Does anyone know how to configure URL filtering for an external WebSense cloud-based server?
@kbillings - Websense in AOS products is only compatible with Websense Web Security Suite version 6.1.1 or higher. I do not believe any other Websense product will work with this feature within AOS.
More details regarding this feature can be found in the document below:
https://supportforums.adtran.com/docs/DOC-1584
Please let us know if you have any further questions.
Thanks,
Noor
Does it matter if the WebSense server is external to our local lan?
@kbillings - It should not matter if the server is outside the local LAN as long as the AOS device has connectivity to and from the Websense server.
Please let us know if you have any further questions.
Thanks,
Noor
Do we need to configure any FW ACL? Can you provide an example config with URL filtering to an external server?
@kbillings - From my understanding of it, as long as the response from the Websense server comes back on the same port the Adtran sent the request on, then if you are seeing the request go out, you should not have to configure an inbound ACL rule to let the response back in. On an Adtran device, the requests are sent out TCP port 15868 by default. I don't believe there should be any additional configuration needed as long as the Adtran has internet access to the Websense server.
Are you seeing the request go out? You can monitor this by viewing the policy-sessions when you attempt to access the webpage. The command "show ip policy-session self" should show a session created that is destined for the Websense server on port 15868.
We can check to see if there are sessions being created by the Websense server from the outside by allowing traffic from it inbound. First, you would need to create an ACL that matches traffic coming from the Websense server, then apply this rule to the access-policy/security zone applied to your WAN interface. The configuration for this rule would look like this:
ip access-list ext WebSenseIn
  permit ip <Websense Server IP> any
ip policy-class <WAN Policy-class Name>
  allow list WebSenseIn
Once this is configured, you can attempt to reach a webpage again and issue the "show ip policy-session" command. This time, you will be looking for traffic that is coming from the Websense server. This rule should also open up all communication to and from the Adtran to the Websense server. If it is still not functioning, you will need to verify if the request is reaching the Websense server or not. If it starts to function, then the "show ip policy-session" output will tell us which ports you will need to open from the outside for the Websense server to communicate with the Adtran.
I would be more than happy to review your configuration. If you attach it to this thread, please be sure to remove any information that may be sensitive to your company and network.
Thanks,
Noor
Need to see if we can configure PBR or a FW redirect to forward the HTTP request to the WebSense cloud server. The URL filtering option does not work with a cloud-based solution…
Can you provide a solution for PBR or FW redirect?
If we were using a Cisco ASA, here is the config for it:
1. Set up service objects to match TCP traffic going from all available ports to ports 8081 or 80:
hostname(config)# object service http-original
hostname(config-service-object)# service tcp source range 1 65535 destination eq www
hostname(config-service-object)# description http-original
hostname(config)# object service http-redirect
hostname(config-service-object)# service tcp source range 1 65535 destination eq 8081
hostname(config-service-object)# description http-redirect
2. Create a network object to match the source traffic that should be filtered by Cloud Web Security:
hostname(config)# object network Filtered-Web-Addresses
hostname(config-network-object)# subnet 0.0.0.0 0.0.0.0
Use the subnet addresses that apply to your organization.
3. Create a network object to match the destination address (i.e. the Websense Cloud Web Security proxy):
hostname(config)# object network Websense-Proxy
hostname(config-network-object)# host webdefence.global.blackspider.com
hostname(config-network-object)# description Websense-Proxy
4. Using the object and network services you have set up, create NAT rules on your firewall to send Web traffic from your internal addresses to the cloud service. We recommend two rules: one for internal IP addresses, and one for your guest wireless network.
The NAT statements for these rules are as follows:
nat (inside,outside) source dynamic any interface destination static Filtered-Web-Addresses Websense-Proxy service http-original http-redirect inactive
nat (guest-wireless,outside) source dynamic any interface destination static Filtered-Web-Addresses Websense-Proxy service http-original http-redirect inactive
@kbillings - I don't believe the route-map or firewall redirect option will work to forward URL filter requests to the Websense server. If you could provide us the following information, we would be better able to help you determine whether this application can work or not:
1. Copy of the configuration and the issue you are experiencing. (Please be sure to remove any information that may be sensitive to your network)
2. The Websense product that is being used, including software and version.
3. The output of "show ip policy-session" when an attempt is made to access a webpage.
This information will help us troubleshoot the issue you are seeing. Please let us know if you have any questions.
Thanks,
Noor
According to WebSense, they are expecting to see a URL request and not an IP. They use load balancing and need to see a URL. Any way to have the AOS translate the IP to a URL/DNS name before going out?
@kbillings - I'm not sure I follow your question. When the Adtran device sends the request to the Websense server, the request will contain the URL that a client is attempting to access. Do you have a packet capture or debug that would show what Websense is seeing?
Thanks,
Noor
I went ahead and flagged this post as “Assumed Answered.” If any of the responses on this thread assisted you, please mark them as either Correct or Helpful answers with the applicable buttons. This will make them visible and help other members of the community find solutions more easily. If you still need assistance, I would be more than happy to continue working with you on this - just let me know in a reply.
Thanks,
Noor