Configuring And Troubleshooting Websense Solutions For Filtering Off .
Configuring and Troubleshooting WebsenseSolutions for Filtering Off-Site UsersWebsense Support Webinar August 2010Support Webinarsweb security data security email security 2009 Websense, Inc. All rights reserved.
Goals And ObjectiveUnderstanding Websense filtering options for off-site usersRemote Filtering Server and Client Deployment considerationsInstalling and configuring Remote Filtering Server and ClientFirewall Configuration for Remote FilteringRemote filtering software upgrade information and compatibility guidanceTroubleshooting remote filtering softwareConfiguring hybrid filtering of off-site usersConfiguring client browsers to use a PAC fileIdentification methods for off-site usersTips for applying hybrid filtering to off-site users2
Webinar PresenterTitle: Technical Support SpecialistAccomplishments:– Over 3 years supportingWebsense productsEducation / Certifications:– B.Eng (Hons) Computer Systemsand Networks– CCNA– WCWSA – Websense CertifiedWeb Security AssociateRavi Desai3
Filtering options for off-site usersWebsense Remote Filtering- Requires Remote Filtering Server that resides insideyour firewall, and acts as a proxy to Websense FilteringService- Also requires Remote Filtering Client that is installedon each machine that will be filtered when usedoutside the network.- Client communicates with Remote Filtering Server- Communication between RF client and RF server isencrypted.4
Filtering options for off-site usersWebsense Hybrid Filtering5
Remote Filtering RequirementsRemote Filtering Server 7.5 RequirementsSupported operating systemsRed Hat Enterprise Linux 5, update 3 (32-bit)Red Hat Enterprise Linux 4, update 7 (32-bit)Windows Server 2008 SP2 (32-bit x86 only)Windows Server 2003 SP2 or R2 SP2Remote Filtering Client 7.5 is supported only on MicrosoftWindows operating systems:Windows 7 (32-bit only)Windows XP SP3Windows Vista SP26
Remote Filtering Server DeploymentInstall the RFS serverInside your organization’s outermost network firewallIn the DMZ outside the firewall that protects the rest of thenetworkOn its own, dedicated machineDo not install Remote Filtering Server on the same machineas Filtering Service or Network Agent.Install only one primary Remote Filtering Server for eachFiltering Service in your network.Secondary and Tertiary RF Servers can be installed to providefailover.Remote Filtering clients should be configured to connect tobackup servers in case of server failure.7
Remote Filtering Server Deployment8
How Remote Filtering worksRemote Filtering clientdetermines whether client isinside or outside the networkIf client is outside the network,request is sent to RemoteFiltering ServerExternal Clients attempt toconnect to the Remote FilteringServer on the heartbeat portThis port should be blocked onthe external firewallClient will then connect usingthe proxy port to the RF Serverin the DMZ.RF Server then forwards therequest to Filtering service9
How Remote Filtering worksFiltering Service evaluates therequest and sends response toRF server.If site is blocked, RF clientrequests and receives theappropriate block page.When client is inside thenetwork, the Remote filteringclient attempts to connect onheartbeat port.This is successful hence clientbecomes passive and does notquery Remote Filtering server.These requests are served bythe integration partner asnormal.10
Remote Filtering User IdentificationIf a user logs on using cached domain credentials,Filtering service is able to resolve the user nameIf users log on with a local user account then Filteringservice cannot resolve the username and Default Policywill be appliedManual Authentication can be enabled to prompt usersfor entering user information. In this situation correctuser based policy will be appliedIf user logs on using local account and manualauthentication is not enabled Default Policy applies.Remote filtering cannot filter based on IP or networks.11
Remote Filtering Server InstallationRun the installer, select Custom install and selectRemote Filtering Server.Enter Policy Server IP and port numberEnter External IP of Remote Filtering Server and portnumber.Enter Internal Communication port (HeartBeat)Enter and confirm passphraseEnter the Filtering service IP. If there is a firewall inbetween the RF server and Filtering service then enterthe translated IP or clear the check box.Enter installation path and finish install12
Remote Filtering Client InstallationRun the CPMclient.msifile to begin installationEnter the External IP andport number for PrimaryRF ServerEnter the Internal IP andport numberIf any Secondary orTertiary servers areinstalled enter thedetails.Enter the passphrase.13
Remote Filtering Client InstallationClient can also be deployed using third party tools. Referto installation document for more informationBefore installing the client on Windows Vista machines,User Account Control (UAC) must be disabled.14
Firewall ConfigurationOn the External firewall, Remote Filtering proxy portmust be opened for clients to communicate fromoutside with the Remote filtering serverHeartbeat port should be blockedOn the Internal Firewall, ports allowing communicationbetween Remote Filtering server and Filtering serverand Policy Server must be opened15868, 15871 for filtering and block page55806, 55880 for Policy Server and Broker. Also port40000 for secure communication.15
Upgrade and Compatibility GuidanceBefore upgrading the Remote Filtering Server to 7.5ensure that the Websense Filtering Service has beenupgradedRemote Filtering Server is backwards compatible withthe previous 2 versions of Remote Filtering ClientSo v7.5 Remote Filtering Server is compatible withRemote Filtering Client versions v7.1 and 7.0.xWe recommend that clients should also be upgraded tothe same version to ensure clients can use filteringenhancements available in the latest version16
Upgrade and Compatibility GuidanceTo upgrade Remote Filtering Server, run the installer and select optionto upgrade. Follow on screen instructionsTo upgrade Remote Filtering Client, the following methods can be usedManual upgrade: Use the v7.5 Remote Filtering Client Pack installer oneach client machine to upgrade the Remote Filtering Client. Thisupgrade method preserves existing Remote Filtering Clientconfiguration settings.Automatic upgrade with third-party tool: Use the v7.5 RemoteFiltering Client Pack and a third-party deployment tool to upgrade theRemote Filtering Client on client computers.For more information on the above methods please see RemoteFiltering document web/v75/remotefiltering/remote filtering.pdfFor Manual procedure, see page 32.For Automatic upgrade using Third-party deployment tool, see page 33.17
Troubleshooting Remote Filtering--No Remote Filtering clients are being filteredVerify that the correct Passphrase is being used whileinstalling the clientsVerify the parameters on Securewispproxy.ini file, thiscan be located in C:\Program Files\Bin directory on theRF ServerParameters entered on the RF client should match withwhat is entered in this file.The client parameters can be verified from registry bychecking the following registry keyHKLM\Software\Websense\Desktop Client\DesktopFiltering18
Troubleshooting Remote Filtering19
Troubleshooting Remote FilteringRemote Filtering Server logs errors in the RFSErrors.logfile in the Websense installation directory (C:\ProgramFiles\Websense or /opt/Websense, by default).To enable more detailed tracing:1.Open the Remote Filtering ServerSecureWispProxy.ini file2.Set TraceType All.3.Restart the Remote Filtering Server service ordaemon.4.A trace file called traceFile.log is created in theWebsense installation directory20
Troubleshooting Remote FilteringRemote Filtering client trace can also be useful introubleshooting problems1.Open the Windows Registry and navigate to:HKLM\Software\Websense\Desktop Client\2.Add a new string variable and called Trace Target witha value of 2.3.Restart the machine.4.A trace file called trace.log is created in C:\ProgramFiles\Websense\WDC\Debug, by default.21
Troubleshooting Remote FilteringRemote Clients do not receive Block page- Ensure that the firewall between Remote Filtering Server and theFiltering Service machine is correctly configured. Port 15871 must beallowed on the internal firewall.- Make sure Remote Filtering Client is not installed on the RemoteFiltering Server machine. This can use up all available connectionsmeaning remote clients cannot connect to RF Server.Clients with mobile data cards are not filtered on the default port (80)– Select another proxy port (such as 81 or 8082).– Modify the ProxyPort parameter in the Remote Filtering ServerSecureWispProxy.ini file to reflect the new port.– Install Remote Filtering Client using the new port or modify theregistry key related to Proxyport– Modify firewall rules to allow the port.22
Configuring Hybrid Filtering23
Hybrid Filtered Locations24
Hybrid Unfiltered Destinations25
Hybrid User Access Settings26
Hybrid User Access Settings27
Hybrid Shared User Data28
Hybrid Scheduling29
PAC file configurationClient browsers need tobe configured with thePAC file URL found on theHybrid Configurationoptions on the manager.Can be configuredmanually from InternetOptions- Connections LAN settingsConfiguration can also bedone via GPO30
Identification for Off site UsersIf users are coming from a filtered location they will beidentified via NTLM.If hybrid service receives an internet request from anunfiltered location users will be prompted for apassword.The password can be automatically generated ormanually created by the user by clicking on forgotpassword option.Authentication for roaming users supports basicauthentication method.31
Tips for applying Hybrid FilteringMake certain that the administrator email address foryour account is correct, and that messages sent to thataddress are read and acted on quickly.If you have multiple Directory Agent instances, makesure each is configured to use a unique, nonoverlapping directory context.Make sure that you have only one Sync Service instance,and that it is configured to send user information to thehybrid service at appropriate intervals.Add your organization’s webmail address as anunfiltered destination.32
Support Online ResourcesKnowledge Base– Search or browse the knowledge base for documentation, downloads, top knowledgebase articles, and solutions specific to your product.Support Forums– Share questions, offer solutions and suggestions with experienced WebsenseCustomers regarding product Best Practices, Deployment, Installation, Configuration,and other product topics.Tech Alerts– Subscribe to receive product specific alerts that automatically notify you anytimeWebsense issues new releases, critical hot-fixes, or other technical information. ask.websense.com– Create and manage support service requests using our online portal.
Webinar AnnouncementTitle: v7.5 Websense Web Security Jump Start:Configuration and SetupDate: September 15, 2010WebinarUpdateTime: 8:30 AM PDT (GMT -7)How to binars.aspx
Customer Training OptionsTo find Websense classesoffered by Authorized TrainingPartners in your area, visit:http://www.websense.com/findaclassWebsense Training Partnersalso offer classes online andonsite at your locationFor more information, pleasesend email to:readiness@websense.com
Questions?36
Understanding Websense filtering options for off-site users Remote Filtering Server and Client Deployment considerations . Title: v7.5 Websense Web Security Jump Start: Configuration and Setup Date: September 15, 2010 Time: 8:30 AM PDT (GMT -7) How to register:
This guide applies to Websense Web Security and Websense Web Filter, Version 7.1. References to Websense software or Websense Web Security include both products, unless otherwise indicated. Websense software consists of components that work together to monitor Internet requests, log activity, apply Internet usage filters, and report on activity.
Websense, Inc. Websense Crypto Module Java Software Version: 1.0 FIPS 140-2 Non-Proprietary Security Policy FIPS Security Level: 1 Document Version: 0.9 Prepared for: Prepared by: Websense, Inc. Corsec Security, Inc. 10240 Sorrento Valley Road San Diego, California 92121 United States
Unable to connect to the Log Database -Verify that the Websense Log Server service is running. -Check the account permissions for the SQL account. -If Websense Manager and Log Server service are installed on separate machines, run the Apache2Websense, ApacheTomcatWebsense, and Websense Log Server services with an Admin account.
today’s social, interactive Web while lowering costs across the enterprise. Based on the Websense TRITON architecture, Web Security Gateway consolidates real-time Web 2.0 security, enterprise-class DLP, and email security, both in the cloud and on-premises. Websense Web Security Gateway s
Introduction 6 W Websense Web Security and Websense Web Filter Other related documentation See the Deployment Guide before installing the Web filtering components for network layout. Use the Installation Organizer to record IP addresses, port numbers, keys, passwords, and other information needed during installation. If you have integrated Websense software with a firewall, proxy server, or .
EventTracker: Integrating Websense Web Security Gateway 15 The imported Websense WSG tokens are added in Token -Value Gr oups list. Please refer Figure 12 . Figure 14. Verify Websense WSG Flex Reports 1. Logon to EventTracker Enterprise. 2. Select the Reports menu, and then select Configura
Websense Content Gateway services may not start if port conflict exists Websense Content Gateway services (including Websen se Content Manager) do not start if there is a port conflict between Websense Content Gateway process
ASTM INTERNATIONAL Helping our world work better Standards Catalog 2016 www.astm.org Highlights in this issue: 24 ook of B Standards 2 uilding Codes B 9 nline TrainingO 6 MNL 43 - 3rd 13 Proficiency Testing Standards Books Journals and Software Training Laboratory QA Programs. What’s New from ASTM International ASTM Compass Your Portal for Standards, Testing, Learning & More Give your .
