Configuring Websense and URL Filtering in AOS Common Application Guide
The ability to filter web content based on a uniform resource locator (URL) has now been integrated into the ADTRAN Operating System (AOS) firewall. This enables a unit to integrate with the Websense® (www.websense.com) web content filtering software. This feature allows you to prevent users from accessing specified websites based upon settings defined on a Websense server. Filtering can be applied to incoming or outgoing sessions on any IP interface. This feature includes:
Primary and Secondary Servers
The firewall can be configured with multiple Websense servers, but only uses one server at a time. If the first server (primary) ceases to respond, the firewall will start using the next server listed (secondary). The default port used is 15868 and the default timeout is 5 seconds.
The firewall can buffer up to 100 Hypertext Transfer Protocol (HTTP) responses and up to 500 outstanding requests at any given time. Both of these values can be decreased if necessary.
A list of configurable domain names may be specified which do not require a lookup to the Websense server.
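If the firewall can no longer communicate with any Websense server, the Allow mode setting determines what happens to web traffic. By default, Allow mode is disabled, so all web traffic is automatically blocked; when Allow mode is enabled (ip urlfilter allowmode), all websites remain accessible.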
AOS Websense support is compatible with Websense Web Security Suite™ version 6.1.1 or higher. This feature was introduced with AOS revision 12.01.00.
AOS Websense is available on AOS products as outlined in the AOS Product Feature Matrix.
Only one HTTP URL filter may be used in a given configuration. HTTP over secure socket layer (HTTPS) and file transfer protocol (FTP) URL filtering are not currently supported.
The following example creates an HTTP filter called my_filter that is enabled on all inbound traffic to eth 0/1. The primary Websense server has an IP address of 192.168.100.10, uses the default port of 15868, and uses the default timeout of 5 seconds. The secondary Websense server has an IP address of 192.168.100.11, uses port 15869, and has a timeout specified of 10 seconds. The website www.adtran.com is always allowed without requiring a lookup to the Websense server. In the event that the firewall cannot communicate with the Websense servers, all websites will be accessible (ip urlfilter allowmode).
NOTE: You must be in the command line interface of the unit (console/telnet) and enter into global configuration mode by issuing the 'configure terminal' command to alter the configuration.
Sample URL Filtering Configuration
!
ip firewall
!
ip urlfilter my_filter http
ip urlfilter exclusive-domain permit www.adtran.com
ip urlfilter server 192.168.100.10
ip urlfilter server 192.168.100.11 port 15869 timeout 10
ip urlfilter allowmode
ip urlfilter max-request 500
ip urlfilter max-response 100
!
!
interface eth 0/1
  ip address192.168.100.125220.127.116.11
  ip urlfilter my_filter in
  no shutdown
!
NOTE: The command “ip urlfilter max-request 500” is applied by default. This is used to specify the number of requests (1-500) that are sent to the Websense server at a time.
NOTE: The command “ip urlfilter max-response 100” is applied by default. This is used to specify the number of responses (1-100) that are buffered from a webserver before a response is obtained from the Websense server.
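The following Python audit is an added example, not part of the ADTRAN guide. It parses the URL-filter commands used in the sample configuration and flags fail-open Allow mode, a missing secondary server, exclusive domains that bypass the Websense lookup, and filters not applied to any interface. The function name, finding labels, and embedded configuration text are constructed for illustration.

```python
import re

# Constructed sample modelled on the guide's configuration (interface address omitted).
SAMPLE = """\
ip firewall
ip urlfilter my_filter http
ip urlfilter exclusive-domain permit www.adtran.com
ip urlfilter server 192.168.100.10
ip urlfilter server 192.168.100.11 port 15869 timeout 10
ip urlfilter allowmode
!
interface eth 0/1
  ip urlfilter my_filter in
  no shutdown
!
"""

def audit_urlfilter(config):
    """Return (summary, findings) for the URL-filter commands in an AOS config."""
    s = {"filters": [], "servers": [], "bypass": [], "allowmode": False, "applied": {}}
    iface = None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.fullmatch(r"interface (.+)", line):
            iface = m.group(1)
        elif line == "!":
            iface = None  # "!" closes the current interface block
        elif m := re.fullmatch(r"ip urlfilter (\S+) http", line):
            s["filters"].append(m.group(1))
        elif m := re.fullmatch(r"ip urlfilter server (\S+)(?: port (\d+))?(?: timeout (\d+))?", line):
            # Defaults stated in the guide: port 15868, timeout 5 seconds.
            s["servers"].append((m.group(1), int(m.group(2) or 15868), int(m.group(3) or 5)))
        elif m := re.fullmatch(r"ip urlfilter exclusive-domain permit (\S+)", line):
            s["bypass"].append(m.group(1))
        elif line == "ip urlfilter allowmode":
            s["allowmode"] = True
        elif iface and (m := re.fullmatch(r"ip urlfilter (\S+) (in|out)", line)):
            s["applied"].setdefault(m.group(1), []).append((iface, m.group(2)))
    findings = []
    if s["allowmode"]:
        findings.append("FAIL-OPEN: allowmode set; all sites reachable if no Websense server answers")
    if len(s["servers"]) < 2:
        findings.append("NO-FAILOVER: fewer than two Websense servers configured")
    findings += [f"BYPASS: {d} is permitted without a Websense lookup" for d in s["bypass"]]
    findings += [f"UNUSED: filter {f} is not applied to any interface" for f in s["filters"] if f not in s["applied"]]
    return s, findings

if __name__ == "__main__":
    print("\n".join(audit_urlfilter(SAMPLE)[1]))
```
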
The debug ip urlfilter [verbose], show ip urlfilter, and show ip urlfilter [exclusive-domain | statistics] commands may be used for troubleshooting.
The Blocked URL Message
Websense provides default HTML files for blocked pages. However, you can customize the text of the default Websense messages to better fit your organization’s needs. Additionally, you can use alternate HTML files to completely replace the top frame of all blocked pages.
show ip urlfilter command
Displays the configured URL filter, server information, excluded domains, and other settings. The maximum outstanding requests shows the maximum number of packets that can be sent to the Websense server without receiving a response.
show ip urlfilter statistics command
Displays information such as the number of requests that are sent to the Websense server, the number of responses received from the Websense server, the number of pending requests in the system, the number of failed requests, and the number of blocked URLs.
clear ip urlfilter statistics command
Resets URL filtering statistics.
show ip urlfilter exclusive-domain command
Displays domains excluded from Websense URL filtering.