Websecurity 7.8.4 Standalone. No clients are having pages blocked, but real-time monitor sees the clients and reports appropriate sites as blocked as per policies.
Websense server has 2 NICs. The monitor NIC has IP address 0.0.0.0 (this is promiscuous mode from what I read). I prefer to keep using promiscuous mode. Filter/Block NIC is assigned a static IP from the internal LAN.
Using DC Agent and Login Agent, Windows 2008 R2 domain controller. Mix of Windows 7, Chromebooks, iPad clients. Websense seems to have no problems communicating with Active Directory on the local domain.
From client, http://[websense_ip]:15871/cgi-bin/blockpage.cgi returns "Invalid Request", which I understand to be a good sign.
testlogserver shows data being received and reports pages that should be blocked as blocked.
The monitor NIC is connected to a mirror port on a Netgear GS748TPS (which mirrors TX/RX of the port connected to Untangle firewall/router 11.1.0, which goes to the internet). I had Websecurity 7.8.3 working with this same switch and config, but my monitor NIC had an IP assigned (not in promiscuous mode).
Does my monitor NIC need an IP address? If not, what further troubleshooting steps can I take? I can capture from the client with Wireshark, but I don't know exactly what to look for. What would cause the block message to get dropped? Maybe it isn't even being sent from the filtering NIC? Anything I should check in the Untangle (firewall/router) config?