Virtual Server Promiscuous Mode for Websense

Posted on 2008-06-18
Last Modified: 2010-05-18
We're trying to get Websense to work in a virtual machine on Microsoft Virtual Server 2005 R2 and need to know how to properly configure all necessary elements to allow for span traffic or promiscuous mode so that Websense will be able to see all traffic to properly record and filter it, etc. So far we have the port on the Cisco switch configured for port span (echoing traffic from the port with our firewall to the port to which the physical server is connected), we have the virtual machine configured to point directly to the physical NIC of the physical server (no virtual network) and we have the virtual machine configured to allow promiscuous mode, but we're not seeing any traffic.  Can anyone please advise as to how we might make this work?
Question by:karinerivet
15 Comments
 
LVL 15

Expert Comment

by:markpalinux
ID: 21818544
#1
Try SP1 and the
<allow_promiscuous_mode type="boolean">TRUE/FALSE</allow_promiscuous_mode>
in the VMC file.


more info:
http://blogs.technet.com/roblarson/archive/2007/10/24/changes-to-virtual-networks-in-virtual-server-2005-r2-sp1.aspx

#2
Do you see traffic to the machine directly?
You are running network monitor on the guest, the web server directly and not seeing incoming traffic?

Mark
0
 
LVL 15

Expert Comment

by:markpalinux
ID: 21818566


Review this as well:
http://www.aspdeveloper.net/Virtual_Server_2005/rn-738-15929_Virtual_Server_2005_R2_SP1_and_Network_Monitor.aspx

<allow_packet_filtering type="boolean">false</allow_packet_filtering>
<allow_promiscuous_mode type="boolean">false</allow_promiscuous_mode>
</virtual_machines>

I guess there is also an allow_packet_filtering.

Mark
0
 

Author Comment

by:karinerivet
ID: 21818813
We're already running SP1 for Virtual Server 2005 R2 and we already have promiscuous mode set to true.

We ran a packet sniffer on the port that the physical server is connected to and confirmed that it is seeing all network traffic.

I don't understand the question, "You are running network monitor on the guest, the web server directly and not seeing incoming traffic?"

And, although I don't understand what the allow_packet_filtering option does, we did try setting it to true and it didn't make a difference.
0
LVL 14

Expert Comment

by:Ehab Salem
ID: 21819542
I don't know about virtual servers, but I know Websense. I have some points, as I did not understand your question exactly:
1- You have to span (mirror) the port that passes the traffic from your network to the firewall, and not the port to which the firewall is connected.
2- The machine that is used for spanning (on which Network Agent is installed) must have 2 NICs, one connected to a normal port on the switch and the other one to the mirror port.
3- In WS manager you have to specify in network agent setup which NIC is used to monitor and which is used to block traffic.
Are you using Websense Integrated with the FW or stand alone?
0
 

Author Comment

by:karinerivet
ID: 21824143
Websense is installed in a virtual machine, installed on Virtual Server 2005 R2 SP1, installed on Windows Server 2003 SP1, installed on physical hardware with a single NIC, connected to a switch port that is configured for spanning.

According to Websense documentation and Websense support, two NICs are not required provided that the single NIC is capable of spanning and both the NIC in the physical hardware and the NIC in the virtual machine are capable of spanning.

The Network Agent setup does have the NIC configured.

We're running Websense in stand alone mode.
0
 

Author Comment

by:karinerivet
ID: 21824520
I installed Wireshark on the host server and it shows unquestionably that spanning is working because it sees all traffic.  I installed Wireshark on the virtual machine where Websense is installed and it shows unquestionably that the necessary traffic isn't being passed from the host to the virtual machine.  Does anyone know how to get the necessary traffic passed from the host to the virtual machine?
0
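
The host-versus-guest Wireshark comparison described in the post above can be reduced to one number per capture: how many unicast frames involve none of the machine's own MAC addresses. This is an added example, not part of the original thread; it assumes captures saved in classic pcap format (not pcapng) with Ethernet link type, and the MAC addresses and frames below are constructed.

```python
import struct

def foreign_unicast_stats(pcap_bytes, local_macs):
    """Return (total_frames, foreign_unicast) for a classic-pcap Ethernet capture.
    A foreign unicast frame is not broadcast/multicast and has neither source
    nor destination in local_macs; it only shows up if mirrored traffic arrives.
    """
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled")
    local = {bytes.fromhex(m.replace(":", "").replace("-", "")) for m in local_macs}
    total = foreign = 0
    offset = 24                                    # skip the 24-byte global header
    while offset + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "I", pcap_bytes[offset + 8:offset + 12])[0]
        frame = pcap_bytes[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 14:                        # truncated Ethernet header
            continue
        total += 1
        dst, src = frame[0:6], frame[6:12]
        if not dst[0] & 1 and dst not in local and src not in local:
            foreign += 1                           # unicast between other stations
    return total, foreign

# --- constructed sample data (not real captures) ---
def make_frame(dst, src):
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return mac(dst) + mac(src) + b"\x08\x00" + bytes(46)

def make_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

GUEST = "02:00:00:00:00:01"
A, B, BCAST = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "ff:ff:ff:ff:ff:ff"
OWN = [make_frame(BCAST, A), make_frame(GUEST, A), make_frame(A, GUEST)]
HOST_CAPTURE = make_pcap(OWN + [make_frame(B, A), make_frame(A, B)])  # mirror visible
GUEST_CAPTURE = make_pcap(OWN)                                        # mirror not delivered
```

Pass the MAC addresses of both the host NIC and the guest NIC in `local_macs` when checking real captures; a nonzero foreign count on the host and zero on the guest matches the symptom reported here.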
 
LVL 14

Expert Comment

by:Ehab Salem
ID: 21830668
You cannot have a single NIC for the NA machine unless your switch supports having a port configured for both mirroring and normal traffic.
How many IPs from the total IPs can traffic monitor (of NA) see?
0
 
LVL 15

Expert Comment

by:markpalinux
ID: 21831132


Am I correct that the Websense machine is a virtual guest running on the MS Virtual Server?

Is the webserver also a virtual machine? Is it on the same MS Virtual Server?

Mark
0
 

Author Comment

by:karinerivet
ID: 21833305
Ehabsalem, I'm sorry, but I don't understand the questions you're asking or the terminology you're using.  What I can say is that the Cisco port that the host server is connected to is configured for spanning, which means it sees both types of traffic.  And, again, I was able to confirm using Wireshark that the necessary traffic is coming through to the host; it just isn't being passed to the virtual machine.

Mark, yes, Websense is running in a virtual machine on Microsoft Virtual Server 2005 R2 SP1.  And, yes, the webserver that Websense uses is running on the same virtual machine as Websense.
0
 
LVL 14

Expert Comment

by:Ehab Salem
ID: 21839802
There is a tool with Websense called the Network Visibility tool. Did you run this tool on the machine where the Network Agent is?
0
 

Author Comment

by:karinerivet
ID: 21848331
Yes, I did run the network visibility tool and it only saw a very small number of IP addresses.  This was expected since Wireshark confirmed that traffic isn't being passed from the host to the virtual machine.  I'm fairly confident that there is nothing wrong and nothing needs to be changed with Websense.  Something needs to be configured differently between the host and the virtual machine to allow the necessary traffic to pass.
0
 
LVL 15

Expert Comment

by:markpalinux
ID: 21857004


In the vmc file for the websense
did you check to see if the

allow_promiscuous_mode
and
allow_packet_filtering

I have the links to the info about them in my first few posts.

Mark
0
 

Author Comment

by:karinerivet
ID: 21857212
Yes, both packet filtering and promiscuous mode are set to true in the VMC file and traffic is still not passing between the host and the virtual machine.
0
 

Accepted Solution

by:
karinerivet earned 0 total points
ID: 22012155
I learned from Microsoft Premier support that this is a known bug and the promiscuous mode feature does not work.
0
 
LVL 15

Expert Comment

by:markpalinux
ID: 22035055

I searched and read a bit about this issue and tried to offer suggestions, as did some others. What is the EE view on when points are earned? If that is the option of the person asking the question, then I will ask that they reconsider awarding some points. If I gave steps on how Microsoft said it should work, and there is a known bug, didn't my input have value?

Thanks,
Mark

0
