Our HR group wants to block the "Social Networking" category, but allow Facebook and Twitter because it can be used for business marketing purposes. It has been challenging unblocking these sites because they appear to have dozens or hundreds of login servers that use HTTPS, and Websense requires us to put in the IP address to allow access to HTTPS sites.
This makes it so sometimes it works, and sometimes it doesn't, then someone calls in with a ticket, we look it up, and add another IP address to the list of dozens we already have.
Could there be a feature to unblock large sites like Facebook totally, including their HTTPS login pages? Websense already knows that they are in the Social Networking category, and you probably already know that they are Facebook or Twitter IP addresses, so give us a way to open these sites easily, please.
I opened a case with support, but it wasn't much help.
Yes, Facebook has too many servers. I think you should run nslookup to find all the Facebook server IPs, and recategorize all those host IP URLs. You can also try entering an IP URL with a wildcard; please try the instructions in the following KB article for how to do it: Can I add wildcards in custom URL lists? http://www.websense.com/support/article/t-kbarticle/Can-I-add-wildcards-in-custom-URL-lists
Best regards
Susie,
While I appreciate that you used my regular expressions article, that article was supposed to be internal only.
We're going to need to remove that from customer view.
JACOB SLOAN, CCNA, WCSE
I am curious... WebSense "suggests" to their customers to use RegEx a LOT, yet you also state that "WebSense does NOT support RegEx".
What is the underlying reason for this? Is there a licensing issue with RegEx, is WebSense just providing a disclaimer if something breaks on a customer install due to this, or some other reason? It would be really helpful if this became "supported" and WebSense could provide examples of the more common RegEx strings being used in the field...
I am also wondering about the "wildcard" URL matching, did that come out in 7.5, or will it be available in 7.6?
Susie Wang: Yes, Facebook has too many servers, I think you should run nslookup to find all the facebook server IPs, and recategorize all those host IP URLs. You also can try enter an IP URL with a wildcard.....
I think the whole point of his post was there are TOO MANY IP addresses to recategorize, and they CHANGE all the time. We do (did) the same thing, trying to block "Social Networking", but allowing only FaceBook and MySpace for one Policy. We constantly had support calls that FaceBook was "Broken" again due to another IP address being added to the "HTTPS" list. This list seems to be dynamic, and changes all the time (do they use Akamai services to pick up the "best" or "closest" server?) We finally broke down, and just allowed all Social Networking for this specific policy, and let the departments know they had to police their clients...
I believe what this poster wanted was a way to put in the MAIN SITE in a recategorize, and WebSense will "know" the HTTPS IP addresses associated with that MAIN SITE, and allow them in addition, INSTEAD of we the customers having to identify EVERY HTTPS IP address, EVERY TIME, for all recategorized secure sites. (Maybe you could consider this a Feature Request).
Russ
Regular expressions are difficult to code, and even a small mistake can have a very large impact on both filtering and the performance of the filtering. If you are not very precise, the regular expression will match too much, or too little. In addition, the filter service can only do so many regular expressions before the filter service cannot perform well enough to handle the requests coming in. All the regular expressions as entered are tested against all the URLs coming into the Filter Service, so you can see how lookups for the categorization become much more complicated as more regular expressions are used.
Bottom line: they can be used, and we expose it to customers so they can craft their own regular expressions, but Technical Support staff are not trained on how to create and troubleshoot regular expressions. This is the reason why I created the article that she referenced. It was to address internal questions about the regular expressions we had in the product.
Also, Facebook's HTTPS servers do change often, as do a lot of other HTTPS sites. This is one of the reasons why the Websense Content Gateway was created. With this software, we can decrypt the SSL session and get the actual URL to filter it correctly. Therefore, we don't need to know the IP addresses any longer. We just filter based on the URL.
However, if companies do not use the Content Gateway proxy, and use their existing integrations, that feature is not available to them, so they will need to recategorize by IP address as they have done so far.
Thank you very much for the explanation.. We really appreciate your replies on these forums. I guess it is time to upgrade....
^^
That's why I posted this in the "Suggest a feature" area. :)
I wouldn't feel comfortable using the SSL decryption option within the web gateway either. I really don't want to get in the middle of any legal issues about decrypting people's SSL sessions.
Why can't websense just do a reverse lookup against the IP address (would work in most cases with Twitter and Facebook), or just allow the IP address? They already know that it is a social networking site, and they probably also know that it is for facebook. Give us an option to unblock "Facebook" as a whole.
In many cases, reverse IP lookups will fail to provide the correct information because these types of sites are on shared hosted servers, not dedicated to a single company. The Akamai network, for instance, spreads across multitudes of IP ranges, and hosts sites for millions of pages. If you do a reverse IP for one of those sites, you'll find it back to the Akamai network, not the site.
That's why WCG is the better option given the two.
I used to run SurfControl 5.5 for a few years prior to the websense buy out. It had a great many faults but the one thing it did do very well was following the session when it went to https. There was none of this add the IP address bunk and pray it stays the same. It is a shame that websense, this vastly more advanced and robust product can't do what lowly surfcontrol did. Websense, how about asking the old surfcontrol engineers how they did it. My 2 cents.
Hear, hear, well said!!! I'm going to add my penny's worth here and agree whole-heartedly as I'm having exactly this issue and I also found that this worked under SurfControl and it worked well!
As I've said in another post, it's funny how Websense bang on about being market leaders and how they've taken features from SC and integrated them. Really? Where?
This looks like yet another omission.
To be fair though, on a day-to-day basis and in general, our V10000 unit is much better than SC but it's such a shame that some obvious and essential features have been missed, like this, the real-time monitor, User Browse Time Activity Reports, etc.
I agree as well! I've been trying to get Websense to add some features that SurfControl always had. One is being able to use a HostName in Rules/Policies. I have a lot of Apple Mac users who I have allow rules for based on their hostnames because their AD login doesn't get picked up transparently. Not sure why they have been so lax in integrating any features from SC.
@Rick586:
Surfcontrol features integrated into Websense:
1. The integrations of the hosted solutions and turning them into a hybrid service is now called "Websense Web Security Gateway Anywhere".
2. Email Security that will soon be part of the Triton Manager in 7.6.
I am sure there are more, but those are the two I can think of real quick.
Anyone have luck getting facebook.com to work with regular expressions and keeping social networking blocked?
What I am trying to do is: Custom Policy that Allows Custom Category (Recategorized) to access facebook.com although social networking is blocked as a whole (blocked with continue page)
What I have tried:
Allowing the following sites:
http(s)://facebook.com
http(s)://channel.facebook.com
http(s)://static.ak.fbcdn.net
http(s)://fbcdn.net
This seemed to partially work, but users reported inconsistencies, with the pages sometimes being blocked; reporting confirmed this:
I also tried putting a regex for
facebook.com
fbcdn.net
Under this Custom Group but then facebook.com was not recategorized. And therefore it was still getting blocked.
J Sloan wrote that with the Websense Content Gateway it should work without adding the IP Addresses, this is what I am running and I am not having luck.
I added a few different strings to the Unblock URL (Unfiltered URL) section of Websense Manager and this seems to have worked fairly well. I used the same method to allow access to YouTube and Twitter. I wasn't aware that use of regex was not supported by Websense since it appears under the Advanced section on many policies. So I suppose you can try the following out at your own risk:
^htt(p|ps)://.*facebook\.com/.*$
http://static.ak.fbcdn.net
.*69\.63\.17[6-9]\.[0-9]{1,3}.*
.*69\.63\.18[0-9]\.[0-9]{1,3}.*
.*69\.63\.19[0-1]\.[0-9]{1,3}.*
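
Added example (not part of any post in this thread, and not Websense code): a small audit harness for the point made earlier in the thread that an imprecise regular expression in an allow list matches too much or too little. It assumes Python's `re` as a stand-in for the filter's regex engine; the loose patterns are constructed in the style discussed here, and the stricter patterns and the sample URLs are hypothetical.

```python
import re

# Assumption: the filter's regex dialect is not documented on this page,
# so Python's `re` stands in for it.
# Loose patterns (constructed): unescaped dots and a leading ".*".
LOOSE = [
    re.compile(r"^htt(p|ps)://.*facebook.com/.*$"),
    re.compile(r".*69.63.17[6-9]\.[0-9]{1,3}.*"),
]

# Tighter variants (hypothetical, not from the thread): literal dots escaped
# and the match pinned to the host part directly after the scheme.
STRICT = [
    re.compile(r"^https?://([a-z0-9-]+\.)*facebook\.com(:[0-9]+)?(/.*)?$"),
    re.compile(r"^https?://69\.63\.17[6-9]\.[0-9]{1,3}(:[0-9]+)?(/.*)?$"),
]

# Constructed sample URLs: (url, should the allow rule cover it?)
SAMPLES = [
    ("https://www.facebook.com/login.php", True),
    ("http://facebook.com/", True),
    ("https://69.63.176.13/", True),
    ("http://notfacebook.com/", False),                  # different host name
    ("http://example.test/?ref=facebook.com/x", False),  # name only in the query
    ("http://example.test/facebookXcom/", False),        # unescaped "." matches "X"
    ("http://169.63.176.13/", False),                    # different address
]


def allowed(url, patterns):
    """True if any pattern in the allow list matches the URL."""
    return any(p.search(url) for p in patterns)


def audit(patterns, samples=SAMPLES):
    """Return (over, under): URLs wrongly allowed and URLs wrongly missed."""
    over = [u for u, want in samples if allowed(u, patterns) and not want]
    under = [u for u, want in samples if not allowed(u, patterns) and want]
    return over, under


if __name__ == "__main__":
    for name, pats in (("loose", LOOSE), ("strict", STRICT)):
        over, under = audit(pats)
        print(f"{name}: {len(over)} over-matched, {len(under)} missed")
        for u in over:
            print("  over-match:", u)
```

Running a list of known-good and known-bad URLs through each candidate pattern before entering it in the unfiltered list shows over-matching up front instead of through a later support ticket.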