ASA 5520 & Websense

mathieu.ploton, Level 1

Hi,

I've just installed a standalone version of Websense security suite in my DMZ.

My users are connected to the Internet through an ASA 5520. I would like the ASA to intercept the URL requests and send them to the Websense for approval.

I use the "url-XXXX" set of commands on my ASA.

url-server (dmz) vendor websense host WEBSENSE timeout 30 protocol TCP version 4 connections 5
url-cache dst 100
filter url http users_ipaddress 255.255.255.255 0.0.0.0 0.0.0.0 allow proxy-block longurl-truncate cgi-truncate
url-block url-mempool 2
url-block url-size 2
url-block block 10

I would like to know what the packet sent by the ASA to the Websense contains. Only the user IP address and the destination URL?

Actually, I would like to be able to create groups in the Websense connected to the AD database, but I'm not sure the ASA is sending it the credentials. Is there a way to do that?

Regards,

Mathieu

4 Replies

The ASA asks the Websense whether the user is allowed to access that specific website. If not, the ASA blocks the request. The Websense only responds to the question from the ASA; the ASA is the one that blocks or allows the request.

The Websense can block on:

destination hostname

destination IP address

keywords

user name

All that information is forwarded to the Websense server.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008088517b.shtml

Hope It helps.

It seems that the username is forwarded to the Websense if user authentication is enabled on the security appliance. Is this a way to set up transparent authentication in order to simply forward the username request to the Websense?

This information is in the link that I gave you.

Software version 7.x and later:

pix(config)# url-server (if_name) host local_ip [timeout seconds] [protocol TCP | UDP version 1|4 [connections num_conns]]

Replace if_name with the name of the security appliance interface that is connected to the filtering server. The default is inside. Replace local_ip with the IP address of the filtering server. Replace seconds with the number of seconds the security appliance must continue to try to connect to the filtering server.

Use the protocol option in order to specify whether you want to use TCP or UDP. With a Websense server, you can also specify the version of TCP you want to use. TCP version 1 is the default. TCP version 4 allows the PIX firewall to send authenticated user names and URL logging information to the Websense server if the PIX firewall has already authenticated the user.

For example, in order to identify a single Websense filtering server, issue this command:

hostname(config)#url-server (DMZ) vendor websense host 192.168.15.15 protocol TCP version 4

Please let me know if this is what you were looking for.

Regards,
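The configuration the quoted documentation describes, written out as an added example that is not part of the original thread or of Cisco's documentation: the url-server line with version 4, plus the ASA-side authentication that has to be in place before the appliance has a user name to send. The addresses 192.168.15.15 and 192.168.15.20, the inside subnet 10.1.0.0/16, the AAA server tag AD, the LDAP base and bind DNs, and the ACL name AUTH_HTTP are assumed placeholders.

```cisco
! --- URL filtering server in the DMZ (192.168.15.15 is an assumed address) ---
! version 4 is what lets the ASA include an authenticated user name with each lookup
url-server (dmz) vendor websense host 192.168.15.15 timeout 30 protocol TCP version 4 connections 5
url-cache dst 100
url-block block 10
!
! Send HTTP from the inside subnet to Websense for a verdict.
! "allow" passes traffic when the filtering server is unreachable (fail-open);
! omit it if HTTP must be dropped whenever Websense cannot be consulted.
filter url http 10.1.0.0 255.255.0.0 0.0.0.0 0.0.0.0 allow proxy-block longurl-truncate cgi-truncate
!
! --- Authenticate users on the ASA itself (cut-through proxy) ---
! AAA server group "AD" pointing at an Active Directory LDAP server
! (address, interface and DNs are assumed values)
aaa-server AD protocol ldap
aaa-server AD (inside) host 192.168.15.20
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-bind,cn=Users,dc=example,dc=com
 ldap-login-password <bind-password>
 server-type microsoft
!
! HTTP matching this ACL must be authenticated before the ASA lets it through;
! the ASA challenges the browser and from then on has a user name to pass to Websense.
access-list AUTH_HTTP extended permit tcp 10.1.0.0 255.255.0.0 any eq www
aaa authentication match AUTH_HTTP inside AD
```

The `aaa authentication match` rule is the part the quoted text leaves implicit: `version 4` only carries a user name for sessions the ASA has already authenticated, and with this rule the ASA obtains one by challenging the browser (HTTP basic authentication by default), so the user sees a credential prompt rather than a silent single sign-on. Note also that `allow` on the `filter url` line means HTTP is passed unfiltered whenever the Websense server cannot be reached, which is a fail-open choice worth making deliberately.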

In your quote:

"the PIX firewall to send authenticated user names and URL logging information to the Websense server if the PIX firewall has already authenticated the user. "

How can I proceed to transparently authenticate the user on the firewall?
