Channel: Forcepoint Community

Blocking torrents with Websense Web Security


I have a test set up with a Cisco ASA, Websense Web Security v7 server and client machine.

Does anyone have any suggestions on the most effective way to configure Websense Web Security v7 to block torrents from being downloaded? Blocking websites e.g. piratebay is all well and good, but if say a user gets hold of a .torrent file, is there some way to block it from communicating with trackers etc and downloading after being loaded into a client application e.g. BitTorrent?

I know about the BitTorrent object in the protocols section of Websense, but even if I block it it doesn't seem to have any effect at all.


Blocking of HTTPS, Torrents and Skype


Hi,

We are currently evaluating the WebSense Web Filter and have so far been quite happy with the results but am currently experiencing some issues which I'll mention further down. Currently I have a set-up where the WebSense Web Filter, Security and Infrastructure are all installed on a Windows Server 2012 R2 VM integrated with a Cisco ASA together with a Windows 7 VM client for testing, hence the WebSense gateway on the server has been pointed to the Cisco ASA.

Issues which I am encountering:

  • Client is getting access denied through HTTP which is what we need but it can still go through HTTPS requests.
  • Client can still download torrent Magnets (even though torrent protocol is blocked).
  • Client can still use Skype no matter if its protocol is blocked.

Let me know if I should add more details of my infrastructure.

I hope I have explained myself correctly and look forward to having some suggestions.

Thanks

Why span port?


I'm working on creating a stand-alone network agent vm. According to this KB article (http://www.websense.com/support/article/t-kbarticle/v7-Where-does-Network-Agent-fit-in-my-network-1258048450313?popup=true) you need to have mirror or span port enabled on the physical port on the switch that the monitor NIC is plugged into.

The only thing that span port does is allow the node connected to that port to see other traffic. But it does not allow you to do anything with that traffic. So I am wondering why does the span port need to be enabled? Or, has anyone got this to work without enabling the span port?

Thank you

Ignore Traffic


I have a request to ignore only the port 443 traffic for a specific workstation IP address.  We are a 7.5 Standalone install.  I know that I can exclude the IP address in the Monitor List Exceptions in the Network Agent.  But is it possible to filter all activity for a user except port 443?

 

Thanks in advance

Web Security (no appliance) upgrade from 7.6.7 to 7.8.4


Is this a direct upgrade using the v7.8.4 Windows installer? I can't find anything that says it explicitly.

 

Thanks

7.7.3 Issues creating new policy


I edited the default policy to allow all sites except one category (gambling). This works. Now I need to create another category to block "Social Web - youtube".

I went to Policies, add, <new policy name> checked base on existing policy (Default).

Now in this new policy, I am trying to block Social Web - youtube along with the default block of gambling. I hit ok and save and deploy. Next I go to clients, find the IP of the computer I want to push this new policy to and change it to my new policy name. Save and deploy. When I do this, it affects all users and not the one I want to push this policy to.

When I go to the default policy, I see the block of youtube but I made that change in my new policy and not the default policy. When I change it in the default policy back to allow youtube, ok and save and deploy, it also changes my new policy.

Can someone please explain why creating a new policy changes the default policy and how to create a custom policy that I want to push to certain users?

 

Thanks

 

 

Policy is applied to client but not effective


Websense TRITON - Unified Security Center 7.6 build: 7.6.2.1449

I have multiple category-based policies being applied to AD users via AD security groups. I'm getting irregular and unpredictable results for the time it takes to 'refresh' and enforce policies for users. My users are being identified correctly on the client machines - checking the More Information frame shows the correctly identified user and correct policies.

For example:

1. USER_A is added to an AD group: 'GROUP_StreamingMedia' which is attached to policy: POL_StreamingMedia. This policy allows the Streaming Media category.

2. Within an hour, the User Service has done its job because I see the POL_StreamingMedia policy associated with the GROUP_StreamingMedia 'client' in the Check Policy tool. Shortly after this I see the refreshed results appear in the Test Filtering tool, using a URL categorized as Streaming Media.

3. USER_A is logged onto a Windows 7 domain client, and browses to the URL but gets the block page. They view More information and they see the correct LDAP path to their account and the correct policies applying.

Background:

  • 'Use more restrictive blocking' is inactive
  • Websense.ini modifications: [DirectoryService] CacheTimeout=60
  • Restarting the 'Websense Filtering Service' makes the changes take effect immediately, otherwise the change will take up to 5 hours to take effect

Could someone please point me to the correct debug/error log info to start troubleshooting?

Thanks and regards

Citrix Users not showing in reporting


I've installed the Citrix Integration Service on all my XenApp 6.5 servers, and it is filtering the users correctly, but they're not showing up in any reports. I have a separate Network Agent for just these servers as outlined in the Install instructions.

Reporting works for other LAN users, but how do I get reports on those users inside the Citrix Farm?


No data displayed on threats tab after upgrade to 7.8.4


After upgrading to 7.8.4 there is no current data displayed on the Threats tab in the Dashboard. It seems that everything else is working as it should.  The rest of the tabs contain current data and I am able to view activity through the Investigative Reports area.  OS is 2008 R2.  Is anyone else experiencing this?

Web Endpoint Client Network Diagnostics


Hi

Sorry for multiple posts, my posts don't seem to show up when posted through the cloud service - how ironic!

I'm new to Cloud Web Security Gateway product (although used on-premises Web Security for many years).

I am having a problem with the Web Endpoint client, in that it thinks the Internet is not available and thus remains in Override mode.  In our environment our perimeter firewall is locked down and denies most outbound traffic.  We opened up the stipulated ports, to the stipulated destinations as per the product evaluation guide.  Filtering by the cloud service works, albeit pretty clunky at the moment.

However the Endpoint Client sits in the systray with an exclamation mark on it, and when I run the Network Diagnostics test it fails saying 'Internet Access: No'.

The log file (C:\Program Files\Websense\Websense Endpoint\DebugDump.txt) is full of:

WSPXY   [ 10/22/2014 09:59:41.566 ] NetworkDetector[ProxyInternet]: send() failed with error code 10057!

As I said, filtering is working to some extent, if I go to say www.whatismyip.com it tells me I am proxied by 'webdefence.global.blackspider.com:8081', and if I try navigating to a more 'interesting' site... I receive the cloud blockpage as expected.

If I move the endpoint off of our corporate network to an unfiltered connection (ie. standard DSL) then the Endpoint network diagnostic completes successfully, the systray icon has a tick instead of the exclamation mark, and it is no longer in Override mode.

If I nmap the host webdefence.global.blackspider.com, on the relevant ports (tcp 80,443,8080-8100), I get the same results from both corporate network and DSL connection (same IP address returned, 85.115.54.180):

80 - open
443 - closed
8080 - filtered
8081 - open
8082 - open
8083-8087 - filtered
8088 - open
8089 - open
8090-8100 - filtered

If I run a network trace I can see that both wepsvc.exe and wepdiag.exe try and access www.msncsi.com/ncsi.txt (various IP addresses attempted). The only discernible difference in connectivity between our corp net and the non-corp net is that we don't allow traffic outbound to these IP addresses returned by DNS for www.msncsi.com

Does the Endpoint client require access to www.msncsi.com in order to be happy the Internet is available?  I can't see that requirement in the documentation.

Am I barking up the wrong tree?

Any advice or suggestions?

Thanks.

David

PAC file non-proxied connections


Hello,

I'm in the middle of a debate with a solutions provider and our internal solutions architect team for using Office365 through the Websense Cloud Security.

So far as I understand, when a non-proxied connection is configured in Websense Cloud Security, and a client tries to go to one of the non-proxied URLs, those connections will go direct to the specific website (after DNS resolution of course); the browser will parse the policy PAC file, read the non-proxied URL and just go to the website directly without trying to go via the Websense Cloud Security proxy service.

I've tried searching for a document that definitively states this but am unable to find one, does anyone know of a link to an official Websense document that is clear about how a browser parses the PAC file and what it does with website connections that are proxied and non-proxied?

Many thanks and regards

Sam

Web Endpoint Client - network diags


I am having a problem with the Web Endpoint client, in that it thinks the Internet is not available and thus remains in Override mode.

option to show confirmation messages just once


In order to use the confirmation messages in a user-friendly and business-supportive way it might be considered to include an option to suppress subsequent confirmation messages, for example within a bulk upload of hundreds of files.

From a technical point of view it is totally clear to accept each file by itself - but from a business point of view there should be an option to have a single decision for a complete transaction. Maybe the confirmation page is just shown once and in the background all files are tracked and logged.

 

Blocking torrent magnet links


Does anyone out there in Websense land have any idea if it's remotely possible to block torrent magnet links with Websense Web Security?

I have all the P2P protocol options blocked and it seems to do a so-so job with blocking anything '.torrent' that doesn't use a magnet link, but these days it's all done with magnet links, which makes that feature fairly useless.

I have seen suggestions to block all inbound UDP traffic on the edge firewall and that's a completely valid and plausible, not to mention should be done kind of thing for anything that does not specifically need it, but that also only works if it switches gears from TCP to UDP.

Anyone out there have any other suggestions on how to accomplish this?

Suggested end user feature E-Mail "report as SPAM"


All of the major E-Mail security companies have a feature where users can click a button to report SPAM.  I am seeing multiple phishing emails coming through the Websense E-Mail Security Gateway.  Users are constantly E-Mailing me and asking that I block the messages.  It would make sense to have a place where they can click a button in Outlook and have the message sent to Websense as SPAM, for review.  Additionally, when I identify SPAM, there should be a button that allows me to send the message to Websense as SPAM.


Incident Search Box


Please add a search feature to search the incident by user name, incident number, etc.


Having to filter the columns then clear the filter to return to the list is not a proper method.

XID User Map showing IP addresses in reverse


Has anyone seen this before? We are having some problems: some users on thin clients aren't being logged by username, but within their Citrix sessions they are.

IP addresses in bold are being reported in reverse order, which makes no sense. The rest of the IPs in the list are normal and are fine.

Websense Support attributes this to a network issue, which I completely disagree with considering many computers within the same subnets are showing correctly in the log and seem to get reported correctly.

They suspect it's a Reverse DNS issue, but I don't buy it.

 

The XID User Map shows this:

Number of entries in map is : 135

IP : 101.109.168.192 User: DOMAIN\tjk Timeout: 10-09-2014 06:38:00.0 Timestamp: 10-08-2014 06:38:00.0 Agent type: DC

IP : 102.109.168.192 User: DOMAIN\bfa Timeout: 10-09-2014 08:14:53.0 Timestamp: 10-08-2014 08:14:53.0 Agent type: DC

IP : 104.109.168.192 User: DOMAIN\rcs Timeout: 10-09-2014 10:00:30.0 Timestamp: 10-08-2014 10:00:30.0 Agent type: DC

IP : 105.106.168.192 User: DOMAIN\jed Timeout: 10-09-2014 07:03:13.0 Timestamp: 10-08-2014 07:03:13.0 Agent type: DC

IP : 105.109.168.192 User: DOMAIN\arg Timeout: 10-08-2014 14:18:20.0 Timestamp: 10-07-2014 14:18:20.0 Agent type: DC

IP : 106.111.168.192 User: DOMAIN\kralwhse Timeout: 10-09-2014 07:59:34.0 Timestamp: 10-08-2014 07:59:34.0 Agent type: DC

IP : 107.111.168.192 User: DOMAIN\neg Timeout: 10-09-2014 09:13:08.0 Timestamp: 10-08-2014 09:13:08.0 Agent type: DC

IP : 110.111.168.192 User: DOMAIN\rks Timeout: 10-09-2014 08:17:40.0 Timestamp: 10-08-2014 08:17:40.0 Agent type: DC

IP : 111.106.168.192 User: DOMAIN\shf Timeout: 10-09-2014 07:09:55.0 Timestamp: 10-08-2014 07:09:55.0 Agent type: DC

IP : 135.106.168.192 User: DOMAIN\mta Timeout: 10-09-2014 09:38:03.0 Timestamp: 10-08-2014 09:38:03.0 Agent type: DC

7.6 - Filtering Saved Investigative Reports


I have a series of Investigative Reports that we run on a scheduled basis for various Risk Classes and Categories.

I have been asked to produce versions of the reports that are filtered to a specific set of IP addresses on the network. Does anyone know how to make that work?

 

Thanks

There is no SSL Decryption for Secondary Proxy Server Ports


I’ve just discovered that SSL decryption is not available for users connecting to a secondary proxy server port.

Using secondary proxy server ports is an invaluable option when using Rules-based authentication, but its value is severely compromised if it means SSL decryption is effectively disabled for those users.

 

Feature Request: Support SSL decryption on the secondary HTTP proxy server ports.  Currently Content Gateway will only inspect SSL traffic on proxy port 8080.  Right now you cannot add additional ports to the HTTPS Proxy Server Port field in CG Manager > Configure > Protocols > HTTPS.  This should be extended to allow administrators to add in the secondary proxy server ports.
