Solved

Virtual Server Promiscuous Mode for Websense

Posted on 2008-06-18
Last Modified: 2010-05-18
We're trying to get Websense to work in a virtual machine on Microsoft Virtual Server 2005 R2 and need to know how to properly configure all necessary elements to allow for span traffic or promiscuous mode so that Websense will be able to see all traffic to properly record and filter it, etc. So far we have the port on the Cisco switch configured for port span (echoing traffic from the port with our firewall to the port to which the physical server is connected), we have the virtual machine configured to point directly to the physical NIC of the physical server (no virtual network) and we have the virtual machine configured to allow promiscuous mode, but we're not seeing any traffic.  Can anyone please advise as to how we might make this work?
Question by:karinerivet
15 Comments
 
LVL 15

Expert Comment

by:markpalinux
ID: 21818544
#1
Try SP1 and the
<allow_promiscuous_mode type="boolean">TRUE/FALSE</allow_promiscuous_mode>
in the VMC file.


more info:
http://blogs.technet.com/roblarson/archive/2007/10/24/changes-to-virtual-networks-in-virtual-server-2005-r2-sp1.aspx

#2
Do you see traffic to the machine directly?
You are running network monitor on the guest, the web server directly and not seeing incoming traffic?

Mark
0
 
LVL 15

Expert Comment

by:markpalinux
ID: 21818566


Review this as well:
http://www.aspdeveloper.net/Virtual_Server_2005/rn-738-15929_Virtual_Server_2005_R2_SP1_and_Network_Monitor.aspx

<allow_packet_filtering type="boolean">false</allow_packet_filtering>
<allow_promiscuous_mode type="boolean">false</allow_promiscuous_mode>
</virtual_machines>

I guess there is also an allow_packet_filtering.

Mark
0
 

Author Comment

by:karinerivet
ID: 21818813
We're already running SP1 for Virtual Server 2005 R2 and we already have promiscuous mode set to true.

We ran a packet sniffer on the port that the physical server is connected to and confirmed that it is seeing all network traffic.

I don't understand the question, "You are running network monitor on the guest, the web server directly and not seeing incoming traffic?"

And, although I don't understand what the allow_packet_filtering option does, we did try setting it to true and it didn't make a difference.
0
 
LVL 14

Expert Comment

by:Ehab Salem
ID: 21819542
I don't know about virtual servers, but I know Websense. I have some points, as I did not understand your question exactly:
1- You have to span (mirror) the port that passes the traffic from your network to the firewall, and not the port to which the firewall is connected.
2- The machine that is used for spanning (on which Network Agent is installed) must have 2 NICs, one connected to a normal port on the switch and the other one to the mirror port.
3- In WS manager you have to specify in network agent setup which NIC is used to monitor and which is used to block traffic.
Are you using Websense Integrated with the FW or stand alone?
0
 

Author Comment

by:karinerivet
ID: 21824143
Websense is installed in a virtual machine, installed on Virtual Server 2005 R2 SP1, installed on Windows Server 2003 SP1, installed on physical hardware with a single NIC, connected to a switch port that is configured for spanning.

According to Websense documentation and Websense support, two NICs are not required provided that the single NIC is capable of spanning and both the NIC in the physical hardware and the NIC in the virtual machine are capable of spanning.

The Network Agent setup does have the NIC configured.

We're running Websense in stand alone mode.
0
 

Author Comment

by:karinerivet
ID: 21824520
I installed Wireshark on the host server and it shows unquestionably that spanning is working because it sees all traffic.  I installed Wireshark on the virtual machine where Websense is installed and it shows unquestionably that the necessary traffic isn't being passed from the host to the virtual machine.  Does anyone know how to get the necessary traffic passed from the host to the virtual machine?
0
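The host-versus-guest Wireshark comparison in the comment above comes down to one check, shown here as an added example that is not part of the original thread: a capture shows mirrored traffic is being delivered only if it contains unicast frames addressed to some other machine's MAC, because broadcast and multicast frames reach the guest whether or not promiscuous mode works. All MAC addresses and frames below are constructed; in practice the input would be the raw Ethernet frames exported from each capture.

```python
from collections import Counter

BROADCAST = bytes.fromhex("ffffffffffff")

def parse_mac(text):
    """Convert 'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    raw = bytes.fromhex(text.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes: %r" % text)
    return raw

def classify_frame(frame, own_mac):
    """Classify one raw Ethernet frame relative to the capturing NIC's MAC."""
    if len(frame) < 14:              # shorter than an Ethernet header
        return "truncated"
    dst, src = frame[0:6], frame[6:12]
    if src == own_mac:               # our own outbound traffic
        return "from_self"
    if dst == own_mac:
        return "to_self"
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:                # group bit set: multicast
        return "multicast"
    return "foreign_unicast"         # only visible if mirrored frames are delivered

def summarize(frames, own_mac):
    return Counter(classify_frame(f, own_mac) for f in frames)

def sees_mirrored_traffic(frames, own_mac):
    """True only if the capture holds unicast frames between other machines."""
    return summarize(frames, own_mac)["foreign_unicast"] > 0

def eth(dst, src):
    """Build a constructed IPv4 Ethernet frame (header plus zero padding)."""
    return parse_mac(dst) + parse_mac(src) + b"\x08\x00" + b"\x00" * 46

# Constructed sample data: every MAC address below is made up for illustration.
HOST, GUEST = "00:11:22:33:44:55", "00:11:22:33:44:66"
PC_A, FW, BCAST = "00:aa:bb:cc:dd:01", "00:aa:bb:cc:dd:fe", "ff:ff:ff:ff:ff:ff"
HOST_CAPTURE = [eth(FW, PC_A), eth(PC_A, FW), eth(BCAST, PC_A), eth(HOST, PC_A)]
GUEST_CAPTURE = [eth(BCAST, PC_A), eth(GUEST, PC_A), eth(PC_A, GUEST),
                 eth("01:00:5e:00:00:fb", PC_A)]

if __name__ == "__main__":
    for name, mac, cap in (("host", HOST, HOST_CAPTURE), ("guest", GUEST, GUEST_CAPTURE)):
        own = parse_mac(mac)
        print(name, dict(summarize(cap, own)), "mirrored:", sees_mirrored_traffic(cap, own))
```

A guest capture that shows only the `to_self`, `from_self`, `broadcast` and `multicast` classes matches the symptom reported in this thread: the SPAN port is feeding the host, but the mirrored frames stop at the virtual NIC.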
 
LVL 14

Expert Comment

by:Ehab Salem
ID: 21830668
You cannot have a single NIC for the NA machine unless your switch supports having a port configured for both mirroring and normal traffic.
How many IPs from the total IPs can traffic monitor (of NA) see?
0
 
LVL 15

Expert Comment

by:markpalinux
ID: 21831132


Am I correct that the Websense machine is a virtual guest running on the MS Virtual Server?

Is the webserver also a virtual machine? Is it on the same MS Virtual Server?

Mark
0
 

Author Comment

by:karinerivet
ID: 21833305
Ehabsalem, I'm sorry, but I don't understand the questions you're asking or the terminology you're using.  What I can say is that the Cisco port that the host server is connected to is configured for spanning which means it sees both types of traffic.  And, again, I was able to confirm using Wireshark that the necessary traffic is coming through to the host; it just isn't being passed to the virtual machine.

Mark, yes, Websense is running in a virtual machine on Microsoft Virtual Server 2005 R2 SP1.  And, yes, the webserver that Websense uses is running on the same virtual machine as Websense.
0
 
LVL 14

Expert Comment

by:Ehab Salem
ID: 21839802
There is a tool with Websense called Network Visibility tool, did you run this tool on the machine where there is the network Agent?
0
 

Author Comment

by:karinerivet
ID: 21848331
Yes, I did run the network visibility tool and it only saw a very small number of IP addresses.  This was expected since Wireshark confirmed that traffic isn't being passed from the host to the virtual machine.  I'm fairly confident that there is nothing wrong and nothing needs to be changed with Websense.  Something needs to be configured differently between the host and the virtual machine to allow the necessary traffic to pass.
0
 
LVL 15

Expert Comment

by:markpalinux
ID: 21857004


In the vmc file for the websense
did you check to see if the

allow_promiscuous_mode
and
allow_packet_filtering

I have the links to the info about them in my first few posts.

Mark
0
 

Author Comment

by:karinerivet
ID: 21857212
Yes, both packet filtering and promiscuous mode are set to true in the VMC file and traffic is still not passing between the host and the virtual machine.
0
 

Accepted Solution

by:
karinerivet earned 0 total points
ID: 22012155
I learned from Microsoft Premier support that this is a known bug and the promiscuous mode feature does not work.
0
 
LVL 15

Expert Comment

by:markpalinux
ID: 22035055

I searched and read a bit about this issue and tried to offer suggestions, as did some others. What is the EE view on when points are earned? If that is the option of the person asking the question, then I will ask that they reconsider awarding some points. If I gave steps on how Microsoft said it should work, and there is a known bug, didn't my input have value?

Thanks,
Mark

0
