Solved

Content Filter for Internal and External Users

Posted on 2010-08-31
Last Modified: 2013-11-16
Our company has recently implemented Websense's V10000 Content Gateway appliance. It works fine to filter our internal users via WCCP from our ASA.

However, VPN users and DMZ type servers can't be filtered in the same manner because WCCP will not allow you to redirect traffic if it doesn't originate on the same interface where the Content Gateway resides.

To get around this problem we set up our VPN users to use a PAC file. This works as long as they are browsing with IE. However, when we look at the Websense reports we see that the traffic from VPN users shows as an IP address instead of a name. We can get this to work with Websense if we run a script at connection time that runs a "gpupdate /force" but it takes a couple of minutes for that to allow Websense to associate the traffic with a user. Using a PAC file/proxy solution limits the ability for us to use Cisco's new "Always-on VPN" functionality.

The proxy configuration doesn't appear to work for the DMZ.

Has anyone else run into an issue like this? Does anyone have any other solutions for filtering remote users as well as DMZ type servers? We're open to all ideas.

Thanks.
Question by:snowmizer
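
The PAC-file approach described in the question, sketched as an added example (not the poster's file and not Websense's own configuration): internal destinations go DIRECT and everything else goes to the gateway with no DIRECT fallback, so a gateway outage blocks browsing instead of bypassing the filter. The proxy host and port, the DNS suffix and the subnets are placeholders.

```javascript
// Added example PAC file. Every hostname, port and subnet below is a placeholder.
var PROXY = "PROXY wcg.example.internal:8080";  // assumed explicit-proxy listener
var INTERNAL_SUFFIX = ".example.internal";      // assumed internal DNS suffix
var INTERNAL_NETS = [                           // assumed ranges: [network, prefix bits]
  ["10.0.0.0", 8],
  ["192.168.0.0", 16]
];

// Dotted-quad string -> unsigned 32-bit number, or -1 if not an IPv4 literal.
function ipv4ToInt(s) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return -1;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return -1;
    n = n * 256 + octet;
  }
  return n;
}

// True when host is an IPv4 literal inside net/bits. No DNS lookup is made,
// so hostnames never stall the browser the way isInNet(dnsResolve(...)) can.
function inNet(host, net, bits) {
  var h = ipv4ToInt(host);
  if (h < 0) return false;
  var size = Math.pow(2, 32 - bits);
  return Math.floor(h / size) === Math.floor(ipv4ToInt(net) / size);
}

function isInternal(host) {
  host = host.toLowerCase();
  // Single-label names (no dot, and not an IPv6 literal) are intranet hosts.
  if (host.indexOf(".") === -1 && host.indexOf(":") === -1) return true;
  // Suffix match includes the leading dot, so "evilexample.internal" fails.
  if (host.substring(host.length - INTERNAL_SUFFIX.length) === INTERNAL_SUFFIX) return true;
  for (var i = 0; i < INTERNAL_NETS.length; i++) {
    if (inNet(host, INTERNAL_NETS[i][0], INTERNAL_NETS[i][1])) return true;
  }
  return false;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  if (isInternal(host)) return "DIRECT";
  return PROXY;  // deliberately no "; DIRECT" fallback: fail closed
}
```
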
14 Comments
 
LVL 20

Assisted Solution

by:RPPreacher
RPPreacher earned 166 total points
ID: 33568093
0
 

Author Comment

by:snowmizer
ID: 33568234
Does this require an agent to be installed? Am I correct that hosted solutions would allow me to filter both VPN users and DMZ type servers? I've got no experience with hosted solutions so I'm not 100% sure how they work.

Thanks.
0
 
LVL 20

Expert Comment

by:RPPreacher
ID: 33568353
An agent is installed.  VPN and DMZ would be filtered.
0

 

Author Comment

by:snowmizer
ID: 33568485
We'll have to look at hosted solutions. If we decided not to go this route, could you achieve the same thing by putting some type of filtering solution in the DMZ?
0
 
LVL 20

Expert Comment

by:RPPreacher
ID: 33568507
You could rig something up.  I always hated band-aid solutions.  They end up being a bigger PITA than they are worth.
0
 

Author Comment

by:snowmizer
ID: 33568534
I don't disagree with that at all. This whole thing has been a PITA. :) I really don't want to have to manage two different solutions either. I guess it comes down to whether we want to use a hosted solution.
0
 
LVL 20

Expert Comment

by:RPPreacher
ID: 33568543
Sometimes the best thing is to bite the bullet and pay for the right solution up front.
0
 

Author Comment

by:snowmizer
ID: 33568553
Well the WCG is working fine for our internal users. It's the external VPN users and DMZ type servers that are causing the problem.
0
 
LVL 25

Expert Comment

by:madunix
ID: 33570313
I do squid + dansguardian; they are a very good choice!
I use squid with squidGuard - Blacklists regarding authentication (NCSA, LDAP, MSNT, PAM, SASL, NTLM, etc.) I do ncsa_auth (with 80 users); you have to maintain your own password_file with
"htpasswd -a /path/to/your/password_file username"
One thing, check http://www.reub.net/node/3 ......consider Cisco WCCP with squid  - it scales better with squid...
 
0
 

Author Comment

by:snowmizer
ID: 33571038
The more I think about this, shouldn't I be able to configure IE on my DMZ servers with a proxy configuration and then just allow this traffic through the firewall?
0
 

Author Comment

by:snowmizer
ID: 33571304
I guess a better question would be...can explicit proxy be used on a DMZ server to a proxy server that resides on the internal network?
0
 
LVL 14

Assisted Solution

by:Ehab Salem
Ehab Salem earned 167 total points
ID: 33574221
Websense has a remote filtering option. It is for WebSecurity but I do not know if it works with V1000:
http://www.3w.net/lan/Websense_RemoteFiltering.pdf
0
 
LVL 25

Accepted Solution

by:
madunix earned 167 total points
ID: 33591432
0
 

Author Comment

by:snowmizer
ID: 33715994
Thanks for all of the suggestions. This gives me an idea of how other people are addressing this issue.
0

Question has a verified solution.
