The url-server command takes the following parameters:
In v6.3.1 and earlier, <if_name> defaults to inside if not specified.

The amount of time, in seconds, that the security appliance waits for a response before switching to the next Filtering Service that you defined as a url-server, or, if specified, going into allow mode and permitting all requests.
If a timeout interval is not specified, this parameter defaults to 30 seconds in v7.0(1) and later, and 5 seconds in earlier versions of the Cisco PIX or ASA software.

protocol {TCP | UDP} version {1 | 4}
Defines whether the Cisco security appliance should use TCP or UDP protocol to communicate with Filtering Service, and which version of the protocol to use.
TCP is the recommended and default setting. The recommended protocol version is 4. The default is 1. (Note: To send authenticated user information to Filtering Service, TCP version 4 must be selected.)

Limits the maximum number of TCP connections permitted between the Cisco security appliance and Filtering Service.
Range: 1 - 100; Default: 5.
The url-server command communicates the location of Filtering Service to the Cisco security appliance. More than one url-server command can be entered. Multiple commands allow redirection to another Filtering Service after the specified timeout period, if the first server becomes unavailable.
Using zeroes for the last two entries, <foreign_ip> and <foreign_mask>, allows access from the specified local IP address to all Web sites, as filtered by Websense software.
You can enter multiple filter url commands to set up different portions of the network for filtering. Set up the smaller groups first, followed by the larger groups, to ensure that all groups are filtered properly. Use a general filter url command for all computers to be filtered, and then use TRITON - Web Security to apply filtering policies to individual clients (computers, networks, users, groups, and domains [OUs]).
Filters all HTTPS requests to all destinations. Filtering is applied to traffic on port 443.

filter https 443 10.5.0.69 255.255.255.255 132.239.29.189 255.255.255.255
Using zeroes for the last two entries, <foreign_ip> and <foreign_mask>, allows access from the specified local IP address to all Web sites, as filtered by Websense software.
You can enter multiple filter https commands to set up different portions of the network for filtering. Set up the smaller groups first, followed by the larger groups, to ensure that all groups are filtered properly. Use a general filter https command for all computers to be filtered, and then use TRITON - Web Security to apply filtering policies to individual clients (computers, networks, users, groups, and domains [OUs]).
Using zeroes for the last two entries, <foreign_ip> and <foreign_mask>, allows access via Websense software from the specified local IP address to all Web sites.
You can enter multiple filter ftp commands to set up different portions of the network for filtering. Set up the smaller groups first, followed by the larger groups, to ensure that all groups are filtered properly. Use a general filter ftp command for all computers to be filtered, and then use TRITON - Web Security to apply filtering policies to individual clients (computers, networks, users, groups, and domains [OUs]).
Here, <memory_pool_size> is the size of the buffer in KB. You can enter a value from 2 to 10240. The recommended value is 1500.
Here, <long_url_size> is the maximum URL size in KB. You can enter a value from 2 to 4. The recommended value is 4.
The HTTP response buffer in the security appliance must be large enough to store Web server responses while waiting for a filtering decision from the Filtering Service.
Here, <block_buffer_limit> is the number of 1550-byte blocks to be buffered. You can enter a value from 1 to 128.
Websense software is ready to filter Internet requests after the Websense Master Database is downloaded and the software is activated within the Cisco security appliance. See the Websense Installation Guide and the TRITON - Web Security Help for information about configuring Websense software and downloading the Master Database.
The parameters used by the filter http, filter https, and filter ftp commands include the following. Note that some of the parameters listed do not apply to all three commands.
Defines which port number, or range of port numbers, the security appliance watches for HTTP requests. If you do not specify a port number, port 80 is used by default.
The option to set a custom Web port or port range is only available in v5.3 and higher of Cisco software.
In Cisco software versions 5.3 to 6.3, it is not mandatory to enter http before the port number; you can either enter http (to use port 80), or you can enter a port number.

Defines the port number the security appliance watches for https or ftp requests.

You can set this address to 0.0.0.0 (or in shortened form, 0) to specify all internal clients. This address is the source for all connections to be filtered.

Network mask of the local_ip address (the IP address requesting access).
You can use 0.0.0.0 (or in shortened form, 0) to specify all hosts within the local network.

Network mask of the foreign_ip address (the IP address to which access is requested).
Always specify a mask value. You can use 0.0.0.0 (or in shortened form, 0) to specify all hosts within the external network.

Lets outbound connections pass through the security appliance without filtering when Filtering Service is unavailable.
If you omit this option, and Filtering Service becomes unavailable, the security appliance stops all outbound HTTP, HTTPS, or FTP traffic until Filtering Service is available again.

Sends CGI scripts to Filtering Service as regular URLs. When a URL has a parameter list starting with a question mark (?), such as a CGI script, the URL is truncated. All characters after, and including the question mark, are removed before sending the URL to Filtering Service.

Prevents users from connecting to the FTP server through an interactive FTP client.
An interactive FTP client allows users to change directories without entering the complete directory path, so Filtering Service cannot tell if the user is requesting something that should be blocked.

Enter longurl-truncate to send only the host name or IP address to Filtering Service.

Enter longurl-deny to deny the request without sending it to Filtering Service.
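As an added example (not part of the original Websense or Cisco documentation), this Python script audits a saved appliance configuration for the behaviours described above: filter rules that pass traffic unfiltered when Filtering Service is down, url-server lines that do not use TCP version 4, a single url-server with nothing to fail over to, FTP rules that leave interactive clients unblocked, and smaller groups listed after larger ones. The keywords allow and interact-block come from Cisco's filter command syntax (the option names are missing from the parameter table on this page); the sample configuration and the 10.5.0.20 server address are constructed.

```python
import ipaddress

# Constructed sample; only the filter https line is taken from the page.
SAMPLE_CONFIG = """\
url-server (inside) vendor websense host 10.5.0.20 timeout 30 protocol TCP version 1
filter url http 0 0 0 0 allow
filter https 443 10.5.0.69 255.255.255.255 132.239.29.189 255.255.255.255
filter ftp 21 0 0 0 0
filter ftp 21 10.5.0.0 255.255.255.0 0 0 interact-block
"""

def _opt(tok, key, default):
    """Value that follows keyword `key`, or the documented default."""
    return tok[tok.index(key) + 1] if key in tok[:-1] else default

def _net(ip, mask):
    """Network for an ip/mask pair; a bare 0 is shorthand for 0.0.0.0."""
    ip, mask = ("0.0.0.0" if v == "0" else v for v in (ip, mask))
    bits = bin(int(ipaddress.IPv4Address(mask))).count("1")
    return ipaddress.ip_network(f"{ip}/{bits}", strict=False)

def audit(config):
    """Return sorted (line_no, finding) pairs; line 0 means the whole config."""
    out, servers, seen = [], 0, {}
    for no, line in enumerate(config.splitlines(), 1):
        tok = line.split()
        if tok[:1] == ["url-server"]:
            servers += 1
            proto = (_opt(tok, "protocol", "TCP").upper(), _opt(tok, "version", "1"))
            if proto != ("TCP", "4"):
                out.append((no, "not TCP version 4: user information is not sent"))
        elif tok[:1] == ["filter"] and len(tok) >= 7 and tok[1] in ("url", "https", "ftp"):
            kind, opts, local = tok[1], tok[7:], _net(tok[3], tok[4])
            if "allow" in opts:
                out.append((no, "allow: unfiltered when Filtering Service is down"))
            if kind == "ftp" and "interact-block" not in opts:
                out.append((no, "no interact-block: interactive FTP clients not blocked"))
            for prev_no, prev in seen.setdefault(kind, []):
                if prev != local and local.subnet_of(prev):
                    out.append((no, f"smaller group listed after line {prev_no}"))
            seen[kind].append((no, local))
    if servers == 1:
        out.append((0, "single url-server: no Filtering Service to fail over to"))
    return sorted(out)

if __name__ == "__main__":
    for no, msg in audit(SAMPLE_CONFIG):
        print(f"line {no}: {msg}")
```

Whether a rule should carry allow is a policy decision between availability and enforcement; the audit only makes the choice visible per rule.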