Initial Configuration > Web Security initial configuration
See the Getting Started section of the TRITON - Web Security Help for an overview and initial configuration information.
Also see the New User Quick Start Tutorial (which is offered the first time you log into TRITON - Web Security) for information about basic configuration.
If you install certain components on Windows Server 2008, or if your network uses Active Directory 2008 to authenticate users, be aware of the issues listed below. In some cases, additional configuration steps are required.
If you run Websense User Service on Windows Server 2008, and your network uses a Windows NT Directory or Active Directory (Mixed Mode), Websense User Service must run as an account that has administrative privileges on the directory. This means that the User Service machine must be joined to the domain before performing the installation.
See the Troubleshooting section of the TRITON - Web Security Help for instructions on checking and changing the User Service account. Look for the topic on changing DC Agent, Logon Agent, and User Service permissions.
If you run Websense User Service, DC Agent, or Logon Agent on Windows Server 2008, the Windows Computer Browser service on that machine must be running.
If Websense User Service is installed on Windows Server 2008, protocol block messages and popup usage alerts cannot be displayed at client machines.
If your network uses Active Directory 2008 to authenticate users, the Windows Computer Browser service on that machine must be running.
If you run Websense User Service on Windows Server 2008, Network Agent cannot send protocol block messages to users. The protocol requests are blocked, but no message is displayed.
In addition, usage alert popup messages cannot be displayed to users. The alerts are generated, and other notification methods function normally.
All Websense tools and utilities installed on Windows Server 2008, and text editors used to modify Websense configuration files (such as websense.ini), must be run as the local administrator. Otherwise, you may be prevented from running the tool or the changes you make may not be implemented.
1. Open Windows Explorer to the bin subdirectory in the Websense installation directory (the default installation directory is C:\Program Files or Program Files (x86)\Websense\Web Security).
2. Right-click the relevant executable file, and then click Properties. Following is a list of files for which this should be done.
wsbackup.exe for Websense Backup and Restore
logserverconfig.exe for the Log Server Configuration utility
executable for any text editor used to modify a Websense configuration file (such as websense.ini)
3. In the Compatibility tab, under Privilege Level, select Run this program as an administrator. Then, click OK.
If you installed Websense Logon Agent, you must create a logon script for clients that identifies them to Websense software when they log on to a Windows domain. The Websense Logon application, LogonApp.exe, provides a user name and IP address to the Logon Agent each time a Windows client connects to a Windows Active Directory or a Windows NT directory service. See Creating and running the script for Logon Agent.
All Windows computers being filtered must have the Messenger Service enabled to receive protocol block messages from Network Agent. See the Protocol Block Messages topic in TRITON - Web Security Help for instructions.
If you were unable to grant User Service, DC Agent, or Logon Agent administrator privileges during installation, do so now to ensure that they will function correctly. For instructions, see the Troubleshooting > User Identification topic on changing User Service, DC Agent, and Logon Agent service permissions in TRITON - Web Security Help.
If you installed DC Agent, eDirectory Agent, or Logon Agent: after installation, follow the instructions in the User Identification topic of the TRITON - Web Security Help to configure Websense software to use DC Agent to identify users without prompting them for logon information.
If you installed Network Agent, use the Network Traffic Detector to test whether Network Agent can see the Internet activity that you want it to monitor. See the Network Configuration topic in TRITON - Web Security Help for instructions.
If you installed Network Agent on a machine with multiple NICs, you can configure the agent to use more than one NIC to monitor and block requests. See the Network Configuration topic in TRITON - Web Security Help for more information.
To configure a stealth mode NIC for monitoring, see Configuring a stealth mode NIC.
If you installed the optional Remote Filtering components, some configuration is required. For instructions, see the Remote Filtering Software technical paper.
When Websense software blocks an Internet request, the browser is redirected to a block page hosted by Filtering Service. The block page URL takes the form:
http://<FilteringServiceNameorIPAddress>:<MessagePort>/cgi-bin/blockpage.cgi?ws-session=#########
If Filtering Service is installed on a machine with multiple NICs, and Filtering Service is identified by machine host name rather than IP address, users could receive a blank page rather than a block page.
If you have an internal domain name server (DNS), enter the Filtering Service machine's IP address as a resource record in your DNS. See your DNS documentation for instructions.
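As an added example (not Websense code), this Python check takes a block page URL in the form shown above and reports whether Filtering Service is identified by IP address, or by a host name that resolves to several addresses or to loopback. The function names, sample host names, addresses and port 8000 are assumptions constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def resolve_ipv4(host):
    """Return the IPv4 addresses the local resolver gives for host."""
    infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def check_block_page_host(block_url, resolver=resolve_ipv4):
    """Return (status, addresses) for the host named in a block page URL."""
    host = urlsplit(block_url).hostname
    if not host:
        return "unresolved", []
    try:
        addr = ipaddress.ip_address(host)
        return ("loopback" if addr.is_loopback else "ip-literal"), [str(addr)]
    except ValueError:
        pass  # not an IP literal: Filtering Service is identified by host name
    try:
        addrs = resolver(host)
    except OSError:  # socket.gaierror is a subclass of OSError
        return "unresolved", []
    if not addrs:
        return "unresolved", []
    if any(ipaddress.ip_address(a).is_loopback for a in addrs):
        return "loopback", addrs
    if len(addrs) > 1:
        # One name, several interfaces: the multiple-NIC case described above.
        return "ambiguous", addrs
    return "ok", addrs


# Constructed sample data: names, addresses and port are placeholders.
SAMPLE_DNS = {
    "filter01.example.test": ["10.1.1.20", "192.168.50.20"],
    "filter02.example.test": ["10.1.1.21"],
}
SAMPLE_URL = "http://{}:8000/cgi-bin/blockpage.cgi?ws-session=0"

def sample_resolver(host):
    return SAMPLE_DNS.get(host, [])

if __name__ == "__main__":
    for h in ("filter01.example.test", "filter02.example.test", "10.1.1.20"):
        print(h, check_block_page_host(SAMPLE_URL.format(h), sample_resolver))
```

Run it with the default resolver from a client subnet, since the answer that matters is the one client machines receive.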
1. On the Filtering Service machine, go to the Websense bin directory (by default, C:\Program Files\Websense\bin or /opt/Websense/bin).
2. Make a backup copy of eimserver.ini in another directory.
3. Open the original eimserver.ini file in a text editor.
4. In the [WebsenseServer] section, enter the following command:
Here, <IP address> is the IP address of the Filtering Service machine.
Do not use the loopback address 127.0.0.1.
In addition to the items under Web Security initial configuration, perform these procedures if your subscription includes Web Security Gateway Anywhere.
1. Ensure that the Content Gateway and Data Security Management Server systems are running and accessible, and that their system clocks are synchronized.
2. Ensure the Content Gateway machine has a fully qualified domain name (FQDN) that is unique in your network. Host name alone is not sufficient.
3. If Content Gateway is deployed as a transparent proxy, ensure that traffic to and from the communication interface ("C" on a V-Series appliance) is not subject to transparent routing. If it is, the registration process will be intercepted by the transparent routing and will not complete properly.
4. Make sure that the IPv4 address of the eth0 NIC on the Content Gateway machine is available (not required if Content Gateway is located on a V-Series appliance). This is the NIC used by the Data Security Management Server during the registration process.
5. Open Content Gateway Manager: in TRITON - Web Security, on the Settings tab, select General > Content Gateway Access. Then click the IP address of the Content Gateway machine.
Alternatively, using a supported Web browser, go to:
https://<wcg_IP_or_hostname>:8081
where <wcg_IP_or_hostname> is the IP address or hostname of the machine on which Content Gateway is running. If Content Gateway is running on an appliance, use the IP address of the appliance's C interface.
6.
7. On the General tab, under Networking, enable Data Security (by selecting the On radio button to the right).
8. Select Integrated on-box and then click the Apply button (either at the top or bottom of the screen).
A registration status link, Not registered, displays.
9. Click the Not registered link. This opens the Configure > Security > Data Security registration screen.
10. Enter the IP address of the Data Security Management Server.
11. Enter a user name and password for a Data Security administrator with Deploy Settings privileges.
12. Click Register. You are reminded to synchronize the system time between the proxy machine and the Data Security Management Server.
13. If registration succeeds, a Data Security Configuration page displays. Set the following configuration options.
a. Analyze FTP Uploads: Enable this option to send FTP uploads to Data Security for analysis and policy enforcement.
b. Analyze Secure Content: Enable this option to send decrypted HTTPS posts to Data Security for analysis and policy enforcement.
These options can be accessed whenever Data Security is registered by going to the Configure > Security > Data Security > General page.
14. Click Apply.
When you register the Websense Content Gateway policy engine with the Data Security Management Server, a Content Gateway module appears in the TRITON - Data Security System Modules screen.
By default, this agent is configured to monitor Web traffic, not block it, and for a default violation message to appear when an incident is triggered. If this is acceptable, you do not need to make changes to the Content Gateway configuration. Simply deploy the new settings.
If you want to block Web traffic that breaches policy and customize the violation message, do the following:
1.
2. Select the Content Gateway module in the tree view (click the module name itself, not the plus sign next to it).
It will be listed as Content Gateway on <FQDN> (<PE_version>), where <FQDN> is the fully-qualified domain name of the Content Gateway machine and <PE_version> is the version of the Content Gateway policy engine.
3. Select the HTTP/HTTPS tab and configure the blocking behavior you want.
4. Select the FTP tab and configure the blocking behavior you want.
5. Click Save to save your changes.
6. Click Deploy to deploy your settings.
Even if you do not change the default configuration, you must click Deploy to finalize your Content Gateway deployment process.
When Linking Service is installed, it automatically configures linking between Web and Data Security to allow Data Security access to user identification and URL categorization data.
2.
4. Click OK to save any changes.
5. Click Deploy to deploy your settings.