Content Filter for Internal and External Users
Posted on 2010-08-31
Our company has recently implemented Websense's V10000 Content Gateway appliance. It works fine to filter our internal users via WCCP from our ASA.
However, VPN users and DMZ-type servers can't be filtered in the same manner because WCCP will not allow you to redirect traffic if it doesn't originate on the same interface where the Content Gateway resides.
To get around this problem we set up our VPN users to use a PAC file. This works as long as they are browsing with IE. However, when we look at the Websense reports we see that the traffic from VPN users shows as an IP address instead of a name. We can get this to work with Websense if we run a script at connection time that runs a "gpupdate /force", but it takes a couple of minutes for that to allow Websense to associate the traffic with a user. Using a PAC file/proxy solution limits the ability for us to use Cisco's new "Always-on VPN" functionality.
The proxy configuration doesn't appear to work for the DMZ.
Has anyone else run into an issue like this? Does anyone have any other solutions for filtering remote users as well as DMZ-type servers? We're open to all ideas.