Thread: Transparently Filter Using Websense (Internet Related/Filtering/Firewall, in Technical)
  1. #16

    Originally posted by FN-GM:
    "In this setup there are no Cisco routers at all. All I need is a blanket filtering on the whole network. Can I just install Websense on a server and point the clients to use it as the default gateway and it will work?"

    Yes, Websense simply applies a default policy to all users and computers unless otherwise configured. You do need to have something passing the info to the server. Default gateway is probably fine for that. If they know how to get around a DHCP default gateway then you're probably going to need more complex protection anyhow.

  2. #17

    FN-GM
    Originally posted by Innovation_Dan:
    "Yes, Websense simply applies a default policy to all users and computers unless otherwise configured. You do need to have something passing the info to the server. Default gateway is probably fine for that. If they know how to get around a DHCP default gateway then you're probably going to need more complex protection anyhow."

    Using the firewall to only allow connections from the Websense box will fix them getting round the DHCP.

  3. #18

    SYNACK
    Originally posted by FN-GM:
    "Sorry, I didn't see it. I tried that at my old place who use ISA 2004 and it let internet traffic go through the server but didn't filter it."

    To work like this it needs to be installed as a filter that applies to HTTP traffic. I know that SurfControl does this, so I was sure that Websense would, as they purchased SurfControl ages ago. You may just need to make sure that the correct filter driver is installed. The filter connection can get messed up in ISA (at least in SurfControl) though.

    From a quick look at their site, it looks like you are after Websense Content Gateway, which does offer transparent filtering:

    http://kb.websense.com/al/12/1/artic...?aid=3123&bt=4
    http://kb.websense.com/al/12/1/artic...=4&r=0.1411859

  4. #19

    Hi,

    Depends on your budget, but the Cisco ASA security devices support mandatory transparent HTTP/S filtering through a Websense server. The Juniper Netscreen range certainly do too, though not sure about the newer SSG stuff.

    ASA Specs: http://www.cisco.com/en/US/prod/coll...cd80285492.pdf

    The 5505 handles 4000 connections/sec and is about £400. You get a two user license for the SSL gateway with that too, which might be useful.

    The DC agent/Logon agent running on Websense will handle user identification.

    Feel free to give us a shout if you have any Q's about setting up Websense (and/or the ASA side of things). FWIW, I've found Websense v7 to be considerably more reliable than 6.x


    Chris.

  5. #20

    FN-GM
    Cheers, I have set up Websense plenty of times on ISA; just looking for other options.

  6. #21

    FN-GM
    Originally posted by Innovation_Dan:
    "Yes, Websense simply applies a default policy to all users and computers unless otherwise configured. You do need to have something passing the info to the server. Default gateway is probably fine for that. If they know how to get around a DHCP default gateway then you're probably going to need more complex protection anyhow."

    Hi,

    When I do this I get no web traffic going through at all. Do you have any suggestions please?

  7. #22

    Originally posted by FN-GM:
    "Hi,

    When I do this I get no web traffic going through at all. Do you have any suggestions please?"

    Actually, now that I think about it, I don't know that using DG to point at the Websense server would work unless you did some kind of routing alongside it. In the Cisco PIX setups we use at our sites, the PIX actually knows to pass the info to Websense and then get a response.

  8. #23

    FN-GM
    Hi,

    I have finally got round to looking into this more.

    I have set up an ISA 2006 Server. I have given it 2 NICs: one internal, and the other connects to the external network. I have set the client default gateway to the server. The firewall rules work well; I can block URLs using ISA.

    However, Websense doesn't; the only way I can get it to work is by inputting the proxy server in the web browser.

    Does anyone have any suggestions? I am considering pushing a .pac file using DHCP but I would like to see if I can do it without this first.

    Thanks.

  9. #24


    tom_newton
    If you can push a pac file, do so. Transparent proxying is generally not worth the hassle unless there is no other way round it.
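
A PAC file of the kind discussed above, delivered by WPAD (DHCP option 252), written here as an added example that is not part of the original posts. The proxy host name, port, internal suffix and subnets are constructed placeholders, and the syntax is kept to old JScript-compatible constructs.

```javascript
// Added example PAC file. Host names, port and subnets below are constructed placeholders.
var PROXY = "PROXY isa01.example.internal:8080";  // hypothetical ISA/Websense listener
var INTERNAL_SUFFIX = ".example.internal";        // hypothetical internal DNS suffix
var INTERNAL_NETS = [["10.0.0.0", 8], ["192.168.0.0", 16]]; // assumed LAN ranges

// Parse a dotted-quad literal into an unsigned 32-bit integer, or null if it is not one.
function ipv4ToInt(s) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True only when host is an IPv4 literal inside net/bits. No DNS lookup is done,
// so a name such as "10.1.2.3.example.com" cannot pass as an internal address.
function inNet(host, net, bits) {
  var h = ipv4ToInt(host), n = ipv4ToInt(net);
  if (h === null || n === null) return false;
  var size = Math.pow(2, 32 - bits);
  return Math.floor(h / size) === Math.floor(n / size);
}

function endsWith(s, suffix) {
  return s.length >= suffix.length &&
         s.substring(s.length - suffix.length) === suffix;
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Single-label names (no dot, not an IPv6 literal) resolve only on the LAN.
  if (host.indexOf(".") === -1 && host.indexOf(":") === -1) return "DIRECT";
  if (endsWith(host, INTERNAL_SUFFIX)) return "DIRECT";
  for (var i = 0; i < INTERNAL_NETS.length; i++) {
    if (inNet(host, INTERNAL_NETS[i][0], INTERNAL_NETS[i][1])) return "DIRECT";
  }
  // Everything else goes to the filter. There is no "; DIRECT" fallback, so a
  // proxy outage stops browsing instead of letting traffic out unfiltered.
  return PROXY;
}
```

Clients that never fetch or honour the PAC file still need the firewall restriction mentioned in post #17, since a PAC file only advises the browser.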

  10. #25

    FN-GM
    I was hoping to do it without that, but it looks like I might have to.

  11. #26

    FN-GM
    Just found using this method that you have to enable automatically discover proxy settings in IE. This is something that might not be enabled on all the laptops.

    Dam

  12. #27


    tom_newton
    FN,

    This is the default setting - so shouldn't be too much of an issue.
    You might be able to perform some trickery on those users who don't get the proxy, so they get a page telling them what to do...

  13. #28

    FN-GM
    All working now thanks to this: "ISA SecureNAT and Firewall Clients Can Bypass Websense Content Filtering" (Richard Hicks' ISA/TMG Blog)

    On page 13 under the ‘Configuring the ISAPI Filter’ section you will see that in order to correctly filter SecureNAT and Firewall Clients you must create a file called ‘ignore.txt’ in the Windows\System32 folder. This file should contain the hostname or IP address of the ISA firewall that the filtering plug-in is installed on (note also that this entry should be in all caps).


