Websense Web Security Gateway Anywhere v7.6: Hybrid Web Tips : Chaining Hybrid Web Filtering with BlueCoat ProxySG
Chaining Hybrid Web Filtering with BlueCoat ProxySG
Blue Coat ProxySG can be deployed as a downstream proxy with hybrid filtering as supplied with Websense Web Security Gateway Anywhere. You can configure proxy chaining in the following ways:
Basic chaining. The Blue Coat server does not perform any authentication before forwarding requests to the hybrid proxy. The hybrid proxy can perform manual authentication only.
NTLM pass-through. The Blue Coat server takes no part in authentication, forwarding requests to the hybrid proxy which then performs NTLM identification.
X-Authenticated-User. The Blue Coat server performs user authentication and forwards requests to the hybrid proxy using the X-Authenticated-User header.
With basic chaining, Blue Coat ProxySG forwards requests to the hybrid proxy but performs no authentication. End users can be authenticated using manual authentication only: prompting users for a user name and password the first time they access the Internet through a browser.
1.
2.
3. Update the Forwarding Hosts configuration file to point an alias name to hybrid-web.global.blackspider.com, port 8081. For example, if you choose the alias name 'Websense_Proxy', enter the following at the end of the 'Forwarding host configuration' section:

    sequence alias name

replacing alias name with the alias name that you chose in step 2.
5.
6. In the Blue Coat Management Console Configuration tab, click Policy and select Visual Policy Manager. Click Launch.
7. In the Policy menu, select Add Forwarding Layer and enter an appropriate policy name in the Add New Layer dialog box.
8. Select the Forwarding Layer tab that is created. The Source, Destination, and Service column entries should be Any (the default).
10. Select the alias name that you created (for example, Websense_Proxy) from the list, and click OK.
12. Choose whether you want the forwarding to connect directly or refuse the browser request if your Blue Coat proxy cannot contact the hybrid proxy.
13. Click OK.
14. Click Install Policy in the Blue Coat Visual Policy Manager.
2. Open TRITON - Web Security.
3. Use the Settings > Hybrid Configuration > Shared User Data page to configure Websense Directory Agent to collect user and group information from Directory Server and send it to the hybrid service. For more information, see the topic Send user and group data to the hybrid service in the TRITON - Web Security Help.
4. Use the Settings > Hybrid Configuration > User Access page to enable NTLM identification for users filtered through the hybrid proxy. For more information, see the topic Configure user access to hybrid filtering in the TRITON - Web Security Help.
You can pass authentication details from your Blue Coat proxy to send X-Forwarded-For and X-Authenticated-User headers to the hybrid proxy either by manually editing a policy text file, or defining the policy in Blue Coat Visual Policy Manager.
When Blue Coat authentication is turned on, this header will be populated with the user domain and username (domain\user).
With this setup, end users can be authenticated transparently by the hybrid proxy, removing an authentication step and improving performance.
Note that for Blue Coat to service HTTPS requests properly with the following setup, you must have a Blue Coat SSL license and hardware card.
In the Blue Coat Management Console Configuration tab, click Policy in the left column and select Policy Files. Enter the following code in the current policy text file, using an Install Policy option:

    action.Add[header name for authenticated user](yes)
    define action Add[header name for authenticated user]
    set(request.x_header.X-Authenticated-User, "WinNT://$(user.domain)/$(user.name)")
    end action Add[header name for authenticated user]
    action.Add[header name for client IP](yes)
    define action Add[header name for client IP]
    end action Add[header name for client IP]

Before you configure the Blue Coat header policy, ensure that NTLM authentication is specified in the Blue Coat Visual Policy Manager (Authentication > Windows SSO). Set Websense Hosted Web Security as the forwarding host (in the Blue Coat Management Console Configuration tab, Forwarding > Forwarding Hosts). The address of the hybrid proxy is hybrid-web.global.blackspider.com, port 8081.
In the Blue Coat Management Console Configuration tab, click Policy and select Visual Policy Manager. Click Launch and configure the header policy as follows:
1. In the Policy menu, select Add Web Access Layer and enter an appropriate policy name in the Add New Layer dialog box.
2. Select the Web Access Layer tab that is created.
3. The Source, Destination, Service, and Time column entries should be Any (the default).
5.
6. In the Add Control Request Header Object dialog box, enter a name for the client IP Action object in the Name entry field.
7. Enter X-Forwarded-For in the Header Name entry field.
8. Select the Set value radio button and enter the following value:
9. Click OK.
10.
11. In the Add Control Request Header Object dialog box, enter a name for the authenticated user information Action object in the Name entry field.
12. Enter X-Authenticated-User in the Header Name entry field.
13. Select the Set value radio button and enter the following value:
14. Click OK.
15.
16. In the Add Combined Action Object dialog box, enter a name for a proxy chain header in the Name entry field.
19. Click Install Policy in the Blue Coat Visual Policy Manager.
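The X-Authenticated-User and X-Forwarded-For handling configured above, modelled in Python as an added example (not Websense or Blue Coat code): the chaining proxy forwards only the values it sets itself from the authenticated session, and a checker confirms that a chained request carries exactly one well-formed copy of each header. The function names, the sample request and the character rules for domain and user names are assumptions made for illustration.

```python
import ipaddress
import re

# Headers the downstream proxy must own; a copy already on the request is not forwarded.
CHAIN_HEADERS = ("x-authenticated-user", "x-forwarded-for")
# Value layout taken from the policy text; the allowed characters are an assumption.
AUTH_USER_RE = re.compile(r"^WinNT://([A-Za-z0-9.-]+)/([^/\\\s]+)$")


def chain_headers(client_headers, domain, user, client_ip):
    """Return the header list to forward upstream for an authenticated session."""
    value = f"WinNT://{domain}/{user}"
    if not AUTH_USER_RE.match(value):
        raise ValueError("domain or user contains characters outside the assumed rules")
    ipaddress.ip_address(client_ip)  # raises ValueError on a malformed address
    kept = [(k, v) for k, v in client_headers if k.lower() not in CHAIN_HEADERS]
    return kept + [("X-Forwarded-For", client_ip), ("X-Authenticated-User", value)]


def check_chained_request(headers):
    """Check a chained request: exactly one well-formed copy of each header.

    Returns ("DOMAIN\\user", client_ip) or raises ValueError.
    """
    found = {name: [v for k, v in headers if k.lower() == name] for name in CHAIN_HEADERS}
    for name, values in found.items():
        if len(values) != 1:
            raise ValueError(f"{name}: expected 1 value, got {len(values)}")
    m = AUTH_USER_RE.match(found["x-authenticated-user"][0])
    if not m:
        raise ValueError("X-Authenticated-User is not WinNT://domain/user")
    ip = ipaddress.ip_address(found["x-forwarded-for"][0])
    return f"{m.group(1)}\\{m.group(2)}", str(ip)


# Constructed sample: a request that arrives already carrying an identity header.
SAMPLE_REQUEST = [
    ("Host", "www.example.com"),
    ("X-Authenticated-User", "WinNT://CORP/other"),
    ("User-Agent", "constructed-sample"),
]

if __name__ == "__main__":
    out = chain_headers(SAMPLE_REQUEST, "CORP", "jsmith", "10.1.2.3")
    print(check_chained_request(out))
```

Running the checker against headers captured on the upstream side of the Blue Coat proxy is a quick way to confirm the installed policy emits the WinNT://domain/user form.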