Chaining Content Gateway with other Proxies

You can configure the Blue Coat proxy to send X-Forwarded-For and X-Authenticated-User headers for Websense Content Gateway to read, either by manually editing a policy text file or by defining the policy in a Blue Coat graphical interface called Visual Policy Manager.

Note that for Blue Coat to service HTTPS requests properly with the following setup, you must have a Blue Coat SSL license and hardware card.

In the Blue Coat Management Console Configuration tab, click Policy in the left column and select Policy Files. Enter the following code in the current policy text file, using an Install Policy option:

    action.Add[header name for authenticated user](yes)
    define action Add[header name for authenticated user]
    set(request.x_header.X-Authenticated-User, "WinNT://$(user.domain)/$(user.name)")
    end action Add[header name for authenticated user]
    action.Add[header name for client IP](yes)
    define action Add[header name for client IP]
    end action Add[header name for client IP]

Before you configure the Blue Coat header policy, ensure that NTLM authentication is specified in the Blue Coat Visual Policy Manager (Authentication > Windows SSO). Set Websense Content Gateway as the forwarding host (in the Blue Coat Management Console Configuration tab, Forwarding > Forwarding Hosts).

In the Blue Coat Management Console Configuration tab, click Policy and select Visual Policy Manager. Click Launch and configure the header policy as follows:
1. In the Policy menu, select Add Web Access Layer and enter an appropriate policy name in the Add New Layer dialog box.
2. Select the Web Access Layer tab that is created.
3. The Source, Destination, Service, and Time column entries should be Any (the default).
5.
6. In the Add Control Request Header Object dialog box, enter a name for the client IP Action object in the Name entry field.
7. Enter X-Forwarded-For in the Header Name entry field.
8. Select the Set value radio button and enter the following value:
9. Click OK.
10.
11. In the Add Control Request Header Object dialog box, enter a name for the authenticated user information Action object in the Name entry field.
12. Enter X-Authenticated-User in the Header Name entry field.
13. Select the Set value radio button and enter the following value:
14. Click OK.
15.
16. In the Add Combined Action Object dialog box, enter a name for a proxy chain header in the Name entry field.
19. Click Install Policy in the Blue Coat Visual Policy Manager.

Microsoft Internet Security and Acceleration (ISA) server and Forefront Threat Management Gateway (TMG)

Microsoft ISA server or Forefront TMG can be used as a downstream proxy from Websense Content Gateway via a plug-in from Websense, Inc. This plug-in allows Websense Content Gateway to read the X-Forwarded-For and X-Authenticated-User headers sent by the downstream ISA server or Forefront TMG.
Websense-AuthForward.ISAPI32.zip for 32-bit ISA servers
Websense-AuthForwardTMG_Plugin-64.zip for 64-bit Forefront TMG
1. Unzip the package and copy the appropriate Websense-AuthForward.dll file (for 32-bit or 64-bit) to the Microsoft ISA or Forefront TMG installation directory. (For example, for ISA the default directory is C:\Program Files\Microsoft ISA Server.)

   For the ISA version, in addition to Websense-AuthForward.dll, install the following files in the ISA installation directory:
2. Open a Windows command prompt and change directory to the Microsoft ISA or Forefront TMG installation directory.
4. Verify the plug-in was registered in the ISA or Forefront TMG management user interface (for example, Start > Programs > Microsoft ISA Server > ISA Server Management). In the Configuration (for 32-bit) or System (for 64-bit) section, select Add-ins, then click the Web-filter tab. The WsAuthForward plug-in should be listed.

To uninstall the plug-in, run the following command in a Windows command prompt from the ISA or Forefront TMG installation directory.
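
Whichever downstream proxy is configured (Blue Coat or ISA/TMG), a request captured on its way to Content Gateway can be checked to confirm that each header arrives exactly once and in the expected form. The Python below is an added example, not Websense or Blue Coat code; the function names and the sample request are constructed for illustration, and the user format is the WinNT://domain/user value from the policy text above.

```python
import ipaddress
import re

# Format taken from the policy on this page: WinNT://$(user.domain)/$(user.name)
USER_RE = re.compile(r"^WinNT://([^/\s]+)/([^/\s]+)$")

# Constructed sample: a request as the downstream proxy might forward it.
SAMPLE_REQUEST = (
    "GET http://example.com/ HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "X-Forwarded-For: 10.1.2.3\r\n"
    "X-Authenticated-User: WinNT://CORP/jdoe\r\n"
    "\r\n"
)

def header_values(raw_request, name):
    """Return every value of header `name` (case-insensitive) in a raw request."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            values.append(value.strip())
    return values

def check_chain_headers(raw_request):
    """Return a list of problems; an empty list means both headers look well-formed."""
    problems = []
    xff = header_values(raw_request, "X-Forwarded-For")
    user = header_values(raw_request, "X-Authenticated-User")
    for name, vals in (("X-Forwarded-For", xff), ("X-Authenticated-User", user)):
        if not vals:
            problems.append(f"{name}: missing")
        elif len(vals) > 1:                      # header set more than once
            problems.append(f"{name}: sent {len(vals)} times")
    for v in xff:
        for part in v.split(","):                # a chain may list several addresses
            try:
                ipaddress.ip_address(part.strip())
            except ValueError:
                problems.append(f"X-Forwarded-For: not an IP address: {part.strip()!r}")
    for v in user:
        if not USER_RE.match(v):
            problems.append(f"X-Authenticated-User: not WinNT://domain/user: {v!r}")
    return problems

if __name__ == "__main__":
    print(check_chain_headers(SAMPLE_REQUEST) or "headers OK")
```

A header reported as sent more than once suggests the downstream proxy is not replacing a value that was already present on the request.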