Solved

websense appliance and watchguard

Posted on 2013-06-28
Last Modified: 2013-09-06
I have a websense appliance and a watchguard firewall. I'm trying to route my traffic from the websense to the firewall and out to the internet. I've created an http proxy from the websense to the internet. How can I verify how the traffic is returning? I'm having an issue resolving many web pages once I use the IP of the websense as a proxy in my browser.
Question by:WellingtonIS
LVL 32

Expert Comment

by:dpk_wal
ID: 39286343
Please provide more details as to:
a. Are you using the webblocker feature of WG?
 If yes, then please take a look at the link below:
http://customers.watchguard.com/articles/Article/3093

b. You are using websense solution not part of WG webblocker.
 If yes, then as I understand, you are having setup as below:
1. All the hosts in the network use websense server IP as proxy in the browser settings.
2. On the firewall you have created a HTTP policy, something like this:
    Enabled and Allowed; from websense_server_ip; to ANY
3. Now only traffic from websense server IP to the internet would be allowed.
4. Any host if it tries to send traffic directly to firewall would be denied, as the firewall is configured to access traffic from websense server IP only.
5. For the return traffic from the internet, all return traffic would be allowed in to the IP of websense server only. If WG is performing NAT [which I think it is], WG would do NAT for outbound and reverse NAT for the specific return traffic.

Please check and update.

Thank you.
0
 

Author Comment

by:WellingtonIS
ID: 39290580
No, this has nothing to do with Watchguard. It is a separate appliance which will run through (if you will) watchguard. It's not part of Watch Guard.
0
 

Author Comment

by:WellingtonIS
ID: 39290593
Humm.  I think I understand my issue.  Currently I have my watchguard set to Any-Trusted-Any because I can't get the websense running properly.  I have created a Proxy from the websense appliance IP to any.  Now for testing purposes if I add an additional proxy from my test pc to the websense will that be ok?
0
 

Author Comment

by:WellingtonIS
ID: 39290684
OK so I'm still a bit fuzzy on some things. Taking out the extra http proxy did the trick but only when I put the IP of the websense as a proxy. I have all the traffic on my network routed to my firewall. But unless I use the websense as a proxy the internet is wide open. Is there something else I need to do?
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 39292597
Sorry but I do not understand fully what you are trying to do here.

As I understand you want all users to get redirected to websense and then only websense should be allowed access to internet.

I do not know how to configure the user machines to send all traffic to websense; may be through proxy...better check that out.

Once websense has all the traffic from the users and it wants to go out to internet we would need HTTP policy on the WG firewall to permit the traffic as I already mentioned in my earlier post.

Please let me know if there is anything else I can assist with.

Thank you.
0
 

Author Comment

by:WellingtonIS
ID: 39293034
There is an article that watchguard publishes which is extremely vague - http://www.watchguard.com/help/docs/wsm/11/en-us/content/en-us/proxies/http/http_caching_proxy_server_wsm.html.
I've tried many combinations but nothing is working. I know you are supposed to put in the web cache server as the IP of the websense appliance via port 80. But what are the From and To supposed to be? And if you add the HTTP proxy setting are you supposed to delete the regular HTTP? This is so vague. Does anyone know how to do this? Currently I have proxy settings in my IE settings via group policy; the only way I can use websense is just to replace those settings with the IP of websense. I know there must be a way to do this... Does anybody know?
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 39293385
Yes you are right we can configure external caching server in HTTP-proxy:
https://www.watchguard.com/help/docs/wsm/11_XTM/en-US/index.html#en-US/proxies/http/http_caching_proxy_server_c.html%3FTocPath%3DProxy%20Settings%7CAbout%20the%20HTTP-Proxy%7C_____17

For the HTTP from and to, would also be as you listed, from websense server IP to any.

Thank you.
0
 

Author Comment

by:WellingtonIS
ID: 39293404
OK I tried that but it doesn't work. It's not sending the response back to Websense. If I use the HTTP-Proxy then do I delete the original HTTP? I've tried setting the From to the IP of the Websense and to Any then the web cache but that's not working either. The only way I've been able to make this work is to use the proxy setting in explorer. Do you know if anyone has had any luck doing this?
0
 

Author Comment

by:WellingtonIS
ID: 39296551
Basically what I'm trying to do is route all the traffic that enters the Firewall through the websense. I've tried all - to the websense but I'm not seeing the traffic filter through.
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 39296572
Are you sure websense is sending traffic to WG; websense should have default route pointing towards WG internal IP.
Also, make sure that websense is properly configured as proxy and listening to request as configured on the ports/IP.

Thank you.
0
 

Author Comment

by:WellingtonIS
ID: 39296724
It is, but I'm trying to make it so you don't have to add the proxy settings in IE. I'm trying to route all the internet traffic through the web-sense appliance.
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 39297276
Once you configure web-cache setting in HTTP proxy; please ensure that websense server is listening on the ports and IP as configured on WG.

If the problem persists, check if you configure the proxy in the web browser directly if the things work; if yes, then we would know for sure that the websense server is configured properly.
0
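One way to carry out the listener check suggested above, as an added example that is not part of the original thread: it probes the appliance on the two ports in question and sends a forward-proxy style request to each. The address `192.0.2.10` and the URL `http://example.com/` are placeholder assumptions, not values from the thread.

```python
import socket

# Assumed values for illustration; replace with the appliance's real address.
PROXY_IP = "192.0.2.10"            # placeholder (TEST-NET-1), not from the thread
CANDIDATE_PORTS = (80, 8080)       # the two ports under discussion
TEST_URL = "http://example.com/"   # any plain-HTTP URL will do

def probe_proxy(host, port, url=TEST_URL, timeout=3.0):
    """Return (state, detail) for one host:port.

    state is 'closed' (no TCP listener), 'silent' (connected but no HTTP
    reply), or 'http' (a status line came back; detail is the status code).
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "closed", str(exc)
    with sock:
        # A forward proxy expects the absolute URL in the request line.
        target_host = url.split("/")[2]
        request = (f"GET {url} HTTP/1.1\r\nHost: {target_host}\r\n"
                   "Connection: close\r\n\r\n")
        try:
            sock.sendall(request.encode("ascii"))
            first = sock.recv(1024).split(b"\r\n", 1)[0].decode("latin-1")
        except OSError as exc:
            return "silent", str(exc)
    parts = first.split()
    if len(parts) >= 2 and parts[0].startswith("HTTP/") and parts[1].isdigit():
        return "http", int(parts[1])
    return "silent", first

def survey(host=PROXY_IP, ports=CANDIDATE_PORTS):
    """Probe every candidate port and return {port: (state, detail)}."""
    return {port: probe_proxy(host, port) for port in ports}

if __name__ == "__main__":
    for port, (state, detail) in survey().items():
        print(f"{PROXY_IP}:{port} -> {state} ({detail})")
```

Any `http` result means something on that port answers proxy-style requests, even if the status code is a block or authentication response. Running the same probe from a client PC and from behind the firewall shows which hop drops the traffic.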
 

Author Comment

by:WellingtonIS
ID: 39297347
I'm thinking but I'm not sure that Websense listens on Port 80 and port 8080? I'm just not sure but in any event no matter how hard I try I cannot direct the traffic to the web through the websense unless I configure proxy settings in the browser.
0
 

Accepted Solution

by:
WellingtonIS earned 0 total points
ID: 39456484
Close this as I reconfigured my Cisco ASAs for websense. Watchguard and Websense do not play nice.
0
 

Author Closing Comment

by:WellingtonIS
ID: 39469697
I can't use watchguard along with websense. So I configured my Cisco ASAs instead. This isn't needed anymore.
0
