karinerivet

Virtual Server Promiscuous Mode for Websense

We're trying to get Websense to work in a virtual machine on Microsoft Virtual Server 2005 R2 and need to know how to properly configure all necessary elements to allow for span traffic or promiscuous mode so that Websense will be able to see all traffic to properly record and filter it, etc. So far we have the port on the Cisco switch configured for port span (echoing traffic from the port with our firewall to the port to which the physical server is connected), we have the virtual machine configured to point directly to the physical NIC of the physical server (no virtual network) and we have the virtual machine configured to allow promiscuous mode, but we're not seeing any traffic.  Can anyone please advise as to how we might make this work?
markpalinux

#1
Try SP1 and the
<allow_promiscuous_mode type="boolean">TRUE/FALSE</allow_promiscuous_mode>
in the VMC file.


more info:
http://blogs.technet.com/roblarson/archive/2007/10/24/changes-to-virtual-networks-in-virtual-server-2005-r2-sp1.aspx

#2
Do you see traffic to the machine directly?
You are running network monitor on the guest, the web server directly and not seeing incoming traffic?

Mark


Review this as well:
http://www.aspdeveloper.net/Virtual_Server_2005/rn-738-15929_Virtual_Server_2005_R2_SP1_and_Network_Monitor.aspx

<allow_packet_filtering type="boolean">false</allow_packet_filtering>
<allow_promiscuous_mode type="boolean">false</allow_promiscuous_mode>
</virtual_machines>

I guess there is also an allow_packet_filtering.

Mark
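The two VMC settings named in the posts above decide whether a guest can see mirrored traffic at all, so an administrator will usually want to know which guests on a host have them enabled. The script below is an added example, not code from this thread or from Microsoft: it reads a VMC file and reports the state of allow_promiscuous_mode and allow_packet_filtering. Only the two element names come from the thread; the surrounding layout of SAMPLE_VMC is constructed for the example, which is why the audit walks the whole XML tree instead of assuming where the elements nest.

```python
"""Audit Virtual Server 2005 R2 SP1 .vmc files for the promiscuous-mode settings.

Added example, not from the thread or from Microsoft. The element names
allow_promiscuous_mode and allow_packet_filtering come from the thread; the
rest of the sample layout is constructed.
"""
import xml.etree.ElementTree as ET

SETTINGS = ("allow_promiscuous_mode", "allow_packet_filtering")

# Constructed fragment in the shape of a VMC file. Real files are UTF-16 XML
# with an XML declaration; the declaration is omitted here so the string can
# be fed to ET.fromstring directly.
SAMPLE_VMC = """\
<preferences>
  <hardware>
    <pci_bus>
      <ethernet_adapter>
        <ethernet_controller id="0">
          <virtual_network>
            <name type="string">Physical NIC (constructed)</name>
          </virtual_network>
        </ethernet_controller>
      </ethernet_adapter>
    </pci_bus>
  </hardware>
  <virtual_machines>
    <allow_packet_filtering type="boolean">false</allow_packet_filtering>
    <allow_promiscuous_mode type="boolean">TRUE</allow_promiscuous_mode>
  </virtual_machines>
</preferences>
"""


def parse_boolean(text):
    """VMC booleans appear as true/false in varying case; anything else is None."""
    if text is None:
        return None
    value = text.strip().lower()
    if value in ("true", "false"):
        return value == "true"
    return None


def _audit(root):
    """Map each setting to True, False, or None (absent or unrecognised).

    None is treated as 'not enabled' by the callers below; that is this
    example's conservative assumption, matching the false defaults quoted
    in the thread.
    """
    result = {name: None for name in SETTINGS}
    for elem in root.iter():          # search the whole tree, not one fixed path
        if elem.tag in SETTINGS:
            result[elem.tag] = parse_boolean(elem.text)
    return result


def audit_vmc(xml_text):
    """Audit a VMC document held in memory as a string."""
    return _audit(ET.fromstring(xml_text))


def audit_vmc_file(path):
    """Audit a VMC file on disk; ET.parse honours the file's own encoding."""
    return _audit(ET.parse(path).getroot())


def promiscuous_enabled(settings):
    """Only an explicit true lets the guest receive frames not addressed to it."""
    return settings.get("allow_promiscuous_mode") is True


def report(name, settings):
    """One line per guest, suitable for an inventory of sniffing-capable VMs."""
    state = ("CAN capture mirrored traffic" if promiscuous_enabled(settings)
             else "cannot capture mirrored traffic")
    details = ", ".join(f"{key}={value}" for key, value in settings.items())
    return f"{name}: {state} ({details})"


if __name__ == "__main__":
    print(report("sample.vmc", audit_vmc(SAMPLE_VMC)))
```

Run it over every .vmc under the host's virtual machine directory with audit_vmc_file to get a list of which guests are allowed to see all frames on the physical NIC; a guest that shows "cannot capture" is one the host will only ever hand frames addressed to that guest, which is the first thing to rule out when a SPAN feed seems to stop at the host.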
karinerivet
ASKER

We're already running SP1 for Virtual Server 2005 R2 and we already have promiscuous mode set to true.

We ran a packet sniffer on the port that the physical server is connected to and confirmed that it is seeing all network traffic.

I don't understand the question, "You are running network monitor on the guest, the web server directly and not seeing incoming traffic?"

And, although I don't understand what the allow_packet_filtering option does, we did try setting it to true and it didn't make a difference.

I don't know about virtual servers, but I know Websense. I have some points, as I did not understand your question exactly:
1- You have to span (mirror) the port that passes the traffic from your network to the firewall, and not the port to which the firewall is connected.
2- The machine that is used for spanning (on which Network Agent is installed) must have 2 NICs, one connected to a normal port on the switch and the other one to the mirror port.
3- In WS manager you have to specify in network agent setup which NIC is used to monitor and which is used to block traffic.
Are you using Websense Integrated with the FW or stand alone?

Websense is installed in a virtual machine, installed on Virtual Server 2005 R2 SP1, installed on Windows Server 2003 SP1, installed on physical hardware with a single NIC, connected to a switch port that is configured for spanning.

According to Websense documentation and Websense support, two NICs are not required provided that the single NIC is capable of spanning and both the NIC in the physical hardware and the NIC in the virtual machine are capable of spanning.

The Network Agent setup does have the NIC configured.

We're running Websense in stand alone mode.

I installed Wireshark on the host server and it shows unquestionably that spanning is working because it sees all traffic. I installed Wireshark on the virtual machine where Websense is installed and it shows unquestionably that the necessary traffic isn't being passed from the host to the virtual machine. Does anyone know how to get the necessary traffic passed from the host to the virtual machine?

You cannot have a single NIC for the NA machine unless your switch supports having a port configured for both mirroring and normal traffic.
How many IPs from the total IPs can traffic monitor (of NA) see?


Am I correct that the Websense machine is a virtual guest running on the MS Virtual Server?

Is the webserver also a virtual machine? Is it on the same MS Virtual Server?

Mark

Ehabsalem, I'm sorry, but I don't understand the questions you're asking or the terminology you're using. What I can say is that the Cisco port that the host server is connected to is configured for spanning, which means it sees both types of traffic. And, again, I was able to confirm using Wireshark that the necessary traffic is coming through to the host; it just isn't being passed to the virtual machine.

Mark, yes, Websense is running in a virtual machine on Microsoft Virtual Server 2005 R2 SP1.  And, yes, the webserver that Websense uses is running on the same virtual machine as Websense.

There is a tool with Websense called Network Visibility tool, did you run this tool on the machine where there is the network Agent?

Yes, I did run the network visibility tool and it only saw a very small number of IP addresses. This was expected since Wireshark confirmed that traffic isn't being passed from the host to the virtual machine. I'm fairly confident that there is nothing wrong and nothing needs to be changed with Websense. Something needs to be configured different between the host and the virtual machine to allow the necessary traffic to pass.
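The diagnosis in the posts above rests on comparing what Wireshark sees on the host with what it sees inside the guest: if the guest only ever captures frames addressed to itself or to broadcast, the mirrored traffic is not being delivered to it, and the Network Visibility tool's low IP count follows from that. The script below is an added example, not code from this thread or from Websense or Wireshark, that makes the comparison mechanical. It parses the plain-text packet summary Wireshark exports (one line per frame: No., Time, Source, Destination, Protocol, Length, Info), counts the endpoints each side sees, and reports whether any frame in the guest capture is one the guest could only have received through promiscuous delivery. The two captures and the guest address 10.0.0.50 are constructed for the example.

```python
"""Compare a host-side and a guest-side Wireshark capture to check that
mirrored (SPAN) traffic is actually reaching a virtual machine.

Added example, not from the thread or from Websense/Wireshark. Input is the
plain-text packet summary Wireshark exports (No. Time Source Destination
Protocol Length Info). The capture lines and the guest address 10.0.0.50
are constructed for this example.
"""
import ipaddress

# Constructed: what the host's own sniffer sees on the mirrored port.
HOST_CAPTURE = """\
No.  Time      Source        Destination    Protocol Length Info
1    0.000000  10.0.0.25     203.0.113.10   TCP      74     49152 > 80 [SYN]
2    0.000210  10.0.0.26     203.0.113.11   TCP      74     49153 > 443 [SYN]
3    0.000500  10.0.0.27     203.0.113.12   HTTP     312    GET / HTTP/1.1
4    0.001000  10.0.0.5      10.0.0.255     NBNS     92     Name query NB WORKGROUP
5    0.001300  10.0.0.25     10.0.0.50      TCP      60     49160 > 80 [SYN]
"""

# Constructed: what the guest's sniffer sees when the host only delivers
# broadcast frames and unicast frames addressed to the guest itself.
GUEST_CAPTURE = """\
No.  Time      Source        Destination    Protocol Length Info
1    0.001000  10.0.0.5      10.0.0.255     NBNS     92     Name query NB WORKGROUP
2    0.001300  10.0.0.25     10.0.0.50      TCP      60     49160 > 80 [SYN]
"""


def parse_summary(text):
    """Return (source, destination) address pairs for every IP frame line."""
    frames = []
    for line in text.splitlines():
        parts = line.split(None, 6)   # Info may contain spaces; keep it whole
        if len(parts) < 4:
            continue
        try:
            src = ipaddress.ip_address(parts[2])
            dst = ipaddress.ip_address(parts[3])
        except ValueError:
            continue                  # header line, or a non-IP frame (ARP, STP)
        frames.append((src, dst))
    return frames


def is_foreign(frame, guest_ip):
    """True for a frame the guest could only see via promiscuous delivery:
    neither end is the guest and it is not broadcast or multicast. The
    '.255' test is a /24 simplification for this constructed example."""
    src, dst = frame
    if guest_ip in (src, dst):
        return False
    if dst.is_multicast or dst == ipaddress.ip_address("255.255.255.255"):
        return False
    if str(dst).endswith(".255"):
        return False
    return True


def mirror_check(host_text, guest_text, guest_ip):
    """Summarise host visibility versus guest visibility."""
    guest = ipaddress.ip_address(guest_ip)
    host_frames = parse_summary(host_text)
    guest_frames = parse_summary(guest_text)
    host_ips = {ip for frame in host_frames for ip in frame}
    guest_ips = {ip for frame in guest_frames for ip in frame}
    foreign = [f for f in guest_frames if is_foreign(f, guest)]
    return {
        "host_endpoints": len(host_ips),
        "guest_endpoints": len(guest_ips),
        "missing_from_guest": sorted(str(ip) for ip in host_ips - guest_ips),
        "mirrored_traffic_reaching_guest": bool(foreign),
    }


if __name__ == "__main__":
    for key, value in mirror_check(HOST_CAPTURE, GUEST_CAPTURE, "10.0.0.50").items():
        print(f"{key}: {value}")
```

Replace the two constants with captures exported from each side (File > Export Packet Dissections > As Plain Text in Wireshark, summary line only) and run it; a false mirrored_traffic_reaching_guest with a long missing_from_guest list is the thread's situation, and it points at the host-to-guest path rather than at the switch or at Websense.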


In the vmc file for the websense
did you check to see if the

allow_promiscuous_mode
and
allow_packet_filtering

I have the links to the info about them in my first few posts.

Mark

Yes, both packet filtering and promiscuous mode are set to true in the VMC file and traffic is still not passing between the host and the virtual machine.
ASKER CERTIFIED SOLUTION
karinerivet

I searched and read a bit about this issue and tried to offer suggestions, as did some others. What is the EE view on when points are earned? If that is the option of the person asking the question, then I will ask that they reconsider awarding some points - if I gave steps on how Microsoft said it should work, and there is a known bug, didn't my input have value?

Thanks,
Mark