Solved

Virtual Server Promiscuous Mode for Websense

Posted on 2008-06-18
Last Modified: 2010-05-18
We're trying to get Websense to work in a virtual machine on Microsoft Virtual Server 2005 R2 and need to know how to properly configure all necessary elements to allow for span traffic or promiscuous mode so that Websense will be able to see all traffic to properly record and filter it, etc. So far we have the port on the Cisco switch configured for port span (echoing traffic from the port with our firewall to the port to which the physical server is connected), we have the virtual machine configured to point directly to the physical NIC of the physical server (no virtual network) and we have the virtual machine configured to allow promiscuous mode, but we're not seeing any traffic.  Can anyone please advise as to how we might make this work?
Question by:karinerivet
15 Comments
 
LVL 15

Expert Comment

by:markpalinux
ID: 21818544
#1
Try SP1 and the
<allow_promiscuous_mode type="boolean">TRUE/FALSE</allow_promiscuous_mode>
in the VMC file.


more info:
http://blogs.technet.com/roblarson/archive/2007/10/24/changes-to-virtual-networks-in-virtual-server-2005-r2-sp1.aspx

#2
Do you see traffic to the machine directly?
You are running network monitor on the guest, the web server directly and not seeing incoming traffic?

Mark
0
 
LVL 15

Expert Comment

by:markpalinux
ID: 21818566


Review this as well:
http://www.aspdeveloper.net/Virtual_Server_2005/rn-738-15929_Virtual_Server_2005_R2_SP1_and_Network_Monitor.aspx

<allow_packet_filtering type="boolean">false</allow_packet_filtering>
<allow_promiscuous_mode type="boolean">false</allow_promiscuous_mode>
</virtual_machines>

I guess there is also an allow_packet_filtering.

Mark
0
 

Author Comment

by:karinerivet
ID: 21818813
We're already running SP1 for Virtual Server 2005 R2 and we already have promiscuous mode set to true.

We ran a packet sniffer on the port that the physical server is connected to and confirmed that it is seeing all network traffic.

I don't understand the question, "You are running network monitor on the guest, the web server directly and not seeing incoming traffic?"

And, although I don't understand what the allow_packet_filtering option does, we did try setting it to true and it didn't make a difference.
0
 
LVL 14

Expert Comment

by:Ehab Salem
ID: 21819542
I don't know about virtual servers, but I know Websense. I have some points, as I did not understand your question exactly:
1- You have to span (mirror) the port that passes the traffic from your network to the firewall, and not the port to which the firewall is connected.
2- The machine that is used for spanning (on which Network Agent is installed) must have 2 NICs, one connected to a normal port on the switch and the other one to the mirror port.
3- In WS manager you have to specify in network agent setup which NIC is used to monitor and which is used to block traffic.
Are you using Websense Integrated with the FW or stand alone?
0
 

Author Comment

by:karinerivet
ID: 21824143
Websense is installed in a virtual machine, installed on Virtual Server 2005 R2 SP1, installed on Windows Server 2003 SP1, installed on physical hardware with a single NIC, connected to a switch port that is configured for spanning.

According to Websense documentation and Websense support, two NICs are not required provided that the single NIC is capable of spanning and both the NIC in the physical hardware and the NIC in the virtual machine are capable of spanning.

The Network Agent setup does have the NIC configured.

We're running Websense in stand alone mode.
0
 

Author Comment

by:karinerivet
ID: 21824520
I installed Wireshark on the host server and it shows unquestionably that spanning is working because it sees all traffic.  I installed Wireshark on the virtual machine where Websense is installed and it shows unquestionably that the necessary traffic isn't being passed from the host to the virtual machine.  Does anyone know how to get the necessary traffic passed from the host to the virtual machine?
0
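
The host-versus-guest capture comparison described in the comment above, sketched as an added example that is not part of the original thread. Every MAC address, IP address and frame in it is constructed sample data, and the function names are hypothetical.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"

def classify(src_mac, dst_mac, own_macs):
    """Say why a NIC owning own_macs would have captured this frame."""
    own = {m.lower() for m in own_macs}
    src, dst = src_mac.lower(), dst_mac.lower()
    if src in own or dst in own:
        return "own"          # delivered with or without promiscuous mode
    if dst == BROADCAST:
        return "broadcast"    # delivered to every NIC on the segment
    if int(dst.split(":")[0], 16) & 1:
        return "multicast"    # group bit set in the first octet
    return "foreign"          # unicast between other hosts: mirror traffic only

def span_coverage(host_frames, guest_frames, own_macs):
    """Frames are (src_mac, dst_mac, src_ip, dst_ip) tuples from each capture."""
    def foreign_ips(frames):
        ips = set()
        for src_mac, dst_mac, src_ip, dst_ip in frames:
            if classify(src_mac, dst_mac, own_macs) == "foreign":
                ips.update((src_ip, dst_ip))
        return ips
    on_host, on_guest = foreign_ips(host_frames), foreign_ips(guest_frames)
    if not on_host:
        verdict = "mirror port is not delivering traffic to the host"
    elif not on_guest:
        verdict = "host sees mirrored traffic, guest does not"
    elif on_host - on_guest:
        verdict = "guest sees only part of the mirrored traffic"
    else:
        verdict = "guest sees the mirrored traffic"
    return {"missing_in_guest": sorted(on_host - on_guest), "verdict": verdict}

# Constructed sample data: what each capture might contain in the thread's setup.
GUEST_MAC = "00:03:ff:00:00:01"
FW, PC, SRV = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"
HOST_CAPTURE = [
    (PC, FW, "10.0.0.20", "203.0.113.5"),      # client to firewall (mirrored)
    (SRV, FW, "10.0.0.30", "198.51.100.9"),    # server to firewall (mirrored)
    (PC, BROADCAST, "10.0.0.20", "10.0.0.255"),
    (PC, GUEST_MAC, "10.0.0.20", "10.0.0.50"),
]
GUEST_CAPTURE = [
    (PC, BROADCAST, "10.0.0.20", "10.0.0.255"),
    (PC, GUEST_MAC, "10.0.0.20", "10.0.0.50"),
]

if __name__ == "__main__":
    print(span_coverage(HOST_CAPTURE, GUEST_CAPTURE, {GUEST_MAC}))
```

A guest capture that holds only "own", broadcast and multicast frames while the host capture holds foreign unicast points at the host-to-guest hand-off rather than at the switch or the filtering product.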
 
LVL 14

Expert Comment

by:Ehab Salem
ID: 21830668
You cannot have a single NIC for the NA machine unless your switch supports having a port configured for both mirroring and normal traffic.
How many IPs from the total IPs can traffic monitor (of NA) see?
0

 
LVL 15

Expert Comment

by:markpalinux
ID: 21831132


Am I correct that the Websense machine is a virtual guest running on the MS Virtual Server?

Is the webserver also a virtual machine? Is it on the same MS Virtual Server?

Mark
0
 

Author Comment

by:karinerivet
ID: 21833305
Ehabsalem, I'm sorry, but I don't understand the questions you're asking or the terminology you're using.  What I can say is that the Cisco port that the host server is connected to is configured for spanning, which means it sees both types of traffic.  And, again, I was able to confirm using Wireshark that the necessary traffic is coming through to the host; it just isn't being passed to the virtual machine.

Mark, yes, Websense is running in a virtual machine on Microsoft Virtual Server 2005 R2 SP1.  And, yes, the webserver that Websense uses is running on the same virtual machine as Websense.
0
 
LVL 14

Expert Comment

by:Ehab Salem
ID: 21839802
There is a tool with Websense called Network Visibility tool. Did you run this tool on the machine where the Network Agent is?
0
 

Author Comment

by:karinerivet
ID: 21848331
Yes, I did run the network visibility tool and it only saw a very small number of IP addresses.  This was expected since Wireshark confirmed that traffic isn't being passed from the host to the virtual machine.  I'm fairly confident that there is nothing wrong and nothing needs to be changed with Websense.  Something needs to be configured differently between the host and the virtual machine to allow the necessary traffic to pass.
0
 
LVL 15

Expert Comment

by:markpalinux
ID: 21857004


In the vmc file for the websense
did you check to see if the

allow_promiscuous_mode
and
allow_packet_filtering

I have the links to the info about them in my first few posts.

Mark
0
 

Author Comment

by:karinerivet
ID: 21857212
Yes, both packet filtering and promiscuous mode are set to true in the VMC file and traffic is still not passing between the host and the virtual machine.
0
 

Accepted Solution

by:
karinerivet earned 0 total points
ID: 22012155
I learned from Microsoft Premier support that this is a known bug and the promiscuous mode feature does not work.
0
 
LVL 15

Expert Comment

by:markpalinux
ID: 22035055

I searched and read a bit about this issue and tried to offer suggestions, as did some others. What is the EE view on when points are earned? If that is the option of the person asking the question, then I will ask that they reconsider awarding some points - if I gave steps on how Microsoft said it should work, and there is a known bug, didn't my input have value?

Thanks,
Mark

0
