Choose from several options for complete web, email and data security.
Learn more
Evaluate Websense products by watching demos and installing evaluation software.
Learn how Websense solutions help keep our customer safe, secure and productive
Get information on product updates, support resources and more.
Get the most out of support in five simple steps.
Find tools and assets to help sell Websense solutions.
Stay informed on the latest security exploits, industry news, research, solutions, and more.
Websense Web Security v7.6.5 on Win2008 R2, SP1, 64-bit
Hey all. I had a request to provide access to a single user for a single URL. The way I did this was to create a custom category with the URL defined within, then create a filter providing access only to that URL then a policy for that single filter granting access to the individual client. Unfortunately this provided a few issues. I learned that basing this policy on an existing filter alters the exisint filter any time changes are affected to the new policy. I also learned that the individual client must be added via the console Main / clients. I also learned that this method now only applies the new policy to the client & the exising filter that has everything blocked now has to be altered to mirror the basic blanket policy we created.
In researching documentation there was nothing clear cut that I could find that specifies how to do this for a single user. The documentation speaks to creating custom filters, categories and policies but not specifically in what order or what to do when a single user requires access to everything PLUS a URL that is blocked due to categorization.
The conclusion I've come to thus far is... 1. create a custom category containing the URL in question. 2. create a filter allowing access to the URL in question but based on the Block All filter. 3. create a policy allowing access only to the newly created category. For the client side operations - create an Active Directory group and assign the user to this group - assign the policy to the AD group just created.
Anyone have any suggestions - see any corrections or flaws with this logic. I'm still getting my hands dirty with Websense and was hoping for some clear documentation but so far, nothing. I'd appreciate any insight anyone has to offer.
Carter
CF
I'm a bit confused, but I believe you are just wanting to give 1 user access to one and ONLY one URL, right? If so just use a Limited Access Filter instead of a Category set. If it's not on the Limited Access Filter list, it gets blocked. No need to worry about categories and this doesn't mess with that one URL's categorization for others either.
Hey Glitch, thanks for the reply and sorry for the confusion. The goal is to provide the user access to the blanket policy AND an additional URL that no one else should have access to. We have a user who has been approved for access to dropbox.
Ahh ok, I've had a similar issue for the same reason.
In that case then yes -- you need to put it into a custom category and then block that category in all category sets except the one for the policy you'll give to that user. You'll want to create that new category set by copying the blanket policy, not the block all. This way you don't have to reconfigure it manually.
If I remember the Release Notes correctly, however, exclusions like this are now possible in 7.7 without going through all this, but I wouldn't jump on a major release that came out 3 days ago just for that.
Hey Glitch, thanks for the feedback. I'm still confused though (sorry). I'm guessing that copying the blanket policy in this case means that no changes would be made to the original. Couldn't I achieve my goal by doing the following: (lets use www.slideshare.net as the example)
Since the configuration is least restrictive this should allow the user access to everything that all domain users have access to under the blanket policy while at the same time allowing access to slideshare as per the policy.
What am I missing?
C
No, that's not quite right. A user only gets 1 policy applied to them, so with your steps the WS-Slideshare group will only have access to slideshare.net and nothing else. You need to give that group a policy that is the "blanket policy" with allowing the Slideshare category also allowed.
4. Copy the "blanket policy" category set, rename it to "Allow Slideshare".
5. Edit "Allow Slideshare" category set to permit the Slideshare category
Everything else can stay the same
Yes, a user gets only one policy applied to them at a time. IF you're applying policies in that manner. We are using Active Directory Groups, easier for administration.
The steps I've used work so I guess I'll stick with them. I was just curious to know if there was a better method. I think with the software Web Security we're only allowed "x" number of custom categories so once we reach that limit we can no longer accomodate our "special" users.
Caught the Webinar for WS v7.7 yesterday and it looks cool and actually speaks to this particular issue (which you mentioned in a previous post) but due to the issues I'm seeing in the forums at the moment, definitely recommended waiting before moving to this version. If they have a hotfix coming out around Sept for the HTTPS issue they'll probably have uncovered a few other things by that point in time. :)
Thanks for your help, I really appreciate the feedback & info.
Cheers,
It's never wise to jump on a major release of any production critical product. Let others be the early adopters and find the bugs that slipped through QA; I'll wait at least for 7.7.1 (or longer since I'll need a Win2k8 server first)
