Configuring Websense and URL Filtering in AOS

Version 2

    Configuring Websense and URL Filtering in AOS Common Application Guide 

     


     

    Overview

    The ability to filter web content based on a uniform resource locator (URL) has now been integrated into the ADTRAN Operating System (AOS) firewall. This enables a unit to integrate with the Websense® (www.websense.com) web content filtering software. This feature allows you to prevent users from accessing specified websites based on settings defined on a Websense server. Filtering can be applied to incoming or outgoing sessions on any IP interface. This feature includes:

    • Primary and Secondary Servers
      • The firewall can be configured with multiple Websense servers, but only uses one server at a time. If the first server (primary) ceases to respond, the firewall will start using the next server listed (secondary). The default port used is 15868 and the default timeout is 5 seconds.
    • Packet Buffering
      • The firewall can buffer up to 100 Hypertext Transfer Protocol (HTTP) responses and up to 500 outstanding requests at any given time. Both of these values can be decreased if necessary.
    • Exclusive Domains
      • A configurable list of domain names can be specified that do not require a lookup to the Websense server.
    • Allow Mode
      • If the firewall can no longer communicate with any Websense server, Allow mode determines how web traffic is handled. By default, Allow mode is disabled, so all web traffic is automatically blocked. When Allow mode is enabled, all websites remain accessible instead.

    Hardware/Software Requirements

    AOS Websense support is compatible with Websense Web Security Suite™ version 6.1.1 or higher. This feature was introduced with AOS revision 12.01.00.

    AOS Websense is available on AOS products as outlined in the AOS Product Feature Matrix.

     

    Only one HTTP URL filter may be used in a given configuration. HTTP over Secure Sockets Layer (HTTPS) and File Transfer Protocol (FTP) URL filtering are not currently supported.

     

    Configuration Steps

    The following example creates an HTTP filter called my_filter that is enabled on all inbound traffic to eth 0/1. The primary Websense server has an IP address of 192.168.100.10, uses the default port of 15868, and uses the default timeout of 5 seconds.  The secondary Websense server has an IP address of 192.168.100.11, uses port 15869, and has a timeout specified of 10 seconds. The website www.adtran.com is always allowed without requiring a lookup to the Websense server. In the event that the firewall cannot communicate with the Websense servers, all websites will be accessible (ip urlfilter allowmode).

    NOTE: To alter the configuration, you must be in the command line interface of the unit (console/telnet) and enter global configuration mode by issuing the 'configure terminal' command.

     

    Example Configuration

    Sample URL Filtering Configuration

    !
    ip firewall
    !
    ip urlfilter my_filter http
    ip urlfilter exclusive-domain permit www.adtran.com
    ip urlfilter server 192.168.100.10
    ip urlfilter server 192.168.100.11 port 15869 timeout 10
    ip urlfilter allowmode
    ip urlfilter max-request 500
    ip urlfilter max-response 100
    !
    !
    interface eth 0/1
      ip address 192.168.100.1 255.255.255.0
      ip urlfilter my_filter in
      no shutdown
    !

     

    NOTE: The command “ip urlfilter max-request 500” is applied by default.  This is used to specify the number of requests (1-500) that are sent to the Websense server at a time. 

     

    NOTE: The command “ip urlfilter max-response 100” is applied by default.  This is used to specify the number of responses (1-100) that are buffered from a webserver before a response is obtained from the Websense server.
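
    The settings above decide whether filtering fails open, has failover, and is actually bound to an interface. The following script is an added example (not part of the original guide or of AOS) that reviews a saved configuration for those points. The function name audit_urlfilter, the sample text, and the treatment of "!" as a section terminator are assumptions made for illustration.

```python
import re

# Constructed sample mirroring the guide's example configuration.
SAMPLE_CONFIG = """\
ip urlfilter my_filter http
ip urlfilter exclusive-domain permit www.adtran.com
ip urlfilter server 192.168.100.10
ip urlfilter server 192.168.100.11 port 15869 timeout 10
ip urlfilter allowmode
!
interface eth 0/1
  ip address 192.168.100.1 255.255.255.0
  ip urlfilter my_filter in
  no shutdown
!
"""

def audit_urlfilter(config):
    """Return review findings for the URL filter settings in a saved AOS config."""
    defined, applied, servers, excluded = set(), {}, [], []
    allowmode, iface = False, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line == "!":
            iface = None  # assumption: "!" closes the current section
        elif line.startswith("interface "):
            iface = line[len("interface "):]
        elif iface and (m := re.fullmatch(r"ip urlfilter (\S+) (\S+)", line)):
            applied[m.group(1)] = f"{iface} {m.group(2)}"  # filter name -> interface + direction
        elif m := re.fullmatch(r"ip urlfilter server (\S+)(?: port (\d+))?(?: timeout (\d+))?", line):
            # Defaults stated in the guide: port 15868, timeout 5 seconds
            servers.append((m.group(1), int(m.group(2) or 15868), int(m.group(3) or 5)))
        elif m := re.fullmatch(r"ip urlfilter exclusive-domain permit (\S+)", line):
            excluded.append(m.group(1))
        elif line == "ip urlfilter allowmode":
            allowmode = True
        elif m := re.fullmatch(r"ip urlfilter (\S+) http", line):
            defined.add(m.group(1))
    findings = []
    if allowmode:
        findings.append("fail-open: allowmode passes all web traffic if no Websense server responds")
    if len(servers) < 2:
        findings.append(f"{len(servers)} Websense server(s) configured: no failover")
    for name in sorted(defined - set(applied)):
        findings.append(f"filter {name} is defined but not applied to any interface")
    for name in sorted(set(applied) - defined):
        findings.append(f"{applied[name]} applies undefined filter {name}")
    if excluded:
        findings.append("bypasses Websense lookup: " + ", ".join(excluded))
    return findings
```

    Run against the guide's sample, the script reports the fail-open setting and the one domain that skips the Websense lookup.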

     
     

    Troubleshooting

    The debug ip urlfilter [verbose], show ip urlfilter, and show ip urlfilter [exclusive-domain | statistics] commands may be used for troubleshooting.

    The Blocked URL Message

    Websense provides default HTML files for blocked pages. However, you can customize the text of the default Websense messages to better fit your organization’s needs. Additionally, you can use alternate HTML files to completely replace the top frame of all blocked pages.  

    This is configured in Websense® Web Security Suite™, not AOS. See the Websense Enterprise Administrator’s Guide at http://www.websense.com/global/en/SupportAndKB/ProductDocumentation/




    show ip urlfilter command
    Displays the configured URL filter, server information, excluded domains, and other settings. The maximum outstanding requests shows the maximum number of packets that can be sent to the Websense server without receiving a response.


     

     
     

    show ip urlfilter statistics command

    Displays information such as the number of requests that are sent to the Websense server, the number of responses received from the Websense server, the number of pending requests in the system, the number of failed requests, and the number of blocked URLs.

     



    clear ip urlfilter statistics command

    Resets URL filtering statistics.

     

    show ip urlfilter exclusive-domain command

    Displays domains excluded from Websense URL filtering.


     
    debug ip urlfilter [verbose] command

    Displays events for URL filter.


     


    Installing Websense Web Security Suite

     

    Obtaining Websense Products

    1. Using your web browser, go to the Websense website at http://www.websense.com/global/en/Downloads.
    2. From the Downloads page, create an account or log into your existing account.
    3. On the Downloads page, select Websense Web Security Suite - Corporate Edition and Client Policy Manager.
    4. Select Continue.
    5. Then complete the rest of the form, as applicable to your company.
    6. Select Continue.
    7. Record or copy the Evaluation Key for the product, and keep it in a safe place. An enabled Websense evaluation key is required.
    8. Select the appropriate installer link and download the software.
    9. Repeat steps as necessary to download Websense Reporting Tools.

       

    Installing and configuring Websense products

    1. Double-click the executable file that you downloaded from the Websense website, and follow the installation procedure.
    2. When prompted, enter your Websense evaluation key.
    3. To configure the tools, follow the instructions in the Websense Enterprise Installation Guide. (Refer to http://www.websense.com/global/en/SupportAndKB/ProductDocumentation.)