See the Network Configuration topic in TRITON - Web Security Help for instructions on adding and editing IP address ranges for Network Agent, and configuring policies for specific IP address ranges.
Websense Web Filter or Web Security can be set up to filter both Citrix and non-Citrix users. This section provides instructions for configuring Websense Web Filter or Web Security (deployed either as stand-alone or integrated with another integration product) to work with the Citrix integration product.
Some configurations allow a single installation of Websense Web Filter or Web Security in the same network to filter both Citrix users and non-Citrix users. Citrix users may be working from remote locations, while non-Citrix users may be located in the office where Websense Web Filter or Web Security is installed.
The corporate network (non-Citrix users) can access the Internet through an integration product, such as Cisco
® PIX
®; Check Point
®; Microsoft
® Internet Security and Acceleration (ISA) Server or Forefront TMG; or Network Agent (in a stand-alone deployment of Websense Web Filter or Web Security, Network Agent serves in the place of an integration product). The integration product sends Internet requests to Websense Web Filter or Web Security for filtering.
Citrix clients access the network through a Citrix Presentation Server, MetaFrame Presentation Server, or XenApp. Depending on the number of Citrix users, the access may be through one server, or through a server farm consisting of multiple Citrix servers. For more information on deploying Websense Web Filter or Web Security with Citrix, see
Filtering Citrix server users.
In lower volume networks, each Integration Service communicates with the same Filtering Service. The non-Citrix users can be pointed to the same instance of Filtering Service as the Integration Service.
If Websense Web Filter or Web Security is deployed as stand-alone, using Network Agent for filtering, separate instances of Network Agent are needed for the Citrix and non-Citrix users. See
Stand-Alone Websense Web Filter or Web Security configuration for configuration information.
If Websense Web Filter or Web Security is used to filter both Citrix users and users accessing the Internet through another integration product, the non-Citrix integration must be installed and running before integrating with the Citrix product.
This component sends requests from Citrix clients to Filtering Service for filtering. Up to 10 Integration Services can be pointed to the same Filtering Service. If more than 10 Citrix servers are deployed, then additional Filtering Services can be used.
Before the Citrix environment can be integrated, Websense Web Filter or Web Security must have been installed integrated with the non-Citrix integration product. If an older version of Websense Web Filter or Web Security is already installed, upgrade it first.
The Websense Technical Library (www.websense.com/library) provides instructions for integrating Websense Web Filter or Web Security with supported integration products.
A request from a Citrix client is passed to the Citrix server. The Citrix Integration Service sends the request to Filtering Service for filtering. The request is either blocked or permitted by Websense Web Filter or Web Security. Simultaneously, the Citrix server sends the same request to the non-Citrix integration, which must be configured to allow the request to pass to the Internet without sending it to Websense Web Filter or Web Security for filtering.
Use a console or TELNET session to configure your Cisco PIX Firewall (security appliance). This configuration has been tested for Cisco PIX version 6.3 and later.
Here, the internal IP address and
subnet mask refer to the Citrix server, and the
external IP address and
subnet mask are for a secondary machine, other than the PIX firewall, that is used for Internet access. The external settings are generally set to zero:
To configure Check Point FireWall-1 to work properly with a Citrix integration, you must define a rule on FireWall-1 to allow requests from the Citrix server to pass to the Internet without sending those requests to Websense Web Filter or Web Security for filtering.
The Websense ISAPI plug-in must be set to ignore traffic from the Citrix servers. This configuration is done by adding the host name of each Citrix server to the
isa_ignore.txt file on the Microsoft ISA Server/Forefront TMG (ISA/TMG) machine.
Replace <host_name> with the name of the Citrix server machine.
If Websense Web Filter or Web Security is running in stand-alone mode, separate instances of Network Agent must be installed to filter Citrix and non-Citrix users. The Network Agent monitoring non-Citrix users must be set to ignore the Citrix servers. This configuration allows protocol filtering of both Citrix and non-Citrix requests.