Websense Web Security Gateway Anywhere v7.6: Hybrid Web Tips : Chaining Hybrid Web Filtering with Microsoft ISA Server or Forefront TMG
Chaining Hybrid Web Filtering with Microsoft ISA Server or Forefront TMG
A Microsoft® Internet Security and Acceleration (ISA) Server or Forefront™ Threat Management Gateway (TMG) server can be deployed as a downstream proxy with hybrid filtering as supplied with Websense Web Security Gateway Anywhere. You can configure proxy chaining in the following ways:
- Basic chaining. The ISA server does not perform any authentication before forwarding requests to the hybrid proxy. The hybrid proxy can perform manual authentication only.
- NTLM pass-through. The ISA server is aware of a requirement for NTLM identification but takes no part in the authentication, forwarding requests to the hybrid proxy which then performs NTLM identification.
- X-Authenticated-User. The ISA server performs user authentication and forwards requests to the hybrid proxy using the X-Authenticated-User header.

In this guide, "ISA/TMG" refers to ISA Server and Forefront TMG collectively. When instructions or information differ for the two products, they are referred to specifically as "ISA Server" or "Forefront TMG".

To set up your ISA/TMG server to chain with the upstream hybrid proxy, follow the instructions below.
1. Log on to the ISA/TMG server and open the Server Management console.
2. Under Configuration, open the Networks option and select the Web Chaining tab. Under this tab a default rule is present. Leave this as it is.
3.
5. On the Web Chaining Rule Destination page, choose the destinations to which this rule applies (in most cases, it applies to external networks). Click Add and select the appropriate network.
6. Click Next to specify how requests are to be handled. This is where you specify that requests be sent to an upstream server (i.e., the hybrid proxy).
7. On the Primary Routing page, specify the address of the hybrid service:
hybrid-web.global.blackspider.com
9. On the Backup Action page, select the appropriate action for your organization. Your choice depends on whether you are willing to allow requests to be served directly, without using the hybrid proxy. Click Next.
10. Review your settings and click Finish.

If there are any hosts that you do not want to use the proxy service, you must configure an exception for them. Minimally, you should add those hosts that are in the PAC file that is downloaded from the hybrid service. You can identify these sites by examining the service-generated PAC file available at http://hybrid-web.global.blackspider.com:8082/proxy.pac.
1
2. In the Domain names included in this set section, add all hybrid filtering global exceptions (from the PAC file). These include the following Microsoft Windows update sites:
download.microsoft.com
ntservicepack.microsoft.com
cdm.microsoft.com
wustat.windows.com
windowsupdate.microsoft.com
*.windowsupdate.microsoft.com
update.microsoft.com
*.update.microsoft.com
*.windowsupdate.com
4.
5.
6.
7. Expand Domain Name Sets, select the domain set you just created (Hybrid Service Unfiltered), and click Add.
8.
9.
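One way to confirm that the Domain Name Set covers every host the PAC file names, as an added example (not Websense or Microsoft code). It assumes the PAC file has been saved locally and expresses its exceptions through the standard PAC host tests `shExpMatch`, `dnsDomainIs` or `localHostOrDomainIs`, and that a `*.` entry covers subdomains only; the sample PAC text and the function names are constructed for illustration.

```python
import re

# Domain Name Set entries listed on this page (Windows update sites).
DOMAIN_SET = [
    "download.microsoft.com", "ntservicepack.microsoft.com", "cdm.microsoft.com",
    "wustat.windows.com", "windowsupdate.microsoft.com",
    "*.windowsupdate.microsoft.com", "update.microsoft.com",
    "*.update.microsoft.com", "*.windowsupdate.com",
]

# Constructed sample; the service-generated PAC file may be laid out differently.
SAMPLE_PAC = r'''
function FindProxyForURL(url, host) {
    if (isPlainHostName(host)) return "DIRECT";
    if (shExpMatch(host, "*.windowsupdate.com")) return "DIRECT";
    if (dnsDomainIs(host, "download.microsoft.com")) return "DIRECT";
    if (shExpMatch(host, "*.Update.Microsoft.com")) return "DIRECT";
    if (dnsDomainIs(host, "intranet.example.test")) return "DIRECT";
    return "PROXY upstream.example.test:8080";
}
'''

# Assumption: exceptions appear as string arguments to the standard PAC host tests.
HOST_TEST = re.compile(
    r'''\b(?:shExpMatch|dnsDomainIs|localHostOrDomainIs)\s*\(\s*host\s*,\s*(["'])(.+?)\1\s*\)''')

def pac_host_patterns(pac_text):
    """Host patterns named in PAC host tests, lower-cased, de-duplicated, in file order."""
    return list(dict.fromkeys(m.group(2).lower() for m in HOST_TEST.finditer(pac_text)))

def covered(pattern, domain_set):
    """True if a Domain Name Set entry equals the pattern or is a wildcard above it."""
    pattern = pattern.lower()
    for entry in (e.lower() for e in domain_set):
        if entry == pattern:
            return True
        # Assumption: "*.a.com" covers subdomains of a.com but not a.com itself.
        if entry.startswith("*.") and pattern.endswith(entry[1:]):
            return True
    return False

def missing_exceptions(pac_text, domain_set):
    """PAC host patterns that no Domain Name Set entry covers."""
    return [p for p in pac_host_patterns(pac_text) if not covered(p, domain_set)]

if __name__ == "__main__":
    for pattern in missing_exceptions(SAMPLE_PAC, DOMAIN_SET):
        print("not in Domain Name Set:", pattern)
```

Any pattern it reports is a host the PAC file names that the web chaining exception would not match.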
2. Open TRITON - Web Security.
3. Use the Settings > Hybrid Configuration > Shared User Data page to configure Websense Directory Agent to collect user and group information from Directory Server and send it to the hybrid service. For more information, see Send user and group data to the hybrid service in the TRITON - Web Security Help.
4. Use the Settings > Hybrid Configuration > User Access page to enable NTLM identification for users filtered through the hybrid proxy. For more information, see Configure user access to hybrid filtering in the TRITON - Web Security Help.

You can pass authentication details from your ISA/TMG server to the hybrid proxy via a plug-in from Websense, Inc. This plug-in allows the hybrid proxy to read the X-Forwarded-For and X-Authenticated-User headers sent by the downstream ISA/TMG server as part of a proxy chained configuration.

When ISA authentication is turned on, the X-Authenticated-User header is populated with the user domain and username (domain\user).

With this setup, end users can be authenticated transparently by the hybrid proxy, removing an authentication step and improving performance.
- Websense-AuthForward32.dll for 32-bit ISA/TMG servers
- Websense-AuthForward64.dll for 64-bit ISA/TMG servers
2.
3.
4. In the list that appears, expand ISA 32-bit plugin for WCG or ISA 64-bit plugin for WCG to see the download details. Click the download link to start the download.
1. Copy the appropriate Websense-AuthForward.dll file (for 32-bit or 64-bit) to the Microsoft ISA/TMG installation directory. The default directory for this file is C:\Program Files\Microsoft ISA Server for ISA Server, or C:\Program Files\Microsoft Forefront Threat Management Gateway for Forefront TMG.

For the 32-bit version, install the following files in the installation directory in addition to Websense-AuthForward32.dll:
4. Verify the plug-in was registered in the ISA/TMG management user interface (Start > Programs > Microsoft ISA Server > ISA Server Management, or Start > Programs > Microsoft Forefront TMG > Microsoft Forefront TMG Management). In the Configuration (for 32-bit) or System (for 64-bit) section, select Add-ins, then click the Web-filter tab. The WsAuthForward plug-in should be listed.

To uninstall the plug-in, run the following command in a Windows command prompt from the ISA/TMG installation directory.