Transcription
EVALUATION AND QUICK START GUIDEWebsense Enterprise -including Corp orate Edit ionv6.3ContentsIntroduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5Recommended evaluation setup. . . . . . . . . . . . . . . .6Installing the Stand-Alone Edition plus Explorer . . . .8Initial configuration . . . . . . . . . . . . . . . . . . . . . . . . .11Basic filtering setup . . . . . . . . . . . . . . . . . . . . . . . . .13Additional installation details . . . . . . . . . . . . . . . . . .22Assessing your implementation . . . . . . . . . . . . . . .23
1996–2006, Websense Inc.All rights reserved.10240 Sorrento Valley Rd., San Diego, CA 92121, USAPublished October 2, 2006Printed in the United States of America and IrelandThe products and/or methods of use described in this document are covered by U.S. Patent Numbers 6,606,659 and 6,947,985 and other patents pending.This document may not, in whole or in part, be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine-readableform without prior consent in writing from Websense Inc.Every effort has been made to ensure the accuracy of this manual. However, Websense Inc., makes no warranties with respect to this documentation anddisclaims any implied warranties of merchantability and fitness for a particular purpose. Websense Inc. shall not be liable for any error or for incidentalor consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in thisdocumentation is subject to change without notice.TrademarksWebsense and Websense Enterprise are registered trademarks of Websense, Inc. in the United States and certain international markets. Websense hasnumerous other unregistered trademarks in the United States and internationally. All other trademarks are the property of their respective owners.Microsoft, Windows, Windows NT, Windows Server, and Active Directory are either registered trademarks or trademarks of Microsoft Corporation in theUnited States and/or other countries.Sun, Solaris, UltraSPARC, Sun Java System, and all Sun Java System based trademarks and logos are trademarks or registered trademarks of SunMicrosystems, Inc., in the United States and other countries.The following is a registered trademark of Novell, Inc., in the United States and other countries: Novell Directory Services.Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or othercountries.Pentium is a registered trademark of Intel Corporation.This product includes software distributed by the Apache Software Foundation (http://www.apache.org).Copyright (c) 2000. The Apache Software Foundation. All rights reserved.Other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are the sole property of theirrespective manufacturers.WinPcapCopyright (c) 1999 - 2006 NetGroup, Politecnico di Torino (Italy).Copyright (c) 2006 CACE Technologies, Davis (California).All rights reserved.Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. Neither the name of the Politecnico di Torino, CACE Technologies nor the names of its contributors may be used to endorse or promote products derivedfrom this software without specific prior written permission.THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AREDISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS ORSERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USEOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Evaluation and Quick Start GuideIntroductionWebsense, Inc., software minimizes employee downtime spent accessing internet data deemedinappropriate or not work-related. With Websense software, the misuse of network resources and thethreat of legal action due to inappropriate access are also minimized.This guide is designed to help you determine your strategy for managing internet content in yournetwork, and activating filtering efficiently and effectively.iIMPORTANTThis implementation is based on installation of the Websense Enterprise StandAlone Edition on Windows.Features available only with Websense Web Security Suite are not covered in thisguide. The Websense Administrator’s Guide includes instructions for use of anyWebsense edition.If you are using an integrated proxy server, cache engine or firewall along with Websense software,see the appropriate documentation: Deployment details and integration-specific instructions – the Websense Enterprise installationguide for your integration productInitial setup and policy configuration instructions – Websense Administrator’s GuideRecommendations for large networks (10,000 users) or distributed systems – WebsenseDeployment GuideNOTEDelegated Administration and Reporting are available in Corporate Edition ofWebsense and provide flexible management of clients and filtering settings acrossservers and locations. For more information, see Delegated Administration andReporting – Corporate Edition, page 4.Product documentation is available at ductDocumentation/?Section New.The MyWebsense website (www.mywebsense.com) provides access to Websense documentation,the knowledge base, and software downloads. This site is displayed automatically after you run setupand enter your subscription key.This guide also summarizes how to use the Real-Time Analyzer (RTA) and Explorer reportingtools to analyze internet usage in your network. For evaluation purposes (500 or fewer users), installthe Websense Enterprise Stand-Alone Edition plus Explorer on one machine.Required components include: WebsenseWebsense Policy Server: Stores policy configuration data.3Version 6.3
Evaluation and Quick Start Guide Websense Filtering Service: Filters internet requests according to input from Network Agentplus configuration data from Policy Server.Websense User Service: Communicates with a directory service to convey user-relatedinformation to Policy Server and Filtering Service.Websense Master Database: Houses URL categories and protocol definitions.Websense Network Agent: Enables management of non-HTTP internet protocols andapplications.Websense Manager: Provides configuration interface for policies and filtering settings.Optional components include: Websense Usage Monitor: Enables alerting for system administrators based on internet usage.Remote Filtering Server: Allows filtering of clients outside a network firewall.Remote Filtering Client: Identifies remote client machines to be filtered, and communicatesthis information to Remote Filtering Server.Transparent identification agents: For available options, see the Websense Administrator’sGuide.Websense Enterprise Reporting components include: Log Server: Sends internet activity to Log Database.Log Database: Comprised of the Catalog Database and database partitions for reporting. LogDatabase stores user internet activity records.Websense Real-Time Analyzer: Graphically displays real-time internet activity via a webbrowser.Websense Enterprise Reporter: Provides customizable views into Log Database.Websense Enterprise Explorer: Provides flexible reporting via web browser.Explorer’s Intranet website on a web server: Provides access to Log Database.Database Administration: Manages the database partitions with a scheduled rollover andautomatic creation of new database partitions.Additional reporting components may be required for your chosen Websense Enterprise reportingtools. For evaluation purposes, you will use: Microsoft MSDE database: Enables Explorer or Reporter.You can install a free version of MSDE during installation of reporting components.Microsoft IIS Web server: Enables Real-Time Analyzer; retrieves information from the LogDatabase; and receives information requests from and returns reports to the Explorer browserinterface.Standard web browser (Microsoft Internet Explorer): Provides view into Explorer.Websense Enterprise Explorer offers the most sophisticated and comprehensive reportingcapabilities. Explorer offers a direct view into records stored by Websense Log Server.Explorer also offers optional multi-level reporting functions. This guide does not cover suchfunctionality. For more information, see your Websense Enterprise Reporting documentation.Delegated Administration and Reporting – Corporate EditionIf your organization includes multiple administrators (for one or several Policy Servers), theDelegated Administration and Reporting features allow flexible management of clients and filteringsettings. If you are running a non-Corporate Edition of Websense, you can still customize reportingWebsense4Version 6.3
Evaluation and Quick Start Guideroles and permissions. Contact Websense, Inc., or your authorized reseller for information onpurchasing Corporate Edition.Delegated Administration and Reporting provide sophisticated, streamlined methods for: Managing internet filtering and reporting for groups of clients across multiple locations.Customizing filtering behavior via configurable roles and permissions for clients andadministrative users.Assigning administrative users to manage policies at each site.Restricting policy configuration and reporting permissions for Delegated Administrators.Setting up filtering restrictions from a central location, and distributing them to multiplelocations.For more information, see the Delegated Administration chapter of the Websense Administrator’sGuide.Also see the tutorial Getting Started with Delegated Administration:For information on Delegated Reporting, see the Websense Enterprise Reporting Administrator’sGuide.InstallationTo evaluate Websense Enterprise v6.3 on a small network (or on a segment of a larger network),deploy the Stand-Alone Edition using these guidelines. A typical Stand-Alone installation places allcore components on the same machine, depending on the operating system. In this configuration, nofirewall, network appliance, or proxy server is required for full functionality.To distribute Websense Enterprise components to different machines or operating systems, see theWebsense Deployment Guide.NOTEA typical installation on Windows includes Websense Policy Server, WebsenseFiltering Service, Websense Manager, Websense User Service, Websense NetworkAgent, Websense Usage Monitor, and Websense Real-Time Analyzer. Installing atransparent identification agent at the same time is optional.Websense Enterprise Explorer is not included in a typical installation. Thisdocument assumes that you will install Explorer. For instructions, see Installing theStand-Alone Edition plus Explorer, page 8.Real-Time Analyzer (RTA) is installed automatically with the Stand-Alone Edition on Windows ifyou have a supported web server on the installation machine. RTA displays via web browser the realtime status of all the traffic filtered by Websense software. RTA shows requests by category orprotocol and graphically displays bandwidth information.Websense Enterprise Explorer can also be installed with the Stand-Alone Edition on Windows. Thisguide assumes Explorer is installed on the same machine as main Websense components forevaluation of 500 or fewer users.Websense5Version 6.3
Evaluation and Quick Start GuideNOTEWebsense Explorer for Unix is also available for Linux or Solaris environments.This guide only covers Websense implementation on Windows.The Websense Language Pack launches automatically following completion of the non-EnglishWebsense installation and converts your Websense system to that language.Recommended evaluation setupFor evaluation purposes, this guide provides installation and configuration instructions for the StandAlone Edition in a Windows environments only. Make sure that your installation machine meets orexceeds the following recommendations for optimal performance.Operating systems Windows 2000 SP3 or higher (Professional or Server)Windows Server 2003 SP1 (Standard or Enterprise)Hardware recommendationsTo install the Websense Enterprise Stand-Alone Edition and Websense Enterprise Explorercomponents on the same machine, you will need a dedicated machine with the following: Pentium 4, 3 GHz processor2 GB RAMFree space must comprise at least 20% of the total disk spaceFor more information, see the Websense Deployment Guide.Windows Directory Services Windows NTLM-based directory, orWindows Active DirectoryWebsense Explorer Microsoft MSDE 2000Log Server installed on the same machine as the database engine (MSDE)Internet Explorer v5.5 or higherWeb server for Real-Time Analyzer Microsoft Internet Information Services (IIS) v5.0 or v6.0, orApache HTTP Server 2.0.50Configuration prerequisites WebsenseDeployment: For a simple evaluation, connect the installation machine to an unmanaged,unswitched hub that is located between an external router and your network. Network Agent will6Version 6.3
Evaluation and Quick Start Guidemonitor requests sent to the internet and replies received from the internet to the requestingworkstations. For information on switched networks, see the Websense Deployment Guide.i IMPORTANTDo not install the Stand-Alone Edition on a machine running a firewall. NetworkAgent uses a packet-capturing utility that may not work properly when installed ona firewall machine.Web server: Microsoft IIS is recommended while evaluating Real-Time Analyzer (RTA).NOTEIf Setup does not detect a supported web server, it gives you the option to installApache. You must restart your machine after installing Apache HTTP Server, andthen run Setup again to install Websense software. WebsenseInternet access: For the database download to occur during installation, the Websense machinemust have internet access to the download servers at the following URLs: download.websense.com ddsdom.websense.com ddsint.websense.com portal.websense.com my.websense.comMake sure that these addresses are permitted by all firewalls, proxy servers, routers, or host filesthat control the URLs the Websense machine can access.7Version 6.3
Evaluation and Quick Start GuideInstalling the Stand-Alone Edition plus Explorer1. Log on to the installation machine with local and domain administrator privileges. InstallingUser Service with domain administrator privileges ensures the retrieval of user logoninformation from the domain controller. If you install User Service with local privileges only andcannot retrieve user information, check Windows Event Viewer for access denied messages.You may need to increase your level of privileges.2. Close all applications and stop any antivirus software.3. Download the Windows installer package from http://www.my.websense.com/download to theinstallation machine, and extract the installer files.iIMPORTANTDo not extract the installer files to a folder on your desktop. This may prevent RealTime Analyzer from receiving the IP address of the Policy Server machine. Acceptthe default location of C:\Temp, or select another appropriate folder.4. Setup.exe runs automatically after the files are decompressed. Select Next in the welcomescreen and follow the on-screen instructions through the subscription agreement.5. You are asked to select a Websense product to install. Select Websense Enterprise, and thenclick Next.6. Follow the onscreen instructions and make the following selections. WebsenseSelect the setup that best suits your needs: Select Typical to install the primary Websensecomponents. When asked whether to install certain components, all selected components areplaced on the same machine.Multiple IPs Detected: If the installation machine is multihomed, all enabled networkinterface cards (NICs) with IP addresses are listed. Select the IP address of the card to use forWebsense component communication.Integration Option: Select Stand-alone.Websense Subscription Key: Enter your Websense subscription key or temporaryevaluation key to download the Websense Master Database during installation and beginfiltering immediately after installation.Web server: IIS should be installed. If Setup does not detect a supported web server, itprovides the option to install the Apache HTTP Server.If you select Apache HTTP Server, Setup exits and launches the separate Apache installer.After the server is installed, you must restart the machine and run Websense Enterprise Setupagain to install Websense software.IIS Virtual Directory Location: Select the name of a website from IIS Manager where theinstaller should create a virtual directory for RTA. Typically, Default Web Site isappropriate. If you have renamed the Default Web Site in IIS Manager or want to use adifferent site, change it here.Network Agent Interface: Select the network interface card (NIC) to be used formonitoring traffic. If you are installing on a machine with a single NIC, that card must beselected.8Version 6.3
Evaluation and Quick Start Guide Network Agent Feedback: Select whether to allow Websense, Inc., to gather informationabout the use of Websense-defined protocols. Information is used in the development ofprotocol filtering.Initial Filtering: Select Yes to begin filtering internet traffic immediately after installation,based on a predefined default policy.Transparent User Identification: This procedure does not include configuring Websensesoftware to identify users or objects in a directory service. Select None. You can install atransparent identification agent later.RADIUS Agent: Select No. You can install RADIUS Agent later.Installation Folder: Accept the default path or define another installation folder.System Requirements Check: The installer checks the resources of the installation machine.If the installation machine has insufficient disk space, the selected components cannot beinstalled, and the installer will quit.Installation: A summary list appears, showing the installation path and size, and the selectedcomponents. Click Next to begin installation.Websense Master Database: Select Download now to download the Websense MasterDatabase. Because of its size, the downloading the database for the first time and loading itinto local memory can take from a few minutes to more than 60 minutes, depending onfactors such as internet connection speed, bandwidth, available memory, and free disk space.Start Websense: When installation is complete, the installer displays a screen asking if youwant to launch Websense Manager. Deselect this option, and then click Finish to exit theinstaller.7. Run the Websense installer again to install Websense Enterprise Explorer. Go to the folder whereyou extracted the installer files (C:\Temp by default), and then double-click Setup.exe.8. Click Next on the welcome screen. The installer detects the previously installed Stand-AloneEdition components and asks how you want to proceed.9. Select Add Websense components, and then click Next.10. When prompted, select Websense Enterprise Reporting.11. Follow the onscreen instructions and provide the information requested. Components to install: Select Log Server and Enterprise Explorer (which includesDatabase Administration to manage and create database partitions) for installation.Database engine: Connect to an existing database engine (MSDE for evaluation purposes),or download and install MSDE.Database information: The installer asks for the IP address or machine name where theMSDE database engine is located. If MSDE is installed on the installation machine, themachine name will be entered automatically. Select SQL database account as the methodfor Log Server to access the database.NOTEIt is recommended not to use a Trusted Connection with MSDE. After installation,assign the appropriate logon ID and password to the Log Server service. For moreinformation, see the Websense Enterprise Reporting Administrator’s Guide WebsenseDatabase access account: Enter the user name and password for a SQL Server account withadministrator rights.9Version 6.3
Evaluation and Quick Start Guide Database location: Click Browse to select where to create the Catalog Database,wslogdb63, or accept the default location. Make sure there is enough free disk space (atleast 2 GB) on the specified drive for the database. Depending on the number of users inyour enterprise and your network setup, your database may grow rapidly.NOTESince Log Server was installed at the same time as Explorer, Explorer will connectto the same database that Log Server is using. Minimizing database management: Use the default selections for database management:Logging Web Page Visits selected; Consolidating Log Records deselected.Installation: A summary appears, showing the installation path and size, and the selectedcomponents. Click Next.WebCatcher: WebCatcher improves the quality of the Websense Master Database bysending unrecognized or security URLs back to Websense, Inc., for analysis. No useridentifying information is sent to Websense. (For evaluation purposes, select No, do notsend information to Websense.)12. Click Finish.13. Start your antivirus software again.14. Continue with post-installation tasks.Websense10Version 6.3
Evaluation and Quick Start GuideInitial configurationAfter installing Websense software, you must perform certain configuration tasks before the StandAlone Edition is ready to begin internet filtering. Configure your firewall or proxy server (see Firewalls or proxy servers, page 11).Ensure that your settings for downloading the Master Database are correct (see Policy Serverpassword and database download, page 11). The database contains the categorized URLs andnetwork protocol definitions that Websense software uses for filtering internet requests.Enable the Messenger Service on workstations being filtered, so protocol block messages can bereceived (see Displaying protocol block messages, page 12).Firewalls or proxy serversIf Websense Manager must authenticate through a proxy server or firewall to connect to the internet,the proxy or firewall must accept clear text or basic authentication to enable Master Databasedownload. For configuration instructions, see the product documentation for your firewall or proxyserver.To download the Master Database, you must also configure Websense software to communicate withthe proxy server or firewall. For instructions, see page 12.Policy Server password and database downloadSince you entered your subscription key and downloaded the Master Database during installation,you are almost ready to begin filtering clients. Set your password for Policy Server and ensure thatyour download settings are appropriate for your network.1. From the Windows Start menu select Programs Websense Websense Manager.2. If the Policy Server IP address or machine name does not already appear in Websense Manager’snavigation pane, add Policy Server to Websense Manager. (Right-click in the navigation tree, andselect Add Policy Server).3. Double-click the IP address or machine name that you just defined. The Set Websense Passworddialog box appears.4. Set a password (between 4 and 25 characters) for Policy Server.NOTERetain this password. It must be entered when you connect to the Websense PolicyServer from Websense Manager.5. Click OK. The Settings dialog box appears.6. Establish a database download schedule. By default, the database is downloaded once daily.NOTEYou must download the database at least every 14 days in order for filtering tocontinue without interruption.Websense11Version 6.3
Evaluation and Quick Start Guide7. If your network requires authentication to an upstream firewall or proxy server to reach theinternet and download the Master Database, do the following:a. Check Use authentication.b. Enter the User name required by the upstream proxy server or firewall to download theMaster Database.c. Enter the Password required by the upstream proxy server or firewall.d. If you have not already done so, configure the upstream proxy server or firewall to acceptclear text or basic authentication.8. If your network requires that browsers use an upstream proxy server to reach the internet, use thesame proxy settings used by the browser for downloading the Websense Master Database.Establish the proxy settings for download:a. Check Use proxy server.b. Identify the upstream proxy server or firewall machine in the Server field.NOTEIt is recommended to identify the machine by IP address. You can use a machinename, but do not use a machine name that contains extended ASCII or double-bytecharacters.c. Enter the Port of the upstream proxy server or firewall (default is 8080).You have specified your Policy Server password and database download preferences.Displaying protocol block messagesWebsense software filters protocol requests normally whether or not protocol block messages areconfigured to display on user workstations.iIMPORTANTMake sure the Websense User Service has domain administrator privileges, so itcan access all areas of the network. For instructions on modifying privileges, seeConfiguring domain administrator privileges, page 21.For protocol block messages to display in supported Windows operating systems, the MessengerService must be enabled on each client workstation being filtered. Check the Windows Servicesmanager to see if the Messenger Service is running. If your company policy requires MessengerService to be disabled, advise users that certain protocols will be blocked without notification.To view protocol block messages on a Windows 98 machine, you must start winpopup.exe in theWindows directory of the local drive. Start this application from a command prompt, or configure itto start automatically by copying it to the Startup folder. For instructions, see your operatingsystem documentation.Websense12Version 6.3
Evaluation and Quick Start GuideBasic filtering setupThis overview will help you implement filtering quickly and easily.Define your networkOnce you have installed Websense software, implement internet filtering as follows.1. If it is not already running, start Websense Manager. From the Windows Start menu selectPrograms Websense Websense Manager.2. Double-click the Policy Server icon, and then enter the password you specified earlier (see PolicyServer password and database download, page 11).3. The Websense Master Database should have already been downloaded during installation (seeInstallation, page 5). To initiate a download at any time, select Server Database Download Download.4. Network Agent monitors internet traffic. These settings determine how the Agent monitors yournetwork. Configure Network Agent to capture internet traffic in your network and see allmachines in your network that you want Websense software to filter. Go to Websense Managerand select Server Settings. Select Network Agent at the left.The machine where Network Agent is installed must be able to monitor bi-directional employeeinternet traffic. If you don’t know if Network Agent can monitor all desired traffic, see page 21.iIMPORTANTIf you install Network Agent on a machine that cannot monitor targeted internettraffic, requests cannot be filtered.See the following documents, which are available from: http://www.websense.com/global/en/SupportAndKB/. WebsenseFor deployment recommendations, planning worksheets, configuration instructions, andtroubleshooting tips, see the Quick Start for Network Agent.For Websense deployment recommendations, see the Websense Deployment Guide.See the Websense Administrator’s Guide for instructions on: Filtering users based on groupings in a directory service (see the User Identification chapter). Using Remote Filtering to identify and filter users logging on to domains from outside thenetwork (see the Filtering Remote Clients section of the Clients chapter). Customizing URLs, protocols, or downloadable files Websense software can manage (see theCustom URLs and File Types sections, and the Protocol Management chapter). Implementing a full internet video and audio filtering solution (see the Practical Applicationschapter). Corporate Edition only: Managing filtering using configurable roles and administrativepermissions (see the Delegated Administration chapter).13Version 6.3
Evaluation and Quick Start GuideView sample reports using Real-Time Analyzer RTARTA provides immediate, real-time data to show current internet usage trends in your network. RTAdisplays internet activity as soon as it is installed; data is not collected through a database, as withExplorer or Reporter.Reports displayed now are based on the default filtering policies provided by Websense, Inc.Viewing a few reports can help you determine which filtering policies to implement.1. Log on to RTA.a. From the Windows Start menu select Programs Websense Web Reporting Tools.b. After roles have been defined in Websense Manager, enter your network User Name andPassword to access the Reporting Tools Portal.The logon is validated throug
Websense Filtering Service: Filters internet requests according to input from Network Agent plus configuration data from Policy Server. Websense User Service: Communicates with a directory service to convey user-related information to Policy Server and Filtering Service. Websense Master Database: Houses URL categories and protocol definitions.
