Channel: Forcepoint Community

Automatic Email Alerts

It would be nice to be able to get real-time alerts generated off the dashboard when Websense detects that a user's internet activity falls into a High Risk category. We have managed to get a daily report working, but it reports on all activity, not just the high threats.


Filtering not working with HTTPS sites

I have a test set up with a Cisco ASA, Websense Web Security v7 server and client machine.

When trying to block websites using Websense categories (e.g. news & media), Websense only seems to block the sites when prefixed with http:// . If a user prefixes the same site with https:// then the site doesn't get blocked.

This happens with any category. Also, when checking the logs, it seems the sites with an https:// are sometimes being listed under the same blocked category (e.g. news & media) yet are permitted due to the https:// prefix. Other times they're listed under the Miscellaneous category.

When I block https explicitly from the Protocol section it does successfully block the sites, but obviously I don't want that as there are https sites which need to be accessed.

Any ideas? Has this ever happened to anyone? I went through the KB already but it was of no help.

Blocking torrents with Websense Web Security

I have a test set up with a Cisco ASA, Websense Web Security v7 server and client machine.

Does anyone have any suggestions on the most effective way to configure Websense Web Security v7 to block torrents from being downloaded? Blocking websites e.g. piratebay is all well and good, but if say a user gets hold of a .torrent file, is there some way to block it from communicating with trackers etc and downloading after being loaded into a client application e.g. BitTorrent?

I know about the BitTorrent object in the protocols section of Websense, but even if I block it it doesn't seem to have any effect at all.

Internal Root CA import not working after 7.8.4

Subject: Internal root CA import doesn't work after upgrade to 7.8.4

Description: I have created a private key and certificate for my new CentOS 8.4 Websense 7.8.4 server. Importing works fine; when I back it up (download) it looks OK.
However, it seems that Websense doesn't re-encrypt the HTTPS stream with the full certificate path after 7.8.4.
On 7.8.2 it works fine, after upgrading to 7.8.4 it still works fine, but after reinstalling the same certificates it stops working and users get an insecure message.

[This is also a (stale) support ticket btw]

End User Cloud Email Security message report

This report runs out after 93 days. If you do not renew at 62 days it continues for the 31 days then stops.

Please can this feature be changed and the report either be indefinitely set with the user's address until removed manually or the address is retired. Users miss the mail and then complain they do not receive the report and have missed important emails.

More flexibility please.

Feature Request: Multiple Header / Footer Value

Why can't we write multiple values to the Data Security > Content Classifier > Patterns & Phrases > Text in Header / Footer object?

Cloud Web security - AD nested groups

Anybody know for sure whether AD nested groups are supported with DirSync client using Cloud Web Security?

I am a member of Group A.

Group A is a member of Group B.

Both groups A and B sync to cloud.

Policy is assigned to Group B.

I appear not to be getting policy.  If I click on Account \ End Users, run a search including Group name\membership, I only appear to be a member of Group A and not Group B.

AD is 2008 R2 native.

How do you guys deal with nested groups?

Web Endpoint Client - network diags

I am having a problem with the Web Endpoint client, in that it thinks the Internet is not available and thus remains in Override mode.


some entries in the log have unidentified user

Hi Christian,

When you access a certain site, there are many sub-URLs, some of which are not directly linked to the site domain. This is the expected result; all sub-URLs will be listed in the report as well. This is by design: the report will show all URLs, including all the links related to the accessed site. This is hard-coded and can't be changed.

Export all rules and exceptions in a readable form

When something doesn't work for a user and a URL, it's very hard to find out why. Also, for documentation needs, it would be fine to export these rules in a human-readable file.

bluecoat to websense transition guide?

Has anyone transitioned from Bluecoat to Websense CWS? Before I dive into this I'd like to know if there are any guides (haven't seen any yet), or advice from anyone here?

Thanks.

AMT logging not work after upgrade to version 7.8.4

After upgrade to version 7.8.4 AMT dashboard is empty, all other logging features are working fine (also investigative reports).

I've tried to recreate amt partition and background jobs (that works with no error), but with no luck.

Anyone have a similar problem? There is a case opened, but at the moment it is stalled.

Web Endpoint beacon - MSNCSI

Hi

New user to Cloud Security Gateway.

Perimeter firewall is closed for most outbound traffic, so we opened up the ports and IP ranges specified in the Product Evaluation Guide (which matches the relevant web security details on:

http://www.websense.com/content/support/library/web/hosted/getting_started/firewall_config.aspx

and

https://www.websense.com/support/article/kbarticle/Hosted-Service-Cluster-IP-Addresses-and-Port-Number

When web endpoint runs on a client, it cannot see the cloud service and appears with an exclamation mark in the system tray.  It does configure the IE proxy settings, and filtered browsing does work albeit a bit clunky at the moment.

If I move the machine onto an unfiltered (non-firewalled) connection then it successfully connects and shows with a tick in the system tray.

Network monitoring shows that wepsvc.exe and wepdiag.exe both try to connect to www.msncsi.com/ncsi.txt presumably to determine if the Internet is available.  This is evidently some sort of cname dns record resolving to numerous other hosts, presumably for better geographic affinity, but there are numerous IP addresses involved.

Is it a requirement for these processes to be able to contact that URL in order for the Web Endpoint client to decide the Internet is available (and thus not go into override mode)? If so, why is it not stipulated in the documentation for firewall configuration?

If I run nmap against webdefense.global.blackspider.com, I see the following which is largely what I would expect to see:

80 - open
443 - closed
8080 - filtered
8081 - open
8082 - open
8083-8087 - filtered
8088-8089 - open
8090-8100 - filtered

The same results arise from both corp net (filtered behind firewall) and a home-type DSL network with no outbound ACLs.

Any help\advice would be appreciated.

Thanks.

David

 

Web Endpoint Client - Network Diagnostics

Hi

I'm new to Cloud Web Security Gateway product (although used on-premises Web Security for many years).

I am having a problem with the Web Endpoint client, in that it thinks the Internet is not available and thus remains in Override mode.  In our environment our perimeter firewall is locked down and denies most outbound traffic.  We opened up the stipulated ports, to the stipulated destinations as per the product evaluation guide.  Filtering by the cloud service works, albeit pretty clunky at the moment.

However the Endpoint Client sits in the systray with an exclamation mark on it, and when I run the Network Diagnostics test it fails saying 'Internet Access: No'.

The log file (C:\Program Files\Websense\Websense Endpoint\DebugDump.txt) is full of:

WSPXY   [ 10/22/2014 09:59:41.566 ] NetworkDetector[ProxyInternet]: send() failed with error code 10057!

As I said, filtering is working to some extent; if I go to say www.whatismyip.com it tells me I am proxied by 'webdefence.global.blackspider.com:8081', and if I try navigating to a more 'interesting' site... I receive the cloud blockpage as expected.

If I move the endpoint off of our corporate network to an unfiltered connection (i.e. standard DSL) then the Endpoint network diagnostic completes successfully, the systray icon has a tick instead of the exclamation mark, and it is no longer in Override mode.

If I nmap the host webdefence.global.blackspider.com, on the relevant ports (tcp 80,443,8080-8100), I get the same results from both corporate network and DSL connection (same IP address returned, 85.115.54.180):

80 - open
443 - closed
8080 - filtered
8081 - open
8082 - open
8083-8087 - filtered
8088 - open
8089 - open
8090-8100 - filtered

If I run a network trace I can see that both wepsvc.exe and wepdiag.exe try and access www.msncsi.com/ncsi.txt (various IP addresses attempted). The only discernible difference in connectivity between our corp net and the non-corp net is that we don't allow traffic outbound to these IP addresses returned by DNS for www.msncsi.com.

Does the Endpoint client require access to www.msncsi.com in order to be happy the Internet is available?  I can't see that requirement in the documentation.

Am I barking up the wrong tree?

Any advice or suggestions?

Thanks.

David

Web Endpoint Client Network Diagnostics

Hi

Sorry for multiple posts, my posts don't seem to show up when posted through the cloud service - how ironic!

I'm new to Cloud Web Security Gateway product (although used on-premises Web Security for many years).

I am having a problem with the Web Endpoint client, in that it thinks the Internet is not available and thus remains in Override mode.  In our environment our perimeter firewall is locked down and denies most outbound traffic.  We opened up the stipulated ports, to the stipulated destinations as per the product evaluation guide.  Filtering by the cloud service works, albeit pretty clunky at the moment.

However the Endpoint Client sits in the systray with an exclamation mark on it, and when I run the Network Diagnostics test it fails saying 'Internet Access: No'.

The log file (C:\Program Files\Websense\Websense Endpoint\DebugDump.txt) is full of:

WSPXY   [ 10/22/2014 09:59:41.566 ] NetworkDetector[ProxyInternet]: send() failed with error code 10057!

As I said, filtering is working to some extent; if I go to say www.whatismyip.com it tells me I am proxied by 'webdefence.global.blackspider.com:8081', and if I try navigating to a more 'interesting' site... I receive the cloud blockpage as expected.

If I move the endpoint off of our corporate network to an unfiltered connection (i.e. standard DSL) then the Endpoint network diagnostic completes successfully, the systray icon has a tick instead of the exclamation mark, and it is no longer in Override mode.

If I nmap the host webdefence.global.blackspider.com, on the relevant ports (tcp 80,443,8080-8100), I get the same results from both corporate network and DSL connection (same IP address returned, 85.115.54.180):

80 - open
443 - closed
8080 - filtered
8081 - open
8082 - open
8083-8087 - filtered
8088 - open
8089 - open
8090-8100 - filtered

If I run a network trace I can see that both wepsvc.exe and wepdiag.exe try and access www.msncsi.com/ncsi.txt (various IP addresses attempted). The only discernible difference in connectivity between our corp net and the non-corp net is that we don't allow traffic outbound to these IP addresses returned by DNS for www.msncsi.com.

Does the Endpoint client require access to www.msncsi.com in order to be happy the Internet is available?  I can't see that requirement in the documentation.

Am I barking up the wrong tree?

Any advice or suggestions?

Thanks.

David


Migrating websense from ISA to ASA

We are about to migrate from ISA to a Cisco ASA 5515. We are using web security 7.5 with an ISA cluster for a web proxy. From all the research that I have done it seems like a fairly straightforward migration using this documentation:

https://www.websense.com/content/support/library/web/v71/wws_pdfs/install_cisco.pdf

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/97277-pix-asa-url-filtering.html

We are looking to move our websense server into our DMZ as part of this migration. The SQL server will still reside on the internal network. I believe that we will also need to upgrade to 7.6+ and we will probably upgrade to 7.8.

I would like to know if anyone has performed this migration or anything similar and come across any issues with the migration and whether it has been detrimental to the service?

 

Thanks

7.8.4 and windows 2012 R2 installer can't start service with domain admin account

Has anyone come across issues with installing triton/web security on 2012? Specifically, when asked to define the account to run services with, the installer errors out with a 1920 error. Despite the account being a valid domain admin account and the installer wizard initially accepting the account, when it comes to try and start services at the end of the install with the account it fails and locks the account. Maybe more a 2012 issue but frustrating as hell. Using a local admin account doesn't have any issues. Usual things like av, firewall, dep etc. are switched off, but I have a feeling this may be related to an underlying feature in 2012 causing issues.

Websense config.xml corrupted, this is very frustrating

Hello guys,

I have a distributed websense configuration, with a main windows server working as the main policy server, and a couple of linux servers working as filtering services.

A couple of days ago, my config.xml died. Apparently a service died in the middle of a write operation and the xml file was broken. No worries, right? I have the config.xml.bak for these cases...

Well, the backup file was a copy of the corrupted xml file. Very nice! So I have been trying like crazy to fix it. Finally I decided to uninstall, nothing worked... apparently this config.xml file is WAY more important than I thought.

So I decided to download a 7.8.4 installer (I have a 7.8.1 installation), tried it and still didn't work... So I got creative... I stopped all services, removed all the Web Security related services with SC.exe, then renamed the "Web Security" directory.

Finally the Installer (7.8.4) worked. It did the upgrade of the EIP Infra, and after that I tried installing all the Websense services, and EVERYTHING WORKED... woohooo... well, sort of...

All the services are running, and a lot of ports are running, apparently even the remote linux boxes are connecting to the server... but the 9443 port never opens, so I can't enter the management interface, and can't do anything.

I think there is some kind of ID discrepancy between the EIP Infra services and the Web Security management services,  but everything appears to be running fine, no errors whatsoever.

I have been cracking my head on this for too many hours now, with no idea how to move forward. 

I guess a full uninstall and reinstall would do the trick, but I would love to keep my settings, we have a lot of custom configurations.

Can anyone please point me in the right direction or help me in discovering why the triton mngmt interface is not coming up?

I think it should be something simple, now that all services are up.  Maybe could be just something I am overlooking.

Thanks in advance

Luis

Migrate log database partitions from Web Security 7.1 to 7.8.4

Hi,

I’m half way through migrating from Web Security 7.1 to Web Security 7.8.4

So far I have built a new Windows 2008 R2 server and successfully installed Web Security 7.8.4

Policies have been successfully exported from Web Security 7.1 and imported into Web Security 7.8.4

Does anyone know whether it’s possible to migrate log database partitions from v7.1 to v7.8.4?

Thanks,

TPO

Delegated administrator role that possess "exceptions only + auditor" functionality

We have created 2 roles below delegated administrators to facilitate them to do their work. 

The assumption was that "exceptions only" would also provide read only access to policies and filters.
This is not the case. 

To provide a good functionality to administrators that don't require "full policy" we request a role be created that is providing "exceptions only" + "read only" (to be able to maintain whitelist and blacklists and ALSO to check policy and view filters and policies without the ability to change them).

The role "exceptions only" is useless since "check policy" is unavailable and the support personnel with this role can't troubleshoot properly before being able to conclude a specific url should be added to a particular white or blacklist.

