12 Replies Latest reply on May 1, 2012 6:24 AM by noor

    URL Filtering

    kbillings New Member

      Does anyone know how to configure URL filtering for an external WebSense cloud-based server?

        • Re: URL Filtering
          Employee

          @kbillings - Websense in AOS products is only compatible with Websense Web Security Suite version 6.1.1 or higher. I do not believe any other Websense product will work with this feature within AOS.

          More details regarding this feature can be found in the document below:

          https://supportforums.adtran.com/docs/DOC-1584

          Please let us know if you have any further questions.

          Thanks,

          Noor

            • Re: URL Filtering
              kbillings New Member

              Does it matter if the WebSense server is external to our local LAN?

                • Re: URL Filtering
                  Employee

                  @kbillings - It should not matter if the server is outside the local LAN as long as the AOS device has connectivity to and from the websense server.

                  Please let us know if you have any further questions.

                  Thanks,

                  Noor

                    • Re: URL Filtering
                      kbillings New Member

                      Do we need to configure any FW ACL? Can you provide an example config with URL filtering to an external server?

                        • Re: URL Filtering
                          Employee

                          @kbillings - From my understanding of it, as long as the response from the Websense server comes back on the same port the Adtran sent the request on, then if you are seeing the request go out, you should not have to configure an inbound ACL rule to let the response back in. On an Adtran device, the requests are sent out TCP port 15868 by default. I don't believe there should be any additional configuration needed as long as the Adtran has internet access to the Websense server.

                          Are you seeing the request go out? You can monitor this by viewing the policy-sessions when you attempt to access the webpage. The command "show ip policy-session self" should show a session created that is destined for the Websense server on port 15868.

                          We can check to see if there are sessions being created by the Websense server from the outside by allowing traffic from it inbound. First, you would need to create an ACL that matches traffic coming from the Websense server, then apply this rule to the access-policy/security zone applied to your WAN interface. The configuration for this rule would look like this:

                          ip access-list ext WebSenseIn
                              permit ip <Websense Server IP> any

                          ip policy-class <WAN Policy-class Name>
                              allow list WebSenseIn

                          Once this is configured, you can attempt to reach a webpage again and issue the "show ip policy-session" command. This time, you will be looking for traffic that is coming from the Websense server. This rule should also open up all communication to and from the Adtran to the Websense server. If it is still not functioning, you will need to verify if the request is reaching the Websense server or not. If it starts to function, then the "show ip policy-session" output will tell us which ports you will need to open from the outside for the Websense server to communicate with the Adtran.

                          I would be more than happy to review your configuration. If you attach it to this thread, please be sure to remove any information that may be sensitive to your company and network.

                          Thanks,

                          Noor
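The reply above rests on a stateful distinction: the device's own request to TCP 15868 opens a policy-session, the reply that reverses that session comes back without any ACL, and anything the Websense server starts from the outside is dropped unless the WebSenseIn list covers it. The following is an added toy model of that behaviour (editor's illustration, not ADTRAN AOS code); the addresses and flow tuples are constructed, and the only value taken from the thread is the default port 15868.

```python
"""Toy model of the stateful behaviour described in the reply above.

Added illustration only, not ADTRAN AOS code. The addresses, the flow
tuples and the session table layout are constructed for the example;
the only value taken from the thread is the default TCP port 15868.
"""
from typing import Dict, List, Set, Tuple

WEBSENSE_PORT = 15868            # default port for AOS -> Websense requests (from the thread)
ADTRAN_WAN_IP = "203.0.113.10"   # constructed (TEST-NET-3)
WEBSENSE_IP = "198.51.100.20"    # constructed (TEST-NET-2)

# A flow is (src_ip, src_port, dst_ip, dst_port); only TCP is modelled.
Flow = Tuple[str, int, str, int]


class PolicyFirewall:
    """Stateful firewall: outbound flows open a session, return traffic
    that reverses that session is allowed, and anything else inbound must
    be covered by an explicit allow list (the 'allow list WebSenseIn' rule)."""

    def __init__(self) -> None:
        self.sessions: Set[Flow] = set()        # outbound sessions ("show ip policy-session self")
        self.inbound_allow: Set[str] = set()    # source IPs permitted inbound by ACL
        self.server_initiated: List[Flow] = []  # inbound flows that needed the ACL

    def outbound(self, flow: Flow) -> str:
        """Device-originated traffic always leaves and creates a session."""
        self.sessions.add(flow)
        return "allow"

    def inbound(self, flow: Flow) -> str:
        src, sport, dst, dport = flow
        reverse = (dst, dport, src, sport)
        if reverse in self.sessions:
            return "allow:session"          # reply on the same port, no ACL needed
        if src in self.inbound_allow:
            self.server_initiated.append(flow)
            return "allow:acl"              # only reachable because of WebSenseIn
        return "drop"

    def permit_inbound_from(self, ip: str) -> None:
        """Equivalent of 'permit ip <Websense Server IP> any' on the WAN policy-class."""
        self.inbound_allow.add(ip)

    def websense_sessions(self) -> List[Flow]:
        """Sessions destined for the Websense server on the filter port."""
        return sorted(f for f in self.sessions if f[2] == WEBSENSE_IP and f[3] == WEBSENSE_PORT)

    def ports_to_open(self) -> Set[int]:
        """Destination ports the server initiated towards us; these are the ones
        that would need a narrow inbound rule once the broad ACL is removed."""
        return {f[3] for f in self.server_initiated}


def walkthrough() -> Dict[str, object]:
    """Replays the troubleshooting steps from the reply and collects the results."""
    fw = PolicyFirewall()
    request = (ADTRAN_WAN_IP, 50001, WEBSENSE_IP, WEBSENSE_PORT)       # AOS -> Websense
    reply = (WEBSENSE_IP, WEBSENSE_PORT, ADTRAN_WAN_IP, 50001)         # same ports reversed
    unsolicited = (WEBSENSE_IP, 44444, ADTRAN_WAN_IP, 443)             # constructed server-initiated flow
    out: Dict[str, object] = {}
    out["request"] = fw.outbound(request)
    out["reply"] = fw.inbound(reply)
    out["unsolicited_before_acl"] = fw.inbound(unsolicited)
    fw.permit_inbound_from(WEBSENSE_IP)                                # apply WebSenseIn
    out["unsolicited_after_acl"] = fw.inbound(unsolicited)
    out["sessions"] = fw.websense_sessions()
    out["ports_to_open"] = fw.ports_to_open()
    return out


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

The model makes the operational point of the reply concrete: the broad `permit ip <server> any` is a diagnostic step, and `ports_to_open()` is the set you would narrow it to afterwards, mirroring what the "show ip policy-session" output reveals on the real device.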

                            • Re: URL Filtering
                              kbillings New Member

                              Need to see if we can configure PBR or a FW redirect to forward the HTTP request to the WebSense cloud server. The URL Filtering option does not work with a cloud-based solution…

                              • Re: URL Filtering
                                kbillings New Member

                                Can you provide a solution for PBR or FW redirect?

                                • Re: URL Filtering
                                  kbillings New Member

                                  If we were using a Cisco ASA, here is the config for it:

                                  1. Set up service objects to match TCP traffic going from all available ports to ports 8081 or 80:

                                  hostname(config)# object service http-original
                                  hostname(config-service-object)# service tcp source range 1 65535 destination eq www
                                  hostname(config-service-object)# description http-original
                                  hostname(config)# object service http-redirect
                                  hostname(config-service-object)# service tcp source range 1 65535 destination eq 8081
                                  hostname(config-service-object)# description http-redirect

                                  2. Create a network object to match the source traffic that should be filtered by Cloud Web Security:

                                  hostname(config)# object network Filtered-Web-Addresses
                                  hostname(config-network-object)# subnet 0.0.0.0 0.0.0.0

                                  Use the subnet addresses that apply to your organization.

                                  3. Create a network object to match the destination address (i.e. the Websense Cloud Web Security proxy):

                                  hostname(config)# object network Websense-Proxy
                                  hostname(config-network-object)# host webdefence.global.blackspider.com
                                  hostname(config-network-object)# description Websense-Proxy

                                  4. Using the object and network services you have set up, create NAT rules on your firewall to send Web traffic from your internal addresses to the cloud service. We recommend two rules: one for internal IP addresses, and one for your guest wireless network.

                                  The NAT statements for these rules are as follows:

                                  nat (inside,outside) source dynamic any interface destination static Filtered-Web-Addresses Websense-Proxy service http-original http-redirect inactive
                                  nat (guest-wireless,outside) source dynamic any interface destination static Filtered-Web-Addresses Websense-Proxy service http-original http-redirect inactive

                                    • Re: URL Filtering
                                      Employee

                                      @kbillings - I don't believe the route-map or firewall redirect option will work to forward URL filter requests to the Websense server. If you could provide us the following information, we would be better able to help you determine whether this application can work or not:

                                      1. Copy of the configuration and the issue you are experiencing. (Please be sure to remove any information that may be sensitive to your network)

                                      2. The Websense product that is being used, including software and version.

                                      3. The output to "show ip policy-session" when an attempt is made to access a webpage.

                                      This information will help us troubleshoot the issue you are seeing. Please let us know if you have any questions.

                                      Thanks,

                                      Noor

                                        • Re: URL Filtering
                                          kbillings New Member

                                          According to WebSense, they are expecting to see a URL request and not an IP. They use load balancing and need to see a URL. Any way to have the AOS translate the IP to a URL/DNS name before going out?

                                            • Re: URL Filtering
                                              Employee

                                              @kbillings - I'm not sure I follow your question. When the Adtran device sends the request to the Websense server, the request will contain the URL that a client is attempting to access. Do you have a packet capture or debug that would show what Websense is seeing?

                                              Thanks,

                                              Noor

                                                • Re: URL Filtering
                                                  Employee

                                                  kbillings - I went ahead and flagged this post as “Assumed Answered.”  If any of the responses on this thread assisted you, please mark them as either Correct or Helpful answers with the applicable buttons.  This will make them visible and help other members of the community find solutions more easily.  If you still need assistance, I would be more than happy to continue working with you on this - just let me know in a reply.

                                                  Thanks,

                                                  Noor