snowmizer
asked on
Content Filter for Internal and External Users
Our company has recently implemented Websense's V10000 Content Gateway appliance. It works fine to filter our internal users via WCCP from our ASA.
However VPN users and DMZ type servers can't be filtered in the same manner because WCCP will not allow you to redirect traffic if it doesn't originate on the same interface where the Content Gateway resides.
To get around this problem we set up our VPN users to use a PAC file. This works as long as they are browsing with IE. However, when we look at the Websense reports we see that the traffic from VPN users shows as an IP address instead of a name. We can get this to work with Websense if we run a script at connection time that runs a "gpupdate /force" but it takes a couple of minutes for that to allow Websense to associate the traffic with a user. Using a PAC file/proxy solution limits the ability for us to use Cisco's new "Always-on VPN" functionality.
The proxy configuration doesn't appear to work for the DMZ.
Has anyone else run into an issue like this? Does anyone have any other solutions for filtering remote users as well as DMZ type servers? We're open to all ideas.
Thanks.
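The asker mentions pointing VPN clients at the content gateway with a PAC file. As an added example (not the poster's file or anything from Websense), here is a self-contained PAC script that sends all web traffic through an explicit filtering proxy and only lets internal destinations go direct. The proxy name `proxy.example.internal:8080`, the DNS suffix `.example.internal` and the RFC 1918 ranges are assumed placeholders; `inNet()` is a local stand-in for the PAC built-in `isInNet()` that only handles literal IPv4 addresses, so the file also runs under plain Node for testing.

```javascript
// Added example: PAC file for remote (VPN) clients. Everything that is not an
// internal destination is handed to the explicit content-filtering proxy.
// All names and address ranges below are assumed placeholders.

var PROXY = "PROXY proxy.example.internal:8080";   // assumed proxy host:port
var INTERNAL_DOMAIN = ".example.internal";          // assumed internal DNS suffix
// Assumed internal ranges that the VPN tunnel reaches directly
var INTERNAL_NETS = [
  ["10.0.0.0", "255.0.0.0"],
  ["172.16.0.0", "255.240.0.0"],
  ["192.168.0.0", "255.255.0.0"]
];

// Parse a dotted-quad IPv4 string into a 32-bit number; null if malformed.
function ipToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i])) return null;
    var octet = Number(parts[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// Stand-in for the PAC built-in isInNet(): true when the literal IPv4 address
// falls inside net/mask. Unlike the built-in it never resolves host names, so
// names are matched separately by suffix in isInternalHost().
function inNet(ip, net, mask) {
  var a = ipToInt(ip), n = ipToInt(net), m = ipToInt(mask);
  if (a === null || n === null || m === null) return false;
  // >>> 0 keeps the comparison in unsigned 32-bit space
  return ((a & m) >>> 0) === ((n & m) >>> 0);
}

// Internal = unqualified name, anything under the internal suffix, or a
// literal address inside one of the internal ranges.
function isInternalHost(host) {
  var h = host.toLowerCase();
  if (h.indexOf(".") === -1) return true;
  if (h.length > INTERNAL_DOMAIN.length &&
      h.slice(-INTERNAL_DOMAIN.length) === INTERNAL_DOMAIN) return true;
  if (ipToInt(h) !== null) {
    for (var i = 0; i < INTERNAL_NETS.length; i++) {
      if (inNet(h, INTERNAL_NETS[i][0], INTERNAL_NETS[i][1])) return true;
    }
  }
  return false;
}

// Entry point the browser calls for every URL.
function FindProxyForURL(url, host) {
  if (isInternalHost(host)) return "DIRECT";
  // Deliberately no "; DIRECT" fallback: if the proxy is unreachable the
  // browser fails closed instead of silently bypassing the content filter.
  return PROXY;
}
```

The one design choice worth pointing out is the missing `; DIRECT` fallback on the proxy line. Many PAC examples add it for convenience, but for a filtering gateway it means any outage of the proxy turns into an unfiltered path, so leaving it out is the safer default.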
An agent is installed. VPN and DMZ would be filtered.
ASKER
We'll have to look at hosted solutions. If we decided not to go this route, could you achieve the same thing by putting some type of filtering solution in the DMZ?
You could rig something up. I always hated band-aid solutions. They end up being a bigger PITA than they are worth.
ASKER
I don't disagree with that at all. This whole thing has been a PITA. :) I really don't want to have to manage two different solutions either. I guess it comes down to whether we want to use a hosted solution.
Sometimes the best thing is to bite the bullet and pay for the right solution up front.
ASKER
Well the WCG is working fine for our internal users. It's the external VPN users and DMZ type servers that are causing the problem.
I do squid + dansguardian; they are a very good choice!
I use squid with squidGuard blacklists. Regarding authentication (NCSA, LDAP, MSNT, PAM, SASL, NTLM, etc.), I do ncsa_auth (with 80 users); you have to maintain your own password_file with
"htpasswd -a /path/to/your/password_file username"
One thing, check http://www.reub.net/node/3 ... consider Cisco WCCP with squid - it scales better with squid...
ASKER
The more I think about this, shouldn't I be able to configure IE on my DMZ servers with a proxy configuration and then just allow this traffic through the firewall?
ASKER
I guess a better question would be: can explicit proxy be used on a DMZ server to a proxy server that resides on the internal network?
ASKER
Thanks for all of the suggestions. This gives me an idea of how other people are addressing this issue.
ASKER
Thanks.