Webinar Information - Forcepointkb.websense.com/.../October2009_WebinarSlides.pdf · Webinar...


Webinar Information

Title: Common Configuration Methods for the Websense Content Gateway

Audio information:
– This presentation incorporates STREAMING AUDIO.
– Use of speakers or headsets is required. If unable to hear streaming audio or it is choppy, a limited number of dial-in numbers are available.

Dial-in numbers:
– U.S. dial-in numbers:
• Toll free: 1-888-732-6202, pass-code: 321796
• Toll: 1-719-457-1017, pass-code: 321796
– Find international dial-in numbers at:
• http://www.websense.com/October09_international
• Pass-code: 321796

web security | data security | email security © 2009 Websense, Inc. All rights reserved.

Support Webinars

Common Configuration Methods for the Websense Content Gateway

Websense Support Webinar - October 2009

Webinar Presenter

Rick Conero
Title: Technical Support Lead

Accomplishments:
– 5 years supporting Websense products
– Dept Trainer for Cisco integrations

For additional information: www.websense.com/support

Goals and Objectives

Explicit proxy overview
Explicit proxy deployment methodologies:
– Manual
– Group policy
– PAC file
– WPAD

Transparent proxy overview
Transparent proxy deployment methodologies:
– Layer 4 Switch
– Policy-based routing
– Cisco WCCP (Web Cache Communication Protocol)

Demonstrations: GPO & WCCP

Explicit proxy

– Simplest way to get requests to the Websense proxy
– Explicit means nothing is hidden
– Modifies the HTTP traffic (request / response), adding HTTP header data

Why or why not choose explicit?

Pro
– Various methods to implement:
• Via browser
• Proxy Auto-Configuration (PAC) files
• Web Proxy Auto-Discovery (WPAD) – IE 7+
– Requires no other network configuration
– Easy for a small network to implement/troubleshoot

Con
– Can be circumvented by users (especially if browser defined)
– Hard to manage for anything other than a small user base
– Not all browsers support all implementation methods

Explicit proxy exceptions

Bypass the proxy

Manual
– Entire workstation
• Do not check Proxy Server in LAN Settings.
– On a per-protocol basis
• Omit the proxy address for the associated protocol.

Automatic (PAC or WPAD)
– Exception rules in the downloaded scripts
• See the PAC file example slide.

Manually configure explicit proxy

Internet Explorer:
Tools -> Internet Options -> Connections (tab) -> LAN settings
– Clicking “Advanced” allows you to specify more proxy options
– No proxy – direct connection, default setting
– Auto-detect – the browser automatically detects the proxy settings for the network.
– Manual proxy configuration – allows specification for HTTP, HTTPS, FTP, Socks, Gopher
– Automatic proxy configuration URL – address of the PAC file.

Firefox:
Tools -> Options -> Advanced -> Network
– Connections – select Settings…
– No proxy – direct connection, default setting
– Auto-detect – the browser automatically detects the proxy settings for the network.
– Manual proxy configuration – allows specification for HTTP, HTTPS, FTP, Socks, Gopher
– Automatic proxy configuration URL – address of the PAC file.

Enforce Proxy Settings through Group Policy

– Access Active Directory Users and Computers.
– Right-click the desired OU and select Properties.
– Select the Group Policy tab.
– Click the Edit button.
– Click New and type a desired name for the Group Policy.
– Navigate to User Configuration > Windows Settings > Internet Explorer Maintenance > Connection.
– Double-click Proxy Settings.
– Check Enable proxy settings.
– Clear the Use the same proxy server for all addresses check box.
– Configure as follows:
• Use port 8080 for HTTP.
• Use port 8070 for Secure.

You can prevent users from modifying their proxy settings in your Group Policy.
– Navigate to User Configuration > Administrative Templates > Windows Components > Internet Explorer.
– Double-click Disable changing proxy settings.
– Select Enabled.
– Click OK.

Explicit proxy auto configuration

PAC (proxy auto-configuration)
– Allows you to script / program how the browser uses the proxy
– Can be used to make source / destination decisions
• Deploy to specific client subnets.
• Bypass the proxy for trusted sites (internal subnets, specific servers, etc.).
– Can be useful for redundancy (e.g., bypass a proxy that is down)
– Internet Explorer by default will cache some PAC data. This feature can be disabled per Microsoft KB 271361.

Explicit proxy auto configuration

PAC file example:

    function FindProxyForURL(url, host)
    {
        // Exclude specific hosts or domains
        if ((host == "download.microsoft.com") ||
            (dnsDomainIs(host, ".windowsupdate.com")))
        {
            return "DIRECT";
        }

        // Only deploy to specific user subnets
        if (isInNet(myIpAddress(), "10.201.0.0", "255.255.0.0") ||
            isInNet(myIpAddress(), "10.202.0.0", "255.255.0.0") ||
            isInNet(myIpAddress(), "10.203.0.0", "255.255.0.0"))
        {
            if (url.substring(0, 5) == "http:") { return "PROXY 10.203.152.3:8080"; }
            else if (url.substring(0, 6) == "https:") { return "PROXY 10.203.152.3:8070"; }
        }

        // Clients outside the listed subnets, and any other scheme (e.g. ftp:),
        // connect directly. Every code path must return a string, otherwise
        // the browser treats the result as an error.
        return "DIRECT";
    }
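To check the slide's PAC logic before it is published through the Content Gateway Manager or WPAD, here is an added example (not code from the webinar or from Websense) of a small offline harness in JavaScript. It supplies stand-ins for the browser's dnsDomainIs, isInNet and myIpAddress helpers (the client address is simulated through a setClientIp function, an assumption of this example), then evaluates the slide's FindProxyForURL for a client inside and outside the listed subnets and for a non-HTTP scheme such as ftp:. The proxy address and ports are the deck's own values.

```javascript
// Added example, not code from the webinar: an offline harness for PAC logic.
// The browser normally supplies dnsDomainIs, isInNet and myIpAddress; the
// stand-ins below let the slide's FindProxyForURL run under Node for testing.

let clientIp = "10.203.10.5";            // constructed sample client address
function setClientIp(ip) { clientIp = ip; }
function myIpAddress() { return clientIp; }

// True when host ends with the given domain suffix (e.g. ".windowsupdate.com").
function dnsDomainIs(host, domain) {
  return host.endsWith(domain);
}

// Dotted-quad to integer (0 .. 2^32-1).
function ipToInt(ip) {
  return ip.split(".").reduce((acc, oct) => acc * 256 + Number(oct), 0);
}

// True when ip falls inside net/mask; both sides are masked and forced unsigned.
function isInNet(ip, net, mask) {
  const m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}

// The slide's PAC logic (proxy address and ports are the deck's own values),
// with an explicit final DIRECT so every path returns a string.
function FindProxyForURL(url, host) {
  if (host == "download.microsoft.com" || dnsDomainIs(host, ".windowsupdate.com")) {
    return "DIRECT";
  }
  if (isInNet(myIpAddress(), "10.201.0.0", "255.255.0.0") ||
      isInNet(myIpAddress(), "10.202.0.0", "255.255.0.0") ||
      isInNet(myIpAddress(), "10.203.0.0", "255.255.0.0")) {
    if (url.substring(0, 5) == "http:") { return "PROXY 10.203.152.3:8080"; }
    else if (url.substring(0, 6) == "https:") { return "PROXY 10.203.152.3:8070"; }
  }
  return "DIRECT";
}

// Evaluate a set of constructed URLs for one client address; returns url -> decision.
function evaluatePac(ip, urls) {
  setClientIp(ip);
  const result = {};
  for (const u of urls) { result[u] = FindProxyForURL(u, new URL(u).hostname); }
  return result;
}

console.log(evaluatePac("10.203.10.5", ["http://example.com/", "https://example.com/",
  "http://www.windowsupdate.com/", "ftp://ftp.example.com/"]));
```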

Explicit proxy auto configuration

Enter the PAC script into the Websense Content Gateway Manager.
– Navigate to the Configure > Content Routing > Browser Auto-Config > PAC tab.

Explicit proxy auto configuration

WPAD (Web Proxy Auto-Discovery)
– WPAD is a method for Web browsers to locate a PAC file automatically and use this to configure the browser's Web proxy settings.
– Automatic discovery is configured by means of a WPAD entry in DHCP or DNS.
– To use DHCP, the server must be configured to serve up the "site-local" option 252 with a string value of http://wpad.mydomain.com.
– Browsers look for http://wpad.mydomain.com/wpad.dat and attempt to download instructions from that host.
– You can configure your own Web server to host this file (and have DNS point to that server), or you can have the proxy itself serve the file.

Explicit proxy auto configuration

WPAD DHCP Notes:
– The host for wpad.dat must be able to serve up a page.
– The wpad.dat must be located in the website's root directory.
– The host must be configured to serve .dat files with a MIME type of "application/x-ns-proxy-autoconfig".
– Only IE supports the use of DHCP for WPAD; all other major browsers support DNS.
– Any URL is acceptable provided no more than 24 characters are used after the domain name.
– Must monitor the network for rogue DHCP servers, as they may be hosting a malicious PAC script.

Explicit proxy auto configuration

WPAD DNS Notes:
– Ensure DNS is always successful at the intended domain level, as the browser will continue searching for wpad at each higher domain if the previous request doesn't resolve. This security flaw can redirect a browser to any site, malicious or otherwise.
– For DNS lookups, the path of the configuration file is always wpad.dat.
– When hosting the wpad.dat on a virtual server, the headers are different depending on which browser is used. It is recommended that the wpad.dat file be hosted under the default Virtual Host rather than its own.
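The DNS walk-up described in the first note above, as an added example (not from the webinar) written from the administrator's side in JavaScript: given a client's fully qualified hostname it lists the wpad names a browser may try, in order, and compares them with the DNS zones the organisation controls, so the names that must be registered and the levels where a lookup could escape into a domain you do not own are both reported. The stopping point (the walk ends when minLabels labels remain, default 2) and the sample hostname and zone list are assumptions of the example, not facts the deck states.

```javascript
// Added example, not from the webinar: model the WPAD DNS walk-up the slide
// warns about and report which candidate names fall outside zones you control.
// Assumption: the browser keeps climbing until minLabels labels remain
// (default 2); real browsers differ, so treat the list as an upper bound.

function wpadCandidates(clientFqdn, minLabels = 2) {
  const labels = clientFqdn.toLowerCase().split(".").filter(Boolean);
  const names = [];
  // Start at the client's parent domain and climb one label at a time.
  for (let i = 1; i <= labels.length - minLabels; i++) {
    names.push("wpad." + labels.slice(i).join("."));
  }
  return names;
}

// True when name equals a controlled zone or is a subdomain of one.
function isControlled(name, zones) {
  return zones.some(z => name === z || name.endsWith("." + z));
}

// Split candidates into names you must register yourself (inside your zones)
// and names that would resolve outside your control if a lower level fails.
function auditWpad(clientFqdn, controlledZones, minLabels = 2) {
  const report = { mustRegister: [], outsideControl: [] };
  for (const name of wpadCandidates(clientFqdn, minLabels)) {
    (isControlled(name, controlledZones) ? report.mustRegister
                                          : report.outsideControl).push(name);
  }
  return report;
}

// Constructed sample: a workstation in a departmental subdomain; only
// corp.example.co.uk is a zone the organisation runs.
console.log(auditWpad("pc42.sales.corp.example.co.uk", ["corp.example.co.uk"]));
```

Every name in mustRegister should resolve to the intended wpad host (or the proxy serving wpad.dat); anything in outsideControl marks a level where a failed lookup hands the search to a zone you do not administer.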

Explicit proxy auto configuration

Configure WPAD in the Websense Content Gateway Manager.
– Navigate to Configure > Content Routing > Browser Auto-Config > WPAD.
– Enter the PAC script.

Navigate to the Configure > Networking > ARM > General tab.
– In the Network Address Translation (NAT) section, click Edit File to add a special remap rule to the ipnat.conf file.

Transparent proxy

– Norm for medium to large enterprises
– Completely transparent to the workstation – nothing at the browser
– Much more secure – the user cannot circumvent it.
– Allows load balancing / redundancy via network devices (e.g., router protocols)
– Requires ARM

Why or why not choose transparent?

Pro
– Various ways to implement:
• Layer 4 switch
• Router running WCCP (2.0)
• Content-based routing (includes both policy and software based)
– Requires no workstation (browser) configuration
– Centralized management and control
– Better support for load balancing, redundancy, and high availability

Con
– Requires more network devices
– Potential increase in deployment cost
– Might be more difficult to troubleshoot
• More complexity
• Specialized knowledge

Transparent proxy exceptions

WCG Interception Bypass – allows defined traffic to bypass the proxy
– Dynamic (adaptive)
• When configured, clients/servers bypass on selected HTTP errors (i.e. 400, 401, 403, 405, 406, 408, 500).
• When configured, clients bypass if non-HTTP traffic is detected on port 80.
• Purged on restart.
– Static
• Rules configurable by source address, destination address, or source/destination pairs.
• Unlike dynamic, static rules are saved in a file and available on restart.

Network Devices – Switch / Router / Firewall
– Create an access list defining the traffic to be redirected.

Layer 4 Switch

– L4 switch – not really a switch (an L2-type bridge); it makes the decisions used to direct traffic based on content, not on IP/TCP headers alone.
– Allows load-balancing, high availability.
– Requires ARM

Policy Based Routing

– Software-based deployment
– Requests forwarded to the proxy by IP or port.
– Impacts performance on the router.
– Natively lacks load-balance and HA capabilities, but reliability can be added with a virtual IP.

PBR example configuration

    ip access-list extended PROXY_TRAFFIC
     deny ip host 10.0.0.2 any
     deny ip host 10.0.0.3 any
     permit tcp any any eq www
     permit tcp any any eq 443
     permit tcp any any eq ftp
     remark Implicit deny-all
    route-map REDIRECT_TO_PROXY permit 10
     description Policy to Send Traffic to Virtual IP
     match ip address PROXY_TRAFFIC
     set ip next-hop 10.0.0.1
    interface GigabitEthernet0/1
     ip policy route-map REDIRECT_TO_PROXY

WCCP

– Provides load-balancing, scaling, fault tolerance and failsafe mechanisms.
– Must use specific service IDs instead of “web-cache”
– Requires ARM and specific configurations in WCG.

WCCP: Enable in WCG

– Navigate to Configure > Basic > General tab
– Click “On” for the WCCP Feature, then Apply & Restart the proxy
– Navigate to Configure > Networking > General tab
– Click “WCCP v 2.0” then Apply & Restart the proxy

WCCP: Enable in Router

    router# configure terminal
    router(config)# ip wccp version 2
    router(config)# ip wccp 0
    router(config)# ip wccp 70
    router(config)# interface gig 1/2
    router(config-if)# ip wccp 0 redirect in
    router(config-if)# ip wccp 70 redirect in

Deploying certificates

After Websense Content Gateway and Websense Web Security are installed and configured, and the latest database files have been downloaded (this was covered in last month’s webinar)

Distributing the public Trusted Root CA certificate
– AD GPO method: http://www.unixwiz.net/techtips/deploy-webcert-gp.html
– Novell Registry method: http://www.novell.com/coolsolutions/feature/18875.html

Demonstration

Live Demonstrations
– Explicit mode via GPO
– Transparent mode via WCCP

Webinar Announcement

Title: Configuration and Best Practices for Websense V10000
Date & Time: Hosted from Sydney, Australia on November 24, 2009, 1:00 P.M. AUS (EDT +11)
How to register: http://www.websense.com/content/SupportWebinars.aspx

Webinar Update

Customer Training Options
– To find Websense classes offered by Authorized Training Partners in your area, visit: http://www.websense.com/findaclass
– Websense Training Partners also offer classes online and onsite at your location.
– For more information, please send email to: [email protected]

Questions?