Websense not sending block requests correctly

rated by 0 users
Not Answered This post has 0 verified answers | 3 Replies | 2 Followers

Not Ranked
2 Posts
pianohacker posted on 20 Mar 2010 1:08 PM

I am having a heck of a time getting Websense Express to work. As our library does not own a switch anywhere near smart enough to have a span port, I'm currently using the following hack to get Websense to see the web traffic:

All patron web activity goes through a simple Squid caching proxy. This linux machine uses xtables-addons' -j TEE extension to iptables to send a copy of each packet to the Windows Server 2003 machine running Websense.

This is actually working, for the most part. Websense sees the traffic and sends a block request to the correct IP address. However, the HTTP 302 and TCP RST packets it sends out have the wrong MAC destination address; the auto InjectDestMACAddress setting sends them back to the proxy, where they are promptly ignored. Manually sending the packets to the MAC address of my router or the Windows server itself also does not get them to the client.

Is there a better way to do this?

|

All Replies

Top 25 Contributor
246 Posts
Moderator

You can run testlogserver to diagnose the traffic

Using TestLogServer with Websense Enterprise

http://www.websense.com/support/article/t-kbarticle/Using-TestLogServer-with-Websense-Enterprise

|
Not Ranked
2 Posts

Kate_Zhao:

You can run testlogserver to diagnose the traffic

Using TestLogServer with Websense Enterprise

http://www.websense.com/support/article/t-kbarticle/Using-TestLogServer-with-Websense-Enterprise

TestLogServer shows the blocked traffic, with the correct source and destination IPs. It looks like Websense really, really needs a dumb hub or span port attached to it. Can I put in a heartfelt request to fix this particular problem (incorrect MAC address on block requests in response to relayed traffic)?

Assuming that is a problem.

|
Top 25 Contributor
246 Posts
Moderator

Hi, would you please post your testlogserver result for further investigation?

|
Page 1 of 1 (4 items)