Licensing flaw...

Not Answered This post has 0 verified answers | 15 Replies | 5 Followers

Not Ranked
3 Posts
EMelloul posted on 3 Nov 2010 2:13 PM

Websense,

I am running into an issue that I have been trying to get resolved with support as well as our sales team, to no avail. Here is the issue.... I bought 150 licenses for our ~130-135 nodes on our network. About 30% of our users are laptop users.

Following best practices, our wired network, private WiFi and public WiFi are all on separate VLANs - thus, separate IP ranges. Here is where I run into a problem with Websense due to a design flaw in the licensing (which makes absolutely no sense at all...).

Let's say I am plugged into our wired network and I get the IP 192.168.1.10.  Then I get on the WiFi and I get 192.168.2.10.  I have two IP addresses, but it is still a single user with a single "seat" or piece of hardware.  So effectively, I have doubled the amount of licenses that I would consume which is a little ridiculous.

This poses a problem for us with users who take their laptops to meetings and still need to be able to access the Internet. Is there a solution to this?

Thanks,
Ethan

All Replies

Top 10 Contributor
2,487 Posts
Editor
Moderator

Have a DHCP scope that is fixed to be the same size as the Websense subscription. Have a short lifetime for the DHCP lease, say 1 hour. Make sure your servers are outside of this range and not monitored by Websense. Private WiFi and the wired LAN should be sharing the same IP ranges. Then, the public WiFi can use a small amount of address space, say 10 addresses in a DHCP pool.

These suggestions will break your user identification, but you can remedy that by using the Websense Content Gateway and NTLM authentication to correctly apply the policies to your users.

Use my suggestions, and you won't run out of subscriptions again.

JACOB SLOAN, CCNA, WCSE
Not Ranked
3 Posts

A couple of things wrong with your recommendation...

1)  It is not best practice to put your wired LAN and private WiFi on the same subnet.  People who use phones would be on the public WiFi and not monitored.  That being said, I am not going to break my network design solely to make Websense work.

2)  When you have a DHCP lease time of even 30 minutes, you will continue to get the same IP as long as the machine is up - that is how DHCP works by design, so that you don't lose connectivity every time the lease renews... so I'm not sure what you're trying to accomplish by doing that.

3)  As you said, they will break the user identification which completely defeats the purpose of having Websense to begin with.

4)  I am really looking for a fix to this issue instead of a workaround.  The bottom line is that I have 1 PC, 2 IP addresses due to two separate networks, and this is an issue that needs to be fixed by Websense.

Top 10 Contributor
446 Posts
Trusted Users (MVP)

We have run into this problem before, more with users having a workstation and a mobile device with Internet access. We have changed the way we describe the Websense licensing model to our customers. We now tell our customers from the beginning how the licensing works so there are no surprises later. If they have a situation like this then we take it up with Websense, who usually come to the party with regards to pricing, and we just up the client's license.

So if you want a proper fix for this, buy more licenses. Explain the situation to your Websense representative.

Top 10 Contributor
2,487 Posts
Editor
Moderator

One more thing...

Don't use the word "licenses".  Licenses refer to a purchase in which after purchase you can use the software for as long as you want with no time restrictions afterward.

Use the word "subscriptions", because that refers to a period of time in which the software functions. After that time period, if you do not renew, the software does not function and is expected not to function.

JACOB SLOAN, CCNA, WCSE
Top 25 Contributor
185 Posts
Trusted Users (MVP)

mlpotgieter:
So if you want a proper fix for this, buy more licenses.

I usually agree with your answers, but this one I am in 100% disagreement with... Why should I pay for twice as many "subscriptions" as I need just to satisfy mobile workers? I believe WebSense should be working HARD on a better way to identify each workstation/device, NOT just rely on IP addresses. They already have the "Logonapp.exe" which runs on the desktop, so if that plug-in is used, why can't something be added that can read the "workstation name" (NetBIOS?)?

I also think that it is time for WebSense to be fully "DHCP Aware", so when a client changes networks, (thus, IP addresses), the software will still only use ONE subscription count.

(A crude example: Company A has 100 clients, they are all Laptops, and wired to the desktop. They are also "Highly mobile", so they unplug, and use their wireless NIC as they move from place to place. You would have the client purchase 200 subscriptions, and DOUBLE their cost. Why would a company want to do this? Also, suppose they "Plug in" to other offices that are on different networks? Now, they would TRIPLE the subscription count. And on it goes.....)

Top 10 Contributor
2,487 Posts
Editor
Moderator

Workstation name doesn't always work. You've also got other operating systems to contend with, in which NetBIOS doesn't play any part. Then, you've also got the problem where spoofing can be done to masquerade one workstation as another (more to do with those same OSes that NetBIOS isn't inherently part of).

Even if we used MAC addresses, you've still got the problems of laptops using 2 subscriptions or more, based on the number of network cards they use per day.

Strictly speaking, the best method is also the most intrusive. If we had a client which handled XID for Mac/Linux/Windows/OS X, which also reported in and also handled the traffic leaving each workstation to be proxied with our Content Gateway, say something like ISA's client software, that would resolve the situation, but that also means untouched devices would not get filtered and/or prevented from accessing the internet. This method would require that all customers have the Content Gateway, which would necessarily increase the cost for all Websense subscribers even if they have no desire to have the proxy. The cost of the Content Gateway would likely be more than the 100 extra subscriptions that you've used in your crude example.

JACOB SLOAN, CCNA, WCSE
Not Ranked
3 Posts

While all of this is great... Websense doesn't take into account how easy it is to completely defeat their licensing model. Any junior level network admin would be able to create a NAT with a policy map that allows your network to function properly, then NAT all outside traffic behind a virtual interface before it hits your edge device (thus double NATing) and essentially funnel all traffic down to one IP with a single MAC - nothing a few commands on EIGRP/OSPF couldn't alleviate.

Wouldn't that be nice?

I could do it on a 6500 in about 5 minutes... and it would also keep all reporting fully intact with AD authentication, etc.  While I'm sure that would be in violation of the license guideline, requiring me to buy a "subscription" because I designed a network properly is completely absurd.

The way to fix this is as suggested, with either a client on the desktop, or to actually query machines out of AD with an LDAP query - a very simple fix. For Mac/Linux there are other solutions out there; but, being that my background is Cisco/Microsoft, maybe a client wouldn't be half bad. You could even do a simple WMI query and gather GUID information with aging that expires if you're using DC Agents - which I assume most people are.

Ethan M. | CCNP | MCITP:EA | MCITP:SA
Top 25 Contributor
185 Posts
Trusted Users (MVP)

J Sloan:

Workstation name doesn't always work. You've also got other operating systems to contend with, in which NetBIOS doesn't play any part. Then, you've also got the problem where spoofing can be done to masquerade one workstation as another (more to do with those same OSes that NetBIOS isn't inherently part of).

Even if we used MAC addresses, you've still got the problems of laptops using 2 subscriptions or more, based on the number of network cards they use per day.

Strictly speaking, the best method is also the most intrusive. If we had a client which handled XID for Mac/Linux/Windows/OS X, which also reported in and also handled the traffic leaving each workstation to be proxied with our Content Gateway, say something like ISA's client software, that would resolve the situation, but that also means untouched devices would not get filtered and/or prevented from accessing the internet. This method would require that all customers have the Content Gateway, which would necessarily increase the cost for all Websense subscribers even if they have no desire to have the proxy. The cost of the Content Gateway would likely be more than the 100 extra subscriptions that you've used in your crude example.

WebSense already has a "client" plug-in, with the "Logonapp.exe" logon agent, and the Remote Filtering agent. What is so hard about either modifying those, or creating a new one that can be pushed to all the workstations (at the discretion of the customer, of course)? As the last posting stated, it would not be hard to query AD for some "unique" workstation information, even if the client is "one of the other OSes" out there. And I don't really understand why you would need to use a proxy or the Content Gateway. Our Web Security Suite/Cisco ASA integration seems to be able to identify: 1: The IP Address. 2: The AD Client name. 3: The Workstation Name. (These all show up on our customized block page.) I know it would not be 100%, but WebSense could modify the Subscription counter to identify either the Client or Workstation, and even populate a table of recently used IP addresses for each device.

I know that I am frustrated with the way WebSense counts subscriptions, I recently ran an inventory scan (Multiple times over a couple months to identify all devices), and came up with a count of 1300 computers, more or less. We have a 1700 count subscription, and are constantly running past the "90% threshold", even exceeded that a couple of times. Since I am in the field a lot with my laptop, every time I plug in, I get a new IP address, and I have sometimes found over 20 "Subscriptions" used for my ONE laptop...

Sorry for the long post, and venting, but there HAS to be a better way to manage the subscription counts...
Top 10 Contributor
2,487 Posts
Editor
Moderator

I can't give you details, but you need to talk to your sales person. Sales are the only people who can provide you a resolution to this issue.

JACOB SLOAN, CCNA, WCSE
Top 200 Contributor
16 Posts

I don't understand why it is not working as follows:

No user identification: IPs are counted.
User identification enabled: User identified at 9 with IP X, same user at 11 with IP Y and same user with IP Z at 12 => only one license counted...
Top 10 Contributor
1,744 Posts
Moderator

Hi,

If the Filtering Service is working then IPs will be counted. You will see the list of IP addresses that the Filtering Service has gathered since the last successful database update, or since the Filtering Service was restarted. Websense counts licenses based on IP addresses, not user names.

Kind regards

Best regards

Not Ranked
1 Posts

Hi,

So if I have 160 computers in a school with 119 user IDs in an Active Directory network DIVIDED UP FOR STAFF AND STUDENTS and we have 150 seats, Websense counts the license based upon IP addresses? When we bought this product I was informed that the SEAT count is based upon the user ID from Active Directory, not the computer IP address...... Am I wrong about how the seat is determined?

Thanks
Top 10 Contributor
454 Posts
Moderator

Hi,

Websense Filtering Service waits for Lookup Requests to arrive. These Lookup Requests are contained in network TCP packets. Each TCP packet has a source IP and destination IP address. Each “unique source IP address” is considered a subscription. These Lookup Requests may arrive from a firewall, proxy, or Websense Network Agent service.

Websense resets the subscription count to zero at midnight.

You can follow the article below to see a list of IPs being counted by Websense.  

http://www.websense.com/support/article/t-kbarticle/How-do-I-get-a-seat-count-and-list-of-IP-addresses-for-my-Websense-users

Phil
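As an added example (not code from this thread and not Websense's own implementation), the Python below simulates the counting rule Phil describes: one subscription per unique source IP in the lookup requests, with the count starting over at midnight. Next to it is the per-identified-user counting that the earlier reply asked about, so an administrator can reproduce on constructed records why one laptop on two VLANs consumes two seats, and can check a day's count against the subscription size. The sample records, the function names and the 90% warning level (the threshold mentioned earlier in the thread, exposed here as a parameter) are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample lookup requests (not real Websense log data):
# (timestamp, source IP of the request, user as resolved by user identification,
#  or None when the device was not identified, e.g. a phone on public WiFi).
SAMPLE_LOOKUPS = [
    ("2010-11-03 08:05:00", "192.168.1.10", "corp\\ethan"),  # wired LAN at the desk
    ("2010-11-03 09:30:00", "192.168.2.10", "corp\\ethan"),  # same laptop, private WiFi in a meeting
    ("2010-11-03 11:00:00", "192.168.1.10", "corp\\ethan"),  # back on the wired LAN
    ("2010-11-03 11:45:00", "192.168.1.25", "corp\\alice"),  # a desktop that never moves
    ("2010-11-03 13:00:00", "192.168.3.7", None),            # unidentified device on public WiFi
    ("2010-11-04 00:10:00", "192.168.1.10", "corp\\ethan"),  # after midnight: a new counting day
]


def _day_of(timestamp):
    """Calendar day of a 'YYYY-MM-DD HH:MM:SS' timestamp, as an ISO date string."""
    return datetime.strptime(timestamp, "%Y-%m-%d %H:%M:%S").date().isoformat()


def seats_by_ip(records):
    """Seat count as the thread describes it: distinct source IPs per calendar
    day, with the set starting empty again at midnight."""
    per_day = defaultdict(set)
    for timestamp, source_ip, _user in records:
        per_day[_day_of(timestamp)].add(source_ip)
    return {day: len(ips) for day, ips in per_day.items()}


def seats_by_identity(records):
    """Hypothetical alternative raised in the thread: distinct identified users
    per day, falling back to the IP only when no user was identified."""
    per_day = defaultdict(set)
    for timestamp, source_ip, user in records:
        per_day[_day_of(timestamp)].add(user if user is not None else source_ip)
    return {day: len(keys) for day, keys in per_day.items()}


def ips_per_user(records, day):
    """Source IPs each identified user consumed on one day; a user with more
    than one IP is a single device that the per-IP rule counts several times."""
    seen = defaultdict(set)
    for timestamp, source_ip, user in records:
        if user is not None and _day_of(timestamp) == day:
            seen[user].add(source_ip)
    return dict(seen)


def usage_status(seat_count, subscription, warn_fraction=0.9):
    """Classify a day's count against the subscription size; the 90% warning
    level is an assumed default taken from the threshold mentioned above."""
    if seat_count > subscription:
        return "exceeded"
    if seat_count >= warn_fraction * subscription:
        return "warning"
    return "ok"


if __name__ == "__main__":
    print("seats by unique IP:        ", seats_by_ip(SAMPLE_LOOKUPS))
    print("seats by identified user:  ", seats_by_identity(SAMPLE_LOOKUPS))
    print("IPs per user on 2010-11-03:", ips_per_user(SAMPLE_LOOKUPS, "2010-11-03"))
    print("status for 135 of 150:     ", usage_status(135, 150))
```

Running it shows four seats consumed on 2010-11-03 under the per-IP rule (two of them by the one laptop that moved between the wired VLAN and the private WiFi) against three under the per-user rule, and the count dropping back to one after midnight. Feeding the real per-day IP list from the support article above into `seats_by_ip` and `ips_per_user` is the quickest way to see which devices are being counted more than once.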

Top 10 Contributor
986 Posts
Trusted Users (MVP)

Your licensed usage is based on how many unique IP addresses were filtered by Websense from midnight to midnight on a given day.  That's how it's always been for the 7 years I've been a customer.  Websense has always licensed their product on a per-filtered-device basis, and unique IP is the only way to really do that with any degree of accuracy.

If you have issues with single users consuming 2 licenses on wired and wireless connections, talk to your Sales rep.
