Solved

websense appliance and watchguard

Posted on 2013-06-28
15
1,049 Views
Last Modified: 2013-09-06
I have a websense appliance and a watchguard firewall.  I'm trying to route my traffic from the websense to the firewall and out to the internet. I've created an http proxy from the websense to the internet.  How can I verify how the traffic is returning?  I'm having an issue resolving many web pages once I use the IP of the websense as a proxy in my browser.
0
Comment
Question by:WellingtonIS
  • 10
  • 5
15 Comments
 
LVL 32

Expert Comment

by:dpk_wal
ID: 39286343
Please provide more details as to:
a. Are you using the webblocker feature of WG?
 If yes, then please take a look at the link below:
http://customers.watchguard.com/articles/Article/3093

b. You are using websense solution not part of WG webblocker.
 If yes, then as I understand, you are having setup as below:
1. All the hosts in the network use websense server IP as proxy in the browser settings.
2. On the firewall you have created a HTTP policy, something like this:
    Enabled and Allowed; from websense_server_ip; to ANY
3. Now only traffic from websense server IP to the internet would be allowed.
4. Any host if it tries to send traffic directly to firewall would be denied, as the firewall is configured to access traffic from websense server IP only.
5. For the return traffic from the internet, all return traffic would be allowed in to the IP of websense server only. If WG is performing NAT [which I think it is], WG would do NAT for outbound and reverse NAT for the specific return traffic.

Please check and update.

Thank you.
0
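As an added example (not part of the thread and not WatchGuard or Websense tooling): a check run from a client PC that tells apart the three states discussed here, namely direct egress still open, the proxy path not returning a response, and the policy enforced. The host names, the 192.0.2.10 address and port 8080 are placeholders; substitute the appliance's real IP and listening port.

```python
import socket
from urllib.parse import urlsplit

def direct_reachable(host, port=80, timeout=3.0):
    """True if this client can open TCP straight to host:port, bypassing the proxy."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def proxied_status(proxy_host, proxy_port, url, timeout=5.0):
    """Send an explicit-proxy (absolute-URI) GET; return the HTTP status or None."""
    request = (f"GET {url} HTTP/1.1\r\nHost: {urlsplit(url).netloc}\r\n"
               "Connection: close\r\n\r\n").encode("ascii")
    data = b""
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
            s.sendall(request)
            while b"\r\n" not in data:
                chunk = s.recv(1024)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return None
    parts = data.split(b"\r\n", 1)[0].split()
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return None

def audit(target_host, proxy_host, proxy_port, target_port=80):
    """Classify the egress path as seen from this client."""
    if direct_reachable(target_host, target_port):
        return "bypass-possible"      # firewall still lets clients out directly
    if proxied_status(proxy_host, proxy_port, f"http://{target_host}/") is None:
        return "proxy-path-broken"    # no HTTP reply came back via the proxy
    return "enforced"                 # direct blocked, proxy answers (even a block page)

if __name__ == "__main__":
    # Placeholders: 192.0.2.10 stands in for the Websense IP, 8080 for its port.
    print(audit("example.com", "192.0.2.10", 8080))
```

A result of `bypass-possible` corresponds to the Any-Trusted-Any situation where the filter is optional; `proxy-path-broken` points at the firewall policy or the appliance's route back.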
 

Author Comment

by:WellingtonIS
ID: 39290580
No, this has nothing to do with Watchguard.  It is a separate appliance which will run through (if you will) watchguard.  It's not part of Watch Guard.
0
 

Author Comment

by:WellingtonIS
ID: 39290593
Humm.  I think I understand my issue.  Currently I have my watchguard set to Any-Trusted-Any because I can't get the websense running properly.  I have created a Proxy from the websense appliance IP to any.  Now for testing purposes if I add an additional proxy from my test pc to the websense will that be ok?
0
 

Author Comment

by:WellingtonIS
ID: 39290684
OK so I'm still a bit fuzzy on some things.  Taking out the extra http proxy did the trick but only when I put the IP of the websense as a proxy. I have all the traffic on my network routed to my firewall.  But unless I use the websense as a proxy the internet is wide open.  Is there something else I need to do?
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 39292597
Sorry but I do not understand fully what you are trying to do here.

As I understand you want all users to get redirected to websense and then only websense should be allowed access to internet.

I do not know how to configure the user machines to send all traffic to websense; may be through proxy...better check that out.

Once websense has all the traffic from the users and it wants to go out to internet we would need HTTP policy on the WG firewall to permit the traffic as I already mentioned in my earlier post.

Please let me know if there is anything else I can assist with.

Thank you.
0
 

Author Comment

by:WellingtonIS
ID: 39293034
There is an article that watchguard publishes which is extremely vague - http://www.watchguard.com/help/docs/wsm/11/en-us/content/en-us/proxies/http/http_caching_proxy_server_wsm.html.
I've tried many combinations but nothing is working.  I know you are supposed to put in the web cache server as the IP of the websense appliance via port 80.  But what are the From and To supposed to be? And if you add the HTTP proxy setting are you supposed to delete the regular HTTP?  This is so vague. Does anyone know how to do this???  Currently I have proxy settings in my IE settings via group policy; the only way I can use websense is just to replace those settings with the IP of websense.  I know there must be a way to do this.... Does anybody know?
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 39293385
Yes you are right we can configure external caching server in HTTP-proxy:
https://www.watchguard.com/help/docs/wsm/11_XTM/en-US/index.html#en-US/proxies/http/http_caching_proxy_server_c.html%3FTocPath%3DProxy%20Settings%7CAbout%20the%20HTTP-Proxy%7C_____17

For the HTTP from and to, would also be as you listed, from websense server IP to any.

Thank you.
0
 

Author Comment

by:WellingtonIS
ID: 39293404
OK I tried that but it doesn't work.  It's not sending the response back to Websense.  If I use the HTTP-Proxy then do I delete the original HTTP?  I've tried setting the From to the IP of the Websense and to Any then the web cache but that's not working either. The only way I've been able to make this work is to use the proxy setting in explorer.  Do you know if anyone has had any luck doing this?
0
 

Author Comment

by:WellingtonIS
ID: 39296551
Basically what I'm trying to do is route all the traffic that enters the Firewall through the websense.  I've tried all - to the websense but I'm not seeing the traffic filter through.
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 39296572
Are you sure websense is sending traffic to WG; websense should have default route pointing towards WG internal IP.
Also, make sure that websense is properly configured as proxy and listening to request as configured on the ports/IP.

Thank you.
0
 

Author Comment

by:WellingtonIS
ID: 39296724
It is but I'm trying to make it so you don't have to add the proxy settings in IE.  I'm trying to route all the internet traffic through the web-sense appliance.
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 39297276
Once you configure web-cache setting in HTTP proxy; please ensure that websense server is listening on the ports and IP as configured on WG.

If the problem persists, check if you configure the proxy in the web browser directly if the things work; if yes, then we would know for sure that the websense server is configured properly.
0
 

Author Comment

by:WellingtonIS
ID: 39297347
I'm thinking but I'm not sure that Websense listens on Port 80 and port 8080?  I'm just not sure but in any event no matter how hard I try I cannot direct the traffic to the web through the websense unless I configure proxy settings in the browser.
0
 

Accepted Solution

by:
WellingtonIS earned 0 total points
ID: 39456484
Close this as I reconfigured my Cisco ASAs for websense.  Watchguard and Websense do not play nice.
0
 

Author Closing Comment

by:WellingtonIS
ID: 39469697
I can't use watchguard along with websense. So I configured my Cisco ASAs instead.  This isn't needed anymore.
0
