Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA5520 and Websense ?

Looking for a URL filtering solution. I currently have an ASA5520 as our main firewall. Looking to intergrate Websense and I have a few questions.

- One real requirement from our security guys is the need for authentication in the logs. Essentially they need to be able to pull web surfing logs and trace that back to a username. I currently do it via a syslog appliance but there are times when that user's ip has changed and its not bulletproof.

Can websense force authentication ?

If our users are logged into the domain, can websense pick up the NTLM authentication ?

If so can this authentication be seamless to the user. I.E. Not having them log into a web page before they can surf the web ?

Are there any cut thru proxy feature internal to the ASA that would allow me to log via username who is surfing what ?

Any help would be appreciated.

Cheers

Dave

3 REPLIES
New Member

Re: ASA5520 and Websense ?

We run a setup similar to what you're trying to do. I've integrated Websense (6.3) with AD and an ASA 5510 - it allows me to act on URL requests based on the user's AD credentials (ie. AD groups or individual ID). I do not have websense forcing authentication, but it still discovers their credentials.

Can Websense force authentication? Yes, but this is probably unnecessary. You could check into a websense tool like Logon Agent (LogonApp.exe) via. their AD login script.

If users are logged in to the domain, websense picks their ID up. It shows their IP (and where possible, their AD ID) in all websense reports.

At our organization, this is done seamlessly to the user - no log in webpage.

The unresolved issue for us (no Login Agent) is that websense sees all Terminal Server users as the same person, but I can live with that. You could probably find out more information about Websense configuration in the scenario you describe on the websense forum with your subscription.

Overall, I'm quite happy with the way websense and the ASA work together. It's certainly a cinch to configure on the ASA!

New Member

Re: ASA5520 and Websense ?

This is exactly what I wanted to hear :) Personally if they dont need to authenticate great. Was more interested in being able to pickup the usernames against the web traffic for the reporting requirement.

I guess I will download the websense eval and get it working in the lab.

Cheers

Dave

New Member

Re: ASA5520 and Websense ?

Another quick question, I currently have it running in the lab and all appears to be working. BUT, I cant seem to create filters based on username from our AD directory. It appears that I have to run either the DC agent or the logon agent in order to get that functionality to work. I assume that you are only filtering based on IP's and not usernames ?

Cheers

Dave

515
Views
0
Helpful
3
Replies
CreatePlease to create content