Websense Web Security Gateway Anywhere


Websense Web Security Gateway Anywhere
Getting Started Guide
v7.5

1996–2010, Websense Inc. All rights reserved.
10240 Sorrento Valley Rd., San Diego, CA 92121, USA
Published September 8, 2010
Printed in the United States of America and China.

This document may not, in whole or in part, be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine-readable form without prior consent in writing from Websense Inc.

Every effort has been made to ensure the accuracy of this manual. However, Websense Inc., makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Websense Inc. shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.

Trademarks

Websense is a registered trademark of Websense, Inc., in the United States and certain international markets. Websense has numerous other unregistered trademarks in the United States and internationally. All other trademarks are the property of their respective owners.

Microsoft, Windows, Windows NT, Windows Server, and Active Directory are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are the sole property of their respective manufacturers.

Contents

Topic 1: Introducing Web Security Gateway Anywhere
    Overview
    Websense TRITON Unified Security Center
    The TRITON module tray
    Collapsible navigation and content panes
    Hybrid Web filtering
    Sample hybrid deployment
    Hybrid Sync Service
    Filtered locations
    Unfiltered destinations
    Authenticating off-site users
    Remote filtering
    Web data loss prevention (DLP)
    PreciseID fingerprinting
    What is Web DLP?
    Enterprise-class Web DLP
    Do this first!
    Resources
    Documentation
    Knowledge Base
    Technical Support
    Setup diagrams

Topic 2: Setting Up the V-Series Appliance
    Deployment options
    Preparing the appliance
    Set up the appliance hardware
    Perform initial command-line configuration
    Configure the appliance
    Components running off the appliance
    Logon portal
    Installing Windows components of Websense software
    Websense Web Security
    Websense Data Security
    More information

Topic 3: Installing Software
    Deployment options
    Installing Websense Web Security
    Hardware and software requirements
    Components
    Preparing to install
    Installing the software
    Installing hybrid and Web DLP components
    Installing Websense Content Gateway
    Hardware and software requirements
    Hardware
    Software
    Downloading the software
    Installing the software
    Installing Websense Data Security
    Hardware and software requirements
    Installing the software
    Installing on a virtual machine
    Installing the ESXi platform
    Customizing ESXi
    Installing the VMware Client
    Installing the license and setting the time
    Configuring an additional NIC
    Creating the virtual machines

Topic 4: Configuring the Web Security Module
    Initial setup
    Logging on to TRITON - Web Security
    Activating Websense Web Security Gateway Anywhere
    Checking that the database download is completed
    Activating hybrid filtering
    Configuring directory service settings
    Editing the Default policy
    Preparing for Web DLP
    Configuring linking between Web and data security
    Email notification
    Creating a common administrator account
    Configuring hybrid filtering
    Define locations filtered by hybrid service
    Specify sites that hybrid filtering users can access directly
    Configure hybrid filtering behavior
    Send user and group data to the hybrid service
    Schedule communication with hybrid filtering

Topic 5: Configuring the Content Gateway Module
    Initial Setup
    Logging on
    Entering your subscription key
    Enabling proxy features
    Configuring protocols
    Checking for alarms
    Routing traffic to Content Gateway
    Explicit request routing
    Transparent request routing
    Configuring proxy user authentication
    Transparent proxy authentication
    Using LDAP proxy authentication
    Using RADIUS proxy authentication
    Using NTLM proxy authentication
    Preparing for Web DLP
    Registering with the Data Security Management Server

Topic 6: Configuring the Data Security Module
    Logging on
    Changing passwords
    Troubleshooting log on
    Deploying the Content Gateway module
    Configuring blocking versus monitoring
    Verifying linking
    Verifying the Websense Linking Service
    Importing URL categories
    Creating an administrator account
    Creating data security policies
    How data policies differ from Web policies
    Save All versus Deploy
    Getting started

Topic 7: Testing Filtering
    Verifying policy enforcement
    Testing filtering through the explicit proxy
    Making sure that Internet activity is logged
    Testing hybrid filtering
    Verify hybrid configuration
    Check that hybrid filtering is functioning
    Using reports to verify Web filtering
    Testing data loss prevention
    Test that Content Gateway is properly registered
    Verify that linking succeeded
    Test that the Websense Linking Service is enabled
    Test that joint administration works
    Test that outbound HTTP data is detected
    Analyze traffic in Content Gateway Manager

Topic 8: Troubleshooting
    Cannot register the Content Gateway with Data Security
    Linking has not been configured
    Linking Service information is not shown in TRITON - Data Security
    Websense Linking Service stopped responding
    Unable to connect to TRITON - Data Security
    Administrator unable to access TRITON - Data Security
    Unsupported Data Security Management Server version
    Sync Service is not available
    Directory Agent is not running
    Directory Agent cannot connect to the domain controller
    Directory Agent does not support this directory service
    Alerts were received from the hybrid service
    Unable to connect to hybrid service
    Missing key hybrid configuration information
    Hybrid filtering data does not appear in reports

Topic 9: Copyrights
    Trademarks
    Open Source Copyrights

Index

1 Introducing Web Security Gateway Anywhere

Overview

Websense Web Security Gateway Anywhere is a Web security solution designed for distributed enterprises with one or more branch offices and multiple remote users.

Web Security Gateway Anywhere offers an alternative to pure service- or appliance-based solutions. Rather than choosing between an in-the-cloud or on-premises Web filtering solution for your entire enterprise, you can deploy a blended solution that encompasses the best of both worlds, and you can manage it from a single user interface—the TRITON Unified Security Center.

You can decide which method to use for which users. For example, you may use our robust on-premises Web filtering for your corporate office (business) or main campus (education), and filter your regional offices or satellite locations through our hybrid service.

Unlike alternate approaches, hybrid filtering gives you the flexibility to choose the platform or mix of platforms that best meets your operational requirements without incurring the cost of managing multiple systems.

In addition, Web Security Gateway Anywhere protects you from data loss over the Web, providing security for outbound content as well. You identify sensitive data and define whether you want to audit or block attempts to post it to HTTP, HTTPS, FTP, or FTP-over-HTTP channels.

And finally, Web Security Gateway Anywhere provides flexible solutions for users who travel or work from a location outside of your network, such as a home office. You can install a Web filtering client on remote users’ machines, or you can monitor remote activity using our hybrid Web filtering service.

Web Security Gateway Anywhere includes Websense Web Security and Websense Content Gateway as well as hybrid Web and DLP features.

Because it includes the real-time analytics of the Websense Content Gateway, you can protect your users from Web 2.0 threats no matter where they reside.

Web Security Gateway Anywhere is available on the V-Series appliance or as software. The appliance configuration reduces your network footprint and improves latency. Appliance setup is described in Chapter 2: Setting Up the V-Series Appliance. Software installation is described in Chapter 3: Installing Software.

For even more robust enterprise security, consider adding Websense Email Security or data loss prevention over additional channels, such as email, endpoint applications, instant messaging, and printers.

Websense TRITON Unified Security Center

The interface that you use to manage Websense Web Security Gateway Anywhere is called the TRITON Unified Security Center. TRITON has modules for Web, data, and—coming soon—email security. TRITON is a Web-based user interface that enables you to perform basic setup, system maintenance, policy creation, reporting, and incident management for both modules in the same location.

Note: TRITON Unified Security Center supports Internet Explorer 7 and 8 and Firefox 3.0.x - 3.5.x. If you have another browser version, unexpected behavior may result.

To access the TRITON security center, log onto either TRITON - Web Security or TRITON - Data Security as described in Chapters 4 and 6.

If you log onto TRITON - Web Security and configure linking before logging onto TRITON - Data Security—as described in this document—the password for TRITON - Web Security is automatically applied to the data security module. This is the case whether you configure the TRITON - Web Security password during installation or with the appliance first-boot script.

The TRITON module tray

The TRITON module tray indicates which module is active.

When you log onto TRITON - Web Security, the Web Security module is active and the Web Security button in the module tray is yellow. To enable the Data Security button, you must install Data Security software, configure linking between TRITON - Web Security and TRITON - Data Security, and create identical administrator accounts in both the Web and data modules. (See Configuring linking between Web and data security, page 93 for instructions on configuring this option.)

After you have configured linking, you can click Data Security in the module tray to open TRITON - Data Security. When in TRITON - Data Security, the Data Security button is yellow, and the Web Security button is grey.

Note: Once you have opened both management consoles in the TRITON security center, use the operating system task bar to switch between the two.

Until you configure linking, clicking the Data Security button opens a Web page describing the benefits of Websense data security solutions. The Email Security button displays a similar Web page.

Collapsible navigation and content panes

The left pane of the TRITON Unified Security Center is known as the navigation pane. The navigation pane is organized with tabs and buttons, some of which offer a menu of options. The center pane (Web Security) or right pane (Data Security) is known as the content pane. The content in this pane varies according to the selection in the navigation pane. In the Web Security module, the far right pane offers a toolbox and links to common tasks.

Navigat
