I have a Websense Web Security 7.7 integrated with an ASA. I have created a limited access filter for some users that only have access to Office365 (SharePoint, mail, etc.). I know that I need to block the IPs for HTTPS, but Office365 has tons of IP blocks. Can you allow HTTPS access for IP blocks, for example https://18.104.22.168/23? If not, is there another way to do this? What product do you need to use domain names for HTTPS? We evaluated Cloud Web Security and there it worked.
To block a certain HTTPS site, please recategorize the URL and its IP address to a blocked category. You need to add 2 entries for an HTTPS site in the form of:

https://www.xxx.com:443/ ( https://www.xxx.com/ )
https://x.x.x.x:443/ ( https://x.x.x.x/ )

Here www.xxx.com is the URL and x.x.x.x is the IP address of the site. Please make sure you add the port ID (443) and the forward slash to each entry. You can use nslookup to find the IP resolved from the URL. If multiple IPs are returned, you need to add an entry for EACH of them.
Websense security gateway can block https directly by the url.
Well, that was bad news :( Since Office365 has so many IPs, it's not realistic to do that.
You should be able to do it by Regex. I don't know what the string would be, but if you know regex it wouldn't be too difficult to do.
Thanks, I might look into regular expressions, but it bothers me big time that Websense can't give me a solution except to recat a bunch of sites.
The response from Websense when I posed this issue:
#1 to reallocate each site as comes up by the https ip string; you can obtain their IPs from
#2 allow the category it is associated with, "web based email"
#3 purchase V10K that does SSL decryption
We have an ASA 5510 with Websense in Integrated mode with Cisco ASA. We created a group on the ASA containing all of the IP addresses listed in Option 1 and added the 22.214.171.124-126.96.36.199 for *.outlook.com. We then created a rule that tells the ASA to bypass Websense for the group we created.
Websense is not capable of unblocking ranges, but can do individual IP Addresses. We initially tried inputting the IP Addresses from the ranges into Websense, but it is incapable of accepting that amount of IP Addresses when you paste them in either (over 600,000). Websense is designed to block security risks. For big items like this that you are looking to allow, it makes sense to bypass Websense and let your firewall do the heavy lifting.
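To see the scale problem described in this thread, the following added example (not code from any poster or from Websense) counts how many per-IP `https://x.x.x.x:443/` entries a set of CIDR blocks would need, and prints the same blocks as merged network/mask pairs of the kind a firewall group would hold instead. The ranges are constructed documentation and benchmark addresses, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample ranges (documentation/benchmark address space),
# standing in for a vendor's published service ranges.
SAMPLE_RANGES = [
    "192.0.2.0/24",
    "198.51.100.0/25",
    "198.51.100.128/25",   # adjacent to the previous block, merges into a /24
    "198.18.0.0/15",
    "# comment lines and blanks are ignored",
]

def parse_ranges(lines):
    """Parse IPv4 CIDR strings and merge adjacent or overlapping blocks."""
    nets = []
    for line in lines:
        text = line.split("#", 1)[0].strip()
        if not text:
            continue
        # strict=False tolerates host bits set (e.g. 192.0.2.5/24);
        # genuinely malformed input still raises ValueError.
        nets.append(ipaddress.ip_network(text, strict=False))
    v4 = [n for n in nets if n.version == 4]
    return list(ipaddress.collapse_addresses(v4))

def per_ip_entry_count(nets):
    """Number of individual-IP entries needed to cover every address."""
    return sum(n.num_addresses for n in nets)

def recat_entries(nets, limit):
    """First `limit` entries in the https://x.x.x.x:443/ form used in this thread."""
    out = []
    for net in nets:
        for ip in net:
            if len(out) >= limit:
                return out
            out.append(f"https://{ip}:443/")
    return out

def network_lines(nets):
    """One 'address netmask' pair per merged block, for a firewall network group."""
    return [f"{n.network_address} {n.netmask}" for n in nets]

if __name__ == "__main__":
    nets = parse_ranges(SAMPLE_RANGES)
    print("per-IP entries needed:", per_ip_entry_count(nets))
    print("sample entries:", recat_entries(nets, 2))
    print("network/mask pairs:", len(nets))
    for line in network_lines(nets):
        print(" ", line)
```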
Hi, you really need to look at our Gateway/Proxy solution that can handle HTTPS URL requests.