Technical Library | Support

Go to the table of contents Go to the previous page Go to the next page
Content Gateway Deployment > Content Gateway deployment issues
Content Gateway deployment issues
Deployment and Installation Center | Web Security Solutions | Version 7.8.x
Applies to:                                         
In this topic                                       
*
Web Security Gateway and Gateway Anywhere, v7.8.x
*
Proxy deployment options
*
User authentication
*
HTTPS content inspection
*
Handling special cases
Planning to deploy Websense Content Gateway as a proxy in your network should include physical requirements, such as:
*
data center location and space
*
power and cooling requirements for hardware
*
required rack space
*
connectivity to existing or extended network topology
Also consider:
*
Content Gateway system requirements (hardware and operating system)
*
Advantages and disadvantages of proxy network configuration options
*
User authentication and identification options
*
How to configure and use HTTPS content inspection
*
A plan for handling special proxy/client issues
Proxy deployment options
Websense Content Gateway is used in either an explicit or transparent proxy deployment.
With an explicit proxy deployment, client software, typically a Web browser, is configured to send requests for Internet content directly to Content Gateway.
In a transparent proxy deployment, client requests for Internet content are intercepted (usually by a router) and sent to the proxy. The client is unaware that it is communicating with a proxy.
Both options have advantages and disadvantages. See Content Gateway explicit and transparent proxy deployments for more information.
Management clustering
A Content Gateway deployment can scale from a single node to multiple nodes to form a management cluster. With management clustering, all nodes in the cluster share configuration information. A configuration change on one node is automatically propagated all other nodes. Transparent proxy deployments with WCCP can disable cluster synchronization of WCCP configuration settings.
See Clusters in Content Gateway Manager Help for information about configuring Content Gateway clusters.
IP spoofing
By default, when communicating with origin servers Content Gateway proxies client requests substituting its own IP address. This is standard forward proxy operation.
With transparent proxy deployments, and, beginning with version 7.8.3, explicit proxy deployments, Content Gateway supports IP spoofing.
IP spoofing configures the proxy to use:
*
The IP address of the client when communicating with the origin server (basic IP spoofing), or
*
A specified IP address when communicating with the origin server (range-based IP spoofing)
IP spoofing is sometimes used to support upstream activities that require the client IP address or a specific IP address. It also results in origin servers seeing the client or specified IP address instead of the proxy IP address (although the proxy IP address can be a specified IP address).
IP spoofing:
*
Prior to 7.8.3, is supported for transparent proxy deployments only
*
When enabled, is supported and applied to both HTTP and HTTPS traffic; it cannot be configured to apply to only one protocol
*
Is applied to HTTPS requests whether SSL support is enabled or not
*
Relies on the ARM, which is always enabled
*
Is not supported with edge devices such as a Cisco ASA or PIX firewall; When this is attempted, requests made by Content Gateway using the client IP address are looped back to Content Gateway
*
Does not support IPv6.
 
* 
Warning 
Deploying IP spoofing requires precise control of the routing paths on your network, overriding the normal routing process for traffic running on TCP ports 80 and 443.
With IP spoofing enabled, traditional debugging tools such as traceroute and ping have limited utility.
For complete information, see IP Spoofing in Content Gateway Manager Help.
User authentication
User authentication is the process of verifying a user via a username and password. Several types of user authentication are supported by Content Gateway.
User identification is the process of identifying a user based on the client IP address. Web Security solutions offer a robust set of user identification agents.
Content Gateway user authentication
Content Gateway can be configured for transparent user authentication -- with Integrated Windows® Authentication (IWA) or Legacy NTLM -- in which users are not prompted for credentials. Alternatively, Content Gateway can be configured for prompted (or manual) authentication, in which users are required to enter a username and password to obtain network access.
 
* 
Note 
Not all Web browsers support both transparent and prompted authentication modes.
See the v7.8 Websense Content Gateway Release Notes for specific browser limitations.
In the manual authentication process, Content Gateway prompts a user for proxy login credentials when that user requests Internet content. After the user enters those credentials, the proxy sends them to a directory server that validates the data. If the directory server accepts the user's credentials, the proxy delivers the requested content. Otherwise, the user's request is denied.
The issue of proxy user authentication is important in a deployment in which multiple proxies are chained. Authentication by the proxy closest to the client is preferred, but may not be possible given a particular network's configuration. Other issues include whether Content Gateway is chained with a third-party proxy and which proxy is designated to perform authentication. See In a proxy chain for more information.
Websense Content Gateway supports the following user authentication methods:
*
Integrated Windows Authentication (with Kerberos)
*
Legacy NTLM (Windows NT® LAN Manager, NTLMSSP)
*
LDAP (Lightweight Directory Access Protocol)
*
RADIUS (Remote Authentication Dial-In User Service)
Content Gateway supports both transparent and prompted authentication for Integrated Windows Authentication and Legacy NTLM. LDAP and RADIUS support prompted authentication.
Content Gateway also supports rule-based authentication. Rule-based authentication uses an ordered list of rules to support multiple realm, multiple domain, and other authentication requirements. When a request is processed, the rule list is traversed top to bottom, and the first match is applied.
Authentication rules specify:
1.
How to match a user.
By:
*
IP address
*
Inbound proxy port (explicit proxy only)
*
User-Agent value
*
A combination of the above
2.
The domain or ordered list of domains to authenticate against.
With a list of domains, the first successful authentication is cached and used in subsequent authentications. If IP address caching is configured, the IP address is cached. If Cookie Mode is configured, the cookie (user) is cached.
Rule-based authentication is designed to meet several special requirements:
*
Multiple realm networks in which domains do not share trust relationships and therefore require that each domain's members be authenticated by a domain controller within their domain. In this environment rules are created that specify:
*
Members of the realm (untrusted domain) by IP address or proxy port
*
The realm (domain) they belong to
*
Authentication when domain membership is unknown: Some organizations do not always know what domain a user belongs to. For example, this can happen when organizations acquire new businesses and directory services are not mapped or consolidated. The unknown domain membership problem can be handled in rule-based authentication by creating a rule for IP address lists or ranges that specifies an ordered list of domains to attempt to authenticate against. The first successful authentication is remembered and used in later authentications. If authentication is not successful or the browser times out, no authentication is performed.
*
Authentication based on User-Agent value: One or more User-Agent values can be specified in an authentication rule. Often this is a list of browsers. When the User-Agent value matches a rule, authentication is performed against the specified domain(s). If the User-Agent value doesn't match any rule and no rule matches based on other values, no authentication is performed (this is always true in rule-based authentication; if no rule matches, no authentication is performed).
See Content Gateway user authentication in Content Gateway Manager Help for detailed information.
Web Security user identification
You can configure user identification in the Web Security manager rather than use user authentication on the proxy. Methods of user identification include Websense transparent identification agents such as Logon Agent or DC Agent, which identify users transparently. Prompted authentication can also be configured in the Web Security manager. See User Identification in the Web Security Help for more information.
HTTPS content inspection
When you use Content Gateway SSL support, HTTPS traffic is decrypted, inspected, and re-encrypted as it travels from the client to the origin server and back. Enabling this feature also means that traffic from the server to the client can be inspected for Web 2.0 and uncategorized sites. The SSL feature includes a complete set of certificate-handling capabilities. See the Content Gateway Manager online Help for information on managing certificates.
Deploying Content Gateway with SSL support enabled may require the following modifications to your system:
*
Creation of trusted Certificate Authority (CA) certificates for each proxy to use for SSL traffic interception, and the installation of those certificates in each trusted root certificate store used by proxied applications and browsers on each client
*
In explicit proxy deployments, additional client configuration in the form of Proxy Auto-Configuration (PAC) files or Web Proxy Auto-Discovery (WPAD)
*
In transparent proxy deployments, integration with WCCP v2-enabled network devices, or Policy Based Routing.
 
* 
Note 
HTTPS content inspection can also affect system hardware resources like processing capacity and memory requirements.
When Content Gateway is configured to handle HTTPS traffic, you can specify categories of websites, individual websites, and clients for which decryption and inspection are bypassed. See SSL Decryption Bypass in Web Security Help.
Handling special cases
Any Content Gateway deployment must be able to handle web requests and web applications that are not compatible with the proxy or that should bypass the proxy. For example, requests for data from some internal, trusted sites could be configured to bypass the proxy, for system performance reasons. In explicit proxy deployments, a PAC file can be used to list the traffic that is allowed to bypass proxy inspection. In transparent proxy deployments, the proxy must be installed in a way that allows static bypass. See Static bypass rules in Content Gateway Manager Help.
See, also: Web sites that have difficulty transiting Content Gateway.

Go to the table of contents Go to the previous page Go to the next page
Content Gateway Deployment > Content Gateway deployment issues
Copyright 2016 Forcepoint LLC. All rights reserved.