Chaining Hybrid Web Filtering with Microsoft ISA Server or Forefront TMG

Topic 45021/ Updated: 19-April-2011

Applies To:

Websense Web Security Gateway Anywhere 7.6

A Microsoft® Internet Security and Acceleration (ISA) Server or Forefront™ Threat Management Gateway (TMG) server can be deployed as a downstream proxy with hybrid filtering as supplied with Websense Web Security Gateway Anywhere. You can configure proxy chaining in the following ways:

Basic chaining. The ISA server does not perform any authentication before forwarding requests to the hybrid proxy. The hybrid proxy can perform manual authentication only.

NTLM pass-through. The ISA server is aware of a requirement for NTLM identification but takes no part in the authentication, forwarding requests to the hybrid proxy which then performs NTLM identification.

X-Authenticated-User. The ISA server performs user authentication and forwards requests to the hybrid proxy using the X-Authenticated-User header.

In this guide, "ISA/TMG" refers to ISA Server and Forefront TMG collectively. When instructions or information differ for the two products, they are referred to specifically as "ISA Server" or "Forefront TMG".

Basic chaining

To set up your ISA/TMG server to chain with the upstream hybrid proxy, follow the instructions below.

1	Log on to the ISA/TMG server and open the Server Management console.

2.	Under Configuration, open the Networks option and select the Web Chaining tab. Under this tab a default rule is present. Leave this as it is.

3.	Click the Tasks tab, then click the Create New Web Chaining Rule link to start the wizard.

4.	Give the rule a meaningful name such as Websense Hybrid Proxy, and click Next.

5.	On the Web Chaining Rule Destination page, choose the destinations to which this rule applies (in most cases, it applies to external networks). Click Add and select the appropriate network.

6.	Click Next to specify how requests are to be handled. This is where you specify that requests be sent to an upstream server (i.e., the hybrid proxy).

Select Redirect requests to a specified upstream server and click Next.

7.	On the Primary Routing page, specify the address of the hybrid service: hybrid-web.global.blackspider.com

8.	Specify port 8081 for both Port and SSL. Click Next.

9.	On the Backup Action page, select the appropriate action for your organization. Your choice depends on whether you are willing to allow requests to be served directly, without using the hybrid proxy. Click Next.

10.	Review your settings and click Finish.

Configuring exceptions

If there are any hosts that you do not want to use the proxy service, you must configure an exception for them. Minimally, you should add those hosts that are in the PAC file that is downloaded from the hybrid service. You can identify these sites by examining the service-generated PAC file available at http://hybrid-web.global.blackspider.com:8082/proxy.pac.

1	To configure exceptions, click Firewall Policy, then select Network Objects from the Toolbox.

2.	Right-click Domain Name Sets and click New Domain Name Set.

3.	Give the new set a name (e.g., Hybrid Service Unfiltered).

In the Domain names included in this set section, add all hybrid filtering global exceptions (from the PAC file). These include the following Microsoft Windows update sites:

download.microsoft.com
ntservicepack.microsoft.com
cdm.microsoft.com
wustat.windows.com
windowsupdate.microsoft.com
*.windowsupdate.microsoft.com
update.microsoft.com
*.update.microsoft.com
*.windowsupdate.com

Include any other exceptions appropriate for your environment.

4.	Click OK and Apply changes.

5.	Navigate back to the Web chaining rule you created above, open the policy and click the To tab.

6.	In the Exceptions section, click Add.

7.	Expand Domain Name Sets, select the domain set you just created (Hybrid Service Unfiltered), and click Add.

8.	Click Close on Add Network Entities.

9.	Click OK on the Web chaining policy and Apply the changes.

Configuring NTLM pass through

To chain your ISA/TMG server with the hybrid proxy and perform NTLM identification:

1.	Follow the steps in Basic chaining.

2.	Open TRITON - Web Security.

3.

Use the Settings > Hybrid Configuration > Shared User Data page to configure Websense Directory Agent to collect user and group information from Directory Server and send it to the hybrid service. For more information, see Send user and group data to the hybrid service in the TRITON - Web Security Help.

4.	Use the Settings > Hybrid Configuration > User Access page to enable NTLM identification for users filtered through the hybrid proxy. For more information, see Configure user access to hybrid filtering in the TRITON - Web Security Help.

Configuring X-Authenticated-User chaining

You can pass authentication details from your ISA/TMG server to the hybrid proxy via a plug-in from Websense, Inc. This plug-in allows the hybrid proxy to read the X-Forwarded-For and X-Authenticated-User headers sent by the downstream ISA/TMG server as part of a proxy chained configuration.

X-Forwarded-For	Contains the client IP address
X-Authenticated-User	When ISA authentication is turned on, this header will be populated with the user domain and username (domain\user).

With this setup, end users can be authenticated transparently by the hybrid proxy, removing an authentication step and improving performance.

Two versions of the plug-in are available:

Websense-AuthForward32.dll for 32-bit ISA/TMG servers

Websense-AuthForward64.dll for 64-bit ISA/TMG servers.

Zip files for both versions are available for download:

1.	Log on to your MyWebsense account.

2.	Select the Downloads tab.

3.	Select Websense Web Security Gateway from the Product drop-down list.

4.	In the list that appears, expand ISA 32-bit plugin for WCG or ISA 64-bit plugin for WCG to see the download details. Click the download link to start the download.

Install the plug-in as follows:

1.

Copy the appropriate Websense-AuthForward.dll file (for 32-bit or 64-bit) to the Microsoft ISA/TMG installation directory. The default directory for this file is C:\Program Files\Microsoft ISA Server for ISA server, or C:\Program Files\Microsoft Forefront Threat Management Gateway for ForefrontTMG..

For the 32-bit version, install the following files in the installation directory in addition to Websense-AuthForward32.dll:

Microsoft.VC90.CRT.manifest
msvcm90.dll
msvcp90.dll
msvcr90.dll

2.	Open a Windows command prompt and change directory to the installation directory.

3.	From the command prompt, type

regsvr32 Websense-AuthForward32.dll

(to register the 32-bit plug-in)

 

regsvr32 Websense-AuthForward64.dll

(to register the 64-bit plug-in)

4.

Verify the plug-in was registered in the ISA/TMG management user interface (Start > Programs > Microsoft ISA Server > ISA Server Management, or Start > Programs > Microsoft Forefront TMG > Microsoft Forefront TMG Management). In the Configuration (for 32-bit) or System (for 64-bit) section, select Add-ins, then click the Web-filter tab. The WsAuthForward plug-in should be listed.

To uninstall the plug-in, run the following command in a Windows command prompt from the ISA/TMG installation directory.

regsvr32 /u Websense-AuthForward32.dll

(to unregister the 32-bit plug-in)

 

regsvr32 /u Websense-AuthForward64.dll

(to unregister the 64-bit plug-in)