Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Transparent Proxy with WebSense

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 Firewall] >> HTTP Filtering >> Transparent Proxy with WebSense Page: [1]
Login
Message << Older Topic   Newer Topic >>
Transparent Proxy with WebSense - 20.Nov.2006 1:26:20 AM   
progzoom

 

Posts: 3
Joined: 20.Nov.2006
Status: offline 		Dear all,

Does anybody know how to configure a transparent proxy (Once user connected to the server, he does not need to put proxy server into the web browser) server with integration with Websense web filter?

Since currently I have installed the websense and configured the proxy, under the ISA management > Configuration > Add-Ins > Web Filters , I can see "WsISAFilter" added. But just that if the proxy is not typed in the web browser, I still can go through some pornographic web pages.

Any ideas to the problem?

Thank you very much in advance!

Joe Chan
Post #: 1
RE: Transparent Proxy with WebSense - 4.Jan.2007 1:22:35 PM   
abqtech

 

Posts: 216
Joined: 9.Mar.2004
Status: offline 		I'm running ISA 2004 with Websense (but not as a transparent proxy)  By transparent proxy I assume you have routing setup in your network that routes all HTTP based traffic (route based upon Destination Ports 80, 443, etc..) to your ISA Proxy server. 

Have you looked at setting up WPAD? (closest thing to a transparent proxy, that I'm aware of) but needs to run in a windows environment.  I think that a Transparent Proxy and Proxy integration with Websense are two seperate things, and therefore should be addessed individually.

Are you saying that if you don't set any proxy settings in the browser, you can access content that should be filtered by Websense?  Are you certain that the requests are being proxied by ISA.  (by way of logging/monitoring the traffic, from ISA, to confirm that it's indeed going through ISA?)  I ask because your relying on the routing of your network to send the traffic to the proxy, and you have not provided much information regarding the setup of you transparent proxy architecture.

I'll try to help you out, but it may take a few posts.

(in reply to progzoom)
Post #: 2
RE: Transparent Proxy with WebSense - 4.Jan.2007 9:16:56 PM   
progzoom

 

Posts: 3
Joined: 20.Nov.2006
Status: offline 		Dear abqtech,
 
Thank you for your reply and kindly help. Please see my replies:

I'm running ISA 2004 with Websense (but not as a transparent proxy) By transparent proxy I assume you have routing setup in your network that routes all HTTP based traffic (route based upon Destination Ports 80, 443, etc..) to your ISA Proxy server.

[progzoom] Yes, I set the gateway of the clients' machines to be the IP of the ISA server.

Have you looked at setting up WPAD? (closest thing to a transparent proxy, that I'm aware of) but needs to run in a windows environment. I think that a Transparent Proxy and Proxy integration with Websense are two seperate things, and therefore should be addessed individually.

[progzoom] Could you provide more details on WPAD? Is that a separate product or built-in already in ISA?

Are you saying that if you don't set any proxy settings in the browser, you can access content that should be filtered by Websense?
 
[progzoom] Yes, I can still access those non-80 port traffics. The WebSense can block those 80 port traffics.

Are you certain that the requests are being proxied by ISA. (by way of logging/monitoring the traffic, from ISA, to confirm that it's indeed going through ISA?)

[progzoom] From logging/monitoring, I can see those non-80 port traffics, thus I assume the ISA should handle them but just don't pass those traffics to the WebSense Add-In

I ask because your relying on the routing of your network to send the traffic to the proxy, and you have not provided much information regarding the setup of you transparent proxy architecture.

I'll try to help you out, but it may take a few posts.


[progzoom] Surely no problem, your kindly help is much appreciated.

(in reply to abqtech)
Post #: 3
RE: Transparent Proxy with WebSense - 5.Jan.2007 3:19:34 PM   
abqtech

 

Posts: 216
Joined: 9.Mar.2004
Status: offline 		For more on WPAD see: http://www.microsoft.com/technet/isa/2004/plan/automaticdiscovery.mspx

What does your Websense implementation look like?
...For example is your websense server on a different host than your ISA Server?  Is the websense Filtering Service & Filtering Plug-in installed on your ISA Server?  How is websense integrated a How have you configured objects within ISA and what ISA Access rules are configured to allows traffic to Websense?  By default the websense block service runs on TCP 15871 on your ISA Server, have you configured an access rule to allow that?
What Network Agents (IP Subnets) are configured withing the WebSense?

Are you running ISA 2004 Standard or ISA 2004 Enterprise?
What version of Websense are you running?

What application and web filters are enabled within ISA?

(in reply to progzoom)
Post #: 4
RE: Transparent Proxy with WebSense - 6.Jan.2007 9:45:57 AM   
tonygauderman

 

Posts: 107
Joined: 6.Feb.2006
Status: offline 		If your users are in an Active Directory environment, use GPO's to define the proxy server and prevent users from changing it.

(in reply to abqtech)
Post #: 5
RE: Transparent Proxy with WebSense - 10.Dec.2007 5:10:54 AM   
PeteSt

 

Posts: 15
Joined: 20.Mar.2007
Status: offline 		Hi abqtech,

You really seem to have a good handle on Websense with ISA.  I have just configured this at my work.  I enabled port 15871 & 15868 outbound local host/internal to internal, and it appears to work fine.  Can you tell me if this is all the rules required for ISA integration with Websense..?

Thanks in advance,
Pete

(in reply to tonygauderman)
Post #: 6
RE: Transparent Proxy with WebSense - 27.Dec.2007 1:35:14 PM   
abqtech

 

Posts: 216
Joined: 9.Mar.2004
Status: offline 		The Websense plug-in traffic communicates over TCP Outbound 15868
The Websense filtering traffic communicates over TCP Outbound 15871
The Websense Policy Server traffic communicates over TCP Outbound 30600, 30602, 40000,55805,55806
And should be accounted for in a All Users rule that allows source and destionation as the Internal IP's of your ISA Servers (assuming you have an array in ISA 2006 EE) and Websense server.

(in reply to PeteSt)
Post #: 7
RE: Transparent Proxy with WebSense - 27.Dec.2007 1:39:02 PM   
abqtech

 

Posts: 216
Joined: 9.Mar.2004
Status: offline 		after further thought on a "transparent proxy" I believe in ISA vernacular Secure NAT should be interchangeable with transparent proxy, anyone care to comment?

(in reply to abqtech)
Post #: 8

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2004 Firewall] >> HTTP Filtering >> Transparent Proxy with WebSense Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts