Solved

Virtual Server Promiscuous Mode for Websense

Posted on 2008-06-18
Last Modified: 2010-05-18
We're trying to get Websense to work in a virtual machine on Microsoft Virtual Server 2005 R2 and need to know how to properly configure all necessary elements to allow for span traffic or promiscuous mode so that Websense will be able to see all traffic to properly record and filter it, etc. So far we have the port on the Cisco switch configured for port span (echoing traffic from the port with our firewall to the port to which the physical server is connected), we have the virtual machine configured to point directly to the physical NIC of the physical server (no virtual network) and we have the virtual machine configured to allow promiscuous mode, but we're not seeing any traffic.  Can anyone please advise as to how we might make this work?
Question by:karinerivet
15 Comments
 
LVL 15

Expert Comment

by:markpalinux
ID: 21818544
#1
Try SP1 and the
<allow_promiscuous_mode type="boolean">TRUE/FALSE</allow_promiscuous_mode>
in the VMC file.


more info:
http://blogs.technet.com/roblarson/archive/2007/10/24/changes-to-virtual-networks-in-virtual-server-2005-r2-sp1.aspx

#2
Do you see traffic to the machine directly?
You are running network monitor on the guest, the web server directly and not seeing incoming traffic?

Mark
0
 
LVL 15

Expert Comment

by:markpalinux
ID: 21818566


Review this as well:
http://www.aspdeveloper.net/Virtual_Server_2005/rn-738-15929_Virtual_Server_2005_R2_SP1_and_Network_Monitor.aspx

<allow_packet_filtering type="boolean">false</allow_packet_filtering>
<allow_promiscuous_mode type="boolean">false</allow_promiscuous_mode>
</virtual_machines>

I guess there is also an allow_packet_filtering.

Mark
0
 

Author Comment

by:karinerivet
ID: 21818813
We're already running SP1 for Virtual Server 2005 R2 and we already have promiscuous mode set to true.

We ran a packet sniffer on the port that the physical server is connected to and confirmed that it is seeing all network traffic.

I don't understand the question, "You are running network monitor on the guest, the web server directly and not seeing incoming traffic?"

And, although I don't understand what the allow_packet_filtering option does, we did try setting it to true and it didn't make a difference.
0
LVL 14

Expert Comment

by:Ehab Salem
ID: 21819542
I don't know about virtual servers, but I know Websense. I have some points as I did not understand exactly your question:
1- You have to span (mirror) the port that passes the traffic from your network to the firewall, and not the port to which the firewall is connected.
2- The machine that is used for spanning (on which Network Agent is installed) must have 2 NICs, one connected to a normal port on the switch and the other one to the mirror port.
3- In WS manager you have to specify in network agent setup which NIC is used to monitor and which is used to block traffic.
Are you using Websense Integrated with the FW or stand alone?
0
 

Author Comment

by:karinerivet
ID: 21824143
Websense is installed in a virtual machine, installed on Virtual Server 2005 R2 SP1, installed on Windows Server 2003 SP1, installed on physical hardware with a single NIC, connected to a switch port that is configured for spanning.

According to Websense documentation and Websense support, two NICs are not required provided that the single NIC is capable of spanning and both the NIC in the physical hardware and the NIC in the virtual machine are capable of spanning.

The Network Agent setup does have the NIC configured.

We're running Websense in stand alone mode.
0
 

Author Comment

by:karinerivet
ID: 21824520
I installed Wireshark on the host server and it shows unquestionably that spanning is working because it sees all traffic.  I installed Wireshark on the virtual machine where Websense is installed and it shows unquestionably that the necessary traffic isn't being passed from the host to the virtual machine.  Does anyone know how to get the necessary traffic passed from the host to the virtual machine?
0
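
The host-versus-guest capture comparison described in the comment above, as an added example that is not part of the original thread: it counts frames by destination MAC in each capture, since a capture that contains no unicast frames addressed to other machines is not receiving the mirrored traffic. It assumes the captures were saved in classic little-endian pcap format with Ethernet link type; the MAC addresses and sample frames are constructed.

```python
import struct

MAGIC = 0xA1B2C3D4  # classic libpcap file, little-endian, microsecond timestamps

def make_pcap(frames):
    """Build a classic pcap (linktype 1 = Ethernet) from raw frames; sample data only."""
    out = struct.pack("<IHHiIII", MAGIC, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def dest_macs(pcap):
    """Yield the destination MAC of every Ethernet frame in a classic pcap."""
    if len(pcap) < 24 or struct.unpack_from("<I", pcap, 0)[0] != MAGIC:
        raise ValueError("not a little-endian classic pcap")
    off = 24  # skip the global header
    while off + 16 <= len(pcap):
        incl_len, = struct.unpack_from("<I", pcap, off + 8)
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) >= 6:
            yield frame[:6]

def classify(pcap, own_mac):
    """Count frames addressed to us, to a group address, or to another unicast MAC."""
    counts = {"own": 0, "group": 0, "foreign": 0}
    for mac in dest_macs(pcap):
        if mac == own_mac:
            counts["own"] += 1
        elif mac[0] & 1:  # I/G bit set: broadcast or multicast
            counts["group"] += 1
        else:
            counts["foreign"] += 1
    return counts

def mirrored_traffic_visible(pcap, own_mac):
    """True if the capture holds unicast frames meant for other machines."""
    return classify(pcap, own_mac)["foreign"] > 0

def frame(dst, src):
    return dst + src + b"\x08\x00" + b"\x00" * 46  # IPv4 ethertype, padded payload

# Constructed addresses (locally administered), not taken from the thread.
HOST, GUEST = bytes.fromhex("02000000000a"), bytes.fromhex("02000000000b")
FIREWALL, CLIENT = bytes.fromhex("0200000000fe"), bytes.fromhex("0200000000c1")
BCAST = b"\xff" * 6
HOST_PCAP = make_pcap([frame(FIREWALL, CLIENT), frame(CLIENT, FIREWALL),
                       frame(BCAST, CLIENT), frame(HOST, CLIENT)])
GUEST_PCAP = make_pcap([frame(BCAST, CLIENT), frame(GUEST, CLIENT)])
```

In the constructed data the host capture contains frames between the client and the firewall, while the guest capture contains only broadcast frames and frames addressed to the guest itself, which is the pattern reported in the thread.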
 
LVL 14

Expert Comment

by:Ehab Salem
ID: 21830668
You cannot have a single NIC for the NA machine unless your switch supports having a port configured for both mirroring and normal traffic.
How many IPs from the total IPs can traffic monitor (of NA) see?
0
 
LVL 15

Expert Comment

by:markpalinux
ID: 21831132


Am I correct that the Websense machine is a virtual guest running on the MS Virtual Server?

Is the webserver also a virtual machine? Is it on the same MS Virtual Server?

Mark
0
 

Author Comment

by:karinerivet
ID: 21833305
Ehabsalem, I'm sorry, but I don't understand the questions you're asking or the terminology you're using.  What I can say is that the Cisco port that the host server is connected to is configured for spanning, which means it sees both types of traffic.  And, again, I was able to confirm using Wireshark that the necessary traffic is coming through to the host; it just isn't being passed to the virtual machine.

Mark, yes, Websense is running in a virtual machine on Microsoft Virtual Server 2005 R2 SP1.  And, yes, the webserver that Websense uses is running on the same virtual machine as Websense.
0
 
LVL 14

Expert Comment

by:Ehab Salem
ID: 21839802
There is a tool with Websense called Network Visibility tool, did you run this tool on the machine where there is the network Agent?
0
 

Author Comment

by:karinerivet
ID: 21848331
Yes, I did run the network visibility tool and it only saw a very small number of IP addresses.  This was expected since Wireshark confirmed that traffic isn't being passed from the host to the virtual machine.  I'm fairly confident that there is nothing wrong and nothing needs to be changed with Websense.  Something needs to be configured differently between the host and the virtual machine to allow the necessary traffic to pass.
0
 
LVL 15

Expert Comment

by:markpalinux
ID: 21857004


In the vmc file for the websense
did you check to see if the

allow_promiscuous_mode
and
allow_packet_filtering

I have the links to the info about them in my first few posts.

Mark
0
 

Author Comment

by:karinerivet
ID: 21857212
Yes, both packet filtering and promiscuous mode are set to true in the VMC file and traffic is still not passing between the host and the virtual machine.
0
 

Accepted Solution

by:
karinerivet earned 0 total points
ID: 22012155
I learned from Microsoft Premier support that this is a known bug and the promiscuous mode feature does not work.
0
 
LVL 15

Expert Comment

by:markpalinux
ID: 22035055

I searched and read a bit about this issue and tried to offer suggestions, as did some others. What is the EE view on when points are earned, if that is the option of the person asking the question then I will ask they reconsider awarding some points - if I gave steps on how Microsoft said it should work, and there is a known bug didn't my input have value?

Thanks,
Mark

0

Question has a verified solution.
