Remote Filtering - Websense


Remote Filtering
Websense Web Security
Websense Web Filter
v7.1

© 1996–2009, Websense Inc. All rights reserved.
10240 Sorrento Valley Rd., San Diego, CA 92121, USA
Published 2009
Printed in the United States of America and Ireland

The products and/or methods of use described in this document are covered by U.S. Patent Numbers 5,983,270; 6,606,659; 6,947,985; 7,185,015; 7,194,464 and RE40,187 and other patents pending.

This document may not, in whole or in part, be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine-readable form without prior consent in writing from Websense Inc.

Every effort has been made to ensure the accuracy of this manual. However, Websense Inc. makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Websense Inc. shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.

Trademarks

Websense is a registered trademark of Websense, Inc. in the United States and certain international markets. Websense has numerous other unregistered trademarks in the United States and internationally. All other trademarks are the property of their respective owners.

Microsoft, Windows, Windows NT, Windows Server, and Active Directory are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Sun, Solaris, UltraSPARC, Sun Java System, and all Sun Java System based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc., in the United States and other countries.

eDirectory and Novell Directory Services are registered trademarks of Novell, Inc., in the U.S. and other countries.

Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Pentium is a registered trademark of Intel Corporation.

Red Hat is a registered trademark of Red Hat, Inc., in the United States and other countries. Linux is a trademark of Linus Torvalds, in the United States and other countries.

This product includes software distributed by the Apache Software Foundation (http://www.apache.org). Copyright (c) 2000. The Apache Software Foundation. All rights reserved.

Other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are the sole property of their respective manufacturers.

Contents

Chapter 1  Introduction ..... 5
  Remote Filtering Client system requirements ..... 5
  Remote Filtering Server system requirements ..... 6
    Hardware recommendations ..... 6
  Deployment information ..... 7
  How Remote Filtering works ..... 8
    Outside the network ..... 8
    Inside the network ..... 10
    Identifying remote users ..... 10
    When server communication fails ..... 11
    Virtual Private Network (VPN) ..... 11

Chapter 2  Installation ..... 13
  Preparing for installation ..... 13
  Downloading and starting the installer ..... 14
  Installing Remote Filtering components ..... 16
    Installing Remote Filtering Client Pack separately ..... 19
  Deploying Remote Filtering Client ..... 19
    Preparing to install on Microsoft Windows Vista machines ..... 20
    Installing manually ..... 20
    Installing with a third-party deployment tool ..... 23

Chapter 3  Initial Setup ..... 27
  Firewall configuration and component communication ..... 27
    Remote Filtering Server and client computers ..... 27
    Remote Filtering Server and other filtering components ..... 27
  Configuring Remote Filtering settings ..... 28

Chapter 4  Upgrading ..... 31
  Preparing to upgrade Remote Filtering Server ..... 31
  Upgrading Remote Filtering Server ..... 32
  Upgrading Remote Filtering Client ..... 33
    Manual procedure ..... 33
    Third-party deployment tool ..... 34
    Upgrade syntax ..... 35

Appendix A  Troubleshooting ..... 37
  Block pages are not being displayed ..... 37
  Quota, Continue not offered for remote HTTPS or FTP requests ..... 37
  When client machines use a proxy server ..... 38
  Troubleshooting procedures for Remote Filtering ..... 38

Chapter 1  Introduction

With Remote Filtering, Websense Web Security and Websense Web Filter can filter HTTP, HTTPS, and FTP requests from machines outside the network.

Remote Filtering requires the following components:

- Remote Filtering Client is installed on each machine that will be filtered when used outside the network. This client is configured to communicate with the Remote Filtering Server.
- Remote Filtering Server resides inside your firewall, and acts as a proxy to Websense Filtering Service.

All communication between Remote Filtering Client and Remote Filtering Server is authenticated and encrypted.

Remote Filtering Client system requirements

Remote Filtering Client can only be installed on a supported Windows operating system.

Hardware recommendations:
- Pentium 4 or greater
- Free disk space: 25 MB for installation; 15 MB to run the application
- 512 MB RAM

Operating system requirements:
- Windows XP Professional with SP1, SP2, or SP3
- Windows Vista (Ultimate, Enterprise, or Business)
- Windows Server 2003 (Standard or Enterprise)
- Windows Server 2003, SP1 (Standard or Enterprise)
- Windows Server 2003, R2 (Standard or Enterprise)
- Windows Server 2008 (x86) (Standard or Enterprise)

Remote Filtering Server system requirements

Remote Filtering Server is supported on the following operating systems:
- Red Hat Enterprise Linux 3 or 4: AS, ES, and WS
- Red Hat Enterprise Linux 5 (Standard, Advanced Platform, Desktop with Workstation option)
- Windows Server 2003, SP1 (Standard or Enterprise)
- Windows Server 2003, R2 (Standard or Enterprise)

Hardware recommendations

The following hardware recommendations are organized by network size.

Network size              Platform            Hardware recommendations
1-500 clients             Windows or Linux    Quad-Core Intel Xeon, 2.5 GHz or greater; 2 GB RAM; 20 GB of free disk space
500-2000 clients          Windows or Linux    Quad-Core Intel Xeon, 2.5 GHz or greater; 2 GB RAM; 20 GB of free disk space
2000-5000 clients         Windows or Linux    Quad-Core Intel Xeon, 2.5 GHz or greater; 2 GB RAM; 20 GB of free disk space
5000-10000 clients        Windows or Linux    Quad Xeon, 3.2 GHz or greater, or static load balancing with Dual Xeon, 3.2 GHz or greater; 1 GB RAM; 20 GB of free disk space
More than 10000 clients   Windows or Linux    Static load balancing with Quad Xeon, 3.2 GHz or greater; 2 GB RAM; 20 GB of free disk space

Deployment information

When you install Remote Filtering, observe the following guidelines:

- Install Remote Filtering Server:
  - Inside your organization's outermost network firewall
  - In the DMZ outside the firewall that protects the rest of the network
  - On its own, dedicated machine
  This machine must be able to communicate with Websense Filtering Service and with the remote machines outside the network firewall. The Remote Filtering Server machine need not be joined to a domain.
- Do not install Remote Filtering Server on the same machine as Websense Filtering Service or Network Agent.
- Install only one primary Remote Filtering Server for each Filtering Service in your network.
- To provide failover capability for the primary Remote Filtering Server, install optional secondary and tertiary Remote Filtering Servers. Configure each of these Remote Filtering Servers to communicate with the same Filtering Service. Configure each Remote Filtering Client to connect to the backup servers in case of server failure. Remote Filtering Clients connect to only one Remote Filtering Server at a time.

The following diagram shows a typical Remote Filtering deployment, including port assignments. This example does not include all Websense components. For more information about deploying Websense software, see the Deployment Guide.

[Diagram: typical Remote Filtering deployment with port assignments; not reproduced in this transcription]

Important: In this deployment, the heartbeat port, 8800, must be blocked at the external firewall, but opened on the internal firewall.

How Remote Filtering works

Websense Remote Filtering Client is an agent that handles Internet requests on machines used outside the organization's network. When the user of a Remote Filtering Client machine makes a browser-based Internet request, Remote Filtering Client determines whether to query Remote Filtering Server about the request based on whether the machine is within or outside the network.

Outside the network

When a computer is started outside the network, Remote Filtering Client attempts to send a heartbeat to Remote Filtering Server. The heartbeat is unsuccessful because the heartbeat port is blocked at the external firewall.

This heartbeat failure prompts Remote Filtering Client to send a query about each HTTP, HTTPS, or FTP request over the configured port (default 80) to Remote Filtering Server in the DMZ. Remote Filtering Server then forwards the request to Filtering Service inside the network. Filtering Service evaluates the request and sends a response to Remote Filtering Server, which then sends the response to the remote computer. If the site is blocked, Remote Filtering Client requests and receives the appropriate block page, which is displayed to the user.

Remote Filtering Client delays each filtered request until it receives a response from Remote Filtering Server. Depending on the response received, Remote Filtering Client either permits the site or displays the block page.

A log file tracks Remote Filtering activities, such as entering and leaving the network, failing open or closed, and restarting the client. Remote Filtering Client creates the log file when it starts for the first time. You control the presence and size of this log file. See Configuring Remote Filtering settings, page 28.

Inside the network

When the filtered machine is started inside the network, Remote Filtering Client attempts to send a heartbeat to Remote Filtering Server in the DMZ. The heartbeat is successful because the heartbeat port is open on the internal firewall.

In this case, Remote Filtering Client becomes passive and does not query Remote Filtering Server about Internet requests. Instead, requests are passed directly from the browser to Network Agent or an integrated product (such as Cisco PIX or Microsoft ISA Server). The request is filtered like any other internal request.

Identifying remote users

How a user logs on to the remote machine determines which policy is enforced.

If a user logs on using cached domain credentials (network directory logon information), Filtering Service is able to resolve the user name, and applies the appropriate user- and group-based policies to the remote computer. Additionally, Internet activity is logged under the network user name.

If the user logs on with a user account that is local to the computer, Filtering Service cannot resolve the user name. If manual authentication is enabled, the user receives a logon prompt when opening a browser. In this situation, Internet requests are filtered by the appropriate user or group policy.

If the user logs on with a user account that is local to the computer, and manual authentication is not enabled, Internet requests are filtered by the Default policy. Internet activity is logged under the local user name. Remote Filtering does not filter on the basis of policies assigned to computers (IP addresses) or networks (IP address ranges).

Note: Selective authentication settings do not apply to remote filtering users.

When server communication fails

Filtering occurs when Remote Filtering Client, outside the network, successfully communicates with Remote Filtering Server in the network DMZ. However, there may be times when that communication is unsuccessful.

The action Remote Filtering Client takes if it cannot contact Remote Filtering Server is configurable. By default, Remote Filtering Client permits all HTTP, HTTPS, and FTP requests when it cannot communicate with Remote Filtering Server (fail open). Remote Filtering Client continues attempting to contact Remote Filtering Server. When communication is established, the appropriate filtering policy is enforced.

When Remote Filtering Client is configured to fail closed, a timeout value is applied (default 15 minutes). The clock begins running when the remote computer is started. Remote Filtering Client attempts to connect to Remote Filtering Server immediately and continues cycling through available Remote Filtering Servers until it is successful.

- If the user has Web access at startup, no filtering occurs (all requests are permitted) until Remote Filtering Client connects to Remote Filtering Server. When this occurs, the appropriate filtering policy is enforced.
- If Remote Filtering Client cannot connect within the configured timeout period, all Internet access is blocked until a connection to Remote Filtering Server can be established.

Note: If Remote Filtering Server cannot connect to Filtering Service for any reason, an error is returned to Remote Filtering Client, and filtering always fails open.

This timeout period allows users who pay for Internet access when travelling to start the computer and arrange for connection without being locked out. If the user does not establish Web access before the 15 minute timeout period expires, Web access cannot be established during that session. When this occurs, the user must restart the computer to begin the timeout interval again.

To change the fail open/fail closed setting, and to change the timeout value, see Configuring Remote Filtering settings, page 28.

Virtual Private Network (VPN)

Websense Remote Filtering supports VPN connections, including split-tunneled VPN.

When a remote computer connects to the internal network via VPN (non split-tunneled), Remote Filtering Client is able to send a heartbeat to Remote Filtering Server. As a result, Remote Filtering Client becomes passive and all HTTP, HTTPS, and FTP requests from the remote computer are filtered by Network Agent or an integration product, like other in-network computers.

If the remote computer connects to the internal network via a split-tunneled VPN client, Remote Filtering Client detects this and does not send a heartbeat to Remote Filtering Server. Remote Filtering Client assumes that it is operating externally and submits requests to Remote Filtering Server for filtering.

Websense software supports split-tunneling for the following VPN clients:
- Checkpoint SecureClient
- Cisco
- Juniper/Netscreen
- Microsoft PPTP
- Nokia
- Nortel
- SonicWALL
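The decision logic described in How Remote Filtering works, When server communication fails, and Virtual Private Network (VPN) can be modelled as a small state machine. The following is an added example written for this page; it is not Websense code and the real client exposes no such API. The event format, the class and function names, and the treatment of time in minutes since boot are assumptions made for the example. It shows the two places where a remote user ends up unfiltered: an unreachable server in the default fail-open mode, and a server that cannot reach Filtering Service, which fails open in either mode.

```python
"""Model of Remote Filtering Client's permit/block/query decision (added
example, not Websense code). Reproduces the behaviour the guide describes:
heartbeat-based inside/outside detection, split-tunnel VPN handling,
fail open / fail closed with the startup timeout, and the fail-open
override when Remote Filtering Server cannot reach Filtering Service.
All names and the Event format are assumptions made for this example."""
from dataclasses import dataclass
from enum import Enum
from typing import List


class Mode(Enum):
    FAIL_OPEN = "open"      # default: permit while the server is unreachable
    FAIL_CLOSED = "closed"  # block once the startup timeout has expired


class Action(Enum):
    PASSIVE = "passive"  # inside the network: Network Agent / integration filters
    QUERY = "query"      # outside: ask Remote Filtering Server and enforce its answer
    PERMIT = "permit"    # outside, server unreachable or in error: fail open
    BLOCK = "block"      # outside, fail closed, timeout expired: block everything


@dataclass
class Event:
    """One observation of the client's environment at `minute` minutes
    after the computer started (constructed for this example)."""
    minute: float
    heartbeat_ok: bool          # heartbeat on port 8800 answered (only possible inside)
    split_tunnel_vpn: bool      # a supported split-tunnel VPN client is active
    server_reachable: bool      # Remote Filtering Server answered on the query port
    server_error: bool = False  # server returned an error (cannot reach Filtering Service)


@dataclass
class Client:
    mode: Mode = Mode.FAIL_OPEN
    timeout_minutes: float = 15.0  # only meaningful for FAIL_CLOSED
    connected_once: bool = False   # reached Remote Filtering Server since startup

    def locate(self, ev: Event) -> str:
        # With a split-tunnel VPN the client sends no heartbeat at all and
        # assumes it is external, even though the tunnel reaches the network.
        if ev.split_tunnel_vpn:
            return "outside"
        return "inside" if ev.heartbeat_ok else "outside"

    def decide(self, ev: Event) -> Action:
        if self.locate(ev) == "inside":
            return Action.PASSIVE
        if ev.server_reachable:
            self.connected_once = True
            # Server reached but it cannot reach Filtering Service: the guide
            # says filtering always fails open here, whatever the mode.
            return Action.PERMIT if ev.server_error else Action.QUERY
        if self.mode is Mode.FAIL_OPEN:
            return Action.PERMIT
        # Fail closed: the clock starts at boot, not at the first failure, so
        # a user who needs a few minutes to pay for Wi-Fi is not locked out.
        if ev.minute < self.timeout_minutes:
            return Action.PERMIT
        # Timeout expired without a connection: everything is blocked until
        # the server can be reached; in practice the user restarts the machine.
        return Action.BLOCK


def run_session(client: Client, events: List[Event]) -> List[Action]:
    """Apply each event in order and return the action taken for each."""
    return [client.decide(ev) for ev in events]


if __name__ == "__main__":
    # Laptop booted in a hotel, fail closed: permitted during the grace period,
    # blocked after it, filtered again once the server answers.
    hotel = [Event(5, False, False, False), Event(20, False, False, False),
             Event(25, False, False, True)]
    print(run_session(Client(mode=Mode.FAIL_CLOSED), hotel))
```

Reading the model against a deployment: if port 8800 is reachable from the Internet, `heartbeat_ok` becomes true outside the network and every remote request takes the PASSIVE path, so the external firewall rule in the Important note above is what keeps remote users filtered at all.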

Chapter 2  Installation

You must have a functioning Websense Web filtering deployment before installing any Remote Filtering components. See the Installation Guide, and the Installation Supplement for your integration product, if needed, for instructions on installing and configuring your Websense software.

- For Remote Filtering system requirements, see Remote Filtering Client system requirements, page 5.
- For deployment instructions, see Deployment information, page 7.

Preparing for installation

Before installing Remote Filtering components, determine whether a firewall exists between the machine where Remote Filtering Server will be installed and the machine or machines where Policy Broker, Policy Server, and Filtering Service are installed.

If so, configure that firewall to permit communication over the following ports (or the alternate ports you configured when you installed primary Websense components). Some of these ports must be open for installation, but can be closed after that, as noted. Others must stay open for Remote Filtering to function properly.

Port            Description
55880           Enables communication from Remote Filtering Server to Policy Broker.
55806, 40000    Enable communication from Remote Filtering Server to Policy Server during installation. Can be closed after installation is complete.
55825           Enables communication from Policy Server to Remote Filtering Server during installation. Can be closed after installation is complete.
15868           Filtering Service port. Enables communication between Filtering Service and Remote Filtering Server.
15871           Block page port. Enables Filtering Service to send block messages to users. If this port is not open on the firewall, users are still blocked, but do not receive a block message.

Most environments also include a firewall between Remote Filtering Server and the Remote Filtering Clients that operate outside the network. This firewall must be configured as follows to enable Remote Filtering to function properly. You can configure this firewall before or after installing Remote Filtering Server and deploying Remote Filtering Clients.

Port            Description
80 (or 8080)    Open this external communication port on the external firewall. This enables Remote Filtering Server to accept connections from Remote Filtering Clients on computers located outside the network firewall. The default is 80, but many installations set it to port 8080 during installation of Remote Filtering Server.
8800            Close access to this internal communication port on the external firewall from computers located outside the network firewall. This default may have been changed when Remote Filtering Server was installed.

Downloading and starting the installer

The Websense Web Security and Websense Web Filter installer includes the Remote Filtering components. If the installer has already been downloaded to the machine where you plan to install Remote Filtering Server, go directly to step 5.

Otherwise, follow these instructions to download and extract the installer.

1. Log on to the Remote
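The two port tables above (internal firewall between Remote Filtering Server and the other Websense components; external firewall between Remote Filtering Server and remote clients) are easiest to verify with a probe that encodes the expected outcome for each port, because the dangerous misconfiguration on the external side is a port that is open when it should be blocked. The following is an added example written for this page, not Websense code. The hostnames are placeholders and the ports are the defaults from the tables; the `selftest` function runs the same probe against loopback so the logic can be exercised offline.

```python
"""Connectivity checks for the ports Remote Filtering depends on (added
example, not Websense code). Hostnames are placeholders; ports are the
defaults from the installation guide's tables."""
import socket
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Check:
    host: str
    port: int
    expect_open: bool  # True: must be reachable; False: must be blocked
    why: str


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def verify(checks: List[Check],
           probe: Callable[[str, int], bool] = tcp_reachable
           ) -> List[Tuple[Check, bool, bool]]:
    """Probe each check; return (check, reachable, passed) triples."""
    results = []
    for c in checks:
        reachable = probe(c.host, c.port)
        results.append((c, reachable, reachable == c.expect_open))
    return results


# Run from a machine OUTSIDE the network against the Remote Filtering Server's
# public address. Use 80 or 8080, whichever was chosen at installation.
EXTERNAL_CHECKS = [
    Check("rfs.example.com", 8080, True,
          "client query port; if closed, remote clients cannot be filtered "
          "and, in the default fail-open mode, browse unfiltered"),
    Check("rfs.example.com", 8800, False,
          "heartbeat port must be BLOCKED externally; if it answers, remote "
          "clients believe they are inside the network, go passive and are unfiltered"),
]

# Run from the Remote Filtering Server toward the internal components.
# 55825 (Policy Server -> Remote Filtering Server) is inbound here and must
# be probed from the Policy Server machine instead.
INTERNAL_CHECKS = [
    Check("policy-broker.example.internal", 55880, True, "Policy Broker"),
    Check("policy-server.example.internal", 55806, True, "Policy Server (installation only)"),
    Check("policy-server.example.internal", 40000, True, "Policy Server (installation only)"),
    Check("filtering.example.internal", 15868, True, "Filtering Service"),
    Check("filtering.example.internal", 15871, True,
          "block page port; if closed, sites are still blocked but no block page is shown"),
]


def report(results: List[Tuple[Check, bool, bool]]) -> int:
    """Print one line per check and return the number of failed checks."""
    failures = 0
    for c, reachable, ok in results:
        state = "open" if reachable else "blocked"
        print(f"{'PASS' if ok else 'FAIL'} {c.host}:{c.port} is {state} ({c.why})")
        failures += 0 if ok else 1
    return failures


def selftest() -> List[bool]:
    """Offline demonstration on loopback: a listening port (expected open)
    and a port with no listener (expected blocked, connection refused)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()  # nothing listens here any more
    try:
        results = verify([Check("127.0.0.1", open_port, True, "loopback listener"),
                          Check("127.0.0.1", closed_port, False, "closed loopback port")])
    finally:
        listener.close()
    return [ok for _, _, ok in results]


if __name__ == "__main__":
    print("selftest:", selftest())
    report(verify(EXTERNAL_CHECKS))  # on a machine outside the network
    report(verify(INTERNAL_CHECKS))  # on the Remote Filtering Server
```

A TCP connect only proves the firewall passes the port; it does not prove the service behind it is healthy, so a PASS on 15868 should be followed by checking that Remote Filtering Server actually receives filtering responses (otherwise remote clients fail open, as the Note in Chapter 1 describes).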
