Deployment and Installation Center
Websense TRITON Enterprise v7.6.x

Library Search:


Go to the table of contents Go to the previous page Go to the next page Go to the index
Cisco Integration

Cisco Integration
Applies to
*
Web Filter v7.6
*
Web Security v7.6
In this topic
*
Overview
*
How Websense filtering works with Cisco products
*
Supported Cisco integration product versions
*
Installation of Web Filter or Web Security
*
Upgrading Websense Web Filter or Web Security
*
Migrating between integrations after installation
*
Network Agent enhanced logging
Related topics:
*
Configuring a Cisco Security Appliance
*
Configuring a Cisco IOS Router
*
Configuring a Cisco Content Engine
Overview
Web Filter and Web Security can be integrated with Cisco® Adaptive Security Appliance (ASA), Cisco PIX® Firewall, Cisco IOS routers, and Cisco Content Engine.
Integrating with a Cisco product involves the following components:
*
Filtering Service: The integrated Cisco product and Network Agent work with Filtering Service to filter Internet requests. For redundancy, two or more instances of Filtering Service may be used. Only one instance will be active at any given time—referred to as the primary server. URL look-up requests will be sent only to the primary server. For more information see the configuration chapter, in this supplement, for your Cisco product. Also see Cisco documentation for detailed explanations of configuration commands.
*
Network Agent: Manages Internet protocols that are not managed by your integrated Cisco product. Network Agent can also provide information for reports on bandwidth and block HTTP(S) internet requests based on bandwidth consumption.
If Network Agent is installed, you must define the IP addresses of all proxy servers through which computers route their Internet requests. See Network Configuration in the TRITON - Web Security Help for instructions.
*
Configure your Cisco integration: You must direct Internet requests through your Cisco integration product, and configure it for use with Websense software.
*
Configuring a Cisco Security Appliance discusses Cisco PIX Firewall and Adaptive Security Appliance (ASA)
*
Configuring a Cisco IOS Router discusses Cisco IOS router.
*
Configuring a Cisco Content Engine discusses Cisco Content Engine.
*
User authentication: If HTTP(S) or FTP authentication are enabled on Cisco ASA, IOS router or Cisco content, the Websense User Service component must be installed in the same domain (Windows), or the same root context (LDAP) as authenticated users, in order to get correct user information and provide it to filtering service component for accurate user-based filtering.
If you are using a Websense transparent identification agent or manual authentication, this configuration is not necessary.
How Websense filtering works with Cisco products
To be filtered by Websense software, a client's Internet requests must pass through the Cisco product.
*
If Websense software is integrated with a Cisco PIX Firewall or ASA, browser requests must go through the PIX Firewall or ASA to reach the Internet.
*
If Websense software is integrated with a Cisco Content Engine, client browser requests may be forwarded to the Content Engine transparently or explicitly. See Cisco Content Engine and browser access to the Internet.
When it receives an Internet request, the Cisco product queries Filtering Service to determine if the requested Web site should be blocked or permitted. Filtering Service consults the policy assigned to the user. Each policy designates specific time periods and lists the category filters that are applied during those periods.
After Filtering Service determines which categories are blocked for that client, it checks the Websense Master Database.
*
For HTTP, if the site is assigned to a blocked category, the user receives a block page instead of the requested site.
*
For HTTPS or FTP, if the site is assigned to a blocked category, the user is not allowed access and recieves a blank page.
*
If the site is assigned to a permitted category, Filtering Service notifies the Cisco product that the site is not blocked, and the client is allowed to visit the site.
 
* 
Note 
Before enabling Websense URL filtering, make sure there is not another URL filtering scheme configured, such as N2H2. There can be only one active URL filtering scheme at a time.
Supported Cisco integration product versions
See System Requirements for which Cisco products are supported for integration with Web Security or Web Filter.
Installation of Web Filter or Web Security
Install Web Filter or Web Security as directed in Web Filter or Web Security (software-based). When installing Filtering Service, be sure to do the following.
*
On the Integration Option screen, select Integrated with another application or device.
*
On the Select Integration screen, select one of the following and then click Next:
*
Cisco Adaptive Security Appliances
*
Cisco Content Engine
*
Cisco PIX Firewall
*
Cisco Routers
*
Do not install a transparent identification agent if you plan to configure user authentication through your Cisco product.
In a Web Security All installation, the Transparent User Identification screen is used to select a transparent identification agent. Select Do not install a transparent identification agent now if you will authenticate users through your Cisco product.
In a custom installation (or when adding components), on the Select Components screen, do not select any of the components under User identification if you will authenticate users through your Cisco product.
 
Upgrading Websense Web Filter or Web Security
When Websense software, already integrated with a Cisco product, is upgraded no additional configuration is necessary on the Cisco product. See Upgrading Web Security or Web Filter to 7.6.0 for upgrading instructions.
 
If you are upgrading your Websense deployment and changing your Cisco product, see Migrating between integrations after installation.
Migrating between integrations after installation
 
You can change the Cisco integration product (for example, change from a PIX Firewall to an IOS router) after installing Websense software without losing configuration data.
1.
Install and configure your new Cisco integration product. See Cisco documentation for instructions.
Ensure that it is deployed so that it can communicate with Filtering Service.
2.
Use the Websense Backup Utility to back up the Websense configuration and initialization files. See the TRITON - Web Security Help for instructions.
3.
Close all applications on the Filtering Service machine, and stop any antivirus software.
4.
Remove Filtering Service. SeeRemoving Web Security components for instructions.
5.
Restart the machine (Windows only).
6.
Use the Websense installer to reinstall Filtering Service. See Installing Web Security components for instructions.
7.
On the Select Integration screen, select the new Cisco product, and then follow the on-screen instructions to complete the installation.
The installer adds the new integration data to the Websense software configuration files, while preserving existing configuration data.
8.
Restart the machine (Windows only).
9.
Check to be sure that Filtering Service has started.
*
Windows: Use the Windows Services dialog box to verify that Websense Filtering Service has started.
*
Linux: Navigate to the Websense installation directory (/opt/Websense, by default), and use the following command to verify that Websense Filtering Service is running:
./WebsenseAdmin status
For instructions on starting Websense services, see Starting or Stopping Web Security Services.
10.
In the TRITON Unified Security Center, in the Web Security module, identify which Filtering Service instance is associated with each Network Agent.
a.
Using a supported browser (see System Requirements), go to
https://<IP address>:9443/triton. Where <IP address> is the IP address of the machine on which TRITON Unified Security Center is installed.
b.
Click the Web Security module button.
c.
Open the Settings tab.
d.
Go to Settings > Network Agent and click the appropriate IP address in the navigation pane to open the Local Settings page.
e.
Under Filtering Service Definition, select the IP address for the machine running Filtering Service. During the migration, the setting may have been reset to None.
f.
Log out of TRITON - Web Security.
For more information, see the information about configuring local settings in the Network Configuration section of TRITON - Web Security Help.
11.
If you stopped your antivirus software, be sure to start it again.
Network Agent enhanced logging
Network Agent can also provide information for reports on bandwidth information and block HTTP(S) internet protocols based on bandwidth consumption. However, bandwidth information is not recorded by default.
To configure Network Agent to record bandwidth information for reporting, or filter HTTP(S) or FTP requests based on bandwidth consumption, follow these steps:
1.
In a supported browser, navigate to: http://<IP address>:9443/triton (<IP address> is the IP address of the machine on which TRITON Unified Security Center is installed).
2.
Select the Web Security module button.
3.
Navigate to the Settings > Network Agent tab and select the appropriate IP address in the navigation pane to open the Local Settings page.
4.
Under Network Interface Card, click the appropriate NIC monitoring the relevant traffic.
5.
Under Integration, enable the Log HTTP requests option.
For information on configuring bandwidth blocking for category and protocol, please refer to the Bandwidth Optimizer section of the TRITON - Web Security Help.

Quick Links



Go to the table of contents Go to the previous page Go to the next page Go to the index
Cisco Integration
(c) 2011 Websense, Inc. All Rights Reserved.