
ASA5520 and Websense ?

dclee
Level 1

Looking for a URL filtering solution. I currently have an ASA5520 as our main firewall. Looking to integrate Websense and I have a few questions.

- One real requirement from our security guys is the need for authentication in the logs. Essentially they need to be able to pull web surfing logs and trace that back to a username. I currently do it via a syslog appliance but there are times when that user's IP has changed and it's not bulletproof.

Can Websense force authentication?

If our users are logged into the domain, can Websense pick up the NTLM authentication?

If so, can this authentication be seamless to the user, i.e. not having them log into a web page before they can surf the web?

Are there any cut-through proxy features internal to the ASA that would allow me to log via username who is surfing what?

Any help would be appreciated.

Cheers

Dave

3 Replies

gregbeifuss
Level 1

We run a setup similar to what you're trying to do. I've integrated Websense (6.3) with AD and an ASA 5510 - it allows me to act on URL requests based on the user's AD credentials (i.e. AD groups or individual ID). I do not have Websense forcing authentication, but it still discovers their credentials.

Can Websense force authentication? Yes, but this is probably unnecessary. You could check into a Websense tool like Logon Agent (LogonApp.exe) via their AD login script.

If users are logged in to the domain, Websense picks their ID up. It shows their IP (and where possible, their AD ID) in all Websense reports.

At our organization, this is done seamlessly to the user - no log in webpage.

The unresolved issue for us (no Login Agent) is that Websense sees all Terminal Server users as the same person, but I can live with that. You could probably find out more information about Websense configuration in the scenario you describe on the Websense forum with your subscription.

Overall, I'm quite happy with the way Websense and the ASA work together. It's certainly a cinch to configure on the ASA!

This is exactly what I wanted to hear :) Personally, if they don't need to authenticate, great. Was more interested in being able to pick up the usernames against the web traffic for the reporting requirement.

I guess I will download the websense eval and get it working in the lab.

Cheers

Dave

Another quick question, I currently have it running in the lab and all appears to be working. BUT, I can't seem to create filters based on username from our AD directory. It appears that I have to run either the DC agent or the logon agent in order to get that functionality to work. I assume that you are only filtering based on IPs and not usernames?

Cheers

Dave
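Added example, not part of any post in this thread: the IP-change problem raised in the first post, and the logon-event mapping that the DC agent / logon agent discussion relies on, reduced to a time-aware lookup that attributes each web request to the most recent logon on that IP. The log formats, sample lines and the 12-hour `MAX_AGE` are constructed assumptions, not Websense, AD or ASA output.

```python
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real Websense, AD or ASA output).
LOGONS = """\
2024-05-01T08:00:00 alice 10.1.1.20
2024-05-01T08:05:00 bob 10.1.1.21
2024-05-01T13:00:00 carol 10.1.1.20
"""
REQUESTS = """\
2024-05-01T09:15:00 10.1.1.20 http://example.com/a
2024-05-01T13:30:00 10.1.1.20 http://example.com/b
2024-05-01T07:00:00 10.1.1.21 http://example.com/c
2024-05-02T09:00:00 10.1.1.21 http://example.com/d
"""
# Assumption: a logon older than this no longer vouches for who holds the IP.
MAX_AGE = timedelta(hours=12)


def build_index(logon_text):
    """Map each IP to a time-sorted list of (logon_time, user)."""
    index = defaultdict(list)
    for line in logon_text.splitlines():
        ts, user, ip = line.split()
        index[ip].append((datetime.fromisoformat(ts), user))
    for events in index.values():
        events.sort()
    return index


def attribute(request_text, index, max_age=MAX_AGE):
    """Return (time, ip, url, user) per request; user is None when unattributable."""
    results = []
    for line in request_text.splitlines():
        ts, ip, url = line.split()
        when = datetime.fromisoformat(ts)
        events = index.get(ip, [])
        # Latest logon on this IP at or before the request time.
        pos = bisect_right(events, (when, "\uffff")) - 1
        user = None
        if pos >= 0 and when - events[pos][0] <= max_age:
            user = events[pos][1]
        results.append((ts, ip, url, user))
    return results


if __name__ == "__main__":
    for row in attribute(REQUESTS, build_index(LOGONS)):
        print(*row)
```

Requests on 10.1.1.20 resolve to different users before and after the IP changes hands, and requests with no sufficiently recent logon stay unattributed instead of being pinned on the last known user.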
