ASA5520 and Websense?

Looking for a URL filtering solution. I currently have an ASA5520 as our main firewall. Looking to integrate Websense and I have a few questions.

- One real requirement from our security guys is the need for authentication in the logs. Essentially they need to be able to pull web surfing logs and trace that back to a username. I currently do it via a syslog appliance but there are times when that user's IP has changed and it's not bulletproof.

Can Websense force authentication?

If our users are logged into the domain, can Websense pick up the NTLM authentication?

If so, can this authentication be seamless to the user, i.e. not having them log into a web page before they can surf the web?

Is there any cut-through proxy feature internal to the ASA that would allow me to log via username who is surfing what?

Any help would be appreciated.



gregbeifuss Thu, 09/10/2009 - 03:12

We run a setup similar to what you're trying to do. I've integrated Websense (6.3) with AD and an ASA 5510 - it allows me to act on URL requests based on the user's AD credentials (i.e. AD groups or individual ID). I do not have Websense forcing authentication, but it still discovers their credentials.

Can Websense force authentication? Yes, but this is probably unnecessary. You could check into a Websense tool like Logon Agent (LogonApp.exe) via their AD login script.

If users are logged in to the domain, Websense picks their ID up. It shows their IP (and where possible, their AD ID) in all Websense reports.

At our organization, this is done seamlessly to the user - no log in webpage.

The unresolved issue for us (no Login Agent) is that Websense sees all Terminal Server users as the same person, but I can live with that. You could probably find out more information about Websense configuration in the scenario you describe on the Websense forum with your subscription.

Overall, I'm quite happy with the way Websense and the ASA work together. It's certainly a cinch to configure on the ASA!

Another quick question: I currently have it running in the lab and all appears to be working. BUT, I can't seem to create filters based on username from our AD directory. It appears that I have to run either the DC agent or the logon agent in order to get that functionality to work. I assume that you are only filtering based on IPs and not usernames?



