General troubleshooting procedures

Deploying the Remote Filter Module | Forcepoint URL Filtering | v8.4.x, v8.5.x

Verify that your subscription key includes remote filtering.

Make sure that Remote Filtering Server is running.

Windows: Use the Windows Services tool to find the status of Remote Filtering Server.

Linux: Use the /opt/Websense/WebsenseDaemonControl command to review service status.

Make sure Remote Filtering Server is not installed on the same machine as Filtering Service.

Installing these components on the same machine causes a serious drain on the machine's resources. Filtering becomes very slow, and may eventually fail, permitting all Internet requests.

Check that any firewalls located between Filtering Service and Remote Filtering Server are correctly configured.

If one or more firewalls sit between the Remote Filtering Server machine and the machines running other web protection components, check that they have been properly configured, as described in Firewall configuration.

Make sure the Filtering Service's filtering port (by default, 15868) has been opened on all firewalls between the Filtering Service and Remote Filtering Server. If this port is not open, Filtering Service cannot accept connections from the Remote Filtering Server.

Make sure that the block page port (by default, 15871) has been opened on all firewalls between the Filtering Service and Remote Filtering Server. If this port is not open, Filtering Service cannot send block pages to remote clients through Remote Filtering Server.

Check that the external network firewall and any additional firewalls located between the Remote Filtering Server machine and the remote computers have been properly configured, as described in Firewall configuration.

The Remote Filtering Server's external communication port on these firewalls must be able to accept connections from Remote Filtering Clients on machines located outside the network firewall. By default, this is port 80, unless it was changed during installation of the Remote Filtering Server.

Access to the Remote Filtering Server's internal communication port must be blocked from machines located outside the network firewall. By default, this is port 8800, unless it was changed during installation of the Remote Filtering Server.

Make sure Network Agent is not monitoring responses to remote filtering requests, and that it is not monitoring the machine on which Remote Filtering Server is installed.

See the Network Agent Quick Start for more information about configuring Network Agent settings.

Check that connections are working properly.

If your firewall allows ICMP, use the ping command to verify that the remote computers on which Remote Filtering Client has been installed are able to communicate with the Remote Filtering Server machine.

Verify that the Remote Filtering Server machine is communicating properly with the network. Try to ping the Filtering Service machine and other machines on the local network.

Use a text editor to check the RFSErrors.log file on the Remote Filtering Server machine (located in the C:\Program Files\Websense\Web Security\bin or /opt/Websense/bin/ directory, by default).

Check for error 64. This error might indicate that DHCP is enabled for the machine running the Remote Filtering Server. To solve this problem, acquire a static IP address and disable DHCP on this machine.

Check that communication settings are properly configured for Remote Filtering Server and Remote Filtering Clients.

Remote Filtering Clients must be able to connect to Remote Filtering Server from both inside and outside the Internet gateway or network firewall. The correct communication information—IP addresses and port numbers for internal and external communications—must be entered during installation. See Installing Remote Filtering Server on Windows for more information.

On the Remote Filtering Server machine, navigate to the product bin directory (C:\Program Files\Websense\Web Security\bin or /opt/Websense/bin/, by default), and open the securewispproxy.ini file in a text editor.

Under Proxy Server parameters, make note of these settings:

ProxyIP: Must match the IP address of the network interface card (NIC) on the Remote Filtering Server machine that is used for internal communications.

ProxyPort: The port on the Remote Filtering Server machine used for external communications. The default is 80, but many installations set it to port 8080 during installation of Remote Filtering Server.

ProxyPublicAddress: The IP address or hostname used for external access to the Remote Filtering Server machine from outside the external network firewall or Internet gateway.

Under HeartBeat Server Parameters, make note of the HeartBeatPort setting. This is the Internal Communication Port on the Remote Filtering Server machine, used for communication with Remote Filtering Client machines that have been moved inside the external network firewall. The default is 8800.

On the Remote Filtering Server machine, open a command prompt and run the ipconfig (Windows) or ifconfig -a (Linux) command to get the IP addresses for each network interface card (NIC) in that machine.

Verify that these IP address values match the Proxy Server parameters found in the securewispproxy.ini file.

Check the values on the Remote Filtering Client machines. Contact Forcepoint Technical Support for assistance. The technician needs the information gathered in the previous steps to verify that communications are properly configured.

10.

Check that the pass phrases for Remote Filtering Server and all Remote Filtering Clients match.

Use the Windows Services tool or /opt/Websense/WebsenseDaemonControl command to stop Remote Filtering Server.

Open the securewispproxy.ini file.

Add or edit the TraceType entry to read:

TraceType=All

Save and close the securewispproxy.ini file.

Start Remote Filtering Server.

Go to a remote client computer and browse the Internet.

On the Remote Filtering Server machine, navigate to the product bin directory (C:\Program Files\Websense\Web Security\bin or /opt/Websense/bin/, by default) and open the traceFile.log file.

If the trace file contains errors indicating that "HandShake failed", the pass phrases set for Remote Filtering Client and Remote Filtering Server most likely do not match.

If the client and server pass phrases do not match, and you know the pass phrase, reinstall the Remote Filtering Clients with the correct pass phrase.

If this resolves the problem, repeat steps a) through e) to disable tracing. Either remove the TraceType entry, or edit it to read TraceType=none.

If you do not know the correct pass phrase, reinstall the Remote Filtering Server and enter a new proper pass phrase. Then, reinstall the Remote Filtering Clients, using the same pass phrase.

If the same error occurs, contact Forcepoint Technical Support.

11.

If you are using a load balancer, ensure that it is forwarding packets to the Remote Filtering Server. See your load balancing appliance or software documentation for configuration information.