Integrating Data Security with Existing Infrastructure > Working with Web proxies
If you want Websense Data Security to work with a Web proxy to monitor HTTP, HTTPS, and FTP traffic, we recommend that you use the Websense Content Gateway Web proxy. Websense Content Gateway includes a Data Security policy engine on box and streamlines communication with the TRITON Management Server. If you have Websense Web Security Gateway or Web Security Gateway Anywhere, the Content Gateway proxy is included in the solution.

The third-party proxies covered in this section (Blue Coat ProxySG and Squid) integrate with Websense Data Security over ICAP, an industry-standard protocol designed for off-loading specialized tasks from proxies. The integration solution described in this section is the recommended one. Other configurations can be implemented, but should be tested prior to deployment.
The solution scans files of up to 10 MB. Larger files are not analyzed; the system can generate an error when a file exceeds that size, so check how your proxy handles an ICAP error before relying on the integration for large uploads.
This deployment recommendation describes a forward proxy: a Blue Coat SG appliance connected to a Websense protector using ICAP. The Blue Coat SG appliance serves as a proxy for all HTTP, HTTPS, and FTP transactions. It is configured with rules that route data to the Websense ICAP server. The Websense protector receives all traffic directed to it from the Blue Coat appliance for scanning.

In the described deployment caching is not in effect (Blue Coat SG does not cache PUTs and POSTs). However, you should exercise care if a response mode (ICAP RESPMOD) configuration is used.

In blocking mode, the Blue Coat SG appliance requires Websense Data Security to authorize each transaction before allowing the transaction to be posted or uploaded to its intended destination. This is the recommended mode of operation for the solution, as it provides the most security.

In monitoring mode, the transactions that are redirected by the Blue Coat SG appliance are analyzed by Websense Data Security, which can then generate audits of confidential information usage as well as notifications for administrators and information owners. However, in monitoring mode the Websense ICAP server universally responds to all redirected transactions with Allow, so nothing is ever blocked.

The Websense - Blue Coat ICAP integration component resides on the protector, and acts as a relay between the Blue Coat SG appliances and the TRITON Management Server, as shown below.

Refer to Data Security for instructions on installing Websense Data Security. Refer to the relevant Blue Coat documentation for more information on installing the Blue Coat appliance. After connecting the systems, follow the instructions below to configure network parameters and other properties, starting with the basic configuration of the Blue Coat Proxy SG.
You will need several pieces of information to configure the Proxy SG:

Items 1-5 enable you to set up the initial configuration of the Proxy SG by following the steps to configure the Proxy SG with a direct serial port connection in your Blue Coat installation guide. Once you have completed those steps, you can configure the second interface on the Proxy SG for use with the Websense ICAP server.

First, log on to the Proxy SG management console following the instructions in the Blue Coat installation guide. Then configure Adapter #1 with the IP address and netmask of the ICAP interface using the steps in the Adapters section of your Blue Coat configuration guide. (Adapter #0 is configured during the serial port configuration.)

To enable ILP scanning of documents posted over HTTPS, the Proxy SG must be configured as an HTTPS forward proxy; otherwise the encrypted payload passes through without being sent to the ICAP server. To configure the HTTPS forward proxy, follow the steps in these sections of your Blue Coat configuration guide:

You can find this guide in the Documentation section of your Blue Coat account (https://bto.bluecoat.com).
1. Open TRITON - Data Security, and go to Settings > System Modules.

This section describes how to configure the Proxy SG to communicate with the Websense ICAP server on the protector. The procedure assumes the Proxy SG is operating minimally with its initial configuration, and that you are logged on to the Blue Coat Management Console. If you have multiple protectors with ICAP servers, you must create a unique Proxy SG service for each one.
1. Select Configuration > External Services > ICAP.
2. Create a new ICAP service:
   a. Click New.
   b. In the Add ICAP Service field, enter an alphanumeric name.
   c. Click OK.
3. In the Services list, select the new ICAP service name and click Edit. The following screen appears:
4. Configure the service with the following settings:

Service URL: The address of the ICAP server on the protector. This includes the URL scheme, the ICAP server host name or IP address, and the ICAP port number. For example, icap://10.1.1.1:87. Use the port on which the protector's ICAP server actually listens; the standard ICAP port, used in the Squid example later in this section, is 1344.

Maximum number of connections: The maximum number of connections at any time between the Proxy SG and the ICAP server. This can be any number between 1 and 65535. The default is 5.

Connection timeout: The number of seconds the Proxy SG waits for replies from the ICAP server. This can be any number between 60 and 65535. The default timeout is 70 seconds.

Notify administrator: Check the Virus detected box to send an email to the administrator when the scan detects a match. The notification is also sent to the Event Log and the Event Log email list.

Method supported: Optionally, check one or more of these options to specify which HTTP methods are sent to the ICAP server.

Sense settings: Optionally, click this to automatically configure the ICAP service using the parameters advertised by the ICAP server.
5. Click OK.
6. Click Apply.

This section describes how to configure the Proxy SG policy to redirect traffic across the ICAP service. For full details of managing Data Security policies, refer to "Creating Custom Policies" in TRITON - Data Security Help. The procedure in this section assumes the Proxy SG is operating with its initial configuration and ICAP configuration, and that you are logged on to the Blue Coat Management Console.
1. Select Configuration > Policy > Visual Policy Manager.
2. Click Launch.
3. In the Visual Policy Manager, select Add a policy.
6.
7.
8. Click New > Set ICAP Request Service.
10.
11. Click OK twice.
12. Click Install policy.

To configure an HTTPS policy, follow the steps in these sections of your Blue Coat configuration guide:

You can find this guide in the Documentation section of your Blue Coat account (https://bto.bluecoat.com).

The table below lists filters that should be applied to the Blue Coat policy layer before the data is sent to the protector's ICAP server.
Squid provides protocol support for HTTP, HTTPS, and FTP. It integrates with Websense Data Security over ICAP, which is supported in Squid 3.0 and later.

This deployment recommendation describes a forward proxy: a Squid Web proxy server connected to a Websense protector using ICAP. Squid serves as a proxy for all HTTP, HTTPS, and FTP transactions. It is configured with rules that route data to the Websense ICAP server.

Refer to Data Security for instructions on installing Websense Data Security, and refer to the relevant Squid documentation for more information on installing the Squid Web proxy. After connecting the systems, follow instructions to configure network parameters and other properties.

Set up your Squid proxy to send requests to the ICAP server that is part of the Websense protector. Add the following to squid.conf, replacing <protector_IP> with the IP address of the protector's ICAP interface. The ICAP client in Squid is off by default, so icap_enable must be turned on as well.

For Squid 3.1 and later:

    # turn on the ICAP client
    icap_enable on
    # send every request to the protector's REQMOD service before it leaves the proxy
    icap_service service_req reqmod_precache 1 icap://<protector_IP>:1344/reqmod
    adaptation_access service_req allow all

For Squid 3.0 (older icap_class / icap_access syntax):

    icap_enable on
    icap_service service_req reqmod_precache 1 icap://<protector_IP>:1344/reqmod
    icap_class class_req service_req
    icap_access class_req allow all

The third argument of icap_service (1) is the bypass flag: when the protector's ICAP server is unreachable or returns an error, Squid ignores the failure and forwards the request unscanned (fail open). Set it to 0 if you would rather have the request fail when the ICAP server is unavailable (fail closed); in that case Squid returns an error page to the client instead.

For full ICAP configuration details for Squid, see http://wiki.squid-cache.org/Features/ICAP?highlight=%28faqlisted.yes%29.
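As an added example (not part of the original guide, and not Websense, Blue Coat or Squid code), the following Python shows the ICAP REQMOD exchange that both the Blue Coat and the Squid integrations above rely on: how the proxy encapsulates an HTTP upload in a REQMOD request (RFC 3507), and how it reads the protector's answer as allow (204 No Content), block (200 OK carrying a replacement HTTP response instead of a modified request) or error. The protector address icap://10.1.1.1:1344/reqmod, the sample upload and all header values are assumed; the X-Response-Info and X-Response-Desc header names are taken from the ICAP response table later in this section, but the values given to them here are made up.

```python
"""Minimal ICAP/1.0 REQMOD client helpers (RFC 3507), written for illustration.

Assumed for the example: the protector at icap://10.1.1.1:1344/reqmod, the
sample upload, and the values of X-Response-Info / X-Response-Desc.
"""

ICAP_VERSION = b"ICAP/1.0"


def chunk(body: bytes) -> bytes:
    """ICAP bodies are always sent with HTTP chunked transfer encoding."""
    return b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)


def build_reqmod(icap_url: str, http_head: bytes, body: bytes = b"") -> bytes:
    """Wrap an HTTP request (head + optional body) in an ICAP REQMOD request.

    The Encapsulated header gives the byte offset of each section: the HTTP
    request head at 0, then either a chunked req-body or a null-body marker.
    """
    host = icap_url.split("://", 1)[1].split("/", 1)[0]
    if body:
        encapsulated = b"req-hdr=0, req-body=%d" % len(http_head)
    else:
        encapsulated = b"req-hdr=0, null-body=%d" % len(http_head)
    icap_head = b"\r\n".join([
        b"REQMOD " + icap_url.encode() + b" " + ICAP_VERSION,
        b"Host: " + host.encode(),
        b"Allow: 204",  # we accept a bare 204 as "continue unmodified"
        b"Encapsulated: " + encapsulated,
        b"",
        b"",
    ])
    return icap_head + http_head + (chunk(body) if body else b"")


def parse_icap_response(raw: bytes) -> dict:
    """Split an ICAP response into status, headers and the resulting decision."""
    head, _, encapsulated = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.split(b"\r\n")
    status = int(status_line.split(b" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().decode().lower()] = value.strip().decode()

    result = {"status": status, "headers": headers}
    if status == 204:
        result["decision"] = "allow"  # proxy forwards the request unchanged
    elif status == 200 and "res-hdr" in headers.get("encapsulated", ""):
        # The server answered a REQMOD with an HTTP *response*: the proxy hands
        # that response to the client and never forwards the upload (a block).
        result["decision"] = "block"
        result["http_status"] = int(encapsulated.split(b"\r\n", 1)[0].split(b" ")[1])
    elif status == 200:
        result["decision"] = "modified"  # server returned a rewritten request
    else:
        result["decision"] = "error"  # e.g. 4xx/5xx from the ICAP server
    return result


# --- constructed sample traffic (not captured from a real deployment) -------

UPLOAD_BODY = b"account=4111111111111111"  # test card number, constructed
UPLOAD_HEAD = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: files.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: %d\r\n\r\n" % len(UPLOAD_BODY)
)

# Answer of a monitoring-mode server, or of a blocking-mode server that found nothing.
ALLOW_RESPONSE = (
    b"ICAP/1.0 204 No Content\r\n"
    b'ISTag: "dlp-policy-1"\r\n'
    b"Encapsulated: null-body=0\r\n\r\n"
)

# Answer of a blocking-mode server when the upload matches a policy.
_BLOCK_PAGE = b"Transaction blocked by data security policy"
_BLOCK_HTTP_HEAD = (
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: %d\r\n\r\n" % len(_BLOCK_PAGE)
)
BLOCK_RESPONSE = (
    b"ICAP/1.0 200 OK\r\n"
    b'ISTag: "dlp-policy-1"\r\n'
    b"X-Response-Info: Blocked\r\n"  # header names from the integration table;
    b"X-Response-Desc: Credit card number\r\n"  # values are assumed
    b"Encapsulated: res-hdr=0, res-body=%d\r\n\r\n" % len(_BLOCK_HTTP_HEAD)
    + _BLOCK_HTTP_HEAD
    + chunk(_BLOCK_PAGE)
)


def demo() -> dict:
    """Build the REQMOD request for the sample upload and evaluate both answers."""
    request = build_reqmod("icap://10.1.1.1:1344/reqmod", UPLOAD_HEAD, UPLOAD_BODY)
    return {
        "request": request,
        "allow": parse_icap_response(ALLOW_RESPONSE),
        "block": parse_icap_response(BLOCK_RESPONSE),
    }


if __name__ == "__main__":
    out = demo()
    print(out["request"].decode(errors="replace"))
    for name in ("allow", "block"):
        r = out[name]
        print(name, "->", r["status"], r["decision"], r["headers"].get("x-response-desc", ""))
```

Running the file prints the REQMOD request as it would go to the protector, followed by the two decisions. A monitoring-mode protector answers every transaction the way ALLOW_RESPONSE does; a blocking-mode protector answers a match with a 200 that carries its own HTTP response, which the proxy returns to the client in place of the upload. What happens when neither answer arrives (timeout, connection refused, oversized file) is decided on the proxy side, for Squid by the bypass flag of icap_service and for the Proxy SG by its ICAP failure handling.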
1. Open TRITON - Data Security, and go to Settings > System Modules.
ICAP response table (only fragments of the table survive here). Column header visible: Response Condition. Entries visible: Websense Block Decision, Control, Exceeds Size Limit. ICAP response headers referenced: "X-Response-Info" and "X-Response-Desc". Block message templates referenced: /usr/local/spicer/etc/blockmessageexample.plain and /usr/local/spicer/etc/block-messageexample.markup.