Cach Engine ACNS 5.4 & Embedded WebSense S/W ver 5.2.2
I have some design questions that related to CE-7326 with ACNS 5.4 and its embedded Websense s/w ver 5.2 the questions are:
1) is it possible for the embedded websense s/w to block any TCP user traffic? if yes, does it use the TCP RST flag technique? how the CE sends this TCP RST flag?
2)if it is possible to block any TCP sessions, how can I let all users' traffic to be redirected to the CE-7326? is there any other way to redirect the users traffic other than the URL redirection? what is that way?
3) if for example it is possible to redirect the traffic using switch SPAN session (switch mirror port), do I need configure two NICs on the CE-7326 one for the monitor session and the other for sending the TCP RST signal?
4) is it possible to use the Web caching features (WCCP) in conjunction with the blocking feature? in this case how the traffic will be redirected using WCCP or using a SPAN session, is there any conflict between the two methods or both are totally apart from each others?
5) is it possible for the embedded Websense to filter (all TCP sessions, not only the redirected HTTP, HTTPS or FTP) the users by their usernames rather than the users IP address?
6) now I purchased a Websense Enterprise 36 mo Subscription 1001 to 2500 Users license (SF-WEB36-1K-2500), what is the purpose of this license, do I need it to activate the embedded websense on the CE7326 device? Is it possible to use it to install all the websense modules on an external machine other that the CE7326?
I've done a few deployments liks this so here is my personal take on your questions.
1) No, to my knowledge the CE can only deal with the proxy services defined, however the network agent, an element of websense can deal with other TCP protocols. You have to realise that with the CE and websense its more about the capabilities of websense.
2) See answer 1 and read in the websense deployment guide on the network agents for an idea on deployment, is available from websenses website for a free download.
3) No, Websense either runs as server on the CE or redirects to an external server, you need to decide on your deployment model.
4) Yes, you can use Websense/CE with either transparent (WCCP) or non-transparent dependin g on the edge CPE/
5) Websense supports policies via the manager for IP address or username from ADS/LDAP, be aware that the login for the proxies if using LDAP/ADS does not support single sign on, for transparent identification I'd recommend using IP addresses via WCCP.
6) You need to setup the Websense server environment, there are sizing guides on Websenses website for the reporting, manager and server. You need the license key to download the URL list on the server (either on the CE or via an external Server).
I should point out this internal server function is referred to as on box and the external server is referred to as off box.
For what its worth I would deploy as off box as Cisco have announced their plans to remove support for URL filtering in the CE and it will be easier for you to support off box in the future.
Feel free to post here if you'd like a 1-2-1 discussion via email as having done the Websense course and playing with the CE its a bit of mind field. I have to say that Websense direct are very good at support but they may want you to do the Websense training as the product is more complex to deploy than say Smartfilter.
Topology & Design:
Two ACI fabrics
Stretching VLANs using OTV
Both fabrics are advertising BD subnets into same routing domain
Some BDs(or say VLANs) are stretched, but some are not.
Endpoints can move betwee...
VMware Trunk Port Group is supported from ACI version 2.1
VMM integration must be configured properly
ASA device package must be uploaded to APIC
ASAv version must be compatible with ACI and device package version
Topology &Design:Traffic flow within same fabric:Endpoint moves to Fabric-2Bounce Entry Times OutTraffic Black-holedSummarySolutionAppendix:
In the Previous articles of ACI Automation, we are using Postman/Newman a...