Having a seriousley annoying problem with Websense email filter updates - It cannot update through the ISA firewall at all. My version is Isa Standard 2006. I keep geting the this error in the log whenever i try to update however it works fine when i bypass the ISA. Can anyone shed any light on this error or has anyone else experience this error? Failed Connection Attempt MSA5000 6/23/2009 12:21:24 PM Log type: Web Proxy (Forward) Status: 1359 An internal error occurred. Rule: Web Access Only Source: Internal (192.168.16.83) Destination: External (static-204-15-69-70.websense.com 204.15.69.70:80) Request: GET http://204.15.69.70/cgi-bin/GenLiveUpdate.dll?GetFile&CF9A93CC14E22C19DB01C9C3E5A64DD13E705FE5D0EA1AB2BB377E7D29B72D585F21A7AE624387D785ADCE3C96321DB3E3EA4F30BA2D725FEC648B2A9DA40382578FE8B19967D5FEC7B658F7B840AA Filter information: Req ID: 056a5c0a; Compression: client=No, server=No, compress rate=0% decompress rate=0% Protocol: http User: anonymous Additional information Client agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727) Object source: Internet (Source is the Internet. Object was added to the cache.) Cache info: 0x40020000 (Response includes the CACHE-CONTROL: PRIVATE header. Response should not be cached.) Processing time: 77969 ms MIME type:
Thanks for the reply! Yes, behind the firewall on our LAN. Nothing on the DMZ or anything like that. Websense technical support havebeen looking at it and they are pointing the finger at the isa firewall.
Posts: 477
Joined: 20.Jan.2009
From: Southern California
Status: offline
It seems to me like either the HTTP filter is objecting to something or there is an authentication issue. Can you tell me if authentication is required on the access rule? Or if 'require all users to authenticate' is enabled for the web proxy listener?
Hi richard access rule is for all users and web proxy filter is set to not require all users to authenticate. I see you work for celestix..the box is an msa5000.
Posts: 477
Joined: 20.Jan.2009
From: Southern California
Status: offline
MSA5000...excellent choice! I have a fair amount of experience with Websense content filtering software, but not with their e-mail filtering software. I've not encountered any issues with Websense content filtering software obtaining updates from Websense when accessing through an ISA firewall, so I have to assume that the e-mail software is doing something a little different (that obviously ISA isn't happy with).
At this point it would be helpful to have a network trace taken from the host that is requesting the updates. That would hopefully allow us to identify the offending communication and hopefully resolve the issue. In the short term we can deploy a workaround to allow communication to Websense to bypass the HTTP filter. This will require that you create a new custom protocol for HTTP without the HTTP filter bound to it. You'll then need to create a deny rule for standard HTTP as well. Follow the instructions here - http://blogs.technet.com/isablog/archive/2006/09/25/why-do-i-need-a-deny-rule-to-make-an-allow-rule-for-a-custom-protocol-work-correctly.aspx.
If you have any questions or you'd like some assistance configuring this access, feel free to drop me a note or call our support line and one of us will gladly help.
Hi richard i did the following Allow rule from email filter server to external without http/webproxy filtering enabled Deny rule from email filter server to external with http/proxy filter enabled.
And by joe its working!! so we've narrowed it down to the web proxy filter..am i ok to leave it like this? what could be the cause of this problem - problem with the proxy filter maybe?
Hi Tom Hwo would i go about doing direct access - i think i know but need to make sure. The onyl problem is, since its doign updates over many ip's it might be difficult to use the direct access unless im wrong of course.
Posts: 477
Joined: 20.Jan.2009
From: Southern California
Status: offline
I think what Tom means by 'direct access' is from that host to that specific site only. You don't want other users to be able to access the Internet via that rule because the enhanced security provided by the HTTP filter has been disabled. So, for that specific access rule specify your Websense e-mail server as the source and *.websense.com (or a more specific URL if possible) as the destination.
I see what you and tom mean now. i'll try and make it more specific tomorrow then and see if still works ok. I'll post and let you both know if its ok. thanks
Ive ran into a bit of a problem When creating those allow and deny rules and turning off the http/proxy filter off it has also turned off the web proxy filter for all other rules with http also? From what i recall i thought each rule was independant of the other?
this is affecting our websense web filtering? thanks