  1. #1

    FN-GM

    Transparently Filter Using Websense

    Our school gets Websense for free so we would like to take advantage of this.

    I would like to have filtering on the Guest and Student wireless network. I don't want it to use AD group or anything, just filter all clients that connect. The devices that connect will be all different kinds such as Windows, Linux, Mac, iPhone and other mobiles etc.

    I would like it so that all users connect up and go and are filtered. With my experience with Websense I used ISA with it but that meant I had to set a proxy address. This is something I don't want, it needs to be set up so it just works without any user intervention.

    Any suggestions please?

    Thanks

  2. #2

    powdarrmonkey
    If you want it properly, your router needs to deny outgoing connections, and re-direct 80 and 443 (and anything else you want filtered access to, like 21) to your Websense box. On a Linux box this is easy, but I can't help you with a proprietary router.

    Alternatively, block outgoing connections and use something like DHCP option 252 to push your proxy settings out. Anyone who has automatic configuration switched on will get the settings then, but that doesn't mean everyone, so still expect to have to do some manual configuration on this one. Web Proxy Autodiscovery Protocol - Wikipedia, the free encyclopedia: http://en.wikipedia.org/wiki/Wpad

  3. #3

    FN-GM
    Originally posted by powdarrmonkey:
    > If you want it properly, your router needs to deny outgoing connections, and re-direct 80 and 443 (and anything else you want filtered access to, like 21) to your Websense box. On a Linux box this is easy, but I can't help you with a proprietary router.
    >
    > Alternatively, block outgoing connections and use something like DHCP option 252 to push your proxy settings out. Anyone who has automatic configuration switched on will get the settings then, but that doesn't mean everyone, so still expect to have to do some manual configuration on this one. Web Proxy Autodiscovery Protocol - Wikipedia, the free encyclopedia

    Can you do this with Smoothwall Express?

    Need to avoid manual config, John suggested the DHCP method on MSN.

  4. #4

    SimpleSi
    I'm thinking if it can be very very hard to stop pupils bypassing a proxy on a locked down AD controlled network, it's going to be trivial to bypass any settings on an open one.

    regards

    Simon

  5. #5


    tom_newton
    FN: I don't *think* you can do blocking outbound on express.

    Certainly step one is to lock down the net so anyone with "standard" settings gets denied.
    You *can* then do transparent filtering which works the same on all browsers but has HTTPS issues.
    The WPAD method works "out of the box" for Windows machines, not sure on Linux - depends on distro/setup, and similarly can't tell you right off the top of my head for iPhone etc. but all these can be "manually" set up (stick poster with settings near WAP).

    The WPAD method can be combined with DHCP and DNS based advertisement for maximum coverage.

    Give me a call at some point if you want to mull over the whys and wherefores in more detail
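
The WPAD route from posts #2 and #5, as an added example that is not from any poster in the thread: a minimal `wpad.dat` that sends all Internet-bound traffic to the filter and has no direct fallback. The proxy address, internal range and the Node-only stand-ins for the browser's PAC helpers are assumptions made for illustration.

```javascript
// wpad.dat: proxy auto-config served to clients that have
// "automatically detect settings" enabled. Clients learn its URL from
// DHCP option 252 or by requesting http://wpad.<their DNS domain>/wpad.dat.
// Serve it with Content-Type: application/x-ns-proxy-autoconfig.
// Written with var/function only because older PAC engines predate ES6.

// Assumed values, not from the thread.
var FILTER_PROXY = "PROXY 10.10.0.5:8080"; // hypothetical Websense/proxy box
var INTERNAL_NET = "10.0.0.0";             // hypothetical internal range
var INTERNAL_MASK = "255.0.0.0";

// Browsers supply isPlainHostName() and isInNet(). These stand-ins exist
// only so the file can be checked offline under Node; a browser skips them.
if (typeof isInNet !== "function") {
  var toInt = function (ip) {
    return ip.split(".").reduce(function (n, o) { return n * 256 + Number(o); }, 0);
  };
  globalThis.isPlainHostName = function (host) { return host.indexOf(".") === -1; };
  globalThis.isInNet = function (host, net, mask) {
    // Stand-in only handles IPv4 literals; the real helper also resolves names.
    if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
    var m = toInt(mask);
    return ((toInt(host) & m) >>> 0) === ((toInt(net) & m) >>> 0);
  };
}

function FindProxyForURL(url, host) {
  // Intranet names and internal addresses never leave the site: go direct.
  if (isPlainHostName(host) || isInNet(host, INTERNAL_NET, INTERNAL_MASK)) {
    return "DIRECT";
  }
  // Everything else goes to the filter and nowhere else. Leaving out a
  // "; DIRECT" fallback means a dead proxy fails closed rather than
  // turning into an unfiltered route.
  return FILTER_PROXY;
}
```

A PAC file is only advice to the client, and only clients with auto-detection switched on will fetch it, so the deny rule for direct outbound traffic on the gateway remains the actual enforcement point.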

  6. #6

    SYNACK
    It only has to be a proxy if you are still using the exceptionally outdated ISA 2000. 2k4 and 2k6 do it transparently just fine. If you are still 'using' 2k talk to your licensing provider.

  7. #7

    FN-GM
    Thanks for all the comments, may call you Tom.

    I can't lock these machines down.

    Nope we can use any version. How do I go about using it transparently please?

  8. #8


    tom_newton
    FN: are you using ISA/Websense as a gateway or as a standalone proxy?

  9. #9

    FN-GM
    Originally posted by tom_newton:
    > FN: are you using ISA/Websense as a gateway or as a standalone proxy?

    Nothing has been set up yet.

    Thanks

  10. #10


    tom_newton
    Ah, ok. Well - if you want to go transparent, any filter you use should be set as the gateway.

    There are other ways (WCCP frexample) but these are not entirely pain free

  11. #11

    FN-GM
    Originally posted by tom_newton:
    > Ah, ok. Well - if you want to go transparent, any filter you use should be set as the gateway.
    >
    > There are other ways (WCCP frexample) but these are not entirely pain free

    Ok does anyone have a guide on how to do this? How can this fit with the existing Smoothwall Express box?

  12. #12


    tom_newton
    You will definitely have to replace the SW express box - as it can't do the filtering job, and is your gateway at present. Either you replace it with an ISA/Websense or, of course, the arguably classier option SchoolGuardian - which will basically add to your existing infrastructure a transparent filter. Can let you have a play with that if you like?

  13. #13

    SYNACK
    Originally posted by FN-GM:
    > How do I go about using it transparently please?

    As you have already asked this question and had it answered before I will simply repost the original:

    Originally posted by SYNACK:
    > Without a proxy server in the configuration it will first hit the default gateway on the highest priority active network adapter and see if it can get the pages directly otherwise if it is set to automatically detect it will look for a proxy.
    >
    > You can set up ISA as a transparent firewall that should run your traffic through filtering but I have not set it up transparently with a proxy. To enable it as a transparent firewall just add a rule that allows HTTP/HTTPS access from the internal network to the external network. You must have it as the default gateway of either the workstations that are trying to connect to it or as the default gateway in your top level router so that any traffic that cannot be serviced locally is sent to the ISA server for routing.

  14. #14

    Innovation_Dan
    AFAIK you would only actually *need* to use ISA server if you're trying to use actual filtering policies on users or groups, and your users are using terminal services. ISA is used to pass authentication information from the TS to the Websense agents. If you're not using TS, then you shouldn't need ISA at all, and in fact ISA just complicates the whole thing tenfold.

    As for transparent filtering, it depends on how deep you're asking. If you're just asking in general, then there's plenty of responses here already. If you're asking "How do I configure Websense for transparent filtering?" then that's a different matter.

    Websense first has to be set up in your network infrastructure as a mandatory sort of gateway. It can obviously only filter traffic that goes through it. Configuration is going to vary by hardware, but if you're using Cisco routers they can be configured for filtering directly to Websense.

    Within Websense, you'll use various agent services to authenticate users, either the Network Agent or the Logon Agent if I remember correctly. These work to pass authentication info to Websense, and it should be transparent if you're on a domain setup and have set Websense to talk to your LDAP server.

    If you don't want to actually filter based on specific policies or groups, then you can set up the default filtering service to just apply to everyone. You can tell Websense to use the default policy if it can't authenticate the individual user or computer.

    As for Proxies and HTTPS filtering, that's a lot harder to set up. You basically need a switch that can mirror a port, and you have to set up a 2nd NIC on the Websense server to watch the HTTPS traffic.

    Notes:

    1. I despise Websense. It's a house of cards to get running and keep up. Admittedly when it runs it's really powerful and hard to get around, but it seems like if you so much as look at the SQL server or ODBC connections you'll break the whole thing. It takes like 7 different services that are all interdependent.

    2. I've only really worked with Websense Enterprise, so YMMV.

  15. #15

    FN-GM
    Originally posted by Innovation_Dan:
    > AFAIK you would only actually *need* to use ISA server if you're trying to use actual filtering policies on users or groups, and your users are using terminal services. ISA is used to pass authentication information from the TS to the Websense agents. If you're not using TS, then you shouldn't need ISA at all, and in fact ISA just complicates the whole thing tenfold.
    >
    > As for transparent filtering, it depends on how deep you're asking. If you're just asking in general, then there's plenty of responses here already. If you're asking "How do I configure Websense for transparent filtering?" then that's a different matter.
    >
    > Websense first has to be set up in your network infrastructure as a mandatory sort of gateway. It can obviously only filter traffic that goes through it. Configuration is going to vary by hardware, but if you're using Cisco routers they can be configured for filtering directly to Websense.
    >
    > Within Websense, you'll use various agent services to authenticate users, either the Network Agent or the Logon Agent if I remember correctly. These work to pass authentication info to Websense, and it should be transparent if you're on a domain setup and have set Websense to talk to your LDAP server.
    >
    > If you don't want to actually filter based on specific policies or groups, then you can set up the default filtering service to just apply to everyone. You can tell Websense to use the default policy if it can't authenticate the individual user or computer.
    >
    > As for Proxies and HTTPS filtering, that's a lot harder to set up. You basically need a switch that can mirror a port, and you have to set up a 2nd NIC on the Websense server to watch the HTTPS traffic.
    >
    > Notes:
    >
    > 1. I despise Websense. It's a house of cards to get running and keep up. Admittedly when it runs it's really powerful and hard to get around, but it seems like if you so much as look at the SQL server or ODBC connections you'll break the whole thing. It takes like 7 different services that are all interdependent.
    >
    > 2. I've only really worked with Websense Enterprise, so YMMV.

    In this setup there are no Cisco routers at all. All I need is a blanket filtering on the whole network. Can I just install Websense on a server and point the clients to use it as the default gateway and it will work?

    Originally posted by tom_newton:
    > You will definitely have to replace the SW express box - as it can't do the filtering job, and is your gateway at present. Either you replace it with an ISA/Websense or, of course, the arguably classier option SchoolGuardian - which will basically add to your existing infrastructure a transparent filter. Can let you have a play with that if you like?

    Ah, but that would cost, wouldn't it?

    Originally posted by SYNACK:
    > As you have already asked this question and had it answered before I will simply repost the original:

    Sorry I didn't see it. I tried that at my old place who use ISA 2004 and it let internet traffic go through the server but didn't filter it.
