Websense Web Security Gateway Anywhere v7.6: Hybrid Web Tips : Chaining Hybrid Web Filtering with Microsoft ISA Server or Forefront TMG

Chaining Hybrid Web Filtering with Microsoft ISA Server or Forefront TMG
A Microsoft® Internet Security and Acceleration (ISA) Server or Forefront™ Threat Management Gateway (TMG) server can be deployed as a downstream proxy with hybrid filtering as supplied with Websense Web Security Gateway Anywhere. You can configure proxy chaining in the following ways:
* Basic chaining. The ISA server does not perform any authentication before forwarding requests to the hybrid proxy. The hybrid proxy can perform manual authentication only.
* NTLM pass-through. The ISA server is aware of a requirement for NTLM identification but takes no part in the authentication, forwarding requests to the hybrid proxy, which then performs NTLM identification.
* X-Authenticated-User. The ISA server performs user authentication and forwards requests to the hybrid proxy using the X-Authenticated-User header.
In this guide, "ISA/TMG" refers to ISA Server and Forefront TMG collectively. When instructions or information differ for the two products, they are referred to specifically as "ISA Server" or "Forefront TMG".
1.
2. Under Configuration, open the Networks option and select the Web Chaining tab. A default rule is present under this tab; leave it as it is.
3. Click the Tasks tab, then click the Create New Web Chaining Rule link to start the wizard.
5. On the Web Chaining Rule Destination page, choose the destinations to which this rule applies (in most cases, it applies to external networks). Click Add and select the appropriate network.
6. Click Next to specify how requests are to be handled. This is where you specify that requests be sent to an upstream server (i.e., the hybrid proxy).
Select Redirect requests to a specified upstream server and click Next.
7. On the Primary Routing page, specify the address of the hybrid service:
hybrid-web.global.blackspider.com
9. On the Backup Action page, select the appropriate action for your organization. Your choice depends on whether you are willing to allow requests to be served directly, without using the hybrid proxy. Click Next.
If there are any hosts that you do not want to use the proxy service, you must configure an exception for them. Minimally, you should add those hosts that are in the PAC file that is downloaded from the hybrid service. You can identify these sites by examining the service-generated PAC file available at http://hybrid-web.global.blackspider.com:8082/proxy.pac.
1. To configure exceptions, click Firewall Policy, then select Network Objects from the Toolbox.
2. Right-click Domain Name Sets and click New Domain Name Set.
In the Domain names included in this set section, add all hybrid filtering global exceptions (from the PAC file). These include the following Microsoft Windows update sites:
download.microsoft.com
ntservicepack.microsoft.com
cdm.microsoft.com
wustat.windows.com
windowsupdate.microsoft.com
*.windowsupdate.microsoft.com
update.microsoft.com
*.update.microsoft.com
*.windowsupdate.com
4. Click OK and Apply changes.
6. In the Exceptions section, click Add.
7. Expand Domain Name Sets, select the domain set you just created (Hybrid Service Unfiltered), and click Add.
8. Click Close on Add Network Entities.
9. Click OK on the Web chaining policy and Apply the changes.
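The exception list above has to stay in step with the hosts that the service-generated PAC file sends DIRECT. The following Python helper is an added example (not part of this guide or the Websense product) that pulls those host patterns out of PAC text and expresses them as Domain Name Set entries, with a simplified matcher for checking whether a given host would bypass the chained proxy. The PAC text is constructed for illustration, and the proxy port in it is a placeholder.

```python
import re

# Constructed sample PAC text (not the real service file), shaped like a typical
# FindProxyForURL: hosts tested in the first if-block bypass the proxy (DIRECT).
# The proxy port below is a placeholder, not the hybrid service's real port.
SAMPLE_PAC = '''
function FindProxyForURL(url, host) {
    if (isPlainHostName(host) ||
        shExpMatch(host, "*.windowsupdate.microsoft.com") ||
        shExpMatch(host, "download.microsoft.com") ||
        dnsDomainIs(host, ".update.microsoft.com") ||
        dnsDomainIs(host, "wustat.windows.com") ||
        shExpMatch(host, "*.windowsupdate.com"))
        return "DIRECT";
    return "PROXY hybrid-web.global.blackspider.com:8080";
}
'''

# The condition guarding each DIRECT return, and the host tests inside it.
_DIRECT_BLOCK = re.compile(r'if\s*\((.*?)\)\s*return\s*"DIRECT"', re.DOTALL)
_HOST_TEST = re.compile(r'(shExpMatch|dnsDomainIs)\s*\(\s*host\s*,\s*"([^"]+)"\s*\)')


def pac_direct_entries(pac_text):
    """Return the host patterns the PAC sends DIRECT, as Domain Name Set entries."""
    entries = []
    for block in _DIRECT_BLOCK.findall(pac_text):
        for func, pattern in _HOST_TEST.findall(block):
            # dnsDomainIs(host, ".example.com") is a suffix test: write it as *.example.com
            if func == "dnsDomainIs" and pattern.startswith("."):
                pattern = "*" + pattern
            if pattern not in entries:
                entries.append(pattern)
    return entries


def is_exception(host, entries):
    """Simplified model of Domain Name Set matching: a '*.suffix' entry covers
    subdomains of suffix; any other entry must equal the host exactly."""
    host = host.lower().rstrip(".")
    for entry in entries:
        if entry.startswith("*."):
            if host.endswith(entry[1:].lower()):
                return True
        elif host == entry.lower():
            return True
    return False


if __name__ == "__main__":
    for entry in pac_direct_entries(SAMPLE_PAC):
        print(entry)
```

Run it against the real proxy.pac downloaded from the hybrid service to get the list to paste into the Domain names included in this set section.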
2. Open TRITON - Web Security.
3. Use the Settings > Hybrid Configuration > Shared User Data page to configure Websense Directory Agent to collect user and group information from Directory Server and send it to the hybrid service. For more information, see Send user and group data to the hybrid service in the TRITON - Web Security Help.
4. Use the Settings > Hybrid Configuration > User Access page to enable NTLM identification for users filtered through the hybrid proxy. For more information, see Configure user access to hybrid filtering in the TRITON - Web Security Help.
You can pass authentication details from your ISA/TMG server to the hybrid proxy via a plug-in from Websense, Inc. This plug-in allows the hybrid proxy to read the X-Forwarded-For and X-Authenticated-User headers sent by the downstream ISA/TMG server as part of a proxy chained configuration.
When ISA authentication is turned on, this header will be populated with the user domain and username (domain\user).
With this setup, end users can be authenticated transparently by the hybrid proxy, removing an authentication step and improving performance.
* Websense-AuthForward32.dll for 32-bit ISA/TMG servers
* Websense-AuthForward64.dll for 64-bit ISA/TMG servers
2. Select the Downloads tab.
4. In the list that appears, expand ISA 32-bit plugin for WCG or ISA 64-bit plugin for WCG to see the download details. Click the download link to start the download.
1. Copy the appropriate Websense-AuthForward.dll file (for 32-bit or 64-bit) to the Microsoft ISA/TMG installation directory. The default directory is C:\Program Files\Microsoft ISA Server for ISA Server, or C:\Program Files\Microsoft Forefront Threat Management Gateway for Forefront TMG.
Microsoft.VC90.CRT.manifest
msvcm90.dll
msvcp90.dll
msvcr90.dll
4. Verify the plug-in was registered in the ISA/TMG management user interface (Start > Programs > Microsoft ISA Server > ISA Server Management, or Start > Programs > Microsoft Forefront TMG > Microsoft Forefront TMG Management). In the Configuration (for 32-bit) or System (for 64-bit) section, select Add-ins, then click the Web-filter tab. The WsAuthForward plug-in should be listed.