ASA 5520 & Websense

Unanswered Question
Oct 30th, 2009

Hi,


I've just installed a standalone version of Websense security suite in my DMZ.


My users are connected to the Internet through an ASA 5520. I would like the ASA to intercept the URL requests and send them to the Websense for approbation.


I use the "url-XXXX" set of commands in my asa.


url-server (dmz) vendor websense host WEBSENSE timeout 30 protocol TCP version 4 connections 5

url-cache dst 100

filter url http users_ipaddress 255.255.255.255 0.0.0.0 0.0.0.0 allow proxy-block longurl-truncate cgi-truncate

url-block url-mempool 2

url-block url-size 2

url-block block 10



I would like to know what the packet sent by the ASA to the Websense contains. Only the user IP address and the destination URL?

Actually, I would like to be able to create groups in the Websense connected to the AD database, but I'm not sure the ASA is sending me the credentials. Is there a way to do that?


Regards,


Mathieu

Diego Armando C... Sun, 11/01/2009 - 11:09

The ASA asks the Websense if the user is allowed to access that specific website. If not, the ASA blocks the request. The Websense only responds to the question from the ASA; the ASA is the one that blocks or allows the request.


The websense can block with:


destination hostname

destination IP address

keywords

user name


All that information is forwarded to the Websense server.


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008088517b.shtml


Hope it helps.

mathieu.ploton Sun, 11/01/2009 - 12:54

It seems that the username is forwarded to the Websense if user authentication is enabled on the security appliance. Is this a way to set up transparent authentication in order to simply forward the username request to the Websense?


Diego Armando C... Mon, 11/02/2009 - 06:54

This information is in the link that I gave you.




Software version 7.x and later:


pix(config)# url-server (if_name) host local_ip [timeout seconds] [protocol TCP | UDP version 1|4 [connections num_conns]]


Replace if_name with the name of the security appliance interface that is connected to the filtering server. The default is inside. Replace local_ip with the IP address of the filtering server. Replace seconds with the number of seconds the security appliance must continue to try to connect to the filtering server.


Use the protocol option in order to specify whether you want to use TCP or UDP. With a Websense server, you can also specify the version of TCP you want to use. TCP version 1 is the default. TCP version 4 allows the PIX firewall to send authenticated user names and URL logging information to the Websense server if the PIX firewall has already authenticated the user.


For example, in order to identify a single Websense filtering server, issue this command:


hostname(config)#url-server (DMZ) vendor websense host 192.168.15.15 protocol TCP version 4



Please let me know if this is what you were looking for.


Regards,

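An added example (not from this thread, Cisco or Websense): a small Python check that parses url-server lines using the syntax quoted above and reports why usernames would not reach the Websense server. It assumes user authentication on the ASA shows up in the running config as "aaa authentication" lines; the sample config is the one posted at the top of the thread.

```python
import re

# Syntax as quoted from the Cisco guide above (the regex itself is constructed here):
# url-server (if_name) [vendor websense] host local_ip [timeout seconds]
#            [protocol TCP|UDP [version 1|4]] [connections num_conns]
URL_SERVER_RE = re.compile(
    r"^url-server\s+\((?P<iface>[^)]+)\)\s+(?:vendor\s+(?P<vendor>\S+)\s+)?"
    r"host\s+(?P<host>\S+)(?:\s+timeout\s+(?P<timeout>\d+))?"
    r"(?:\s+protocol\s+(?P<proto>TCP|UDP)(?:\s+version\s+(?P<version>[14]))?)?"
    r"(?:\s+connections\s+(?P<conns>\d+))?\s*$",
    re.IGNORECASE,
)

# The configuration posted in the original question (copied from the thread).
OP_CONFIG = [
    "url-server (dmz) vendor websense host WEBSENSE timeout 30 protocol TCP version 4 connections 5",
    "url-cache dst 100",
    "filter url http users_ipaddress 255.255.255.255 0.0.0.0 0.0.0.0 allow proxy-block longurl-truncate cgi-truncate",
]


def parse_url_server(line):
    """Parse one url-server line, applying the defaults quoted in the thread
    (protocol TCP, version 1). Returns None for any other command."""
    m = URL_SERVER_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return {
        "iface": g["iface"],
        "vendor": (g["vendor"] or "").lower(),
        "host": g["host"],
        "timeout": int(g["timeout"]) if g["timeout"] else None,
        "protocol": (g["proto"] or "TCP").upper(),
        "version": int(g["version"]) if g["version"] else 1,
        "connections": int(g["conns"]) if g["conns"] else None,
    }


def audit_url_filtering(config_lines):
    """Return the list of reasons usernames would NOT be forwarded to Websense."""
    findings = []
    servers = [s for s in map(parse_url_server, config_lines) if s]
    if not servers:
        findings.append("no url-server configured")
    for s in servers:
        if not (s["protocol"] == "TCP" and s["version"] == 4):
            findings.append(f"url-server {s['host']}: needs 'protocol TCP version 4' to forward usernames")
    if not any(l.strip().startswith("filter url") for l in config_lines):
        findings.append("no 'filter url' statement, so HTTP requests are not sent for lookup")
    # Assumption: ASA user authentication appears as 'aaa authentication ...' lines;
    # without it the ASA has no authenticated username to send.
    if not any(l.strip().startswith("aaa authentication") for l in config_lines):
        findings.append("no 'aaa authentication' on the ASA, so no authenticated username exists to forward")
    return findings
```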
mathieu.ploton Mon, 11/02/2009 - 07:01

In your quote:


"the PIX firewall to send authenticated user names and URL logging information to the Websense server if the PIX firewall has already authenticated the user."


How can I proceed to transparently authenticate the user in the firewall?
