The Adtran community holiday season is starting next week! The holiday period will span from December 21, 2024 to January 6, 2025. During this time, responses to feedback form submissions may be delayed. If you are encountering product issues, you can reach out to Adtran support at any time.
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Anonymous
Not applicable

URL Filtering

Does anyone know how to config URL filtering for an external WebSense Cloud base server?

0 Kudos
12 Replies
Anonymous
Not applicable

Re: URL Filtering

@kbilllings - Websense in AOS products is only compatible with Websense Web Security Suite version 6.1.1 or higher. I do not believe any other Websense product will work with this feature within AOS.

More details regarding this feature can be found in the document below:

https://supportforums.adtran.com/docs/DOC-1584

Please let us know if you have any further questions.

Thanks,

Noor

Anonymous
Not applicable

Re: URL Filtering

Does it matter if the WebSense server is external to our local lan?

Anonymous
Not applicable

Re: URL Filtering

@kbillings - It should not matter if the server is outside the local LAN as long as the AOS device has connectivity to and from the websense server.

Please let us know if you have any further questions.

Thanks,

Noor

Anonymous
Not applicable

Re: URL Filtering

Do we need to config any FW ACL? Can you provide a example config with URL filtering to an external server?

Anonymous
Not applicable

Re: URL Filtering

@kbillings - From my understanding of it, as long as the response from the Websense server comes back on the same port the Adtran sent the request on, then if you are seeing the request go out, you should not have to configure an inbound ACL rule to let the response back in. On an Adtran device, the requests are sent out TCP port 15868 by default. I don't believe there should be any additional configuration needed as long as the Adtran has internet access to the Websense server.

Are you seeing the request go out? You can monitor this by viewing the policy-sessions when you attempt to access the webpage. The command "show ip policy-session self" should show a session created that is destined for the Websense server on port 15868.

We can check to see if there are sessions being created by the Websense server from the outside by allowing traffic from it inbound. First, you would need to create an ACL that matches traffic coming from the Websense server, then apply this rule to the access-policy/security zone applied to your WAN interface. The configuration for this rule would look like this:

ip access-list ext WebSenseIn

    permit ip <Websense Server IP> any

ip policy-class <WAN Policy-class Name>

    allow list WebSenseIn

Once this is configured, you can attempt to reach a webpage again and issue the "show ip policy-session" command. This time, you will be looking for traffic that is coming from the Websense server. This rule should also open up all communication to and from the Adtran to the Websense server. If it is still not functioning, you will need to verify if the request is reaching the Websense server or not. If it starts to function, then the "show ip policy-session" output will tell us which ports you will need to open from the outside for the Websense server to communicate with the Adtran.

I would be more than happy to review your configuration. If you attach it to this thread, please be sure to remove any information that be sensitive to your company and network.

Thanks,

Noor

Anonymous
Not applicable

Re: URL Filtering

Need to see if we can config PBR or a FW redirect to forward the http request to the WebSense cloud server. The URL Filtering options does not work with a Cloud based solution…

Anonymous
Not applicable

Re: URL Filtering

Can you provide a solution for PBR or FW redirect?

Anonymous
Not applicable

Re: URL Filtering

If we were using a Cisco ASA here is the config for it:

1. Set up service objects to match TCP traffic going from all available ports to ports

8081 or 80:

hostname(config)# object service http-original

hostname(config-service-object)# service tcp source range 1

65535 destination eq www

hostname(config-service-object)# description http-original

hostname(config)# object service http-redirect

hostname(config-service-object)# service tcp source range 1

65535 destination eq 8081

hostname(config-service-object)# description http-redirect

2. Create a network object to match the source traffic that should be filtered by

Cloud Web Security:

hostname(config)# object network Filtered-Web-Addresses

hostname(config-network-object)# subnet 0.0.0.0 0.0.0.0

Use the subnet addresses that apply to your organization.

3. Create a network object to match the destination address (i.e. the Websense Cloud

Web Security proxy):

hostname(config)# object network Websense-Proxy

hostname(config-network-object)# host

webdefence.global.blackspider.com

hostname(config-network-object)# description Websense-Proxy

4. Using the object and network services you have set up, create NAT rules on your

firewall to send Web traffic from your internal addresses to the cloud service. We

recommend two rules: one for internal IP addresses, and one for your guest

wireless network.

The NAT statements for these rules are as follows:

nat (inside,outside) source dynamic any interface

destination static Filtered-Web-Addresses Websense-Proxy

service http-original http-redirect inactive

nat (guest-wireless,outside) source dynamic any interface

destination static Filtered-Web-Addresses Websense-Proxy

service http-original http-redirect inactive

Anonymous
Not applicable

Re: URL Filtering

@kbillings - I don't believe the route-map or firewall redirect option will work to forward URL filter requests to the Websense server. If you could provide us the following information, we would be better able to help you determine whether this application can work or not:

1. Copy of the configuration and the issue you are experiencing. (Please be sure to remove any information that may be sensitive to your network)

2. The Websense product that is being used, including software and version.

3. The output to "show ip policy-session" when an attempt is made to access a webpage.

This information will help us troubleshoot the issue you are seeing. Please let us know if you have any questions.

Thanks,

Noor

Anonymous
Not applicable

Re: URL Filtering

Accoring to WebSense they are expecting to see a url request and not an IP. They use load-balance and need to see a url. Any way to have the AOS translate the IP to a url/dns name before going out?

Anonymous
Not applicable

Re: URL Filtering

@kbillings - I'm not sure I follow your question. When the Adtran device sends the request to the Websense server, the request will contain the URL that a client is attempting to access. Do you have a packet capture or debug that would show what Websense is seeing?

Thanks,

Noor

Anonymous
Not applicable

Re: URL Filtering

- I went ahead and flagged this post as “Assumed Answered.”  If any of the responses on this thread assisted you, please mark them as either Correct or Helpful answers with the applicable buttons.  This will make them visible and help other members of the community find solutions more easily.  If you still need assistance, I would be more than happy to continue working with you on this - just let me know in a reply.

Thanks,

Noor