New in Websense Content Gateway v7.8.4

Topic 60116 | Web Security Gateway and Gateway Anywhere | 26-Aug-2014

In some previous versions, the SSL module in Content Gateway included an OpenSSL version that includes the man-in-the-middle (MITM) vulnerabilities (CVE-2014-0224). Exploiting this vulnerability, an attacker that is capable of intercepting communications between a vulnerable client and server can exploit an MITM attack, allowing the attacker to transparently decrypt and modify traffic to and from both client and server. In version 7.8.4 of Websense Content Gateway, the vulnerable version of the OpenSSL libraries have been replaced with a fixed version.

Transparent Proxy supports IPv6

Support for IPv6 has been extended to transparent proxy deployments.

WCCP 2.01 is required to support IPv6. If you use a Cisco router, it must be version 15.4(1)T or later to support IPv6.

If Content Gateway is deployed on a Websense Appliance, IPv6 must be enabled on the Configuration > Network Interfaces > IPv6 page of the Appliance Manager.

WCCP GRE Packet Forward Method and Packet Return Method and Dynamic bypass are not supported for IPv6 addresses.

IP spoofing requires all IPs in the routing path to use the same format. That is, all IPs must be IPV6 or IPv4. A combination of IPv6 and IPv4 is not supported.

Range based IP spoofing is not supported for IPv6.

IPv6 is not supported for FTP passive mode with the transparent proxy.

IPv6 only clients do not display a block page correctly. The user is blocked from the site as expected but will receive a browser error rather than a block page. Dual-stack IPv6 clients receive the normal block page.

In support of this feature, a new column for IPv6 data has been added to the ARM Statistics provided on the Monitor > Networking > ARM page.

Captive Portal enhancements

The new authentication method, Captive Portal, added to Content Gateway in v7.8.3, has been enhanced to provide support for:

cookie authentication

HTTPS portal

In version 7.8.3, credential caching and expiration was handled per the global configuration. Captive Portal has been enhanced to support cookie-based authentication with cookie-enabled applications (browsers) on mobile devices. Note that most applications on mobile devices do not share cookies. For those applications, IP-based identification will be required.

See Authentication using Captive Portal and the Credential Caching section of Global authentication options in Content Gateway Help for more information.

Note that for web applications that use Ajax where Ajax is configured to prevent cookies, cookie-mode cannot support sites that include cross-origin requests (CORS) that rely on Ajax.

Support for Captive Portal Authentication is enhanced to use HTTPS. When an authentication rule is configured to use Captive Portal and a user matches that rule, an HTTPS page prompts for credentials and the authentication transaction is handled with HTTPS.

When adding an authentication rule (see Rule-Based Authentication in Content Gateway Help for details), two options are now available to enable the Captive Portal feature. Navigate to Configure > Security > Access Control > Authentication Rules and, next to Captive Portal, click

Enabled for HTTPS Authentication page to display the authentication page using HTTPS.

When HTTPS is used, a server certification is generated based on the internal root CA. To use this feature, you must import the internal root CA to ensure there is no certificate error. See Importing your Root CA in Content Gateway Help for details.

Enabled for HTTP Authentication page to display the authentication page using HTTP.

Disabled to disable the feature.

When the feature is enabled, users who match the rule are redirected to the new web portal authentication page. See Authentication using Captive Portal in Content Gateway Help for more details.

Diagnostic tools available in Content Gateway manager

Automatic and manual diagnostics can now be run from Monitor > My Proxy > Diagnostics in Content Gateway manager.

Tests provided on the Automatic tab verify connectivity to:

The IPv4 default gateway

The IPv6 default gateway

Your primary DNS server

Your secondary DNS server

download.websense.com (a Websense download server)

ddsdom.websense.com (a Websense download server)

ddsint.websense.com (a Websense download server)

my.websense.com (customer account portal)

Click Run Diagnostics to view test results and latency information. Details for any test that failed or could not complete are provided. Results from the last test display each time the page is accessed and include the date and time of the test in the Last update information

The Manual tab offers 4 commands typically run from the command line.

Ping, used to determine if a remote device can be reached across the network.

Traceroute, used to determine the path network packets take and measure delays across the network.

NSlookup, used to obtain domain name or IP address mapping.

TCPDump, used to analyze network packets.

Select the command you wish to run, enter valid parameters, and click Run to execute the command. The results for Ping, Traceroute, and NSlookup display in a Test Results window provided on the page. The results for TCPDump are written to a file that can then be downloaded and viewed or saved using a link provided when the command completes. File size is limited to 10,000 packets to avoid disk space problems.

Platform Support


	Note IPv6 is not supported for FTP passive mode

Content Gateway runs on 64-bit platforms only.


	Important If you are planning to upgrade to version 7.8.4, and Content Gateway is currently hosted on a 5-series version of Red Hat Enterprise Linux, you must upgrade the operating system upgrade to Red Hat Enterprise Linux 6-series as part of the Content Gateway upgrade process. Red Hat Enterprise Linux 6.4 is recommended. See Upgrading Websense Web Security solutions to find your upgrade procedure, which includes operating system upgrade instructions.

Content Gateway is certified on:

Red Hat Enterprise Linux 6 series, 64-bit, Basic Server

Kernel version for 6.5: 2.6.32-431 (not recommended with v7.8.3 or later)

Kernel version for 6.4: 2.6.32-358

V-Series appliances

Content Gateway is supported on:

Red Hat Enterprise Linux 6 series, 64-bit, Basic Server

Kernel version for 6.3: 2.6.32-279

Kernel version for 6.2: 2.6.32-220

Kernel version for 6.1: 2.6.32-131

Kernel version for 6.0: 2.6.32-71

The corresponding CentOS versions, including updates 3 and 4 (CentOS version numbers have a one-to-one correspondence with Red Hat Enterprise Linux version numbers)

Only kernels listed above are certified or supported. Visit www.redhat.com for kernel information. To display the kernel version installed on your system, enter the command:

/bin/uname -r

Websense, Inc. provides "best effort" support for the version of Red Hat Enterprise Linux and CentOS listed above. Under "best effort" support, Websense Technical Support makes a best effort to troubleshoot cases in standard fashion until the issue is deemed a Red Hat Enterprise Linux- or CentOS-specific issue, at which point you must contact Red Hat directly for assistance.

Websense recommends that the Red Hat Enterprise Linux version that will host Content Gateway be updated to the latest patch before running the version 7.8.4 Content Gateway installer.

Websense also recommends that Red Hat Enterprise Linux systems that host Content Gateway be registered with Red Hat Network and kept up-to-date with the latest security patches.


	Important You can update packages on your Red Hat Enterprise Linux installations and patch kernels if the underlying kernel upgrade does not change the kernel ABI.


	Important Content Gateway is designed to run on a dedicated machine and is not guaranteed to be compatible with other server applications installed on the same machine.

For a complete description of platform requirements, see Hardware requirements and Operating system and software requirements.