Looking for a URL filtering solution. I currently have an ASA5520 as our main firewall. Looking to intergrate Websense and I have a few questions.
- One real requirement from our security guys is the need for authentication in the logs. Essentially they need to be able to pull web surfing logs and trace that back to a username. I currently do it via a syslog appliance but there are times when that user's ip has changed and its not bulletproof.
Can websense force authentication ?
If our users are logged into the domain, can websense pick up the NTLM authentication ?
If so can this authentication be seamless to the user. I.E. Not having them log into a web page before they can surf the web ?
Are there any cut thru proxy feature internal to the ASA that would allow me to log via username who is surfing what ?
We run a setup similar to what you're trying to do. I've integrated Websense (6.3) with AD and an ASA 5510 - it allows me to act on URL requests based on the user's AD credentials (ie. AD groups or individual ID). I do not have websense forcing authentication, but it still discovers their credentials.
Can Websense force authentication? Yes, but this is probably unnecessary. You could check into a websense tool like Logon Agent (LogonApp.exe) via. their AD login script.
If users are logged in to the domain, websense picks their ID up. It shows their IP (and where possible, their AD ID) in all websense reports.
At our organization, this is done seamlessly to the user - no log in webpage.
The unresolved issue for us (no Login Agent) is that websense sees all Terminal Server users as the same person, but I can live with that. You could probably find out more information about Websense configuration in the scenario you describe on the websense forum with your subscription.
Overall, I'm quite happy with the way websense and the ASA work together. It's certainly a cinch to configure on the ASA!
This is exactly what I wanted to hear :) Personally if they dont need to authenticate great. Was more interested in being able to pickup the usernames against the web traffic for the reporting requirement.
I guess I will download the websense eval and get it working in the lab.
Another quick question, I currently have it running in the lab and all appears to be working. BUT, I cant seem to create filters based on username from our AD directory. It appears that I have to run either the DC agent or the logon agent in order to get that functionality to work. I assume that you are only filtering based on IP's and not usernames ?
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :