Chaining Hybrid Web Filtering with BlueCoat ProxySG

Topic 45022/ Updated: 19-April-2011

Applies To:

Websense Web Security Gateway Anywhere 7.6

Blue Coat ProxySG can be deployed as a downstream proxy with hybrid filtering as supplied with Websense Web Security Gateway Anywhere. You can configure proxy chaining in the following ways:

Basic chaining. The Blue Coat server does not perform any authentication before forwarding requests to the hybrid proxy. The hybrid proxy can perform manual authentication only.

NTLM pass-through. The Blue Coat server takes no part in authentication, forwarding requests to the hybrid proxy which then performs NTLM identification.

X-Authenticated-User. The Blue Coat server performs user authentication and forwards requests to the hybrid proxy using the X-Authenticated-User header.

Basic chaining

In this case, Blue Coat ProxySG forwards requests to the hybrid proxy but performs no authentication. End users can be authenticated using manual authentication only: prompting users for a user name and password the first time they access the Internet through a browser.

Use the Blue Coat Management Console to forward requests to the hybrid proxy as follows:

1.	In the Blue Coat Management Console Configuration tab, select Forwarding > Forwarding Hosts.

2.	Select Install from Text Editor from the drop-down, and then click Install.

3.	Update the Forwarding Hosts configuration file to point an alias name to hybrid-web.global.blackspider.com, port 8081. For example, if you choose the alias name 'Websense_Proxy', enter the following at the end of the 'Forwarding host configuration' section:

fwd_host Websense_Proxy hybrid-web.global.blackspider.com http=8081

4.	Add the following to the end of the 'Default fail-over sequence' section:

sequence alias name

 

replacing alias name with the alias name that you chose in step 2.

5.	When you have finished editing, click Install.

6.	In the Blue Coat Management Console Configuration tab, click Policy and select Visual Policy Manager. Click Launch.

7.	In the Policy menu, select Add Forwarding Layer and enter an appropriate policy name in the Add New Layer dialog box.

8.	Select the Forwarding Layer tab that is created. The Source, Destination, and Service column entries should be Any (the default).

9.	Right-click the area in the Action column, and select Set.

10.	Select the alias name that you created (for example, Websense_Proxy) from the list, and click OK.

11.	Right-click the alias name in the Action column and select Edit.

12.	Choose whether you want the forwarding to connect directly or refuse the browser request if your Blue Coat proxy cannot contact the hybrid proxy.

13.

Click OK.

14.	Click Install Policy in the Blue Coat Visual Policy Manager.

NTLM chaining

To chain Blue Coat ProxySG with the hybrid proxy and perform NTLM identification:

1.	Follow the steps in Basic chaining.

2.	Open TRITON - Web Security.

3.

Use the Settings > Hybrid Configuration > Shared User Data page to configure Websense Directory Agent to collect user and group information from Directory Server and send it to the hybrid service. For more information, see the topic Send user and group data to the hybrid service in the TRITON - Web Security Help.

4.	Use the Settings > Hybrid Configuration > User Access page to enable NTLM identification for users filtered through the hybrid proxy. For more information, see the topic Configure user access to hybrid filtering in the TRITON - Web Security Help.

X-Authenticated-User chaining

You can pass authentication details from your Blue Coat proxy to send X-Forwarded-For and X-Authenticated-User headers to the hybrid proxy either by manually editing a policy text file, or defining the policy in Blue Coat Visual Policy Manager.

X-Forwarded-For	Contains the client IP address
X-Authenticated-User	When Blue Coat authentication is turned on, this header will be populated with the user domain and username (domain\user).

With this setup, end users can be authenticated transparently by the hybrid proxy, removing an authentication step and improving performance.

Note that for Blue Coat to service HTTPS requests properly with the following setup, you must have a Blue Coat SSL license and hardware card.

Editing the local policy file

In the Blue Coat Management Console Configuration tab, click Policy in the left column and select Policy Files. Enter the following code in the current policy text file, using an Install Policy option:

<Proxy>

action.Add[header name for authenticated user](yes)

 

define action dd[header name for authenticated user]

set(request.x_header.X-Authenticated-User, "WinNT://$(user.domain)/$(user.name)")

end action Add[header name for authenticated user]

 

action.Add[header name for client IP](yes)

 

define action dd[header name for client IP]

set(request.x_header.X-Forwarded-For,$(x-client-address))

end action Add[header name for client IP]

Using the Blue Coat graphical Visual Policy Manager

Before you configure the Blue Coat header policy, ensure that NTLM authentication is specified in the Blue Coat Visual Policy Manager (Authentication > Windows SSO). Set Websense Hosted Web Security as the forwarding host (in the Blue Coat Management Console Configuration tab, Forwarding > Forwarding Hosts). The address of the hybrid proxy is
hybrid-web.global.blackspider.com, port 8081.

In the Blue Coat Management Console Configuration tab, click Policy and select Visual Policy Manager. Click Launch and configure the header policy as follows:

1.	In the Policy menu, select Add Web Access Layer and enter an appropriate policy name in the Add New Layer dialog box.

2.	Select the Web Access Layer tab that is created.

3.	The Source, Destination, Service, and Time column entries should be Any (the default).

4.	Right-click the area in the Action column, and select Set.

5.	Click New in the Set Action Object dialog box and select Control Request Header from the menu.

6.	In the Add Control Request Header Object dialog box, enter a name for the client IP Action object in the Name entry field.

7.	Enter X-Forwarded-For in the Header Name entry field.

8.	Select the Set value radio button and enter the following value:

$(x-client-address)

9.

Click OK.

10.	Click New and select Control Request Header again.

11.	In the Add Control Request Header Object dialog box, enter a name for the authenticated user information Action object in the Name entry field.

12.	Enter X-Authenticated-User in the Header Name entry field.

13.	Select the Set value radio button and enter the following value:

WinNT://$(user.domain)/$(user.name)

14.

Click OK.

15.	Click New and select Combined Action Object from the menu.

16.	In the Add Combined Action Object dialog box, enter a name for a proxy chain header in the Name entry field.

17.	In the left pane, select the previously created control request headers and click Add.

18.	Select the combined action item in the Set Action Object dialog box and click OK.

19.	Click Install Policy in the Blue Coat Visual Policy Manager.