Afternoon, We are currently deploying Websense Endpoint to every device within our business as our new internet monitoring / restricting software. Prior to Websense we were using Webroot as our internet security software.
I am deploying Websense via Landesk and we have nearly 2000 machines to push to. Initially I installed Websense on our 400 or so office PCs and the installs went without issue. The problems arose when installing to our remote PCs. The installations run fine, but internet access is unavailable after Websense has been installed.
The only way to regain internet access is to create a new profile for the user. As soon as you create a new profile, internet browsing is available again, i.e. internet browsing requests are successfully proxying through Websense. The differences between the office PCs and the remote PCs are that they are on a different domain, and the office PCs are running Windows 7, whereas the remote machines are on XP. Creating a new profile for each of the 800 remote PCs in order to get Websense working and restore internet access to each machine will take weeks. Looking at the FAQ, I was thinking we target the Websense default policy instead. Please see 'How do I create Web Security policies?'
Each new Websense software installation includes a Default policy that controls Internet access for all clients not governed by another policy. It begins monitoring Internet usage as soon as you enter your subscription key. As a best practice, edit the Default policy first, to set the baseline for Internet access at your organization. Next, create custom policies as needed to provide the levels of access needed for different groups in your organization. The overall PDF below even drills deeper into firewall configuration, in 'Configuring security software for Data Security' and 'Choosing and Deploying Agents', which include deployment via SMS (and SCCM) or at GPO level. I did not drill deeper, but it may be a good start as it also shares some potential firewall conflicts on page 91. Here's an interesting update to the situation: at the same time that we've pushed Websense via Landesk, we have updated the same machines from IE7 to IE8 using WSUS.
IE updates to v8 without issue, but we still can't reach the internet through the browser. However, we have found a temporary fix: having deployed IE8 via WSUS, when you open the browser for the first time you receive the IE8 run-once installation wizard. Complete the wizard, selecting the defaults. Then from a browser window select Tools > Internet Options > Connections > LAN Settings and copy to the clipboard the Websense automatic configuration script entry.
Websense.com The use of a PAC file is highly recommended with explicit proxy deployments of Websense Web Security Gateway (for the Content Gateway -- web proxy -- component) and is required to support the hybrid web filtering feature of Web Security Gateway Anywhere.
Paste the above address into a new browser window, as if you were trying to browse to it like any other page (google etc). Close the browser window, open a new one and you have internet access restored!!!!! That is until you log off the machine, then log back in, and internet access fails once again. So, assuming the policy is OK, with this situation shared, I was thinking the GPO could also include the PAC or WPAD. But note: web clients using Internet Explorer pick up the settings in this GPO the next time that group policy refreshes, which by default is every 90 minutes for clients, and every 5 minutes for Domain Controllers (or the next time a user logs off and on again). You can change the refresh interval in the default domain policy, or by going to a particular client and entering the following at the command prompt: gpupdate /force. If the GPO is not applying the settings to the browser, then it is possible that another GPO is being applied that contains different settings; raising the link order for the new GPO should resolve the problem.
Typically, for proxying all the browser traffic, you can store a PAC file on the proxy and provide the URL for this file to your client browser config. If you have a proxy.pac file, copy it into the Content Gateway config directory. More info on using a PAC (best practice, and the potential hiccups): see 'How to disable automatic proxy caching in Internet Explorer'. When Internet Explorer uses an automatic proxy configuration script, a connection is opened with the proxy server if the processing of the script indicates that a proxy is to be used.
If the proxy server cannot establish a connection, the proxy server name is added to a linked list of bad proxy servers so that it is not used for 30 minutes. If the automatic proxy configuration script contains a PROXY return that lists multiple proxy servers, the next proxy in the list is attempted until the list is traversed or a connection is established. If the list is traversed and no connection has been established, you receive a 'Page Cannot Be Displayed' error message in Internet Explorer. When a connection is established through a proxy server, the host name of the site and the proxy server name are cached. On future attempts to access the host name in the same session, Internet Explorer has cached information about which proxy to use. Therefore, all subsequent connections to the host are tried through the proxy that was used previously.
This means that if the proxy server name that is cached is unavailable during the same session, the automatic proxy configuration script is not re-processed, and you receive a 'Page Cannot Be Displayed' error message in Internet Explorer. You may want to disable the Automatic Proxy Result Cache to provide the proxy redundancy that you require. This will result in client-side processing of every GET request that is issued by Internet Explorer. As a result, Internet Explorer performance may be impacted depending on the logic of the Automatic Proxy Configuration Script and its size.
Thanks for your suggestions, they've been very helpful. We've made some progress! What we've found is that, having installed Websense and therefore lost the ability to browse the internet, if from a browser window you go to Tools > Internet Options > Connections > LAN Settings and deselect 'Use Automatic Configuration Script', then click OK and close the window, internet access is restored. If you go straight back into the LAN Settings window, the 'Use Automatic Configuration Script' option is selected again, but the problem is still fixed: you still have internet access. So it seems that having installed Websense, 'Use Automatic Configuration Script' is selected, with the, but it is unable to initiate the entry. Deselect the option, select OK, it automatically reapplies the selection and entry, and everything works OK.
Question is, how can we automate this fix? Logging onto every machine to deselect 'Use Automatic Configuration Script' having installed Websense will be very time consuming.
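A PAC file along the lines discussed above (a PROXY return that lists more than one proxy server, DIRECT as the last resort so clients can fail past the filter, and internal hosts bypassed) is shown here as an added illustration; it is not taken from the thread or from Websense's own proxy.pac. The proxy host names, ports and the internal domain are made-up placeholders, and the three helper functions at the top are stand-ins for the ones a browser normally supplies to PAC scripts, included only so the file can be exercised outside a browser.

```javascript
// Added example: a PAC (proxy auto-config) file. PAC files are plain
// JavaScript; the browser calls FindProxyForURL(url, host) for each request
// and acts on the returned string.
//
// The browser normally provides isPlainHostName, shExpMatch and dnsDomainIs.
// Minimal stand-ins are defined here so the script runs under Node for
// testing; a real PAC file deployed to clients would omit them.

function isPlainHostName(host) {
  // A short intranet name such as "intranet" has no dots at all.
  return host.indexOf(".") === -1;
}

function shExpMatch(str, pattern) {
  // Shell-style glob: '*' matches any run, '?' a single character.
  var re = "^" + pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

function dnsDomainIs(host, domain) {
  // True when host ends with the given domain suffix (e.g. ".example.local").
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

// Assumed placeholder proxies. IE tries each PROXY entry in order and, as the
// KB text above describes, marks an unreachable one bad for 30 minutes and
// moves on; DIRECT at the end lets clients keep working if every filter is down.
var FILTER_PROXIES = "PROXY websense-primary.example.local:8080; " +
                     "PROXY websense-secondary.example.local:8080; " +
                     "DIRECT";

function FindProxyForURL(url, host) {
  // Intranet short names never leave the LAN, so no proxy.
  if (isPlainHostName(host)) {
    return "DIRECT";
  }
  // Hosts in the assumed internal domain go direct as well.
  if (dnsDomainIs(host, ".example.local")) {
    return "DIRECT";
  }
  // Literal private (RFC 1918) addresses typed into the browser stay internal.
  if (shExpMatch(host, "10.*") ||
      shExpMatch(host, "192.168.*") ||
      shExpMatch(host, "172.16.*")) {
    return "DIRECT";
  }
  // Everything else is sent through the filtering proxies, with failover.
  return FILTER_PROXIES;
}
```

Two things follow from the IE behaviour quoted above. First, once a request to a given host has gone through one proxy, IE keeps using that proxy for the host for the rest of the session, so the second PROXY entry and the DIRECT fallback only help for hosts not yet in the result cache unless the Automatic Proxy Result Cache is disabled. Second, ending the list with DIRECT trades filtering enforcement for availability: while every listed proxy is unreachable, traffic leaves the network unfiltered, which is exactly the choice the later reply describes when it talks about letting clients fail past the filter.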
Hello, we are in the process of deploying the Websense V5000 G2 Appliance & Websense Web Security Gateway. I'm new to this product and I would like your opinion about the following questions I have in mind; I'm open to any suggestion.
Current Network Setup: Two Clustered Routers. Two Clustered NFS 'Nortel Application Switches' (Switched Firewalls). Two CheckPoint Firewalls. Behind the CheckPoint Firewalls we have an ISA Server with two interfaces, External 'DMZ' and Internal. The Internal Network has all the networks defined, and a Static Route Entry for each vLAN is defined in the ISA Server. Clients have the proxy configured in their web browsers. WebSense is intended to replace the Nortel Application Switches and ISA Server; the CheckPoint will be replaced with the Cisco ASA 5000 series.
Requirements: Where to place the WebSense? Is it possible to deploy it with External and Internal Interfaces? Will it be worth doing the WCCP integration between WebSense and the Nortel Passport 8600? Or with the Cisco ASA Firewalls? Currently we use Trend Micro IMSS; if it is supported, will it be worth shifting the email filtering to the WebSense?
Will it be possible to route certain internal network traffic to a specific WAN Connection in the Websense?
Both actually.
Mutually exclusive: if you want optimal availability for your clients to work you wouldn't use Websense at all, but even if you want to use Websense you'll get better availability if you set up the clients in a manner where they can fail past the filter if it's not available for some reason, either by using a PAC file that says to bypass the proxy if it's not available, or by setting WCCP to permissive mode, where it will assume a resource is allowed if it doesn't receive a timely response from the Websense box.
LOL, my first reaction was also 'Best Practice for WebSense: Throw it out and get Fortigate.' Since that is off the table, the ASA firewalls will integrate well with WebSense for basic web content filtering, in my experience. The main things I didn't like about it were:
1. Licensing costs
2. Server software reliability issues
3. Licensing costs
4. Difficulty in managing the software for complex designs and user setups
5. Licensing costs
I'm not familiar with using WebSense for anything beyond basic web content filtering (blocking porn websites etc.), so they may be more usable if you put them in some kind of proxy/gateway design. The way they usually bolt on to the ASA is as a sort of lookup database where the ASA inspects port 80 traffic and checks URLs against the Websense server. If they are blocked, the ASA sends you to a block page.
If not, it is allowed through the firewall without fiddling. The fact that the firewall doesn't proxy the traffic out to anything is nice, weird websites that are not blocked don't have problems like I have seen happen with some proxy based designs. Other than that, good luck!
WebSense should be able to offer you some good implementation guides for whatever features you are purchasing. Oh, and if you are getting new ASAs, be sure to check the new ASA-X line. Much better performance for about the same price as similar older models (that are still selling).
Why not simply integrate it into the Checkpoint cluster and have them use Websense for content filtering? It's incredibly easy to set up. Alternatively, if you can get rid of Websense and get a refund, and your CPs are relatively up to date (R75.40+), the web filtering/content filtering blade is fantastic, and significantly cheaper than the Websense boxes will be.
If they aren't up to date though, I wouldn't bother. The new caching mechanisms/UI for the blade make or break that solution pretty easily.
Thinking about your requirements: the appliances don't do everything. You still need, at minimum, a SQL Server for the actual logging that takes place (aka who went to what), so I recommend placing it somewhere on the internal side of the network. I recommend you offload all the management stuff (aka the Policy Broker, Policy Server, Triton Manager, RTM pieces, and log server) to their own boxes; best idea.
You can make them VMs. The appliance is not a firewall or router so the idea of inside/outside or internal/external interfaces doesn't work. Yes, use WCCP and IWA with the ASA.
Never used Nortel and I don't think it would support WCCP since in the back of my mind, I'm thinking WCCP is Cisco proprietary. No idea on the email side of the house. Since Websense isn't a router, you can't have it decide which way traffic goes. That is the job of your firewall or internal network gear.
Looks like you have lots of gear that do the same things; any reason for that? It is hard to go wrong by simplifying when it comes to this stuff, I've found. As much as I hate Websense (and I do), all content filtering stuff sucks in its own way.
The Version 7.6 and higher stuff actually works fairly well. The old 5.5 and 6.x releases had drama aplenty.
The main things I didn't like about it were:
1. Licensing costs
2. Server software reliability issues
3. Licensing costs
4. Difficulty in managing the software for complex designs and user setups
5. Licensing costs
I fully agree with the licensing cost complaint. It isn't cheap by any stretch, but like lots of other vendors, you can get them to make you deals. IOW, don't buy it from CDW. Not sure about 2; I've been using it since version 5.5 and haven't had any real problems with it going TU on me by itself.
As for 4 - management. They have gotten much better, especially since the move to the proxy based solution, when it comes to identifying and managing users/policies/etc. The addition of the policy broker (which happened at version 7, IIRC) made this so so so much better than in the past. I'm actually fairly excited to see where this new director of engineering takes them; never thought I would say this after the last 8 years of using this thing. It sounds like the guy really knows his shit AND is committed to bringing them to where they should be when it comes to HA and the admin/management of the product.