One Websense Server for two separate networks.

eskirvin
Our organization has a Websense license and I've decided I want to use it across both of our companies' networks. I'm able to monitor and block clients on both networks, 192.168.1.0/24 and 192.168.50.0/23, but the server IP is in the 1.0 network and the clients on the 50.0 network are unable to resolve the block page. Both networks have their own Cisco ASA. On the 50.0 network, the ASA communicates with the Websense server via the management port. Is there a way to make a static translation that will allow the HTTP request to be translated to the 1.0 network, thus allowing the 50.0 network to resolve the block page? Again, the only thing that isn't working is the resolution of the block page.
Commented:
As far as I understood the topology, it could be (on the ASA in the 50.0 network):
static (outside,inside)  Websense_IP_on_50.0 Websense_IP_on_1.0

Author

Commented:
Websense is able to see both networks as the SPAN port sees all of the traffic on the switch, but the server is logically located on the 1.0 network and has no presence on the 50.0 network. The ASA refers the browser to an IP address on the 1.0 network, which clients on the 50.0 network have no access to, so they get no blocked page.

Commented:
But the above static on the ASA will translate the 'fake' IP address on the 50.0 network to the 'real' IP address on the 1.0 network.

Author

Commented:
You're right, it would, but the ASA is giving the browser a real IP of 192.168.1.5 as advertised to the ASA via the Websense server. I need the clients on the 50.0 network to be able to resolve that address in order to see the blocked page or perhaps be redirected to a webpage located on the 50.0 network. Can this be accomplished via the DNS server perhaps?

Commented:
Are you familiar with DNS doctoring on the ASA?
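For readers unfamiliar with the two ASA-side suggestions made in this thread (the static translation and DNS doctoring), this is what they look like on the ASA that fronts the 50.0 network. It is an added example, not configuration posted by anyone in the thread. The real address 192.168.1.5 is the one the author mentions; the mapped address 192.168.50.5, the object name, and the assumption that the Websense server is reached through this ASA's "outside" interface are illustrative choices.

```cisco
! Added example (not from the thread). Applies to the ASA in the 192.168.50.0/23 network.
! Assumptions: the Websense server (real address 192.168.1.5, per the author) sits behind
! this ASA's "outside" interface; 192.168.50.5 is an unused address picked here to
! represent the server on the 50.0 side.

! --- ASA software before 8.3: static NAT with DNS rewrite ---
! Syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask [dns]
! Inside clients send to 192.168.50.5; the ASA rewrites the destination to 192.168.1.5.
! The "dns" keyword additionally rewrites A records in DNS replies that traverse the
! ASA, so an answer of 192.168.1.5 reaches inside clients as 192.168.50.5
! (this is what "DNS doctoring" refers to).
static (outside,inside) 192.168.50.5 192.168.1.5 netmask 255.255.255.255 dns

! --- ASA software 8.3 and later: the same translation as object NAT ---
object network websense-server
 host 192.168.1.5
 nat (outside,inside) static 192.168.50.5 dns
```

Two caveats a practitioner would check before relying on this. DNS doctoring only rewrites DNS replies that actually pass through the ASA; if the 50.0 clients are answered by an internal Microsoft DNS server without the query crossing the ASA, nothing is rewritten. And it only helps when the block-page redirect carries a hostname; a redirect that carries the literal address 192.168.1.5, as the author reports, is never touched by the DNS rewrite, so the mapped address is only useful if something causes the 50.0 clients to be sent to it instead.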

Author

Commented:
No, not at all. We have Microsoft servers that handle our DNS because my boss wants it that way.

Commented:
"...Both networks have their own ASA..."

How about another NIC in the Websense Server that is on the 50 Network, and then defining the Websense Server in that ASA as a 50 Address?

I haven't tried this myself, so I'm not sure if it will work or if it will "anger" the Websense licensing.

Author

Commented:
If I did that, how would Websense know to respond to requests on the 50.0 network? Would I have to create another policy server with a 50.0 address?

Commented:
Hm... maybe you can use Netmask Ordering on the Windows DNS server to return records with IP addresses local to the querying machine's subnet. More info on netmask ordering: http://support.microsoft.com/kb/842197

Commented:
We can't keep DNS working properly through our ASA, so we've had to abandon it in favor of a Microsoft ISA server and another filtering brand that integrates with it. No working solution was presented to this question.
