Here's the situation. I have Websense 7.6.2 installed with Microsoft ISA 2006 integration. In Active Directory, I have several groups, and users are assigned to one of those groups. In my policy configuration I associate that client to a particular set of filter rules. Now, about 50% of the users are not on actual desktop PCs, but thin clients (Wyse, HP) that RDP to one of two servers running Windows Terminal Services. However, once connected to the terminal server they log in with their AD password.
I have about 10 of the thin client workstations set up in public areas of our building, to allow members of the public access to certain websites (we are a county courthouse, and this allows the public access to various court documents, county records, and the like). These are controlled by a limited access filter where I have specified only those sites that I want people to be able to get to.
Now, some of the thin client users do not seem to be obeying the rules. Their IE network configuration is set in group policies, so they have to go through the ISA server as their proxy server. When I look at the Triton Unified Security Center, and click on the "Investigative Reports" and list them by user, I can see one of the biggest users (by hits) isn't an actual user, but the IP address of the main terminal server. This has made me wonder - is there a possibility that the thin client machines are not being identified to Websense by the logged on AD users (and hence being subject to the rules that I've specified), but somehow being an anonymous user?
Any suggestions would be greatly appreciated.
Ken Ray
Webmaster
Clay County Circuit Court
Actually I might be wrong on this... you might also be able to fix this since you're using ISA as your integration (saw it after reading this thread http://community.websense.com/forums/t/7830.aspx)
You just need to make sure the ISA Server is your identification mechanism, but I'm not well versed in ISA integrations.
You are correct that ISA needs to be the authentication mechanism. Otherwise, DC Agent will loop all users of the TS under one user.
JACOB SLOAN, CCNA, WCSE
If I understand you correctly, all of your thin client users are surfing the internet on the Terminal Server, not the thin clients. That means the internet traffic all comes from the Terminal Server IP, not the thin client IP. The problem then there is that Websense, in most integrations, is only designed for having 1 user per IP address. In Citrix, Websense fixed this with a Citrix plugin, but I do not believe there is one for Terminal Server.
I fear your only real option is to filter by IP address and not by user. If you need to give different users different policies then separate them onto different servers, but aside from that I think you'd need to invest in a Websense Content Gateway and use its IWA / NTLM authentication method to tell multiple users apart on 1 IP address.
Ok, I can understand that. So I need to enable Integrated Windows Authentication on ISA, and I assume that ISA will pass the user identification information to Websense as part of the web filter request. I assume that for this to work, all users will need to be using IE (which isn't a problem for us), so how do I turn this on in ISA? I've done some googling, but I haven't found a clear answer yet.
networks, internal, and somewhere in there is to require authentication. Check integrated and basic.
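A way to check whether requests from a shared terminal server are reaching the proxy with a user name attached, as an added example that is not part of the original thread. The `client_ip,username,url` layout, the `COURT` domain and all sample rows are constructed for illustration and are not the ISA or Websense log format; map your own exported log columns onto these three fields.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in a simplified "client_ip,username,url" layout (an assumption,
# not the ISA or Websense log format). An empty username means the proxy saw
# no authenticated user for that request.
SAMPLE_LOG = """\
client_ip,username,url
10.0.0.50,,http://example.org/news
10.0.0.50,COURT\\jsmith,http://example.org/records
10.0.0.50,COURT\\public01,http://example.org/docs
10.0.0.50,,http://example.net/video
10.0.0.21,COURT\\mjones,http://example.org/records
10.0.0.21,COURT\\mjones,http://example.org/mail
"""

def audit_identification(log_text):
    """Summarise, per client IP, how its requests were identified."""
    per_ip = defaultdict(lambda: {"users": set(), "anonymous": 0, "total": 0})
    for row in csv.DictReader(io.StringIO(log_text)):
        entry = per_ip[row["client_ip"]]
        entry["total"] += 1
        user = row["username"].strip().lower()  # AD names are case-insensitive
        if user:
            entry["users"].add(user)
        else:
            entry["anonymous"] += 1
    report = {}
    for ip, e in per_ip.items():
        report[ip] = {
            "users": sorted(e["users"]),
            "anonymous": e["anonymous"],
            "total": e["total"],
            # Several users behind one IP: an IP-to-user mapping cannot
            # select the right per-user policy for this address.
            "shared_ip": len(e["users"]) > 1,
            # Requests without a user can only be filtered by IP address.
            "needs_proxy_auth": e["anonymous"] > 0,
        }
    return report

if __name__ == "__main__":
    for ip, info in audit_identification(SAMPLE_LOG).items():
        print(ip, info)
```

An address that comes back with `shared_ip` or `needs_proxy_auth` set is one where per-user policy depends on the proxy authenticating each request rather than on the client IP.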