Chaining Content Gateway with other Proxies

Applies to

Web Security Gateway v7.6.x

Web Security Gateway Anywhere v7.6.x

In this topic

Blue Coat ProxySG

Microsoft Internet Security and Acceleration (ISA) server and Forefront Threat Management Gateway (TMG)

Blue Coat ProxySG

You can configure the Blue Coat proxy to send X-Forwarded-For and X-Authenticated-User headers for Websense Content Gateway to read either by manually editing a policy text file or defining the policy in a Blue Coat graphical interface called Visual Policy Manager.

Note that for Blue Coat to service HTTPS requests properly with the following setup, you must have a Blue Coat SSL license and hardware card.

Editing the local policy file

In the Blue Coat Management Console Configuration tab, click Policy in the left column and select Policy Files. Enter the following code in the current policy text file, using an Install Policy option:

<Proxy>

action.Add[header name for authenticated user](yes)

 

define action dd[header name for authenticated user]

set(request.x_header.X-Authenticated-User, "WinNT://$(user.domain)/$(user.name)")

end action Add[header name for authenticated user]

 

action.Add[header name for client IP](yes)

 

define action dd[header name for client IP]

set(request.x_header.X-Forwarded-For,$(x-client-address))

end action Add[header name for client IP]

Using the Blue Coat graphical Visual Policy Manager

Before you configure the Blue Coat header policy, ensure that NTLM authentication is specified in the Blue Coat Visual Policy Manager (Authentication > Windows SSO). Set Websense Content Gateway as the forwarding host (in the Blue Coat Management Console Configuration tab, Forwarding > Forwarding Hosts).

In the Blue Coat Management Console Configuration tab, click Policy and select Visual Policy Manager. Click Launch and configure the header policy as follows:

1.	In the Policy menu, select Add Web Access Layer and enter an appropriate policy name in the Add New Layer dialog box.

2.	Select the Web Access Layer tab that is created.

3.	The Source, Destination, Service, and Time column entries should be Any (the default).

4.	Right-click the area in the Action column, and select Set.

5.	Click New in the Set Action Object dialog box and select Control Request Header from the menu.

6.	In the Add Control Request Header Object dialog box, enter a name for the client IP Action object in the Name entry field.

7.	Enter X-Forwarded-For in the Header Name entry field.

8.	Select the Set value radio button and enter the following value:

$(x-client-address)

9.

Click OK.

10.	Click New and select Control Request Header again.

11.	In the Add Control Request Header Object dialog box, enter a name for the authenticated user information Action object in the Name entry field.

12.	Enter X-Authenticated-User in the Header Name entry field.

13.	Select the Set value radio button and enter the following value:

WinNT://$(user.domain)/$(user.name)

14.

Click OK.

15.	Click New and select Combined Action Object from the menu.

16.	In the Add Combined Action Object dialog box, enter a name for a proxy chain header in the Name entry field.

17.	In the left pane, select the previously created control request headers and click Add.

18.	Select the combined action item in the Set Action Object dialog box and click OK.

19.	Click Install Policy in the Blue Coat Visual Policy Manager.

Microsoft Internet Security and Acceleration (ISA) server and Forefront Threat Management Gateway (TMG)

Microsoft ISA server or Forefront TMG can be used as a downstream proxy from Websense Content Gateway via a plug-in from Websense, Inc. This plug-in allows Websense Content Gateway to read the X-Forwarded-For and X-Authenticated-User headers sent by the downstream ISA server or Forefront TMG.

Two versions of the plug-in are available, packaged in the following zip files:

Websense-AuthForward.ISAPI32.zip for 32-bit ISA servers

Websense-AuthForwardTMG_Plugin-64.zip for 64-bit Forefront TMG

The zip files are available on the MyWebsense Downloads page.

Install a plug-in as follows:

1.	Unzip the package and copy the appropriate Websense-AuthForward.dll file (for 32-bit or 64-bit) to the Microsoft ISA or Forefront TMG installation directory. (For example, for ISA the default directory is C:\Program Files\Microsoft ISA Server)

For the ISA version, in addition to Websense-AuthForward.dll, install the following files in the ISA installation directory :

Microsoft.VC90.CRT.manifest
msvcm90.dll
msvcp90.dll
msvcr90.dll

2.	Open a Windows command prompt and change directory to the Microsoft ISA or Forefront TMG installation directory.

3.	From the command prompt, type

regsvr32 Websense-AuthForward.dll

(to register the 32-bit plug-in)

 

regsvr32 Websense-AuthForward.dll

(to register the 64-bit plug-in)

4.

Verify the plug-in was registered in the ISA or Forefront TMG management user interface (For example, Start > Programs > Microsoft ISA Server > ISA Server Management). In the Configuration (for 32-bit) or System (for 64-bit) section, select Add-ins, then click the Web-filter tab. The WsAuthForward plug-in should be listed.

To uninstall the plug-in, run the following command in a Windows command prompt from the ISA or Forefront TMG installation directory.

regsvr32 /u Websense-AuthForward.dll

(to unregister the 32-bit plug-in)

 

regsvr32 /u Websense-AuthForward.dll

(to unregister the 64-bit plug-in)