Webinar Information - Forcepointkb.websense.com/.../October2009_WebinarSlides.pdf · Webinar...
Webinar Information
Title: Common Configuration Methods for the Websense Content Gateway
Audio information:
– This presentation incorporates STREAMING AUDIO.
– Use of speakers or headsets is required. If unable to hear streaming audio or it is choppy, a limited number of dial-in numbers are available.
Dial-in numbers:
– U.S. dial-in numbers:
• Toll free: 1-888-732-6202, pass-code: 321796
• Toll: 1-719-457-1017, pass-code: 321796
– Find international dial-in numbers at:
• http://www.websense.com/October09_international
• Pass-code: 321796
web security | data security | email security © 2009 Websense, Inc. All rights reserved.
Support Webinars
Common Configuration Methods for the Websense Content Gateway
Websense Support Webinar - October 2009
Webinar Presenter
Rick Conero
Title: Technical Support Lead
Accomplishments:
– 5 years supporting Websense products
– Dept Trainer for Cisco integrations
For additional information: www.websense.com/support
Goals and Objectives
Explicit proxy overview
Explicit proxy deployment methodologies:
– Manual
– Group policy
– PAC file
– WPAD
Transparent proxy overview
Transparent proxy deployment methodologies:
– Layer 4 Switch
– Policy-based routing
– Cisco WCCP (Web Cache Communication Protocol)
Demonstrations: GPO & WCCP
Explicit proxy
Simplest way to get requests to the Websense proxy
Explicit means nothing is hidden
Modifies the HTTP traffic (request / response), adding HTTP header data
Why or why not choose explicit?
Pro
– Various methods to implement:
• Via browser
• Proxy Auto-Configuration (PAC) files
• Web Proxy Auto-Discovery (WPAD) – IE 7+
– Requires no other network configuration
– Easy for small network to implement/troubleshoot
Con
– Can be circumvented by users (especially if browser defined)
– Hard to manage for anything other than small user base
– Not all browsers support all implementation methods
Explicit proxy exceptions
Bypass the proxy
Manual
– Entire workstation
• Do not check Proxy Server in LAN Settings.
– On protocol basis
• Omit proxy address for associated protocol.
Automatic (PAC or WPAD)
– Exception rules in the downloaded scripts
• See the PAC file example slide.
Manually configure explicit proxy
Internet Explorer:
Tools -> Internet Options -> Connections (tab) -> LAN settings
– Clicking “Advanced” allows you to specify more proxy options
– No proxy – direct connection, default setting
– Auto-detect – the browser automatically detects the proxy settings.
– Manual proxy configuration – allows specification for HTTP, HTTPS, FTP, Socks, Gopher
– Automatic proxy configuration URL – address of PAC file.
Manually configure explicit proxy
Firefox:
Tools -> Options -> Advanced -> Network
– Connections – select Settings…
– No proxy – direct connection, default setting
– Auto-detect – the browser automatically detects the proxy settings.
– Manual proxy configuration – allows specification for HTTP, HTTPS, FTP, Socks, Gopher
– Automatic proxy configuration URL – address of PAC file.
Enforce Proxy Settings through Group Policy
Access Active Directory Users and Computers.
Right-click desired OU and select Properties.
Select the Group Policy tab.
Enforce Proxy Settings through Group Policy (cont.)
Click New and type a desired name for the Group Policy.
Click the Edit button.
Enforce Proxy Settings through Group Policy (cont.)
Navigate to User Configuration > Windows Settings > Internet Explorer Maintenance > Connection.
Enforce Proxy Settings through Group Policy (cont.)
Configure as follows:
– Check Enable proxy settings.
– Clear the Use the same proxy server for all addresses check box.
– Use port 8080 for HTTP.
– Use port 8070 for Secure.
Enforce Proxy Settings through Group Policy (cont.)
You can prevent users from modifying their proxy settings in your Group Policy.
– Navigate to User Configuration > Administrative Templates > Windows Components > Internet Explorer.
– Double-click Disable changing proxy settings.
Explicit proxy auto configuration
PAC (proxy auto-configuration)
Allows you to script / program how the browser uses the proxy
Can be used to make source / destination decisions
– Deploy to specific client subnets.
– Bypass proxy for trusted sites (internal subnets, specific servers, etc.).
Can be useful for redundancy (e.g., bypass a proxy that is down)
Internet Explorer by default will cache some PAC data. This feature can be disabled per Microsoft KB 271361.
Explicit proxy auto configuration
PAC file example:

    function FindProxyForURL(url, host)
    {
        // Exclude specific hosts or domains
        if ((host == "download.microsoft.com") ||
            (dnsDomainIs(host, ".windowsupdate.com")))
        {
            return "DIRECT";
        }
        // Only deploy to specific user subnets
        if (isInNet(myIpAddress(), "10.201.0.0", "255.255.0.0") ||
            isInNet(myIpAddress(), "10.202.0.0", "255.255.0.0") ||
            isInNet(myIpAddress(), "10.203.0.0", "255.255.0.0"))
        {
            if (url.substring(0, 5) == "http:") { return "PROXY 10.203.152.3:8080"; }
            else if (url.substring(0, 6) == "https:") { return "PROXY 10.203.152.3:8070"; }
        }
        // Clients outside those subnets, and other schemes (e.g. ftp:), go direct.
        // Without this final return the in-subnet case would return undefined
        // for non-HTTP(S) URLs.
        return "DIRECT";
    }
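The harness below is an added example, not part of the Websense slides or of Content Gateway itself. It re-implements the PAC built-ins the script above relies on (isInNet, dnsDomainIs, myIpAddress) so that a PAC file's decisions, including the exception rules from the "Explicit proxy exceptions" slide and a redundancy list with a second proxy, can be checked under Node.js before the file is published. The secondary proxy 10.203.152.4, the client addresses and the hostnames are assumed values chosen for the example.

```javascript
// Added example (not from the Websense slides): an offline harness that runs a
// PAC script under Node.js so its routing decisions can be checked before the
// file is published via the Content Gateway Manager, WPAD or Group Policy.
// The three helpers below re-implement the PAC built-ins the slide's script
// relies on; real browsers provide them natively.

function ipToInt(ip) {
  // dotted quad -> unsigned 32-bit integer
  return ip.split('.').reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}

function isInNet(ipaddr, pattern, maskstr) {
  const mask = ipToInt(maskstr);
  return ((ipToInt(ipaddr) & mask) >>> 0) === ((ipToInt(pattern) & mask) >>> 0);
}

function dnsDomainIs(host, domain) {
  // true when host ends with domain (the rule the browsers apply)
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

// myIpAddress() normally returns the browser's own address; the harness lets
// each simulated client set it so the subnet rules can be exercised.
let simulatedClientIp = '10.201.5.20';
function myIpAddress() { return simulatedClientIp; }

// --- PAC script under test (the slide's rules plus a failover proxy) --------
function FindProxyForURL(url, host) {
  // Exception rules: these hosts never go through the proxy.
  if (host === 'download.microsoft.com' || dnsDomainIs(host, '.windowsupdate.com')) {
    return 'DIRECT';
  }
  // Only clients in the deployment subnets are sent to the proxy.
  if (isInNet(myIpAddress(), '10.201.0.0', '255.255.0.0') ||
      isInNet(myIpAddress(), '10.202.0.0', '255.255.0.0') ||
      isInNet(myIpAddress(), '10.203.0.0', '255.255.0.0')) {
    // A second proxy (10.203.152.4 is an assumed address for this example) is
    // listed after the primary: the browser moves to it if the primary is
    // unreachable. Appending '; DIRECT' would make the policy fail open when
    // both proxies are down, so it is deliberately omitted here.
    if (url.substring(0, 5) === 'http:') {
      return 'PROXY 10.203.152.3:8080; PROXY 10.203.152.4:8080';
    }
    if (url.substring(0, 6) === 'https:') {
      return 'PROXY 10.203.152.3:8070; PROXY 10.203.152.4:8070';
    }
  }
  // Clients outside those subnets, and other schemes such as ftp:, go direct.
  return 'DIRECT';
}

// --- harness ---------------------------------------------------------------
// Runs the script for one simulated client and returns the ordered candidate
// list the browser would try.
function evaluatePac(url, clientIp) {
  simulatedClientIp = clientIp;
  const host = new URL(url).hostname;
  return FindProxyForURL(url, host).split(';').map(s => s.trim()).filter(Boolean);
}

// Expected decisions. Client addresses and hostnames are constructed values;
// keeping this table next to the PAC file turns it into a regression test.
const CASES = [
  ['http://intranet.example.com/', '10.201.5.20',
    ['PROXY 10.203.152.3:8080', 'PROXY 10.203.152.4:8080']],
  ['https://bank.example.com/', '10.203.1.9',
    ['PROXY 10.203.152.3:8070', 'PROXY 10.203.152.4:8070']],
  ['http://download.microsoft.com/x.cab', '10.201.5.20', ['DIRECT']],
  ['http://v5.windowsupdate.com/', '10.202.7.7', ['DIRECT']],
  ['http://www.example.com/', '192.168.1.10', ['DIRECT']], // outside the deployment subnets
  ['ftp://ftp.example.com/', '10.201.5.20', ['DIRECT']],   // scheme the script does not proxy
];

function runCases() {
  return CASES.map(([url, ip, expected]) => {
    const got = evaluatePac(url, ip);
    return { url, ip, got, ok: JSON.stringify(got) === JSON.stringify(expected) };
  });
}

for (const r of runCases()) {
  console.log((r.ok ? 'ok   ' : 'FAIL ') + r.ip + '  ' + r.url + '  -> ' + r.got.join(' | '));
}
```

Run it with `node pac-check.js`. The table of cases is the useful artifact: every time the PAC file changes (a new bypass, a new subnet), re-running it shows immediately whether a change opened an unintended DIRECT path or stranded a subnet without a proxy.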
Explicit proxy auto configuration
Enter PAC script into the Websense Content Gateway Manager.
– Navigate to the Configure > Content Routing > Browser Auto-Config > PAC tab.
Explicit proxy auto configuration
WPAD (Web Proxy Auto-Discovery)
WPAD is a method for Web browsers to locate a PAC file automatically and use this to configure the browser's Web proxy settings.
Automatic discovery is configured by means of a WPAD entry in DHCP or DNS.
To use DHCP, the server must be configured to serve up the "site-local" option 252 with a string value of http://wpad.mydomain.com.
Browsers look for http://wpad.mydomain.com/wpad.dat and attempt to download instructions from that host.
You can configure your own Web server to host this file (and have DNS point to that server), or you can have the proxy itself serve the file.
Explicit proxy auto configuration
WPAD DHCP Notes:
– The host for wpad.dat must be able to serve up a page.
– The wpad.dat must be located in the website's root directory.
– The host must be configured to serve .dat files with a MIME type of "application/x-ns-proxy-autoconfig".
– Only IE supports the use of DHCP for WPAD; all other major browsers support DNS.
– Any URL is acceptable provided no more than 24 characters are used after the domain name.
– Monitor the network for rogue DHCP servers, as they may be hosting a malicious PAC script.
Explicit proxy auto configuration
WPAD DNS Notes:
– Ensure DNS is always successful at the intended domain level, as the browser will continue searching for wpad at each higher domain if the previous request doesn't resolve. This security flaw can redirect a browser to any site, malicious or otherwise.
– For DNS lookups, the path of the configuration file is always wpad.dat.
– When hosting the wpad.dat on a virtual server, the headers are different depending on which browser is used. It is recommended that the wpad.dat file be hosted under the default Virtual Host rather than its own
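The following is an added example, not part of the Websense slides. It models the upward WPAD name search described in the DNS notes, so an administrator can list which names a client would query and which of them fall outside the organization's own zone, and it checks a wpad.dat host's response and a DHCP option 252 value against the requirements in the DHCP notes. The client FQDN, zone name, headers and URLs are constructed values; how far a browser devolves the name is a parameter because browsers differ.

```javascript
// Added example (not from the Websense slides): models the WPAD name search
// described in the DNS notes and the hosting requirements from the DHCP notes.
// Domain names, headers and URLs below are constructed.

// Candidate names a browser tries for a client whose FQDN is `clientFqdn`:
// "wpad." in front of each parent domain, walking upward until `minLabels`
// labels remain. Browsers differ in where they stop, so the depth is a
// parameter: minLabels = 1 models a browser that goes all the way to the TLD.
function wpadCandidates(clientFqdn, minLabels) {
  const labels = clientFqdn.toLowerCase().split('.').filter(Boolean);
  const names = [];
  for (let i = 1; i <= labels.length - minLabels; i++) {
    names.push('wpad.' + labels.slice(i).join('.'));
  }
  return names;
}

// Names outside the organization's own zone. If the lookups before them fail,
// these are answered by someone else's DNS, which is the redirection the
// slide warns about; making wpad resolve at the intended level (or blocking
// it explicitly there) keeps the search from ever reaching them.
function candidatesOutsideZone(clientFqdn, orgZone, minLabels) {
  const suffix = '.' + orgZone.toLowerCase();
  return wpadCandidates(clientFqdn, minLabels).filter(n => !n.endsWith(suffix));
}

// Checks a captured response from the wpad.dat host against the DHCP notes:
// file at the site root, HTTP 200, PAC MIME type. Returns a list of problems.
function checkWpadResponse(requestPath, statusCode, headers) {
  const problems = [];
  if (requestPath !== '/wpad.dat') problems.push('path must be /wpad.dat in the site root');
  if (statusCode !== 200) problems.push('expected HTTP 200, got ' + statusCode);
  const ctKey = Object.keys(headers).find(k => k.toLowerCase() === 'content-type');
  const ct = ctKey ? headers[ctKey].split(';')[0].trim().toLowerCase() : '';
  if (ct !== 'application/x-ns-proxy-autoconfig') {
    problems.push('wrong MIME type: ' + (ct || '(none)'));
  }
  return problems;
}

// DHCP option 252 value: an http:// URL with, per the slide, at most 24
// characters after the domain name.
function checkDhcpOption252(value) {
  let u;
  try { u = new URL(value); } catch (e) { return ['not a valid URL']; }
  const problems = [];
  if (u.protocol !== 'http:') problems.push('must be an http:// URL');
  const afterHost = u.pathname + u.search + u.hash;
  if (afterHost.length > 24) {
    problems.push('more than 24 characters after the domain name (' + afterHost.length + ')');
  }
  return problems;
}

// Walk-through with constructed values.
const CLIENT = 'pc1.sales.corp.example.com';
console.log('queries, stopping at the org zone:', wpadCandidates(CLIENT, 2));
console.log('queries if the browser devolves to the TLD:', wpadCandidates(CLIENT, 1));
console.log('names outside example.com:', candidatesOutsideZone(CLIENT, 'example.com', 1));
console.log(checkWpadResponse('/wpad.dat', 200, { 'Content-Type': 'application/x-ns-proxy-autoconfig' }));
console.log(checkWpadResponse('/proxy/wpad.dat', 200, { 'Content-Type': 'text/plain' }));
console.log(checkDhcpOption252('http://wpad.mydomain.com'));
```

The list returned by candidatesOutsideZone is the one to act on: each name in it should either never be reached (because wpad resolves at the intended level) or be watched for in DNS query logs, since a client resolving it means the search has left the organization's zone.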
Explicit proxy auto configuration
Configure WPAD in the Websense Content Gateway Manager.
– Navigate to Configure > Content Routing > Browser Auto-Config > WPAD.
– Enter the PAC script.
Explicit proxy auto configuration
Navigate to the Configure > Networking > ARM > General tab.
– In the Network Address Translation (NAT) section, click Edit File to add a special remap rule to the ipnat.conf file.
Transparent proxy
Norm for medium to large enterprises
Completely transparent to workstation – nothing at the browser
Much more secure – user cannot circumvent.
Allows load balancing / redundancy via network devices (e.g., router protocols)
Requires ARM
Why or why not choose transparent?
Pro
– Various ways to implement:
• Layer 4 switch
• Router running WCCP (2.0)
• Content-based routing (includes both policy and software based)
– Requires no workstation (browser) configuration
– Centralized management and control
– Better support for load balancing, redundancy, and high availability
Con
– Requires more network devices
– Potential increase in deployment cost
– Might be more difficult to troubleshoot
• More complexity
• Specialized knowledge
Transparent proxy exceptions
WCG
Interception Bypass – allows defined traffic to bypass the proxy
– Dynamic (adaptive)
• When configured, clients/servers bypass on selected HTTP errors (i.e. 400, 401, 403, 405, 406, 408, 500).
• When configured, clients bypass if non-HTTP detected on port 80.
• Purged on restart.
– Static
• Rules configurable by source address, destination address, or source/destination pairs.
• Unlike dynamic, static rules saved in file, available on restart.
Network Devices
Switch / Router / Firewall
– Create access list defining traffic to be redirected.
Layer 4 Switch
L4 switch – not really a switch (L2-type bridge), but makes decisions used to direct traffic based on content (not IP/TCP headers alone).
Allows load-balancing, high availability.
Requires ARM
Policy Based Routing
Software based deployment
Requests forwarded to proxy by IP or port.
Performance impacting on the router.
Natively lacks load-balancing and HA capabilities, but reliability can be added with a virtual IP.
PBR example configuration

    ip access-list extended PROXY_TRAFFIC
     deny ip host 10.0.0.2 any
     deny ip host 10.0.0.3 any
     permit tcp any any eq www
     permit tcp any any eq 443
     permit tcp any any eq ftp
     remark Implicit deny-all

    route-map REDIRECT_TO_PROXY permit 10
     description Policy to Send Traffic to Virtual IP
     match ip address PROXY_TRAFFIC
     set ip next-hop 10.0.0.1

    interface GigabitEthernet0/1
     ip policy route-map REDIRECT_TO_PROXY
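The evaluator below is an added example, not from the Websense slides or from Cisco. It parses the access list shown above and applies the route-map's next-hop decision to sample flows, so the redirect policy can be checked on a workstation before it is applied to an interface. It understands only the keywords the slide uses (permit/deny, ip/tcp, host/any, eq with a port number or the names www and ftp) and is not a general IOS parser. The sample flows are constructed, and the reading of 10.0.0.2 and 10.0.0.3 as the proxy hosts behind the virtual IP is an assumption made for the example, not something the slide states.

```javascript
// Added example (not from the Websense slides): a small evaluator for the
// access list and route-map shown above. Handles only the keywords the slide
// uses; it is not a general IOS parser.

const PORT_NAMES = { www: 80, ftp: 21 };

function parseAddr(tokens, i) {
  if (tokens[i] === 'any') return [{ any: true }, i + 1];
  if (tokens[i] === 'host') return [{ host: tokens[i + 1] }, i + 2];
  throw new Error('unsupported address form: ' + tokens[i]);
}

// Turns the text of an extended access list into an ordered array of entries.
// Header and remark lines are skipped.
function parseAcl(text) {
  const entries = [];
  for (const raw of text.split('\n')) {
    const t = raw.trim().split(/\s+/);
    if (t[0] !== 'permit' && t[0] !== 'deny') continue;
    const e = { action: t[0], proto: t[1] };
    let i = 2;
    [e.src, i] = parseAddr(t, i);
    [e.dst, i] = parseAddr(t, i);
    if (t[i] === 'eq') {
      const p = t[i + 1];
      e.dport = p in PORT_NAMES ? PORT_NAMES[p] : Number(p);
    }
    entries.push(e);
  }
  return entries;
}

function addrMatches(spec, ip) {
  return spec.any === true || spec.host === ip;
}

// First match wins, and every IOS ACL ends with an implicit deny.
function aclDecision(entries, flow) {
  for (const e of entries) {
    if (e.proto !== 'ip' && e.proto !== flow.proto) continue;
    if (!addrMatches(e.src, flow.src) || !addrMatches(e.dst, flow.dst)) continue;
    if (e.dport !== undefined && e.dport !== flow.dport) continue;
    return e.action;
  }
  return 'deny';
}

// Under the route-map, a permit applies "set ip next-hop"; a deny (explicit
// or implicit) leaves the packet to normal routing.
function pbrNextHop(entries, nextHop, flow) {
  return aclDecision(entries, flow) === 'permit' ? nextHop : 'normal routing';
}

// The slide's access list, verbatim.
const ACL_TEXT = `
ip access-list extended PROXY_TRAFFIC
 deny ip host 10.0.0.2 any
 deny ip host 10.0.0.3 any
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq ftp
 remark Implicit deny-all
`;
const ENTRIES = parseAcl(ACL_TEXT);
const NEXT_HOP = '10.0.0.1'; // from "set ip next-hop 10.0.0.1"

// Constructed sample flows. The two deny lines exempt 10.0.0.2 and 10.0.0.3;
// this example assumes those are the proxy hosts behind the virtual IP, in
// which case the exemption stops their own outbound web traffic from being
// redirected back to the virtual IP in a loop.
const FLOWS = [
  { proto: 'tcp', src: '10.1.1.50', dst: '198.51.100.10', dport: 80 },
  { proto: 'tcp', src: '10.1.1.50', dst: '198.51.100.10', dport: 443 },
  { proto: 'tcp', src: '10.1.1.50', dst: '198.51.100.10', dport: 21 },
  { proto: 'tcp', src: '10.0.0.2', dst: '198.51.100.10', dport: 80 },
  { proto: 'tcp', src: '10.1.1.50', dst: '198.51.100.10', dport: 22 },
  { proto: 'udp', src: '10.1.1.50', dst: '10.1.1.1', dport: 53 },
];

function decisions() {
  return FLOWS.map(f => ({ ...f, nextHop: pbrNextHop(ENTRIES, NEXT_HOP, f) }));
}

for (const d of decisions()) {
  console.log(`${d.proto} ${d.src} -> ${d.dst}:${d.dport}  => ${d.nextHop}`);
}
```

Because entries are matched in order, the output also makes the ordering rule visible: moving the two deny lines below the permits would send the exempt hosts to the virtual IP as well, which is the kind of mistake worth catching before the policy reaches the interface.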
WCCP
Provides load-balancing, scaling, fault tolerance and failsafe mechanisms.
Must use specific service IDs instead of “web-cache”
Requires ARM and specific configurations in WCG.
WCCP: Enable in WCG
Navigate to Configure > Basic > General tab
Click “On” for the WCCP Feature, then Apply & Restart the proxy
WCCP: Enable in WCG
Navigate to Configure > Networking > General tab
Click “WCCP v 2.0” then Apply & Restart the proxy
WCCP: Enable in Router

    router# configure terminal
    router(config)# ip wccp version 2
    router(config)# ip wccp 0
    router(config)# ip wccp 70
    router(config)# interface gig 1/2
    router(config-if)# ip wccp 0 redirect in
    router(config-if)# ip wccp 70 redirect in
Deploying certificates
After Websense Content Gateway and Websense Web Security are installed and configured, and the latest database files have been downloaded (this was covered in last month’s webinar)
Distributing the public Trusted Root CA certificate
AD GPO method:
– http://www.unixwiz.net/techtips/deploy-webcert-gp.html
Novell Registry method:
– http://www.novell.com/coolsolutions/feature/18875.html
Webinar Announcement
Title: Configuration and Best Practices for Websense V10000
Date & Time: Hosted from Sydney, Australia on November 24, 2009, 1:00 P.M. AUS (EDT +11)
How to register: http://www.websense.com/content/SupportWebinars.aspx
Webinar Update
Customer Training Options
To find Websense classes offered by Authorized Training Partners in your area, visit: http://www.websense.com/findaclass
Websense Training Partners also offer classes online and onsite at your location.
For more information, please send email to: