Integrating Data Security with Existing Infrastructure > Working with Web proxies

Working with Web proxies

Applies to

Data Security v7.6.x

In this topic

Overview

Blue Coat Web proxy

Limitations

Deployment

Network integration

Configuring the Blue Coat integration

Policy setup

Squid open source Web proxy

Deployment

System setup

Configuring Squid for ICAP

Configuring the protector for ICAP

ICAP server error and response codes

Overview

If you want Websense Data Security to work with a Web proxy to monitor HTTP, HTTPS, and FTP traffic, we recommend that you use the Websense Content Gateway Web proxy. Websense Content Gateway includes a Data Security policy engine on box and streamlines communication with the TRITON Management Server.

If you have Websense Web Security Gateway or Web Security Gateway Anywhere, the Content Gateway proxy is included in the solution.

Websense Data Security also supports the following Web proxies:

Blue Coat

Squid open source

These proxies integrate with Websense Data Security over ICAP, an industry-standard protocol designed for off-loading specialized tasks from proxies.

Blue Coat Web proxy

Blue Coat provides protocol support for HTTP, HTTPS, and FTP.

The integration solution described in this section is the recommended one. Other configurations can be implemented, but should be tested prior to deployment.

Limitations

The solution does not support FTP GET method for request modification.

The solution does not support HTTP GET method for request modification.

The solution is limited to scan files of 10MB. The system is capable of generating an error if a file exceeds that size.

In the described deployment caching is not in effect (Blue Coat SG does not cache PUTs and POSTs). However, you should exercise care if a response mode configuration is used.

Deployment

This deployment recommendation describes a forward proxy: a Blue Coat SG appliance connected to a Websense protector using ICAP. The Blue Coat SG appliance serves as a proxy for all HTTP, HTTPS, and FTP transactions. It is configured with rules that route data to the Websense ICAP server.

The Websense protector receives all traffic directed to it from the Blue Coat appliance for scanning,

The following diagram outlines the recommended deployment:

The deployment solution can be used in 2 modes:

Monitoring mode

Enforcement mode

You can change the mode as required.

Enforcement mode

In this mode, the Blue Coat SG appliance requires Websense Data Security to authorize each transaction before allowing the transactions to be posted or uploaded to their intended destination. This is the recommended mode of operation for the solution as it provides the most security.

Monitoring mode

In this mode, the transactions that are redirected by the Blue Coat SG appliance are analyzed by Websense Data Security, which can then generate audits for confidential information usage as well as generate notifications for administrators and information owners. However, in monitoring mode, the Websense ICAP server universally responds to all redirected transactions with Allow.

Network integration

The solution consists of 3 components:

Websense protector

Websense TRITON Management Server

Blue Coat SG appliance

The Websense - Blue Coat ICAP integration component resides on the protector, and acts as a relay between the Blue Coat SG appliances and the TRITON Management Server as shown below:

Configuring the Blue Coat integration

System setup

Refer to Data Security for instructions on installing Websense Data Security. Refer to relevant Blue Coat documentation for more information on installing the Blue Coat appliance.

After connecting the systems, follow instructions to configure network parameters and other properties.

Configuring Blue Coat

The Blue Coat Proxy SG can be configured with its basic information. You will need several pieces of information to configure the Proxy SG:

1.	IP address and netmask of the main interface

2.	Default gateway IP address

3.	DNS server IP address

4.	Console user name and password

5.	Enable password

6.	IP address and netmask of the ICAP interface

Items 1-5 enable you to set up the initial configuration of the Proxy SG by following the steps configure the Proxy SG with a direct serial port connection in your Blue Coat installation guide.

Once you have completed those steps, you can configure the second interface on the Proxy SG for use with the Websense ICAP server.

First, log on to the Proxy SG management console following the instructions in the Blue Coat installation guide. Then configure Adapter #1 with the IP address and netmask of the ICAP interface using the steps in the Adapters section of your Blue Coat configuration guide. (Adapter #0 is configured during the serial port configuration)

HTTPS forward proxy configuration

To enable ILP scanning of HTTPS posted documents, the Proxy SG must be configured for HTTPS forward proxy.

To configure the HTTPS forward proxy, follow the steps in these sections of your Blue Coat configuration guide:

1.	Setting up the SSL proxy in transparent proxy mode

2.	Creating an issuer keyring for SSL interception

3.	Downloading an issuer certificate

You can find this guide in the Documentation section of your Blue Coat account (https://bto.bluecoat.com).

Configuring the protector for ICAP

You configure the ICAP support on the protector in TRITON - Data Security.

1.	Open TRITON - Data Security, and go to Settings > System Modules.

2.	Under the protector you want to configure, select the ICAP server.

For more information, see the section "Configuring ICAP" in TRITON - Data Security Help.

Configuring the ICAP service on Blue Coat

This section describes how to configure the Proxy SG to communicate with the Websense ICAP server on the protector.

This procedure assumes the Proxy SG is operating minimally with initial configurations, and you are logged on to the Blue Coat Management Console. If you have multiple protectors with ICAP servers, you must create a unique Proxy SG service for each one.

To configure the Proxy SG ICAP service:

1.	Select Configuration > External Services > ICAP.

2.	To add a new service:

a.	Click New.

The Add list item window appears.

b.	In the Add ICAP Service field, enter an alphanumeric name.

c.

Click OK.

3.	In the Services list, select the new ICAP service name and click Edit. The following screen appears:

4.	On the Edit ICAP Service window, configure the following options.

Field	Description
Service URL	This includes the URL schema, the ICAP server host name or IP address, and the ICAP port number. For example, icap://10.1.1.1:87. You can distinguish between encapsulated protocols using different service URLs.
Maximum number of connections	The maximum number of connections at any time between the Proxy SG and the ICAP server. This can be any number between 1 and 65535. The default is 5.
Connection timeout	The number of seconds the Proxy SG waits for replies from the ICAP server. This can be any number between 60 and 65535. The default timeout is 70 seconds.
Notify administrator	Check the Virus detected box to send an email to the administrator if the virus scan detects a match. The notification is also sent to the Event Log and the Event Log email list.
Method supported	Select request modification for this service. Also select Client address and/or Authenticated user.
Send	Optionally, check one or more of these options to specify what is sent to the ICAP server.
Sense settings	Optionally, click this to automatically configure the ICAP service using the ICAP server parameters.

5.

Click OK.

6.	Click Apply.

Policy setup

This section describes how to configure the Proxy SG policy to redirect traffic across the ICAP service.

For full details of managing Data Security policies, refer to "Creating Custom Policies" in TRITON - Data Security Help.

The procedure in this section assumes the Proxy SG is operating with initial configurations and ICAP configuration, and you are logged on to the Blue Coat Management Console.

To configure the Proxy SG ICAP policies:

1.	Select Configuration > Policy >Visual Policy Manager.

2.	Click Launch.

3.	In the Visual Policy Manager, select Add a policy.

4.	Add a content layer.

a.	Click the Web Content Layer tab.

b.	Click Add Rule.

5.	Enter a policy name, and click OK.

6.	Right click the Action option and select Set from the menu.

7.	Under Show, select Set ICAP Request Service Objects.

8.	Click New > Set ICAP Request Service.

9.	Enter a name for the ICAP request service.

10.	Select Use ICAP request service, choose a service from the drop-down list, and click Add.

11.	Click OK twice.

12.	Click Install policy.

Configuring HTTPS policies

To configure an HTTPS policy, follow the steps in these sections of your Blue Coat configuration guide:

1.	Using the SSL intercept layer

2.	Using the SSL access layer

You can find this guide in the Documentation section of your Blue Coat account (https://bto.bluecoat.com).

Recommended Blue Coat filtering rules

The table below lists filters that should be applied to the Blue Coat policy layer before the data is sent to the protector's ICAP server.

Protocol	Filter	Condition
HTTP	GET	Allow always
HTTP	POST < 10MB	ICAP REQMOD
HTTP	POST > 10MB	Block/Allow always
HTTP	PUT < 10MB	ICAP REQMOD
HTTP	PUT > 10MB	Block/Allow always
HTTPS	GET	Allow always
HTTPS	POST < 10MB	ICAP REQMOD
HTTPS	POST > 10MB	Block/Allow always
HTTPS	PUT < 10MB	ICAP REQMOD
HTTPS	PUT > 10MB	Block/Allow always
FTP	PUT < 10MB	ICAP REQMOD
FTP	PUT > 10MB	Block/Allow always

Squid open source Web proxy

Squid provides protocol support for HTTP, HTTPS, and FTP. It integrates with Websense Data Security over ICAP, which is supported in Squid-3.0 and later.

Deployment

This deployment recommendation describes a forward proxy: a Squid Web proxy server connected to a Websense protector using ICAP. Squid serves as a proxy for all HTTP, HTTPS, and FTP transactions. It is configured with rules that route data to the Websense ICAP server.

The Websense protector receives all traffic directed to it from the Squid server for scanning,

The following diagram outlines the recommended deployment:

The deployment solution can be used in 2 modes:

Monitoring mode

Enforcement mode

You can change the mode as required.

System setup

Refer to Data Security for instructions on installing Websense Data Security, and refer to the relevant Squid documentation for more information on installing the Squid Web proxy.

After connecting the systems, follow instructions to configure network parameters and other properties.

Configuring Squid for ICAP

Set up your Squid proxy to send requests to the ICAP server that is part of the Websense protector.

This example is for Squid-3.1:

icap_service service_req reqmod_precache 1
icap://<protector_IP>:1344/reqmod
adaptation_access service_req allow all

This example is for Squid-3.0:

icap_service service_req reqmod_precache 1
icap://<protector_IP>:1344/reqmod
icap_class class_req service_req
icap_access class_req allow all

For full ICAP configuration details for Squid, see http://wiki.squid-cache.org/Features/ICAP?highlight=%28faqlisted.yes%29.

Configuring the protector for ICAP

You configure the ICAP support on the protector in TRITON - Data Security.

1.	Open TRITON - Data Security, and go to Settings > System Modules.

2.	Under the protector you want to configure, select the ICAP server.

For more information, see the section "Configuring ICAP" in TRITON - Data Security Help.

ICAP server error and response codes

Response Condition	Websense Block Decision	Control Exceeds Size Limit	Error Condition
Condition	"pana_response"	"huge_content"	"pana_error"
Error Code	500	500	512
="X-Response-Info"	PA-block		PA-error
="X-Response-Desc"	Websense blocked
Plain URL	/usr/local/spicer/etc/blockmessageexample.plain
Markup URL	/usr/local/spicer/etc/block-messageexample.markup

Integrating Data Security with Existing Infrastructure > Working with Web proxies