion in your access rules. SurfControl Web Filter continues to support NT Domain and Novell NDS/eDirectory environments.

VLAN Support

Filtering, monitoring and reporting in VLAN environments.

Reduced Data Storage

The option to reduce the amount of information logged and stored, but still capture the relevant activity that you will want to include in reports.


Single Management Console

View, monitor and manage multiple SurfControl servers from a single location.

Faster and more resilient Data Handling

The way logged data is written to your MSDE or SQL database has been re-designed to vastly improve performance and increase resilience to database problems.


Block while categorizing

Pass-by products such as SurfControl Web Filter for Windows have many advantages for your network, such as zero latency and not being a point of failure. One risk is the "sneak peek" which can occur sometimes with any pass-by solution. This is when a user requests a site that is not allowed but is able to see the first page, but not any images. A new "Block while Categorizing" feature has been added that will minimize the risk of this happening.


Track User access by Workstation

Identify if a user accesses the web from different workstations.


Continuous VCA processing

The VCA will now run as a service, continually checking for new, uncategorized sites. In previous releases the VCA was a scheduled task. This new design will improve the turnaround time for the VCA categorization of a site that has never been seen before.

Processing of suspected corrupt flat files:

During a flat file update, any invalid files found will be quarantined in the following created folder:


Program Files\SurfControl\Web Filter\tmp\quarantine


A new command line tool – treatquarantined.exe can then be run which checks these files line by line to see if they correspond to the correct format. Any corrupt lines are left in the original file with clean lines written to a new file in the tmp directory and the corrupt file then deleted from the quarantined folder.


SurfControl strongly recommends that  you use the Scheduler to run the treatquarantined.exe command on a daily basis. For more information see Knowledge Base Article 1611 at:

License Information

SurfControl Web Filter will run as an evaluation version for 30 days. During the evaluation period, you can schedule and download updates to the URL Category List, so that you obtain the latest version for testing.

The VCA will run as an evaluation version until serialized, but categorization work performed during the evaluation period is not saved.


For complete installation and configuration information, please see the SurfControl Web Filter Installation and Configuration Guide. This is available as an Adobe Acrobat™ (PDF) document from

Customer Reported Issues Fixed In This Release

Issue Number



Add option for to create a report for "Yesterday"


Administrator does not handle SQL Server Permissions errors.


Installing SWF on server with teamed/mirrored NIC cards causes blue screen.


'Enable Username Support' can causes handle count to grow very large


Partial pages being delivered on first request even though there is a rule blocking access to them


Set all the SWF services to run as a valid user if windows authentication is selected during setup.


Default deny page setting is lost when renaming or adding a new deny object.


Poor grammar in Important Installation Information dialog


Change email notification label for the 'Catch up mode notification' check box


Real-time monitor isn't redrawing itself when you resize any column.


Feature Request to display Dropped packets counter in Performance Monitor


Importing rules when object has an apostrophe fails.


Invalid year value in 'From' Date Range of VCA report can cause Dr Watson.


Refresh function resets the data order in the Users window in the Monitor


Some countries missing from registration dialog.


Some VCA issues when operating on Database over 5GB.


Site host names longer then 70 characters prevent flat files from updating.


Delay in communication between EUM and Web Filter Service.


Apostrophe in user's 'real' name prevents friendly name from being obtained.


EUM agent puts high load on Domain Controller CPU when sending cache info.


Web Filter Installation Fails on ISA Server


Error thrown in a multiple domain environment which has the exact same group names in all the domains.


The netsurf1.inf file is not replaced when upgrading from 4.2 SP2.


MSN Messenger and Yahoo messenger objects missing in protocols and ports.


The appropriate value is not shown for the $CATEGORY variable in email notification messages for non-http traffic.


Unable to view users from other domains in the Rules Administrator.


Consecutive screens with same title in InstallShield


'Repair' seems to have a problem in fixing modified .exe files.


Browse Time Report exceeding stop time.


Group name containing an apostrophe is ignored during flat file import.


Problems when monitored users have the same friendly name.


Feature Request to include in the docs the details of fields in database tables.


Prevent the original URL Category List from being overwritten if the new uncompressed downloaded file is empty.


In rare cases ScScout.exe crashes when rule changes are committed.


Categorize all 'None' issue


Rules irregularity - rules not taking effect if delay between starting service and committing is >= 20mins.


Using hostnames in 'Who' objects doesn't work for pass through products.


Octal URL string padded with sufficient number of zeros is not blocked.


In large environments selecting Sites in Advanced Criteria of Reporting takes a long time to complete


Details missing form docs with regards to Netware EUM.


Documentation doesn't adequately describe report behaviour when users are in multiple groups.


In some cases customers with valid registrations will fail to download the URL Category List updates


Occasional incorrect page level categorisation when root has been updated in URL Category List.


In some cases on multi-processor servers Web Filter Server hangs when a blocking rule is enabled.


Feature Request to add precision bandwidth control types.


Feature Request to allow Real Time Monitor to be run remotely


Allowance notification is being sent when the rule is first hit, not when the allowance is exceeded.


Feature Request to send a notification when a specific file type is downloaded


Record that a user accesses the Internet from different workstations over time.


Feature Request for an option to make ISA to Fail Closed.


Feature Request to create a Deny Page with more than 1024 chars for ISA integration


Certain page activity strings in flat files cause Connections.page_id = -1.


URL Category List updates are being inadvertently blocked by customer policy


Using SurfControl Web Filter standalone in a Blue Coat environment could causing flood of excess network traffic.


Possible to by-pass web filter by obscuring urls with @@ on certain web browsers


Choosing Windows authentication in a WORKGROUP fails to control the SWF service.


Feature Request to purge database without needing to stop filtering.


Feature Request to record any object that causes a block regardless of Monitored Data settings


Multi threading and shared memory synchronization


Dual processor machines and problems in the service


Concurrent enumeration requests in Active Directory Users node


ISA Stop and Start can cause w3proxy.exe to fail


Policy Override and proxy server settings


Duration time calculations


Deleting user defined groups


Missing Hotkey for Allowance radio button


Hotkey issues on Rule Properties dialog box


Inconsistent manual commit failure


ISA timeout


ISA high load issue


Network Groups Update timeout


Committing manual categorizations


Changed default size of flat files


VCA updating issue


Inconsistent behavior when using user Defined Where Objects


Friendly names could be displayed in Privacy Version


Web Filter service hangs following high cpu usage


URLs in Precise Bandwidth Control objects


Purge Failing

Issue Number

Duplicate categories appearing after URL Category list updates



Known Issues


Issue Number



VCA results are not correctly updated in Monitor.


VCA categorizations incorrect when "Block Until Categorized" option is switched on.
VCA categorizations are incorrect when "Block Until Categorized" option is switched on. To avoid both these situations you should set the VCA machine's subnet to be unmonitored.
For 4729 ISA and MS Proxy Server platforms, you should create a new admin user for the VCA machine and then set that user to unmonitored.
13010 is only an issue for SurfControl Web Filter for Windows.


Problem monitoring proxy using SurfControl Web Filter for Windows.
If a user generates Internet traffic via a proxy, EUM reports this user name to the Web Filter server, which then monitors all proxy server hits with this user name. Any subsequent traffic going through this same proxy is recorded against the user logged into it. This can give the impression that a single user generated a lot of internal traffic.


Default upgrade path does not install VCA or give the choice to install.
The default upgrade path does not install VCA or give the choice to install.

To upgrade and install VCA, follow this procedure:

1. Start upgrade to V5.0.

2. On the "Select Upgrade Option" screen, uncheck "Keep Existing Settings" and click NEXT.

3. On the "Server Installation Options" screen, leave everything checked (VCA is one of these options) and click BACK.

4. On the "Select Upgrade Option" screen, check "Keep Existing Settings" and click NEXT.

5. Continue through the rest of the installation. VCA will be installed and existing settings are also kept.


Mobile Filter Clients can't upgrade via the web when "Offline Action" is set to block all.
Mobile Filter Clients can't upgrade via the web when "Offline Action" is set to block all

Forcing Clients to upgrade while "Offline Action" is set to "Block All" stops the client from upgrading via a web page as all internet activity is being blocked on the client machine.


Policy Override is not available within the Rules Administrator on the Remote Admin installation.
Policy Override is not available within the Rules Administrator on the Remote Admin installation.

This is because the client is the same across platforms and policy override is not supported by the pass-by platform.

There are only two available options on the Select Server Platform Type page during installation:

1. Windows 2000/2003 (Pass by) or Microsoft Proxy Server.

2. Microsoft ISA Server.


Need SQL Client Tools in order to create a database on a named instance of SQL Server.
Need SQL Client Tools in order to create a database on a named instance of SQL Server.

To create a database on a named instance of SQL Server using the SurfControl Create MSDE/SQL Server Database wizard you must have SQL Client Tools installed on your machine otherwise a series of errors are generated.


Upgraded User defined categories containing single category will be renamed.
Upgraded User defined categories containing a single category will be renamed to the name of the category they contain.

For example a user defined category 'MyCategory' containing 'sport' will be renamed to 'sport'. If 'sport' already exists one instance (depending on categorisation priority) will be renamed 'sport(1)'. Users who wish to avoid this should enter characters in the SmartScan window for categories they wish to keep prior to upgrade and then remove them afterwards.


When changing Spider Settings new folder is not used until application is closed and reopened.
When changing the Spider Settings file location in the Settings tab of the VCA application and applying the changes, this new location is not used until the application is closed and reopened.


Selecting Mobile filter database settings changes only take effect after a reboot.
When changing the SurfControl Mobile Filter database a reboot is required before the new database is used.


Mobile Filter Install doesn't check for the presence of Microsoft IIS.

The SurfControl Mobile Filter server can be installed successfully on a server that does not have Microsoft IIS installed, even though Mobile Filter will not work if IIS is not present.


Network Groups Update fails under NetWare scenario.

The following situation causes a problem:

The user(s) no longer exist(s) on the domain controller at the time a scheduled Network Group Update event was run AND their last connection was later than that configured in the dialog for automatically removing users after a given period of inactivity.


Under NT username handling, the user(s) is/are removed. However, under Netware handling, the user(s) is/are not removed and neither are their groups updated. The workaround to this is to manually delete the user(s) once you know that they should no longer be present.


Severe errors are caused when upgrading is cancelled while the SurfControl Database Updater dialog is in focus.
During product upgrades an option is available to update the database currently in use by Web Filter via a separate dialog (SurfControl Database Updater). If this is chosen the main InstallShield window remains active allowing the Cancel button to be selected. If the Cancel button is pressed on the main dialog and then the Update button selected on the SurfControl Database Updater dialog a severe error is generated - "ERROR: Unable to copy driver file to system directory". The Web Filter can be installed after this message has been closed. However, performing an uninstall of Web Filter throws another severe error - "ERROR: Timed out while waiting for Web Filter Service to respond". The Web Filter will continue to uninstall but the subsequent reboot will take considerably longer than usual.


Recording User Level share access.

If Windows 95/98 machines on the network are configured for User Level Share, when anyone goes to open a file from one of those machines, the domain controller records that the remote user logged onto the Windows 95/98 machine. This results in the browser activity from the Windows 95/98 machine being recorded under the incorrect user name. Windows NT domain controllers demonstrate the same behavior.


Remote Administrator with NDS.

When installing a Remote Administrator, users will be presented with the dialogs to set-up username support as in the Complete Product. The information from these dialogs is necessary to browse and display data at the user specified Context in the NDS Tree. The specified NDS Context should be the same as the one used in the Complete Product, but the username and password information can be different. If a different username is specified, this user should have the same rights to the NDS Context as the user specified in the Complete Product. In addition make sure you choose the same options for username monitoring in all installations.


NetWare EUM does not work with long filenames.

The NetWare NLM for Username support only supports 8.3 DOS directory formats; therefore, please copy the NLM into a 8.3 DOS directory.



The MSDE package included with SurfControl Web Filter is an English version, even when a translated version of Web Filter is installed.  If you require a translated version of MSDE, please download your chosen language version from the Microsoft Web Site, at


*** END OF FILE ***