Technical Library | Support

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
v7.8.3 Release Notes for Websense® Content Gateway : New in Websense Content Gateway v7.8.3
New in Websense Content Gateway v7.8.3
Topic 60096 | Web Security Gateway and Gateway Anywhere | 20-May-2014
 
Security
In some previous versions, a vulnerability in OpenSSL could allow a remote attacker to expose sensitive data, possibly including user authentication credentials and secret keys, due to incorrect memory handling in the TLS heartbeat extension. Version 7.8.3 of Websense Content Gateway does not contain the vulnerability (known as CVE-2014-0160 or Heartbleed).
Data Security analysis of web GET requests
Work has begun on a new feature so that the policy engine in Content Gateway can analyse both GET and POST requests for data. This enhances the ability to identify and block outbound malware communication. This feature will be completed in a future release.
 
Delay scanning data file updates
Content Gateway analysis uses a set of data files which are updated regularly by Websense Security Labs and made available on the Websense download server. Updates to these data files are independent of Websense Master Database updates. A data file check is done every 15 minutes, by default, and new data files are automatically downloaded for immediate use by the analytics.
A new feature, typically used for a backup system, has been added that allows you to configure a delay for the download of a new set of data files.
To use the new feature, navigate to the new "Scanning Data Files Update" section on the Scanning tab of the Configure >My Proxy >Subscription page. Then, select a Delay time from the drop-down list provided, keeping in mind that the longer the delay, the higher the security risk. Restart Content Gateway for the new delay time to take effect. Subsequent downloads will be held for that length of time.
When a delay time is in place, there may be up to 2 sets of data files present on the Content Gateway machine.
1.
The current set of data files that are being used by the analytics.
2.
The set of data files whose complete download is being delayed.
Once the delay period is met, the delayed database will be moved to the current set of files and the delay period will be applied to the next download.
Note that one of the available Delay time options is Suspend updates. It is not recommended that this option be used for an extended period of time. When Delay time is set to Suspend updates, a critical alarm is signaled as a reminder that updates have been suspended. The alarm is meant as a reminder to reset the Delay time value so we recommend you do not clear the alarm until you have changed the delay setting.
IP Spoofing available for explicit proxy
A new configuration option is now available allowing the use of IP Spoofing with explicit proxy.
Disabled by default, when IP spoofing is enabled, the proxy will use:
*
The IP address of the client when communicating with the origin server (basic IP spoofing), or
*
A specified IP address when communicating with the origin server
Navigate to Configure > Networking > ARM and locate the IP Spoofing section. Click Enabled under "IP Spoofing in Explicit Proxy Mode" to enable the option.
Range-based IP spoofing is also supported for explicit proxy. However, when Range-based IP spoofing is enabled, IP spoofing for transparent proxy is automatically enabled. Disable IP spoofing for transparent proxy if you don't want to use it.
Captive Portal
A new authentication method, Captive Portal, has been added to Content Gateway. Captive Portal may be especially helpful in handling mobile and other personal devices brought in to your Web Security Gateway networks.
Used with rule-based authentication, this feature:
*
Redirects users to a web portal page for authentication.
*
Supports captive, interactive (prompted) user authentication of IP addresses (users) that match the Captive Portal rule.
*
Can be used with LDAP and Legacy NTLM; IWA and RADIUS are not supported.
*
Handles credential caching and expiration per the global configuration; cookie authentication and caching are not supported.
*
Allows the authentication form (web portal page) to be customized to suit your needs.
*
Supports only basic authentication.
When adding an authentication rule (see Rule-Based Authentication in Content Gateway Help for details), a new option is provided. Navigate to Configure > Security > Access Control > Authentication Rules and click Enable next to Captive Portal to select the feature. Users who match the rule are redirected to the new web portal authentication page.
*
This option is disabled if an IWA domain is included in the Auth Sequence list.
*
When this option is enabled, an error message will display if an IWA domain is selected for inclusion in the Auth Sequence list.
Note that when Content Gateway receives an unauthenticated POST request from a user who matches a Captive Portal rule, it redirects the user to the web portal authentication page and does not record the POST data. After successful authentication, the original POST data must be input again.
 
* 
Note 
If the requested URL is configured for tunneling or bypass, no user authentication is performed.
When a rule is added with the Captive Portal option enabled, users are reminded that they can customize the pre-defined web portal page. Go to the new Captive Portal Page Customization tab of Configure > Security > Access Control. Edit the text and HTML to suit your needs. For example, you may want to include your company logo in place of the Websense logo.
The form must be a valid HTML document, defined with valid HTML syntax.
The following variables are used in the document to ensure that it is delivered to the users properly. It is recommended that you do not change their placement or usage.
*
%P is replaced with the protocol of the current transaction
*
%h is replaced with "redirect_host:8080"
*
%u is replaced with the URL request for the portal page
*
$$DOMAIN is replaced with the basic authentication domain defined in the configuration variable proxy.config.proxy.authenticate.basic.realm. (Refer to this section of Websense Content Gateway Help for more information.)
When you have entered all of the syntax, click Preview to preview the page you have created. When you are happy with the way the portal page looks, click Apply to save the content to a file. If you want to return to the default, pre-defined portal page syntax, click Restore to Default Page.
The customized Captive Portal page is saved to auth_form.html, which is stored in /opt/WCG/config. In addition, css and image files can be used to define the portal page. These must be stored in /opt/WCG/config/ui_files (css files) and /opt/WCG/config/ui_files/images (image files), by default. Add a variable to records.config to use a different name for the saved Captive Portal page or store the css and image files in a different directory.
 
Configuration Variable
Data
Type
Default Value
Description
proxy.config.auth.
form_filename
STRING
auth_form.html
Specifies the file that defines the Captive Portal authentication page.
Changing this file name is not recommended.
proxy.config.internal.
file.path
STRING
/config/ui_files
Specifies the location of any css and image files used to define the Captive Portal authentication page. The full default path is /opt/WCG/config/ui_files. Image files are located in an /images sub-directory.
If you wish to use your company logo:
*
Edit the src info and replace the png file name with your company logo file.
*
Copy your png file to /opt/WCG/config/ui_files/images.
 
* 
Note 
The css and image files also reside in /opt/WCG/ui/configure/auth_form and /opt/WCG/ui/configure/auth_form/images, respectively, for use by the Preview feature. Copy any new files to those directories to use Preview.
Domain list limit is now configurable
A domain list must be added on the Configure > Security > Access Control > Domains page of Content Gateway manager before authentication rules can be configured for rule-based authentication.
Currently, there is a default limit of 50 domains that can be added to this page. If you would like to change that limit, a new variable has been added to the Authentication basic realm section of the records.config file, located in /opt/WCG/config, by default.
 
Configuration Variable
DataType
Default Value
Description
proxy.config.multiauth.
domain.max
INT
50
Specifies the maximum number of domains that can be added or joined on Configure > Security > Access Control > Domains
 
Compressed file analysis
If user traffic passes through Websense Content Gateway, requested files are analyzed to define their type when all of the following are true:
1. A user requests a URL in a permitted category.
2. File type blocking is enabled for the category in the active category filter.
3. There is no file extension match in a blocked file type
A new feature has been added that will analyze the contents of a compressed file, if compressed files are permitted and a compressed file is selected for download. For example, if compressed files are permitted, but executable files are blocked, when a user attempts to download a compressed file, the contained files are analyzed. If the compressed file contains an executable file, the download is blocked based on the executable file type. Or if the compressed file contains a file that is determined to be malicious, the download is blocked.
 
* 
Note 
The .xz compressed file format is not supported.
New charts for network interface statistics
New charts have been added to the Content Gateway manager that will provide details about packets (including dropped packets and error packets), memory usage, and bandwidth.
Navigate to Monitor >Performance to view charts that show:
*
the number of bytes received and transmitted.
*
the number of packets received and transmitted.
*
the number of error packets received and packets dropped.
*
system memory.
Click on a graph to view the daily, weekly, monthly, and yearly on a single screen.
Platform Support
* 
Note 
IPv6 is not supported for FTP passive mode
Content Gateway runs on 64-bit platforms only.
 
* 
Important 
If you are planning to upgrade to version 7.8.3, and Content Gateway is currently hosted on a 5-series version of Red Hat Enterprise Linux, you must upgrade the operating system upgrade to Red Hat Enterprise Linux 6-series as part of the Content Gateway upgrade process. Red Hat Enterprise Linux 6.4 is recommended.
See Upgrading Websense Web Security solutions to find your upgrade procedure, which includes operating system upgrade instructions.
Content Gateway is certified on:
*
Red Hat Enterprise Linux 6 series, 64-bit, Basic Server
*
Kernel version for 6.5: 2.6.32-431 (not recommended with v7.8.3 Content Gateway)
*
Kernel version for 6.4: 2.6.32-358
*
V-Series appliances
Content Gateway is supported on:
*
Red Hat Enterprise Linux 6 series, 64-bit, Basic Server
*
Kernel version for 6.3: 2.6.32-279
*
Kernel version for 6.2: 2.6.32-220
*
Kernel version for 6.1: 2.6.32-131
*
Kernel version for 6.0: 2.6.32-71
*
The corresponding CentOS versions, including updates 3 and 4 (CentOS version numbers have a one-to-one correspondence with Red Hat Enterprise Linux version numbers)
Only kernels listed above are certified or supported. Visit www.redhat.com for kernel information. To display the kernel version installed on your system, enter the command:
/bin/uname -r
Websense, Inc. provides "best effort" support for the version of Red Hat Enterprise Linux and CentOS listed above. Under "best effort" support, Websense Technical Support makes a best effort to troubleshoot cases in standard fashion until the issue is deemed a Red Hat Enterprise Linux- or CentOS-specific issue, at which point you must contact Red Hat directly for assistance.
Websense recommends that the Red Hat Enterprise Linux version that will host Content Gateway be updated to the latest patch before running the version 7.8.3 Content Gateway installer.
Websense also recommends that Red Hat Enterprise Linux systems that host Content Gateway be registered with Red Hat Network and kept up-to-date with the latest security patches.
 
* 
Important 
You can update packages on your Red Hat Enterprise Linux installations and patch kernels if the underlying kernel upgrade does not change the kernel ABI.
 
* 
Important 
Content Gateway is designed to run on a dedicated machine and is not guaranteed to be compatible with other server applications installed on the same machine.
For a complete description of platform requirements, see Hardware requirements and Operating system and software requirements.

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
v7.8.3 Release Notes for Websense® Content Gateway : New in Websense Content Gateway v7.8.3
Copyright 2016 Forcepoint LLC. All rights reserved.