Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Websense Web Security Gateway Anywhere v7.5: Hybrid Web Tips : Setting up hybrid filtering for branch offices

Websense Web Security Gateway Anywhere offers a flexible, comprehensive Web security solution that lets you combine on-premises and hybrid (in-the-cloud) filtering as needed to manage Internet activity for your organization.
You decide which method to use for which users. For example, use our robust on-premises Web filtering for your corporate office or main campus, and filter regional offices or satellite locations through our hybrid service. Hybrid filtering is also useful for users who are off-network, such as telecommuters and those who travel for business.
Before you can configure the hybrid service to start filtering locations, you must activate your hybrid account. This creates a connection between the on-premises and hybrid portions of Websense Web Security Gateway Anywhere.
Use the Hybrid Filtering section of the Settings > General > Account page to provide a contact email address and country for your Websense filtering administrators.
The email address is typically a group alias monitored by the group responsible for managing your Websense software. It is very important email sent to this account be received and acted upon promptly.
Select Settings > Hybrid Configuration > Filtered Locations to review, add, or edit information about the locations filtered by the hybrid portion of your Websense software.
A filtered location is the IP address, IP address range, or subnet from which browsers connecting to the hybrid service appear to be originating. Because the hybrid service is hosted outside your network, these must be external addresses, visible from the Internet. Filtered locations are:
Each location that you define appears in a table that combines a name and description with technical configuration details, including the time zone used for policy enforcement, the type of location (single IP address, IP address range, or subnet), and the actual external IP address or addresses from which requests originate.
To edit an existing entry, click the location Name, and then see Editing filtered locations in Websense Manager Help.
To define a new location, click Add, and then see Adding filtered locations in Websense Manager Help.
If you have added or edited a location entry, click OK to cache your changes. Changes are not implemented until you click Save All.
Select Settings > Hybrid Configuration > Unfiltered Destinations to review, add, or edit information about target sites to which you want to grant users unfiltered access. Users can access these sites directly, without sending the request to the hybrid service. Typical unfiltered destinations include organizational Web mail sites, internal IP addresses, and Microsoft update sites.
Tip 
As a best practice, add your organization's Web mail address as an unfiltered destination.
Destinations listed here are added to the Proxy Auto-Configuration (PAC) file that defines how filtered users' browsers connect to the hybrid service. By default, the PAC file excludes all non-routable and multicast IP address ranges from filtering. Therefore, if you are using private IP address ranges defined in RFC 1918 or RFC 3330, you need not enter them here.
Each unfiltered destination that you define appears in a table that combines a name and description with technical configuration details, including how the destination is defined (as an IP address, domain, or subnet), and the actual IP address, domain, or subnet that users can access directly.
To edit an existing entry, click the location Name, and then see Editing unfiltered destinations in Websense Manager Help.
To define a new location, click Add, and then see Adding unfiltered destinations in Websense Manager Help.
If you have added or edited an unfiltered destination entry, click OK to cache your changes. Changes are not implemented until you click Save All.
1.
Select Settings > Hybrid Configuration > User Access.
2.
Select the Common Options tab.
Use the Availability section to specify whether all Internet requests should be permitted or blocked when the hybrid service is unable to access policy information for your organization.
Under Time Zone, use the drop-down list to select a default time zone to use when applying policies to:
Users connecting to the hybrid service from an IP address that is not part of an existing filtered location. The default time zone is used, for example, by roaming users, or for other users that self-register with the hybrid service.
Use the User Identification section to configure how users are identified by the hybrid service, and to test and configure users' connections to the service.
1.
Indicate how the hybrid service should identify users requesting Internet access (see Identifying hybrid filtering users in Manager Help for more information):
*
Mark Use NTLM to identify users when possible to use directory information gathered by Websense Directory Agent to identify users transparently, if possible. This is used only for users connecting from a filtered location.
*
Mark Prompt users not identified via NTLM for logon information to have users who could not be identified via another means see a logon prompt when accessing the Internet.
Basic authentication is used to identify users who receive a logon prompt. Advise end users not to use the same password for hybrid filtering that they use to log on to the network.
When both options are selected, the hybrid service first attempts to use NTLM to identify the user, and then, if identification fails, provides a logon prompt.
2.
Specify whether or not a Welcome page is displayed when users who have not been identified via NTLM open a browser to connect to the Internet. The Welcome page:
*
Is used mainly by those who connect to the hybrid service from outside a filtered location (while working from home or traveling, for example)
If you choose to display the Welcome page, indicate whether or not the page should be sent via HTTPS when users request a secure site.
3.
When you are finished, click OK to cache your changes. Changes are not implemented until you click Save All.
Once you have set up hybrid filtering and configured user browsers to access the PAC file, you can use the links provided under Verify End User Configuration to make sure that end user machines have Internet access and are correctly configured to connect to the hybrid service.
If your hybrid filtering account has not been verified (which may mean that no email address has been entered on the Settings > General > Account page), the URLs are not displayed.
If your organization uses a supported, LDAP-based directory service?Windows Active Directory (Native Mode) or Novell eDirectory?you can collect user and group data and send it to the hybrid service.
When hybrid filtering is configured properly, the information from the Directory Agent can be used to apply user- and group-based filtering.
If your organization uses Windows NT Directory, Windows Active Directory (Mixed Mode), or Sun Java System directory, user and group data cannot be collected and sent to the hybrid service.
The process is similar to setting up user service for group-based policies. For more information see Send user and group data to the hybrid service in Websense Manager Help.



Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Websense Web Security Gateway Anywhere v7.5: Hybrid Web Tips : Setting up hybrid filtering for branch offices