Bluecoat Proxy Deployment Design

Hello,
Currently we have TMG as the web proxy and Websense for web filtering.
We are going to replace TMG with a Bluecoat SG appliance.

Hence I need to know which design is considered best in terms of security and efficiency.

We have 1500 users.

Any help would be appreciated.
Asked by: cciedreamer
 
Jeyaraj Kathiresan (Cyber Security Analyst) commented:
Hi cciedreamer,

For a transparent deployment, you would require the ProxySG appliance to work in bridged mode. So, one interface of the appliance should be connected to the core switch and the other should be connected to the perimeter device (firewall/router). In this case, all the traffic would be received by the proxy and you need to intercept the traffic that needs to be inspected by the proxy (HTTP, HTTPS, ports, etc.). This type of deployment is called transparent in-line deployment. This is why it has a single point of failure. (Once the proxy is down, the entire LAN to WAN traffic gets dropped unless the core switch's outside interface is manually connected to the perimeter device's inside interface.)

Otherwise, you can use WCCP routing if your network contains a Cisco router that is capable of handling WCCP operations to route the traffic to the ProxySG inside.

If the users need to be authenticated by the ProxySG, you would need to set up an LDAP realm if you have a dedicated LDAP server, and a web authentication layer has to be added in the ProxySG VPM to ask the users for authentication.

For the Websense part, get the Websense URL filter database downloaded to your local server in the inside network and create an FTP link or URL for accessing the DB. Then add it under the local database in the ProxySG web management console and check for updates on a daily basis. (Probably you can contact the vendor to check the compatibility for integration, since Forcepoint LLC is the vendor managing Websense now.)

Good luck with your deployment!
0
 
Jeyaraj Kathiresan (Cyber Security Analyst) commented:
Considering the number of users, security and robustness, it is recommended to use the explicit mode of deployment for the environment.

Not prone to single point of failure.
Network downtime is not required for deployment.
Proxied policies can be explicitly pushed to clients through PAC file or proxy settings in internet options.
0
 
cciedreamer (Author) commented:
Hi Jeyaraj,

Thanks for the response.

Where should I keep Websense in the deployment?
Bluecoat should use Websense as a database only, for web filtering.
0
Jeyaraj Kathiresan (Cyber Security Analyst) commented:
Hi cciedreamer,

By default, the latest Bluecoat ProxySG 6.x version supports:

Local Database (Locally pushed through custom URLs)
Bluecoat Webfilter (Requires license)
IWF Database (Open Source DB by Internet Watch Foundation)
Proventia (3rd Party)
Optenet (3rd Party)

You can refer to the document below for integrating the Websense DB with Bluecoat. However, I suppose that might be possible on 5.x versions.
https://www.websense.com/content/support/library/web/v75/wws_bc_rpt_supp/Blue%20Coat%20Reporting%20Supplement.pdf

Or the content filtering database can be downloaded manually to a local server and pushed to the Bluecoat ProxySG.

For an explicit proxy configuration, the ProxySG device can be placed in the DMZ of the network.
0
 
cciedreamer (Author) commented:
Hi Jeyaraj,

What if I want to deploy the proxy in transparent mode along with Bluecoat and Websense integration?
Also, I want to authenticate domain users before they gain internet access.

Please advise on the deployment design.
0
 
cciedreamer (Author) commented:
"For the Websense part, get the Websense URL filter database downloaded to your local server in the inside network and create an FTP link or URL for accessing the DB. Then add it under the local database in the ProxySG web management console and check for updates on a daily basis. (Probably you can contact the vendor to check the compatibility for integration, since Forcepoint LLC is the vendor managing Websense now.)"

I suppose the Bluecoat will not work this way.

We are a large enterprise, so is it best to configure explicit or transparent?
If I configure explicit, maybe some applications will not work as they do not understand proxies.
0
 
Jeyaraj Kathiresan (Cyber Security Analyst) commented:
If you require a URL filtering DB with no license, you can use the IWF (Internet Watch Foundation) database integrated into ProxySG.

For an ideal solution, considering the number of users, robustness and failover options, I would recommend using explicit mode deployment. If any application is not able to understand a proxy, you can either create rules to bypass the traffic from the ProxySG, or the recommended solution would be creating rules and logging the transactions in the perimeter device to access them directly through the ISP.
0
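
The PAC-file distribution and the bypass handling for proxy-unaware applications discussed in the answers above, as an added example that is not part of the original thread or of any Blue Coat documentation. The proxy hostnames, port 8080, the internal domain and the bypass host are assumed placeholders.

```javascript
// Added example, not from the thread: PAC file for an explicit proxy deployment.
// Proxy names, port, internal domain and bypass list are assumed placeholders.
var PROXIES = "PROXY proxysg1.corp.example:8080; PROXY proxysg2.corp.example:8080";
var INTERNAL_SUFFIX = ".corp.example";              // assumed internal DNS domain
var DIRECT_HOSTS = ["legacy-app.partner.example"];  // assumed proxy-unaware app

// True for IPv4 literals in loopback or RFC 1918 space; no DNS lookup involved.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = +m[1], b = +m[2];
  if (a > 255 || b > 255 || +m[3] > 255 || +m[4] > 255) return false;
  return a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

// Suffix test written out because old PAC engines lack String.prototype.endsWith.
function hasSuffix(s, suffix) {
  return s.length >= suffix.length &&
         s.indexOf(suffix, s.length - suffix.length) !== -1;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Single-label names only; IPv6 literals (containing ":") are not treated as internal.
  var plainName = host.indexOf(".") === -1 && host.indexOf(":") === -1;
  // Internal names and addresses stay on the LAN and skip the proxy.
  if (plainName || hasSuffix(host, INTERNAL_SUFFIX) || isPrivateIPv4(host)) {
    return "DIRECT";
  }
  // Exact-match bypass list for applications that cannot use a proxy.
  // Keep it short and log these flows on the perimeter device.
  for (var i = 0; i < DIRECT_HOSTS.length; i++) {
    if (host === DIRECT_HOSTS[i]) return "DIRECT";
  }
  // Everything else goes to the proxies; the second entry is the failover.
  // No trailing "DIRECT": if both proxies are down the client fails closed
  // instead of reaching the internet without filtering or authentication.
  return PROXIES;
}
```

The PAC file only steers clients. Hosts on the bypass list still need a matching rule on the perimeter device, and every other client should have no direct path to the internet.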
 
cciedreamer (Author) commented:
I have come up with this design; please have a look and give your precious inputs.

Users  --- Bluecoat SG ---- Websense ---- Internet

Bluecoat will be deployed as explicit and will be configured with policies.

If we need to add a DMZ, which design should be implemented?
0
 
Jeyaraj Kathiresan (Cyber Security Analyst) commented:
That design looks perfect. You can keep the ProxySG appliance connected to the DMZ switch, and your edge firewall/router should be able to route the traffic to the proxy, and from the proxy all the internet traffic should be allowed. So, all the internet connections should be reaching the proxy first and the proxy establishes a new connection to the Internet.

If Websense is an appliance, you can also connect it to the DMZ switch and the proxy will be able to fetch the DB since it lies under the same security level in the DMZ.

The connection flow would be like:

User -> Firewall (Allow Inside To DMZ) -> DMZ Proxy -> Firewall (Allow DMZ To Internet/Untrust) -> Internet Websites
0
 
cciedreamer (Author) commented:
Thanks. Much appreciated.
We are using Triton Websense installed on a Windows 2008 R2 Server.
Bluecoat and Websense will be two different boxes, so where is Websense in your design?

User -> Firewall (Allow Inside To DMZ) -> DMZ Proxy -> Firewall (Allow DMZ To Internet/Untrust) -> Internet Websites
0
 
Jeyaraj Kathiresan (Cyber Security Analyst) commented:
In that case, the Win 2008 R2 server can be connected either to the DMZ switch or to the management switch.

If the URL database is to be fetched by the ProxySG on a scheduled basis, it would query the Websense server periodically and update its local database. Here you can keep it under the management switch or the backbone.

If dynamic categorization/filtering (real time) of websites is required, keeping it under the same DMZ would be the best option.

You would require a web access layer in the Visual Policy Manager in the ProxySG admin panel to configure the content filtering. But the aforementioned traffic flow remains the same.
0
Question has a verified solution.
