Running TRITON Enterprise v7.6.5 with the WCG in explicit proxy mode on a V10K G2.
All of our end users must belong to a particular AD group to be able to
use the Internet and we use IWA. Almost all desktops are on DHCP on
separate subnets from the servers.
We have some desktop applications that communicate with web services and sites on the Internet and do not pass credentials. There's no problem when these apps are installed on Citrix servers for general use because we have a Client group of the IP addresses assigned to the servers. Servers have their own policy with defined destinations. All other destinations are dropped.
But when the one-off apps are installed directly on desktops and do not send authentication, they get blocked. TCPDUMP shows proxy authentication is needed. We've used TCPDUMP on the WCG to look for a unique User-Agent but some apps don't have them. Or not all of the requests send a User-Agent.
I can't use Source IP in filter.config because the desktops are on DHCP. I can't give them reservations because people float from desktop to desktop.
If I add the URL into filter.config and set Source IP for all of the desktop subnets, it gets applied to everyone, of course. And the desktop app works. But when someone needs to get to the same URL via a browser, they get dropped into the Default Policy, which is set to block all Internet access.
Yes, it's crummy app design. Yes, the vendors are generally clueless even when you ask them to set a specific User-Agent. Yes, we even had one vendor tell us we need to fix this by putting a computer outside our firewall and having our users RDP to it. Yes, of course, several of them are using AWS and other hosted services such as Akamai and they don't really have a consistent destination IP address.
No, we cannot use a proxy bypass for these sites because of the inconsistent destination IP address. Yes, we must have extremely tight outbound policies because we're a bank.
This was a non-issue with the Microsoft ISA proxy because it processed rules in a top-down order. We could either apply authentication requirements or not to a given rule.
We have spent days trying to get some of these apps to work and no, changing them is not an option because they're how people do their jobs and the apps serve their needs quite well.
Any relief would be greatly appreciated.
This is an example of one of the URLS needed by an app for downloads and by people using browsers: https://cdr.ffiec.gov/public/
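An added diagnostic, not from the thread, for the tcpdump step described above: given the request and response header blocks that a `tcpdump -A` capture on the proxy shows, it reports per destination host which requests carried no User-Agent and which drew a 407 Proxy Authentication Required, so a filter.config rule can be scoped to exactly those destinations. The capture text, hostnames and paths are constructed sample data.

```python
import re
from collections import defaultdict
# Constructed sample: header blocks as `tcpdump -A` on an explicit proxy prints them.
SAMPLE_CAPTURE = """\
GET http://dl3.checkpoint.com/paid/file.bin HTTP/1.1
User-Agent: FDT_LIBCURL

HTTP/1.1 407 Proxy Authentication Required

CONNECT cdr.ffiec.gov:443 HTTP/1.1

HTTP/1.1 407 Proxy Authentication Required

GET http://www.example.com/ HTTP/1.1
User-Agent: Mozilla/5.0
Proxy-Authorization: Negotiate <token>

HTTP/1.1 200 OK
"""
REQUEST_LINE = re.compile(r"^[A-Z]+ (?P<target>\S+) HTTP/\d\.\d$")
STATUS_LINE = re.compile(r"^HTTP/\d\.\d (?P<code>\d{3})")

def headers_of(lines):
    # Header name (lowercased) -> value, for the lines after the start line.
    return {k.strip().lower(): v.strip()
            for k, v in (line.split(":", 1) for line in lines[1:] if ":" in line)}

def host_of(target, headers):
    # Absolute-URL target (plain HTTP through the proxy) or host:port target (CONNECT).
    host = target.split("/")[2] if "://" in target else headers.get("host", target)
    return host.split(":")[0]

def inventory(capture):
    # Per host: request count, requests lacking a User-Agent, 407 answers, UAs seen ("<none>" = missing).
    blocks = [b.splitlines() for b in re.split(r"\n\s*\n", capture.strip()) if b.strip()]
    report = defaultdict(lambda: {"requests": 0, "no_user_agent": 0,
                                  "auth_required": 0, "user_agents": set()})
    for i, lines in enumerate(blocks):
        m = REQUEST_LINE.match(lines[0])
        if not m:
            continue  # a response block; it is examined from its preceding request
        headers = headers_of(lines)
        entry = report[host_of(m["target"], headers)]
        entry["requests"] += 1
        entry["no_user_agent"] += "user-agent" not in headers  # nothing for a UA rule to match
        entry["user_agents"].add(headers.get("user-agent", "<none>"))
        nxt = STATUS_LINE.match(blocks[i + 1][0]) if i + 1 < len(blocks) else None
        if nxt and nxt["code"] == "407":
            entry["auth_required"] += 1  # proxy demanded credentials the app never sends
    return dict(report)
```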
Your idea of adding the URL into the filter.config is the correct way to approach this. Then in TRITON specify the same URL as either Unfiltered, or add it into a category that is allowed in the Default Policy. If a user goes to another URL, WCG will apply IWA and they should get filtered as expected based on the group that they are in.
Sorry, I don't understand. The Default Policy is "Block All Categories". It covers people logged in with non-domain accounts for some reason or people who are not allowed Internet access. Are you saying I have to add a new User-Defined Category of "Unauthenticated Access", deny it in all policies, but then modify the Default Policy to allow just it?
Unfiltered URLs doesn't help either and from its description, it shouldn't: "Maintain a list of sites accessible to any client not governed by the Block All category filter or a limited access filter."
Yes, change the "Default" category set to block all categories instead of using the predefined "Block All" category filter. Then the unfiltered URLs will work, or you can create a new category and just allow that. Alternatively, upgrade to 7.7 and you can use the exceptions.
I rarely use the "Block All" predefined category because of this. Almost all organisations have some URLs that everybody should be able to get to.
I'm doing something wrong because this is what I see:
But the Default Policy now uses my "Allow Unauthenticated Access" category instead of "Block All". Every category is set to Blocked except for my new one. It doesn't matter if I add dl3.checkpoint.com into my new category or into Unfiltered URLs, I get the same result. The Real Time Monitor shows my desktop IP address OK and shows it as Blocked.
In filter.config I've added checkpoint.com with a User-Agent of FDT_LIBCURL, which is what tcpdump shows. tcpdump does not show any authentication is needed. It shows the request to http://dl3.checkpoint.com and then the redirect to the Websense blocked page. <sigh>
Hmm, should work. Double-check your policies. Maybe you have a policy defined for that network somewhere. I would also first test with your browser, so try it without the user agent, or tell your browser to spoof that user agent. Do you have Websense set to prompt for authentication or to use the network policy if unidentified? If the former, that could be a problem.
The only networks that are defined as Clients are the server subnets. Since I'm on a desktop subnet, my Client is an AD group. When I access it using a browser, the browser passes my AD credentials and access is allowed.
Authentication is transparent. I can't figure out where the Block All is applied. I only have a few policies and that Block All filter is not applied to any of them.
It's set to "Apply computer or network policy".
Well, this is quite concerning. I'm now logged in from home and when I went to double-check what I had done, absolutely NONE of my changes were in place. I had deleted an unused policy, renamed a filter, changed a filter's settings for permitted categories, changed the description of that filter and reset the filter for the Default Policy.
None of these changes were present. I religiously make one change at a time and click Save All just to avoid making too many changes at one time. Everything looked normal but absolutely nothing took.
I had been logged in for a few hours and switching between modules but the Save All button remained lit up until I clicked it. Anyway, now that I recreated everything, it appears to work as you said it should. At least with the one app that would not work before. I'll do more testing with other applications tomorrow.
Thank you very much!