cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
danb
Contributor
Contributor

Websense filter requests over VPN tunnels

Jump to solution

We have a customer who would like to use his main location's Websense filter for filtering URL request from his main site as well as all his remote sites (up to 5 remote sites, 3 now).   I have his 3448 sending requests at his main site just fine.  But I have a problem passing Websense URL filter requests over the VPN tunnels from the remote sites.   The remote sites do not see the Websense server even though they are passing data on the same subnet.  Configs are attached.

Ideas? V

Labels (2)
Tags (2)
0 Kudos
1 Solution

Accepted Solutions
unified
Valued Contributor
Valued Contributor

Re: Websense filter requests over VPN tunnels

Jump to solution

I spoke to the Websense "Expert" here and he said you should check with Websense in terms of licensing.

He believes the Websense license requires you to have an Agent at each physical location.

View solution in original post

0 Kudos
10 Replies
Anonymous
Not applicable

Re: Websense filter requests over VPN tunnels

Jump to solution

@danb - Based on your configuration, only LAN to LAN internal traffic is being passed over the VPN tunnels. Are you wanting to filter HTTP requests coming over the VPN tunnel even if they are destined for the Main Site's LAN? Or is the Websense filter just for web traffic destined for the internet?

One thing you could try is changing the direction the webfilter is applied to your WAN interface. Currently, the filter is applied to eth 0/2 at the main site as the following: ip urlfilter Web_Http_Filter out I'm not sure traffic coming over the VPN is being caught by the filter with it applied in this direction.

You may want to try changing this to state: ip urlfilter Web_Http_Filter in .

Please do not hesitate to let us know if you have any further questions or issues.

Thanks,

Noor

danb
Contributor
Contributor

Re: Websense filter requests over VPN tunnels

Jump to solution

Noor,

Thank you for your response.  To clarify, each site has their own internet connection and a default route out to the internet.  The VPN tunnels are for privately addressed site to site traffic so I assumed that since the router needs to send the Websense filter request to 10.43.0.24 at the main site it would handle this request (and response) over the VPN tunnel.  When approved it would allow the traffic out the local interface.  Am I misunderstanding how the Websense works?

We don't want to bottleneck the main site with routing all internet traffic for all the remote site as well as its own users.  So the idea here was to funnel just the Websense requests to the main site and allow the traffic to leave and come back in the local public interface. 

How can this be accomplished?

unified
Valued Contributor
Valued Contributor

Re: Websense filter requests over VPN tunnels

Jump to solution

If you have Websence setup inline (which it sounds like you do) then all web traffic will have to go over the VPN and through the protector for it to get filtered.

Anonymous
Not applicable

Re: Websense filter requests over VPN tunnels

Jump to solution

- I think what mentioned may be correct if it was a hardware solution. However, I don't believe in this case the Websense filter has to be "inline" of the web traffic, but I could be wrong.

I do think the reason the Websense requests are not making it over the VPN tunnel is because the request is being sourced from the WAN interface of the remote router (Eth 0/2). Because of this, the traffic does not match the VPN selectors and therefore is not encrypted. Unfortunately, there is no way for us to specify to the router which source interface to use when sending the request to the Websense server. However, we could try adding an entry to the VPN selectors at the main and remote site that matches the websense request.

The remote site would need the following VPN selectors added (in bold):

ip access-list extended VPN-10-vpn-selectors1

  permit ip 10.10.10.0 0.0.0.255  10.43.0.0 0.0.0.255   

  permit ip 10.10.10.0 0.0.0.255  10.143.0.0 0.0.0.255

  permit tcp host 173.x.x.133 host 10.43.0.24 eq 15868

   permit tcp host 173.x.x.133 eq 15871 host 10.43.0.24

The main site would need the following VPN selectors added for the return traffic:

ip access-list extended VPN-10-vpn-selectors

  permit ip 10.43.0.0 0.0.0.255  10.10.10.0 0.0.0.255   

  permit ip 10.143.0.0 0.0.0.255  10.10.10.0 0.0.0.255

  permit tcp host 10.43.0.24 host 173.x.x.133 eq 15871

  permit tcp host 10.43.0.24 eq 15868 host 173.x.x.133

I referenced TCP ports 15868 and 15871 because I believe these are the default ports used by Websense to send web filter requests and block pages. You should be able to run a packet capture on the websense server to verify which ports are being used and to modify the VPN selectors I listed above accordingly.

Please do not hesitate to let us know if you have any further questions.

Thanks,

Noor

unified
Valued Contributor
Valued Contributor

Re: Websense filter requests over VPN tunnels

Jump to solution

This is from the Websense deployment guide:

To ensure effective filtering, Websense software must be installed so that:

- Filtering Service can receive HTTP requests from an integrated firewall, proxy

server, or caching application, or Network Agent.

In a multi-segmented network, Filtering Service must be installed in a location

where it can both receive and manage Internet requests from the integration

product and communicate with Network Agent.

- Network Agent:

- Must be deployed where it can see all internal Internet traffic for the machines

that it is assigned to monitor.

- Can be installed on a dedicated machine to increase overall throughput.

- Must have bidirectional visibility into Internet traffic to filter non-HTTP

requests (such as instant messaging, chat, streaming media, and other Internet

applications and protocols).

- Multiple instances of Network Agent may be required in larger or distributed

networks. Each Network Agent monitors a specific IP address range or

network segment.

Using multiple Network Agents ensures that all network traffic is monitored,

and prevents server overload. The required number of Network Agents

depends on network size and Internet request volume.

danb
Contributor
Contributor

Re: Websense filter requests over VPN tunnels

Jump to solution

Unified, This seems to validate the point that we don't need to have an "inline" filter. 

Noor,  I will give the additional selection criteria a try.  I think that may be the issue.

Thanks,

Dan

unified
Valued Contributor
Valued Contributor

Re: Websense filter requests over VPN tunnels

Jump to solution

I spoke to the Websense "Expert" here and he said you should check with Websense in terms of licensing.

He believes the Websense license requires you to have an Agent at each physical location.

0 Kudos
danb
Contributor
Contributor

Re: Websense filter requests over VPN tunnels

Jump to solution

unified, Thank you, that may be the final answer but the first step is that the remote Adtran doesn't see the server.

noor, I tried the additional VPN selectors and it doesn't look like it worked.  I have not been able to get a packet capture to see what communication/ports look like but will attempt to troubleshoot this further soon.

Thanks,

Dan

unified
Valued Contributor
Valued Contributor

Re: Websense filter requests over VPN tunnels

Jump to solution

If you install a Network Agent at each location the Network Agent will need to contact the main site and not the web traffic.

Anonymous
Not applicable

Re: Websense filter requests over VPN tunnels

Jump to solution

- Are you still having issues with your setup? Please do not hesitate to let us know if you have any additional questions.

Thanks,

Noor