Websense question

mike2323

I have a Websense server doing filtering sitting in our DMZ. I also have our Cisco ASA firewall set up to query the Websense server. All this does is filter traffic. It doesn't "monitor" the traffic, so I'm unable to tell what sites people are visiting. How would I get this working? I don't want to put the Websense server in-line with the firewall and the switch connected to it.
 
On your Websense box or an additional box, install the reporting components for Websense. Websense doesn't need to be in your DMZ. You can safely place it on the internal network, as all the ASA does is ask Websense whether or not to allow the traffic through. I have all the components for Websense Enterprise on a single virtual machine (VMware ESX) with a 30 GB HD and 2 GB RAM. About 300 users use the system and it runs great.
 
The websense system will be serving two sites. One of our other offices has a point-to-point T1 to our office and from there we serve internet for them. I put the server in the DMZ as I thought that would be a good neutral area. The server does have a 2nd gigabit ethernet port.
 
What have other people done in this situation? Where did you place your websense system or what kind of trickery did you do on your routers or firewalls to route traffic over to the websense system for it to get visibility of what sites people were visiting?
 
I always keep my Websense servers on the internal network with the rest of my servers. With PIX/ASA, you have to set up a filtering rule. I use AD and the various agents to authenticate the users. All of the policies are based off AD groups. If detailed reporting is needed, I'll install the reporting components. I've probably set up about 25 installs for various customers. This is the path I have always taken.
 
I've set up the filtering rule on the ASA/PIX and the Websense system does filter websites that I select out. The only thing that it isn't doing is listing any sites visited on the "monitoring" side. Placing the server in the internal network would be pointless, as traffic from our other site never goes to the internal network. It goes from the router serving the point-to-point T1, through the ASA, and then out another router serving internet.
 
The traffic doesn't have to go "through" your internal network. The ASA only sends the URL to the Websense server and waits for Websense to tell the ASA whether to deny the traffic or not. The actual web surfing traffic does not get sent to the Websense server.

If a site is blocked, the user is redirected to a block page, which is on the Websense server. So if you don't want the remote site to have access to that server on the internal network, it might make more sense to keep it on the DMZ - but it is not necessary.

Regarding the "monitored" sites not showing up: do you have the Websense logging server and reporting server set up? When set up properly, Websense logs everything... literally. If you have logging and reporting set up and you still aren't seeing anything, Websense support should be able to help you figure that out. They have a pretty good FAQ on their web site, IIRC.
 
Exactly. The way the setup works is this: the ASA gets a piece of traffic and asks Websense if it should allow that traffic through; if Websense says yes, the ASA lets it through. Placement of Websense does not matter in this respect, as it does not route the traffic.

As far as the block pages go, you have a couple of options with this. The manual has all the info you need on this.

If your deployment is less than 500 users and you have a decently powered machine, you can run the reporting components on the same machine as the filtering components. The reporting components are a separate install, so you will have to run the setup again.

Websense's documentation is really good. You can find 99% of the info you need. Their support is top notch too. If you have a current subscription (filtering wouldn't work if you didn't), give them a call or log onto their site to open a ticket.
 
I found a way to get this to work. The websense system has a second NIC. I can plug the second NIC into a switch where the router goes to the firewall. The internal router and second NIC will plug into the switch, then plug into the firewall. I'll have the switch SPAN the router port over to the second NIC port. That should give the websense server visibility to web traffic.
 
It sounds like you're trying to use the protocol analysis feature of Websense. Is that correct?
If so, the agent doesn't have to be on the same system as Websense. We had the agent running on a cheap laptop, reporting back through the firewall to the Websense server.
 
Yes. I'm trying to monitor all web traffic through the network agent. With the server in the DMZ I couldn't do that. All I could do is filter the traffic by integrating it with my ASA. I added in a switch and connected the second NIC on the websense system to monitor this. I had an extra 12 port 2950 for this.
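
The two pieces discussed in this thread, written out as configuration; this is an added example, not something posted by any participant. The interface names, switch port numbers and the 192.0.2.10 address are assumptions.

```cisco
! --- Cisco ASA: ask Websense for a verdict on each HTTP URL ---
! Assumed: Websense filtering service at 192.0.2.10, reachable on the
! ASA interface named "dmz". Only the URL lookup goes to this host;
! the web traffic itself is never routed through it.
url-server (dmz) vendor websense host 192.0.2.10 timeout 30 protocol TCP version 4

! Filter HTTP from any source to any destination.
! The trailing "allow" lets requests through when the Websense server
! does not answer (fail open); leave it off to fail closed.
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow

! --- Catalyst 2950: mirror the router-facing port to the second NIC ---
! Assumed cabling: Fa0/1 = internal router, Fa0/2 = ASA inside interface,
! Fa0/12 = second NIC of the Websense server (Network Agent listens here).
monitor session 1 source interface FastEthernet0/1 both
monitor session 1 destination interface FastEthernet0/12
```

`show url-server statistics` on the ASA and `show monitor session 1` on the switch confirm that lookups are being answered and that the mirror session is active.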
 