Technical Library | Support

Go to the table of contents Go to the previous page Go to the next page
Integrating Data Security with Existing Infrastructure > Working with Web proxies
Working with Web proxies
Deployment and Installation Center | Data Security Solutions | Version 7.7.x
Applies to:                                         
In this topic:                                       
*
Data Security, v7.7.x
*
Blue Coat Web proxy
*
Squid open source Web proxy
*
ICAP server error and response codes
If you want Websense Data Security to work with a Web proxy to monitor HTTP, HTTPS, and FTP traffic, we recommend that you use the Websense Content Gateway Web proxy. Websense Content Gateway includes a Data Security policy engine on box and streamlines communication with the TRITON Management Server.
If you have Websense Web Security Gateway or Web Security Gateway Anywhere, the Content Gateway proxy is included in the solution.
Websense Data Security also supports the following Web proxies:
*
Blue Coat
*
Squid open source
These proxies integrate with Websense Data Security over ICAP, an industry-standard protocol designed for off-loading specialized tasks from proxies.
Blue Coat Web proxy
Blue Coat provides protocol support for HTTP, HTTPS, and FTP.
The integration solution described in this section is the recommended one. Other configurations can be implemented, but should be tested prior to deployment.
Limitations
*
The solution does not support FTP GET method for request modification.
*
The solution does not support HTTP GET method for request modification.
*
The solution is limited to scan files of 10MB. The system is capable of generating an error if a file exceeds that size.
*
In the described deployment caching is not in effect (Blue Coat SG does not cache PUTs and POSTs). However, you should exercise care if a response mode configuration is used.
Deployment
This deployment recommendation describes a forward proxy: a Blue Coat SG appliance connected to a Websense protector using ICAP. The Blue Coat SG appliance serves as a proxy for all HTTP, HTTPS, and FTP transactions. It is configured with rules that route data to the Websense ICAP server.
The Websense protector receives all traffic directed to it from the Blue Coat appliance for scanning,
The following diagram outlines the recommended deployment:
The deployment solution can be used in 2 modes:
*
Monitoring mode
*
Enforcement mode
You can change the mode as required.
Enforcement mode
In this mode, the Blue Coat SG appliance requires Websense Data Security to authorize each transaction before allowing the transactions to be posted or uploaded to their intended destination. This is the recommended mode of operation for the solution as it provides the most security.
Monitoring mode
In this mode, the transactions that are redirected by the Blue Coat SG appliance are analyzed by Websense Data Security, which can then generate audits for confidential information usage as well as generate notifications for administrators and information owners. However, in monitoring mode, the Websense ICAP server universally responds to all redirected transactions with Allow.
Network integration
The solution consists of 3 components:
*
Websense protector
*
Websense TRITON Management Server
*
Blue Coat SG appliance
The Websense - Blue Coat ICAP integration component resides on the protector, and acts as a relay between the Blue Coat SG appliances and the TRITON Management Server as shown below:
Configuring the Blue Coat integration
System setup
Refer to Installing Data Security Solutions for instructions on installing Websense Data Security. Refer to relevant Blue Coat documentation for more information on installing the Blue Coat appliance.
After connecting the systems, follow instructions to configure network parameters and other properties.
Configuring Blue Coat
The Blue Coat Proxy SG can be configured with its basic information. You will need several pieces of information to configure the Proxy SG:
1.
IP address and netmask of the main interface
2.
Default gateway IP address
3.
DNS server IP address
4.
Console user name and password
5.
Enable password
6.
IP address and netmask of the ICAP interface
Items 1-5 enable you to set up the initial configuration of the Proxy SG by following the steps configure the Proxy SG with a direct serial port connection in your Blue Coat installation guide.
Once you have completed those steps, you can configure the second interface on the Proxy SG for use with the Websense ICAP server.
First, log on to the Proxy SG management console following the instructions in the Blue Coat installation guide. Then configure Adapter #1 with the IP address and netmask of the ICAP interface using the steps in the Adapters section of your Blue Coat configuration guide. (Adapter #0 is configured during the serial port configuration)
HTTPS forward proxy configuration
To enable ILP scanning of HTTPS posted documents, the Proxy SG must be configured for HTTPS forward proxy.
To configure the HTTPS forward proxy, follow the steps in these sections of your Blue Coat configuration guide:
1.
Setting up the SSL proxy in transparent proxy mode
2.
Creating an issuer keyring for SSL interception
3.
Downloading an issuer certificate
You can find this guide in the Documentation section of your Blue Coat account (https://bto.bluecoat.com).
Configuring the protector for ICAP
You configure the ICAP support on the protector in TRITON - Data Security.
1.
Open TRITON - Data Security, and go to Settings > System Modules.
2.
Under the protector you want to configure, select the ICAP server.
For more information, see the section "Configuring ICAP" in TRITON - Data Security Help.
Configuring the ICAP service on Blue Coat
This section describes how to configure the Proxy SG to communicate with the Websense ICAP server on the protector.
This procedure assumes the Proxy SG is operating minimally with initial configurations, and you are logged on to the Blue Coat Management Console. If you have multiple protectors with ICAP servers, you must create a unique Proxy SG service for each one.
To configure the Proxy SG ICAP service:
1.
Select Configuration > External Services > ICAP.
2.
To add a new service:
a.
Click New.
The Add list item window appears.
b.
In the Add ICAP Service field, enter an alphanumeric name.
c.
Click OK.
3.
In the Services list, select the new ICAP service name and click Edit. The following screen appears:
4.
On the Edit ICAP Service window, configure the following options.
Field
Description
Service URL
This includes the URL schema, the ICAP server host name or IP address, and the ICAP port number. For example, icap://10.1.1.1/reqmod/http or icap://10.1.1.1/reqmod/ftp.
You can distinguish between encapsulated protocols using different service URLs.
Maximum number of connections
The maximum number of connections at any time between the Proxy SG and the ICAP server. This can be any number between 1 and 65535. The default is 5.
Connection timeout
The number of seconds the Proxy SG waits for replies from the ICAP server. This can be any number between 60 and 65535. The default timeout is 70 seconds.
Notify administrator
Check the Virus detected box to send an email to the administrator if the virus scan detects a match. The notification is also sent to the Event Log and the Event Log email list.
Method supported
Select request modification for this service. Also select Client address and/or Authenticated user.
Send
Optionally, check one or more of these options to specify what is sent to the ICAP server.
Sense settings
Optionally, click this to automatically configure the ICAP service using the ICAP server parameters.
5.
Click OK.
6.
Click Apply.
Policy setup
This section describes how to configure the Proxy SG policy to redirect traffic across the ICAP service.
For full details of managing Data Security policies, refer to "Creating Custom Policies" in TRITON - Data Security Help.
The procedure in this section assumes the Proxy SG is operating with initial configurations and ICAP configuration, and you are logged on to the Blue Coat Management Console.
To configure the Proxy SG ICAP policies:
1.
Select Configuration > Policy >Visual Policy Manager.
2.
Click Launch.
3.
In the Visual Policy Manager, select Add a policy.
4.
Add a content layer.
a.
Click the Web Content Layer tab.
b.
Click Add Rule.
5.
Enter a policy name, and click OK.
6.
Right click the Action option and select Set from the menu.
7.
Under Show, select Set ICAP Request Service Objects.
8.
Click New > Set ICAP Request Service.
9.
Enter a name for the ICAP request service.
10.
Select Use ICAP request service, choose a service from the drop-down list, and click Add.
11.
Click OK twice.
12.
Click Install policy.
Configuring HTTPS policies
To configure an HTTPS policy, follow the steps in these sections of your Blue Coat configuration guide:
1.
Using the SSL intercept layer
2.
Using the SSL access layer
You can find this guide in the Documentation section of your Blue Coat account (https://bto.bluecoat.com).
Recommended Blue Coat filtering rules
The table below lists filters that should be applied to the Blue Coat policy layer before the data is sent to the protector's ICAP server.
Protocol
Filter
Condition
HTTP
GET
Allow always
HTTP
POST < 10MB
ICAP REQMOD
HTTP
POST > 10MB
Block/Allow always
HTTP
PUT < 10MB
ICAP REQMOD
HTTP
PUT > 10MB
Block/Allow always
HTTPS
GET
Allow always
HTTPS
POST < 10MB
ICAP REQMOD
HTTPS
POST > 10MB
Block/Allow always
HTTPS
PUT < 10MB
ICAP REQMOD
HTTPS
PUT > 10MB
Block/Allow always
FTP
PUT < 10MB
ICAP REQMOD
FTP
PUT > 10MB
Block/Allow always
Squid open source Web proxy
Squid provides protocol support for HTTP, HTTPS, and FTP. It integrates with Websense Data Security over ICAP, which is supported in Squid-3.0 and later.
Deployment
This deployment recommendation describes a forward proxy: a Squid Web proxy server connected to a Websense protector using ICAP. Squid serves as a proxy for all HTTP, HTTPS, and FTP transactions. It is configured with rules that route data to the Websense ICAP server.
The Websense protector receives all traffic directed to it from the Squid server for scanning,
The following diagram outlines the recommended deployment:
The deployment solution can be used in 2 modes:
*
Monitoring mode
*
Enforcement mode
You can change the mode as required.
System setup
Refer to Installing Data Security Solutions for instructions on installing Websense Data Security, and refer to the relevant Squid documentation for more information on installing the Squid Web proxy.
After connecting the systems, follow instructions to configure network parameters and other properties.
Configuring Squid for ICAP
Set up your Squid proxy to send requests to the ICAP server that is part of the Websense protector.
This example is for Squid-3.1:
icap_service service_req reqmod_precache 1
icap://<protector_IP>:1344/reqmod
adaptation_access service_req allow all
This example is for Squid-3.0:
icap_service service_req reqmod_precache 1
icap://<protector_IP>:1344/reqmod
icap_class class_req service_req
icap_access class_req allow all
For full ICAP configuration details for Squid, see http://wiki.squid-cache.org/Features/ICAP?highlight=%28faqlisted.yes%29.
Configuring the protector for ICAP
You configure the ICAP support on the protector in TRITON - Data Security.
1.
Open TRITON - Data Security, and go to Settings > System Modules.
2.
Under the protector you want to configure, select the ICAP server.
For more information, see the section "Configuring ICAP" in TRITON - Data Security Help.
ICAP server error and response codes
Response Condition
Websense Block Decision
Control Exceeds Size Limit
Error Condition
Condition
"pana_response"
"huge_content"
"pana_error"
Error Code
500
500
512
="X-Response-Info"
PA-block
 
PA-error
 
="X-Response-Desc"
Websense blocked
 
 
 
Plain URL
/usr/local/spicer/etc/blockmessageexample.plain
 
 
Markup URL
/usr/local/spicer/etc/block-messageexample.markup
 
 

Go to the table of contents Go to the previous page Go to the next page
Integrating Data Security with Existing Infrastructure > Working with Web proxies
Copyright 2016 Forcepoint LLC. All rights reserved.