Hello,
I am puzzled about how Cloud Web Security applies the policy to the user. My scenario is like this:
The company firewall is registered as a Proxied Connection under the defined policy, and the AD synchronization client software is installed on a PC to sync the group and user information from AD with Hosted Web Security. In fact, group and user information are successfully synced to Hosted Web Security, and the Web Endpoint software is installed on every end user PC.
Now my question is this: I need to assign different policies to different groups, like one policy for managers, another policy for accountants, and another policy for the support team. Do I have to define as many policies as there are groups? And what about registering the firewall as a proxied connection; do I have to add the firewall as a proxied connection in every policy? I am not sure how I can do this.
Another question is, how can I identify the users in Hosted Web Security? Do I always have to check the "Always authenticate users on first access" checkbox under Policy -> Access Control? Web Endpoint is so automatic; I read that Web Endpoint sends the user authentication information to HWS, but how does Web Endpoint get the user authentication information? Is there any way to explicitly tell Web Endpoint that this is user-A or user-G for authentication?
Thank you,
You can only populate a given public IP as a connection under a single policy.
The way you need to think about "policy" is as a convenient way to generate reports for a collection of user/locations.
Under a single "policy" you can define different content filtering policies. The differentiation between the groups of users is best done by putting the users that get content filtering policy A into Active Directory group A. Then put all the users that get content filtering policy B into a separate Active Directory group B. You can define different policies in the portal for each Active Directory group that is synced via the directory sync client, using exceptions in the database categories of interest in the portal.
I cannot tell from your description if you are using the directory synchronization client - I am guessing you are not. Sounds like you only have the endpoint client in play.
If the endpoint client is installed on a PC, it will map the logged-on user to the default policy for your account if the user is not already populated in the portal, either manually or via the directory synchronization client. It uses the cached credentials of the logged-in user. I would recommend that you leave "Always authenticate users on first access" checked.
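The model the reply above describes (one policy owns a public IP; inside that policy, the groups synced from AD carry category exceptions that override the policy's defaults) is easier to see in code than in prose. The following is an added example written for this thread, not Websense code or documented product logic: the precedence rule for a user in several groups, the action vocabulary, the "authenticate" result for an unregistered IP, and the group and category names are all assumptions of the model. It also shows the effect the original poster is seeing: a request whose user could not be identified (an empty group list, the portal's "Unspecified") only ever receives the policy defaults, never a group exception.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class Policy:
    name: str
    connections: set[str]                 # public IPs registered as proxied connections
    default_actions: dict[str, str]       # category -> "allow" | "block" (assumed vocabulary)
    group_exceptions: dict[str, dict[str, str]] = field(default_factory=dict)  # group -> category -> action


class PolicyStore:
    """Holds every policy and enforces 'one public IP belongs to exactly one policy'."""

    def __init__(self) -> None:
        self.policies: dict[str, Policy] = {}
        self._policy_by_ip: dict[str, str] = {}

    def add(self, policy: Policy) -> None:
        normalised = {str(ip_address(ip)) for ip in policy.connections}
        for ip in normalised:
            owner = self._policy_by_ip.get(ip)
            if owner is not None and owner != policy.name:
                raise ValueError(f"{ip} is already a connection under policy {owner!r}")
        for ip in normalised:
            self._policy_by_ip[ip] = policy.name
        self.policies[policy.name] = policy

    def policy_for_ip(self, source_ip: str) -> Policy | None:
        name = self._policy_by_ip.get(str(ip_address(source_ip)))
        return self.policies.get(name) if name else None

    def resolve(self, source_ip: str, user_groups: list[str], category: str) -> tuple[str, str]:
        """Return (action, reason) for one request.

        Assumed precedence, not documented product behaviour: the first group in
        user_groups that carries an exception for the category wins; otherwise the
        policy default applies. An empty user_groups models an unidentified
        ("Unspecified") user, who therefore only ever sees the defaults.
        """
        policy = self.policy_for_ip(source_ip)
        if policy is None:
            # Assumed handling: an unknown IP falls back to asking the user to authenticate.
            return "authenticate", "unknown-connection"
        for group in user_groups:
            action = policy.group_exceptions.get(group, {}).get(category)
            if action is not None:
                return action, f"exception:{group}"
        return policy.default_actions.get(category, "block"), "policy-default"


def try_add(store: PolicyStore, policy: Policy) -> str:
    """Register a policy and report whether the IP-uniqueness rule rejected it."""
    try:
        store.add(policy)
        return "registered"
    except ValueError as exc:
        return f"rejected: {exc}"


def build_example() -> PolicyStore:
    """One policy for the office firewall's public IP with per-AD-group exceptions.

    203.0.113.10 is a documentation address; the group and category names are made up.
    """
    store = PolicyStore()
    store.add(Policy(
        name="Head Office",
        connections={"203.0.113.10"},
        default_actions={"Social Networking": "block", "Job Search": "block", "Business": "allow"},
        group_exceptions={
            "Managers": {"Social Networking": "allow"},
            "Accountants": {"Job Search": "allow"},
            "Support": {"Social Networking": "allow", "Job Search": "allow"},
        },
    ))
    return store


if __name__ == "__main__":
    store = build_example()
    for groups in (["Managers"], ["Accountants"], []):
        print(groups, store.resolve("203.0.113.10", groups, "Social Networking"))
    # A second policy cannot claim the same public IP:
    print(try_add(store, Policy("Branch", {"203.0.113.10"}, {})))
```

The point of `try_add` is the first sentence of the reply: registering the firewall's IP under a second policy is rejected, so per-group behaviour has to live inside the one policy as exceptions rather than as separate policies.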
@Denee,
Thanks for the reply. Let me put it another way: how does HWS transparently identify the users coming from the network behind the firewall, when the firewall is registered as a proxied connection under the single policy?
In the Access Control tab under the policy, "Authenticate only in these cases" is checked:
1. The connection is from an unknown IP address.
2. The requested site is in a Web category that requires user authentication.
In the above case, connections coming from the firewall are not going to be authenticated (because they are coming from the FW, and the FW is registered as a proxied connection under the policy), and HWS is going to apply the policy which is defined for the proxied connection.
At the same time, when I looked at the Account Summary Report, users are listed as "Unspecified". I would like to see who is who in the report rather than having every connection shown as "Unspecified".
Is there a way to transparently authenticate the users who connect from behind the FW?
Another thing: when I create the policy, I define the firewall as a proxied connection.
Then I have 2 or 3 groups defined, and each user is associated with its group.
In Web Categories under the policy window, I set up a category exception for a certain group to allow some web categories. But the thing is, every time a user tries to access a web site which is allowed for that group under the category exception, HWS pulls up the login page to ask the user to identify themselves.
I want transparent authentication for every user; I don't want end users to input their email address and password. Instead I want HWS to seamlessly identify the users and apply the right actions for the web categories accordingly.
Well.... I have to say that we require authentication for all of our categories, regardless of the public IP the user sources from. *IF* the users do not have the endpoint client installed (we are in the process of phasing in the endpoint client), then it is NTLM authentication; if they have the endpoint client, we use the built-in authentication that comes with that.
You may need to ask tech support to do things behind the scenes to permit roaming users... which means that if the user is normally associated with the site that has IP address 1.2.3.4 and they are temporarily working at a location with public IP 5.6.7.8, the user will get the same policy. But I suspect that should only be necessary if you are using different content filtering policies at different locations.
I'd try authenticating users for all categories regardless of the IP address they are sourcing from if you want to have the ability to track usage at the user level.
The web endpoint will utilize the cached credentials of the logged-in user, and it will pass them as part of the encrypted/hashed ws-auth header that the endpoint client passes to the proxy server. Look at an HTTP request in a Wireshark trace; if you drill down you should see this. If you have not enabled the setting that makes the endpoint client use port 80, you'll need to tell Wireshark to interpret TCP 8081-8082 as HTTP.
In short, what you are trying to do is achievable. I know, because we are doing it. I suspect there is just something off with how you are configured.
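The reply above gives the practical check: capture the endpoint's proxy traffic, decode TCP 8081-8082 as HTTP (in tshark the equivalent of the Wireshark "Decode As" step is `tshark -d tcp.port==8081-8082,http -r capture.pcap`), and look for the ws-auth header in each request. A request to the proxy ports that carries no such header is one the proxy cannot attribute to a user via the endpoint, which is the kind of thing behind "Unspecified" in the report. The script below, an added example and not Websense code, runs that triage over reassembled requests offline so the missing-header case is easy to spot. The requests are constructed samples; the header name `ws-auth` and the shape of its value are assumptions taken from the reply, not from documentation, and the value is treated as opaque because the reply describes it as encrypted/hashed.

```python
from __future__ import annotations
from collections import Counter

ENDPOINT_PORTS = {8081, 8082}  # add 80 if the endpoint's "use port 80" setting is enabled
AUTH_HEADER_MARKER = "ws-auth"  # assumed from the reply; matched case-insensitively as a substring


def parse_request(raw: bytes) -> dict:
    """Minimal HTTP/1.x request parser: request line plus a lower-cased header map."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def find_auth_header(headers: dict[str, str]) -> tuple[str, str] | None:
    """Return (name, value) of the first header whose name contains the marker."""
    for name, value in headers.items():
        if AUTH_HEADER_MARKER in name:
            return name, value
    return None


def triage(flows: list[tuple[int, bytes]]) -> list[dict]:
    """Classify each (dst_port, raw_request) pair.

    Only traffic to the endpoint's proxy ports is parsed; anything else (direct
    TLS, for instance) is reported as not being endpoint traffic at all.
    """
    results = []
    for dst_port, raw in flows:
        if dst_port not in ENDPOINT_PORTS:
            results.append({"port": dst_port, "target": None,
                            "status": "not-endpoint-traffic", "auth_header": None})
            continue
        req = parse_request(raw)
        auth = find_auth_header(req["headers"])
        results.append({
            "port": dst_port,
            "target": req["target"],
            "status": "endpoint-auth-present" if auth else "no-auth-header",
            "auth_header": auth[0] if auth else None,   # name only; the value stays opaque
        })
    return results


def summarize(results: list[dict]) -> dict[str, int]:
    """Count requests per status so a large capture reduces to three numbers."""
    return dict(Counter(r["status"] for r in results))


# Constructed samples, not captured from a real deployment. A proxied request
# carries the absolute URL in the request line, as a forward proxy would see it.
SAMPLE_FLOWS = [
    (8081, b"GET http://www.example.com/ HTTP/1.1\r\n"
           b"Host: www.example.com\r\n"
           b"ws-auth: <opaque-endpoint-token>\r\n"        # placeholder for the real value
           b"User-Agent: Mozilla/5.0\r\n\r\n"),
    (8082, b"GET http://intranet.example.com/ HTTP/1.1\r\n"
           b"Host: intranet.example.com\r\n"
           b"User-Agent: Mozilla/5.0\r\n\r\n"),            # endpoint header missing
    (443,  b"\x16\x03\x01\x00\xa5"),                        # TLS ClientHello fragment, not proxied
]


if __name__ == "__main__":
    for record in triage(SAMPLE_FLOWS):
        print(record)
    print(summarize(triage(SAMPLE_FLOWS)))
```

To run this against a real capture, export the reassembled request bytes per TCP stream (for example with tshark's `-T fields -e tcp.dstport -e http.request.line` after the decode-as option) and feed them in as `(port, bytes)` pairs; the script never needs the header's value, only its presence.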