How remote filtering works

Deploying the Remote Filter Module | Web Filter & Security | v8.0.x, v8.1.x

Related topics:

Deployment information

Differences between remote and local management of HTTPS and FTP traffic

Identifying remote users

When server communication fails

Websense Remote Filtering Client resides on client machines that are used outside your organization's network. When a user makes a browser-based Internet request, Remote Filtering Client uses a heartbeat to determine whether it is within or outside the network. If the machine is outside the network, the request is forwarded to Remote Filtering Server.

You can configure how often Remote Filtering Client sends the heartbeat to see whether it is inside the network. See Configuring the Remote Filtering Client heartbeat interval.

When the client is outside your network

When a computer is started outside the network, Remote Filtering Client attempts to send a heartbeat to Remote Filtering Server, but the heartbeat port is blocked at the external firewall.

This heartbeat failure prompts Remote Filtering Client to send a query about each HTTP, HTTPS, or FTP request over the configured port (default 80) to Remote Filtering Server in the DMZ.

Remote Filtering Server then forwards the request to Filtering Service inside the network.

Filtering Service evaluates the request and sends a response to Remote Filtering Server.

Remote Filtering Server sends the response to the client.

If the site is blocked, Remote Filtering Client requests and receives the appropriate block page, which is displayed to the user.

Remote Filtering Client delays each request until it receives a response from Remote Filtering Server. Depending on the response received, Remote Filtering Client either permits the site or displays the block page.

A log file tracks remote filtering activities, such as entering and leaving the network, failing open or closed, and restarting the client. Remote Filtering Client creates the log file when it starts for the first time. You control the presence and size of this log file. See Global remote filtering settings.

When the client is inside your network

When the client machine is started inside the network, the Remote Filtering Client attempts to send a heartbeat to the Remote Filtering Server in the DMZ. The heartbeat is successful because the heartbeat port is open on the internal firewall.

Remote Filtering Client does not query Remote Filtering Server about Internet requests. Instead, requests are passed directly from the browser to Network Agent, or an integrated proxy, cache, or firewall and managed like any other request.

Identifying remote users

The policy applied to requests from a remote machine depends on how the user logs on to the machine.

If a user logs on using cached domain credentials (network directory logon information), Filtering Service is able to resolve the user name and apply the appropriate user or group-based policy. Internet activity is logged under the network user name.

If the user logs on with a local account, Filtering Service cannot resolve the user name.

If manual authentication is enabled, the user receives an in-browser logon prompt, and Internet requests are managed according to the user or group policy and Internet activity is logged under the network user name.

If manual authentication is not enabled, the Default policy is applied to Internet requests and Internet activity is logged under the local user name.


	Note Selective authentication settings do not apply to remote filtering users.

Differences between remote and local management of HTTPS and FTP traffic

When a remote user requests an HTTP site in a category that is set to the Quota or Confirm action, remote filtering software offers the appropriate block message, including the Quota or Continue button.

However, if a remote user requests an FTP or HTTPS site in a category that is set to Quota or Confirm, remote filtering presents only a block page. Remote filtering software does not support the Quota and Confirm actions for these protocols.