Web Filter and Web Security can be integrated with Cisco® Adaptive Security Appliance (ASA), Cisco PIX® Firewall, Cisco IOS routers, and Cisco Content Engine.
Filtering Service: The integrated Cisco product and Network Agent work with Filtering Service to filter Internet requests. For redundancy, two or more instances of Filtering Service may be used. Only one instance will be active at any given time—referred to as the primary server. URL look-up requests will be sent only to the primary server. For more information see the configuration chapter, in this supplement, for your Cisco product. Also see Cisco documentation for detailed explanations of configuration commands.
Network Agent: Manages Internet protocols that are not managed by your integrated Cisco product. Network Agent can also provide information for reports on bandwidth and block HTTP(S) Internet requests based on bandwidth consumption. If Network Agent is installed, you must define the IP addresses of all proxy servers through which computers route their Internet requests. See Network Configuration in the TRITON - Web Security Help for instructions.
Configure your Cisco integration: You must direct Internet requests through your Cisco integration product, and configure it for use with Websense software.
Configuring a Cisco Security Appliance discusses Cisco PIX Firewall and Adaptive Security Appliance (ASA).
Configuring a Cisco IOS Router discusses Cisco IOS router.
Configuring a Cisco Content Engine discusses Cisco Content Engine.
User authentication: If HTTP(S) or FTP authentication is enabled on a Cisco ASA, IOS router, or Cisco Content Engine, the Websense User Service component must be installed in the same domain (Windows) or the same root context (LDAP) as the authenticated users, so that it can get correct user information and provide it to the Filtering Service component for accurate user-based filtering. If you are using a Websense transparent identification agent or manual authentication, this configuration is not necessary.
To be filtered by Websense software, a client's Internet requests must pass through the Cisco product.
If Websense software is integrated with a Cisco PIX Firewall or ASA, browser requests must go through the PIX Firewall or ASA to reach the Internet.
If Websense software is integrated with a Cisco Content Engine, client browser requests may be forwarded to the Content Engine transparently or explicitly. See Cisco Content Engine and browser access to the Internet.
When it receives an Internet request, the Cisco product queries Filtering Service to determine if the requested Web site should be blocked or permitted. Filtering Service consults the policy assigned to the user. Each policy designates specific time periods and lists the category filters that are applied during those periods.
After Filtering Service determines which categories are blocked for that client, it checks the Websense Master Database.
For HTTP, if the site is assigned to a blocked category, the user receives a block page instead of the requested site.
For HTTPS or FTP, if the site is assigned to a blocked category, the user is not allowed access and receives a blank page.
If the site is assigned to a permitted category, Filtering Service notifies the Cisco product that the site is not blocked, and the client is allowed to visit the site.
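The Cisco product only queries Filtering Service if it has been configured to do so, and only one URL filtering scheme can be active at a time, so it is worth checking a saved PIX/ASA configuration for both points. The script below is an added example, not taken from Websense or Cisco material on this page. It assumes the PIX/ASA "url-server (interface) vendor ... host ..." and "filter url|https|ftp" command forms from Cisco's command reference; the function name, finding texts and sample configuration are constructed for illustration.

```python
import re

# Assumed PIX/ASA command form (Cisco command reference, not this page):
#   url-server (<interface>) vendor <name> host <ip> [options]
URL_SERVER = re.compile(
    r"^url-server\s+\((?P<ifname>[^)]+)\)\s+vendor\s+(?P<vendor>\S+)\s+host\s+(?P<host>\S+)",
    re.IGNORECASE)
FILTER_CMD = re.compile(r"^filter\s+(url|https|ftp)\b", re.IGNORECASE)


def audit_url_filtering(config_text):
    """Return (servers, findings) for a saved PIX/ASA configuration."""
    servers, filtered = [], set()
    for raw in config_text.splitlines():
        line = raw.strip()
        server = URL_SERVER.match(line)
        if server:
            servers.append((server["vendor"].lower(), server["host"], server["ifname"]))
        elif FILTER_CMD.match(line):
            filtered.add(FILTER_CMD.match(line).group(1).lower())

    websense = [host for vendor, host, _ in servers if vendor == "websense"]
    others = sorted({vendor for vendor, _, _ in servers} - {"websense"})
    findings = []
    if not websense:
        findings.append("no Websense url-server defined")
    if others:
        # The page allows only one active URL filtering scheme at a time.
        findings.append("other URL filtering vendor configured: " + ", ".join(others))
    if len(websense) == 1:
        findings.append("single Filtering Service instance, no redundancy")
    if len(set(websense)) != len(websense):
        findings.append("duplicate Websense url-server host")
    if websense and not filtered:
        findings.append("url-server defined but no filter command uses it")
    return servers, findings


# Constructed sample configuration; addresses are illustrative only.
SAMPLE = """\
! constructed example
url-server (inside) vendor websense host 10.0.1.5 timeout 30 protocol TCP version 4
url-server (inside) vendor n2h2 host 10.0.1.9 port 4005 timeout 5 protocol TCP
filter url http 0 0 0 0 allow
"""

if __name__ == "__main__":
    for finding in audit_url_filtering(SAMPLE)[1]:
        print("FINDING:", finding)
```
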
Before enabling Websense URL filtering, make sure there is not another URL filtering scheme configured, such as N2H2. There can be only one active URL filtering scheme at a time.
See System Requirements for which Cisco products are supported for integration with Web Security or Web Filter.
Install Web Filter or Web Security as directed in Web Filter or Web Security (software-based). When installing Filtering Service, be sure to do the following.
Do not install a transparent identification agent if you plan to configure user authentication through your Cisco product.
In a Web Security All installation, the Transparent User Identification screen is used to select a transparent identification agent. Select Do not install a transparent identification agent now if you will authenticate users through your Cisco product.
In a custom installation (or when adding components), on the Select Components screen, do not select any of the components under User identification if you will authenticate users through your Cisco product.
When Websense software that is already integrated with a Cisco product is upgraded, no additional configuration is necessary on the Cisco product. See Upgrading Web Security or Web Filter to 7.6.0 for upgrading instructions. If you are upgrading your Websense deployment and changing your Cisco product, see Migrating between integrations after installation.
You can change the Cisco integration product (for example, change from a PIX Firewall to an IOS router) after installing Websense software without losing configuration data.
1. Install and configure your new Cisco integration product. See Cisco documentation for instructions.
2. Use the Websense Backup Utility to back up the Websense configuration and initialization files. See the TRITON - Web Security Help for instructions.
4. Remove Filtering Service. See Removing Web Security components for instructions.
6.
7. On the Select Integration screen, select the new Cisco product, and then follow the on-screen instructions to complete the installation. The installer adds the new integration data to the Websense software configuration files, while preserving existing configuration data.
Linux: Navigate to the Websense installation directory (/opt/Websense, by default), and use the following command to verify that Websense Filtering Service is running:
10. In the TRITON Unified Security Center, in the Web Security module, identify which Filtering Service instance is associated with each Network Agent.
a. Using a supported browser (see System Requirements), go to https://<IP address>:9443/triton, where <IP address> is the IP address of the machine on which TRITON Unified Security Center is installed.
b. Click the Web Security module button.
c. Open the Settings tab.
d. Go to Settings > Network Agent and click the appropriate IP address in the navigation pane to open the Local Settings page.
e. Under Filtering Service Definition, select the IP address for the machine running Filtering Service. During the migration, the setting may have been reset to None.
For more information, see the information about configuring local settings in the Network Configuration section of TRITON - Web Security Help.
Network Agent can also provide bandwidth information for reports and block HTTP(S) Internet protocols based on bandwidth consumption. However, bandwidth information is not recorded by default.
To configure Network Agent to record bandwidth information for reporting, or filter HTTP(S) or FTP requests based on bandwidth consumption, follow these steps:
1. In a supported browser, navigate to https://<IP address>:9443/triton (<IP address> is the IP address of the machine on which TRITON Unified Security Center is installed).
2. Select the Web Security module button.
3. Navigate to the Settings > Network Agent tab and select the appropriate IP address in the navigation pane to open the Local Settings page.
4. Under Network Interface Card, click the appropriate NIC monitoring the relevant traffic.
5. Under Integration, enable the Log HTTP requests option.
For information on configuring bandwidth blocking for category and protocol, please refer to the Bandwidth Optimizer section of the TRITON - Web Security Help.