Configuration Guide for F5 BIG-IP Local Traffic Manager


Configuration Guide: Websense F5 BIG-IP Local Traffic Manager and Web Security Gateway or Websense TRITON AP-WEB

F5 BIG-IP Local Traffic Manager and Websense Web Security Gateway or Websense TRITON AP-WEB

Copyright 1996-2015 Websense, Inc. All rights reserved.

Websense and the Websense logo are registered trademarks of Websense, Inc. in the United States and/or other countries. TRITON is a trademark of Websense, Inc. in the United States and/or other countries. F5, F5 Networks, the F5 logo, BIG-IP, FirePass, and iControl are trademarks or registered trademarks of F5 Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the properties of their respective owners.

Every effort has been made to ensure the accuracy of this manual. Websense, Inc. does not warrant or guarantee the accuracy of the information provided herein. Websense, Inc. makes no warranties with respect to this documentation and disclaims any implied warranties including, without limitation, warranties of merchantability, noninfringement, and fitness for a particular purpose, or those arising from a course of dealing, usage, or trade practice. All information provided in this guide is provided “as is,” with all faults, and without warranty of any kind, either expressed or implied or statutory. Websense, Inc. shall not be liable for any error or for damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.

Third-party product descriptions and related technical details provided in this document are for information purposes only and such products are not supported by Websense, Inc.

Contents

Topic 1 Configuration Guide
  Introduction
  Prerequisites and configuration notes
    iApp Downloads
      Websense Content Gateway Assistant iApp
      Generic forward proxy with the Websense Filtering iApp
  Requirements
    F5 LTM
    Websense
    General
  Product versions and revision history
  Configuration examples
    Explicit Proxy - Websense
    Transparent Proxy - Websense
    Explicit (or SOCKS) Proxy - BIG-IP
  Configuring using Websense Content Gateway Assistant
    Getting started with the iApp
    Advanced options
    Explicit Proxy Options
    Transparent proxy options
    Websense server pool, load balancing, and service monitor
    Protocol Optimization
  Configuring using generic proxy with Websense Support
    Features
    Limitations
    Getting started with the iApp
    Advanced options
    Proxy configuration
    Security and access control
    URL filtering and inspection
    Proxy autoconfiguration support


1 Configuration Guide

Introduction

This guide provides step-by-step procedures for configuring F5 BIG-IP Local Traffic Manager (LTM) devices with Websense Web Security Gateway or Websense TRITON AP-WEB.

Note: Websense product names and bundles changed in 8.0.0. See the v8.0.0 Release Notes for TRITON APX Solutions.

Web Security Gateway and TRITON AP-WEB each provide the defenses you need to defend against advanced attacks: real-time threat analysis at web gateways, plus forensic reporting. Combined with BIG-IP LTM, a security gateway infrastructure gains the capability to be:

- Easily scaled to meet the demands for high traffic levels common to enterprise deployments.
- Expanded to accommodate new Web Security Gateway or TRITON AP-WEB cluster members with a simple menu-driven configuration update.
- Monitored closely for any conditions that might affect the availability of the enterprise gateway, ensuring continuous traffic flow.
- Used for any configurable authentication mechanism (NTLM and Kerberos) transparently.
- Deployed easily in both transparent and explicit proxy modes.

New to BIG-IP version 11, F5 iApp is a powerful new set of features in the BIG-IP system that provides a new way to architect application delivery in the data center, and it includes a holistic, application-centric view of how applications are managed and delivered inside, outside, and beyond the data center. The iApp templates for Websense applications act as the single-point interface for building, managing, and monitoring these servers.

For more information on iApp, see the White Paper “F5 iApp: Moving Application Delivery Beyond the Network”.

For more information on Websense Web Security Gateway or TRITON AP-WEB, see http://www.websense.com/.

For more information on the F5 devices described in this guide, see http://www.f5.com/products/big-ip/.

Prerequisites and configuration notes

iApp Downloads

Some components need to be downloaded in order to assist you in configuring your environment.

Websense Content Gateway Assistant iApp

This component will allow you to configure an integrated environment for explicit and transparent proxy in combination with a Websense appliance (e.g., Websense V10000 appliance). Use this if you want to route traffic through your Websense appliance directly, or if you are managing the traffic configuration of a cluster of Websense sense-Content-Gateway-AssistantiApp.ashx

Generic forward proxy with the Websense Filtering iApp

This app is for configuring a simple, anonymous HTTP or SOCKS4/5 proxy that uses the Websense Filtering Service for blocking threats and enforcing policy. Use this iApp if you want to create a simple blocking proxy without routing traffic through the Websense appliance directly. This functionality is good for providing basic proxy filtering for guest

Requirements

F5 LTM

Software

BIG-IP LTM must be running version 11.3 or later. We recommend using version 11.3 or later in order to be compatible with both Websense iApps.

- Websense Content Gateway Assistant iApp: Supported beginning with version 11.3.
- Generic forward proxy with Websense Filtering iApp: Supported beginning with version 11.3.

Hardware

There are no specific hardware recommendations; these configuration iApps are compatible with all hardware appliances known to run the recommended BIG-IP Traffic Management Operating System (TMOS) versions, including Virtual Edition.

Websense

Software

We recommend using Websense software that is version 7.7.3 or greater. This version contains special health monitoring tools that we can utilize to check the proper operation of your proxy instance that previous versions do not contain.

- Websense Content Gateway Assistant iApp: Version 7.7 or above is recommended. For extended health monitoring capabilities, version 7.7.3 or greater is highly desired.
- Generic forward proxy with Websense Filtering iApp: Version 7.6 or above is recommended. In order to use extended health monitoring capabilities, version 7.7.3 or greater is highly desired.

Hardware

There are no specific hardware recommendations.

General

The following items are generally recommended before starting your deployment:

- You should have a thorough understanding of your Websense configuration and its relation to your desired network topology before beginning your deployment. In particular, carefully consider your network’s traffic routing; it is likely that you will need to make one or more changes in order to complete your task.
- This guide is not intended to replace Websense documentation or best practices, merely to supplement them with enough information to enable you to easily configure this particular integration. You should not begin a new Websense deployment using this document. Refer to ployctr/v81/first.aspx for up-to-date information about your Websense deployment.
- If you use user authentication with your Websense installation, ensure that you pay attention to the configuration instructions related to configuration changes needed on the Websense platform to prevent repeated authentication.

Product versions and revision history

Product and versions tested for this guide:

Product Tested    Version Tested
BIG-IP LTM        11.3, 11.4, and 11.5
Websense          7.6, 7.7 or higher (applicable to generic proxy iApp)
                  7.7 or higher (applicable to Websense Assistant iApp)

Revision history for this document:

Version    Comment            Author
1.0        Initial release    JM

Configuration examples

Before continuing, you should select the type of integrated deployment that suits your environment. BIG-IP supports several deployment modes for Websense integration.

Explicit Proxy - Websense

Figure 1. Explicit proxy configuration (Websense-routed)

This mode allows you to configure your network’s web browser clients to use the BIG-IP Virtual Server as a direct HTTP proxy, or to define the created virtual address within a proxy auto-configuration that is distributed via DNS or DHCP.

If you use this particular mode, you must ensure that your browser clients are either manually configured or that you have correctly set up an auto-configuration mechanism that will serve them.

This explicit proxy configuration will route traffic through the Websense appliance. To begin, turn to the “Configuring using Websense Content Gateway Assistant” configuration section of this document.

Transparent Proxy - Websense

Figure 2. Transparent proxy configuration (Websense-routed)

This mode allows you to redirect select traffic from your network’s web browser clients transparently through the Websense appliance cluster.

This mode ensures that you do not need to distribute any configuration changes to your clients, but may require routing changes to your network. To begin, turn to the “Configuring using Websense Content Gateway Assistant” configuration section of this document.

Explicit (or SOCKS) Proxy - BIG-IP

Figure 3. Explicit proxy (BIG-IP-routed)

This mode allows you to configure your network’s web browser clients to use the BIG-IP Virtual Server as an HTTP proxy, or to define the created virtual address within a proxy auto-configuration that is distributed via DNS or DHCP.

If you use this particular mode, you must ensure that your browser clients are either manually configured or that you have correctly set up an auto-configuration mechanism that will serve them.

This explicit proxy configuration will route traffic through the BIG-IP, but will ask the Websense appliance for blocking decisions. To begin, turn to the “Configuring using generic proxy with Websense Support” configuration section of this document.

Configuring using Websense Content Gateway Assistant

Refer to the following for guidance on how to configure the BIG-IP system for the modes described by Figures 1 and 2 in the section “Configuration examples” using the iApp template described on page 1 of this document.

Getting started with the iApp

To begin using the Websense Content Gateway Assistant iApp, you must import it and then create an application from the template.

1. Unpack the template file from the Zip ar
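The explicit proxy modes described under “Configuration examples” depend on clients receiving a proxy auto-configuration (PAC) file that names the BIG-IP virtual server. The PAC file below is an added example, not part of the original guide or of either vendor's iApp templates. The virtual server address 192.0.2.10:8080, the internal suffix .corp.example, and the direct-access rules are assumptions, and the helper stand-ins exist only so the rules can be exercised outside a browser.

```javascript
// Added example, not from the Websense/F5 guide. The virtual server address,
// internal DNS suffix and direct-access rules are constructed placeholders.
var BIGIP_VIP = "PROXY 192.0.2.10:8080"; // hypothetical BIG-IP virtual server
var INTERNAL_SUFFIX = ".corp.example";   // hypothetical internal DNS suffix

// Browsers supply the PAC helpers. These stand-ins are defined only when the
// file runs outside a browser (for example under Node, to test the rules).
if (typeof isPlainHostName === "undefined") {
  var isPlainHostName = function (host) { return host.indexOf(".") === -1; };
  var dnsDomainIs = function (host, domain) {
    return host.length >= domain.length &&
      host.substring(host.length - domain.length) === domain;
  };
  var isInNet = function (ip, net, mask) { // IPv4 literals only, no DNS lookup
    var toInt = function (addr) {
      return addr.split(".").reduce(function (n, o) { return ((n << 8) | +o) >>> 0; }, 0);
    };
    return ((toInt(ip) & toInt(mask)) >>> 0) === ((toInt(net) & toInt(mask)) >>> 0);
  };
}

var IPV4_LITERAL = /^\d{1,3}(\.\d{1,3}){3}$/;

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Short names and the internal suffix are reached without the proxy.
  if (isPlainHostName(host) || dnsDomainIs(host, INTERNAL_SUFFIX)) {
    return "DIRECT";
  }
  // Private and loopback address literals also stay local. isInNet is called
  // only on literals so that rule evaluation never triggers a DNS lookup.
  if (IPV4_LITERAL.test(host) &&
      (isInNet(host, "10.0.0.0", "255.0.0.0") ||
       isInNet(host, "127.0.0.0", "255.0.0.0"))) {
    return "DIRECT";
  }
  // All other traffic goes to the BIG-IP virtual server. No "; DIRECT"
  // fallback is listed, so the PAC file never offers clients an unfiltered
  // path when the virtual server is unreachable.
  return BIGIP_VIP;
}
```

The leading dot in the internal suffix matters: without it, a lookalike name such as notcorp.example would match the suffix rule and skip the filtering proxy.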
