Curious if anyone has any suggestions on this, we have a software-only deployment with a Triton server managing a series of filtering servers running Network Agent, User Service, Filter service, etc, and no WCG is involved.
At the same site as the Triton system, same network even, the filtering in testing against www.purple.com yields very inconsistent results, where often it is not blocked on the first attempt, but on subsequent ones is blocked with a block page, but then allows through again. Sometimes you can hit it multiple times and it blocks but then on the 8th or 9th try for instance it gets through.
The network agent is set to use the policy server on the same host, so there should be no network interference, etc. There seems to be no issue with processes on the system itself, and the SPAN serving network agent is set to watch the VLAN that includes the port; we are trying to arrange for some packet captures to see exactly what the filtering server is seeing, but in the case that we see all the packets we expect, does anyone have suggestions on more to check?
Are you watching Testlogserver or Realtime Monitor when running these tests? They'd shed more light on this, no need for a packet capture.
My guess is that Network Agent isn't seeing every request going out. As far as he's concerned he's consistently blocking your 7 attempts to purple.com, but you actually did it 9 times. I'm betting that when you use testlogserver / RTM you won't see the allowed attempts, only the blocked ones. As to what would be causing that I'm not sure, but it's for fear of stuff like this that I've always preferred using an actual integration with Websense and not rely solely on Network Agent in standalone mode. If you have a PIX / ASA firewall at the internet you can easily integrate it for HTTP/HTTPS/FTP and let Network Agent handle the other protocols. No fear of dropping / missing requests there.
Thanks for the reply - the packet captures are showing that it's not a WS problem but one related to the network itself somehow diverting or preventing the block pages from reaching the end points.
We have the same problem with a v5000 appliance connected with a software policy server.
Everything was working fine until 2 weeks ago. If you hit a blocked URL it blocks, but if you hit it multiple times (9-10 times), on the 8th or 9th try for instance it gets through.
What is curious is that the appliance has dropped packets and we don't understand why.
Any suggestions?
How are you integrating your v5k into the environment? Explicit proxy? WCCP? Network Agent only?
Network Agent Only.
:(
That's your problem.
Network Agent just sits on a span port and tries to interrupt traffic you want to block. It's a nice supplement to an integration (since most integrations can only handle HTTP/HTTPS/FTP) but it's not very good on its own as you're finding.
You have a v5000, which means you have WCG -- why aren't you using it? You know if you only use Network Agent you're not using WCG at all which means no HTTPS decryption, no content filtering, etc. You paid good money for that appliance and WCG and you're not really using them.
We only have a Web Security licence (up to 5000 users).
Is there a relation between dropped packets and missed blocked pages?
Did you check the config.xml? You may need to inject the MAC of the default gateway for the block page NIC. Had a similar issue that drove us crazy for quite a while. Had the wrong MAC in the InjectDestMACAddress portion. Something to check.
CF
I don't think it's a MAC problem because the system works fine in normal conditions. The block page is correctly sent to the browser.
The filter fails to deny pages if you stress it with 3 or 4 browser requests a second. I stressed the filter system by opening 10 new sessions, holding the CTRL button and clicking very fast on a non-authorized link.
baldi
Network Agent is often diminished because it has to deal with a set of circumstances called the "race" condition. It has to get its packets to your workstations faster than the responses from the external server(s). Sometimes it can, sometimes it can't. This is why hardware firewall or proxy-based integrations are better in that they literally stop the flow of traffic for inspection, while Network Agent only works with a copy of your traffic and has very little time to work and block the packets it needs to.
JACOB SLOAN, CCNA, WCSE
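Added example, not part of the thread or of any Websense tooling: a way to sort a workstation-side capture into the outcomes discussed above (block page arrived first, block page lost the race to the real reply, or no block page reached the client at all). It assumes injected block pages can be told apart from real replies by source MAC; the MAC addresses, packet records and function names are all constructed for illustration.

```python
from collections import Counter

# Constructed sample data, not from the thread. All MACs are assumptions.
AGENT_MAC = "00:00:5e:00:53:0a"    # NIC that Network Agent injects block pages from
GATEWAY_MAC = "00:00:5e:00:53:01"  # default gateway (path of the real server reply)
CLIENT_MAC = "00:00:5e:00:53:63"

# One record per packet seen at the workstation: (time_s, flow_id, src_mac, kind)
PACKETS = [
    (0.000, 1, CLIENT_MAC, "request"),
    (0.004, 1, AGENT_MAC, "response"),    # block page arrives first
    (0.031, 1, GATEWAY_MAC, "response"),
    (1.000, 2, CLIENT_MAC, "request"),
    (1.012, 2, GATEWAY_MAC, "response"),  # real server wins the race
    (1.019, 2, AGENT_MAC, "response"),
    (2.000, 3, CLIENT_MAC, "request"),
    (2.030, 3, GATEWAY_MAC, "response"),  # no block page ever reaches the client
    (3.000, 4, CLIENT_MAC, "request"),
    (3.003, 4, AGENT_MAC, "response"),
]

def classify_flows(packets, agent_mac=AGENT_MAC):
    """Map each requested flow to blocked / lost_race / not_injected / no_reply."""
    requested, injected_seen, first_is_injected = [], set(), {}
    for _time, flow, src_mac, kind in sorted(packets):
        if kind == "request":
            if flow not in requested:
                requested.append(flow)
        elif kind == "response":
            injected = src_mac == agent_mac
            if injected:
                injected_seen.add(flow)
            first_is_injected.setdefault(flow, injected)  # first reply decides
    verdicts = {}
    for flow in requested:
        if flow not in first_is_injected:
            verdicts[flow] = "no_reply"
        elif first_is_injected[flow]:
            verdicts[flow] = "blocked"
        elif flow in injected_seen:
            verdicts[flow] = "lost_race"      # injection arrived, but too late
        else:
            verdicts[flow] = "not_injected"   # request missed, or block page diverted
    return verdicts

def summarize(verdicts):
    """Count flows per verdict."""
    return Counter(verdicts.values())
```

A run dominated by `lost_race` points at injection latency, while `not_injected` points at the SPAN feed or the return path of the block page rather than at timing.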
It's a shame you spent the money on a v5k and couldn't get the WCG licensing too.
Do you have something else to integrate with, like a Cisco ASA? Anything would be better than just using Network Agent. Websense integrates with many products, hopefully you have something that can be leveraged.
Glitch: It's a shame you spent the money on a v5k and couldn't get the WCG licensing too.
Heh, at some point, we were giving away 5k hardware for renewals. They didn't have to get WCG subscription, which means they'd have the appliance for network agent or some integration.
We have a Fortigate firewall that could be integrated with WCCP.
What about the licence? We don't have any subscription for WCG. Is the Network Agent licence sufficient for the integration?
WCCP isn't technically an integration -- it's a means for performing transparent proxy. In that case, the proxy server is the integration point. WCG is a proxy server, but if you don't have WCG you could technically stand up a free proxy server and integrate with that, but if you know nothing of proxy servers that's one heck of a hole to jump into.
Somewhere around here there's a list of all available integrations, I'd check if Fortigate is listed there separately or another product you have. Regular integrations are free (or come with your license).