Re: [FW-1] Using WebSense instead of proxy servers

Subject: Re: [FW-1] Using WebSense instead of proxy servers

Date: Mon, 14 Oct 2002 15:55:30 -0700

Reply-To: Mailing list for discussion of Firewall-1 <[email protected]>

Sender: Mailing list for discussion of Firewall-1 <[email protected]>

Josh,

There are two ways that we have to identify users beyond the integration partner (in your case currently the Microsoft Proxy Server and soon to be the FireWall-1 system), and we have numerous successful installations using either or both methods. The first, as you mentioned, is what we call the DC Agent. It is an application that can monitor the logons to your Windows-based domain controllers (either NT or Windows 2000) and associate the user name with the workstation IP address. So, when the FireWall sends the workstation IP address through the UFP request, we can then associate a name with that request. The other method is to manually challenge the user to provide a user name and password to the Websense Server. This only works with FireWall-1 v4.1 SP3 and later. With this method we can authenticate users against either an LDAP server or a Windows-based domain controller, and if successful, associate the user with that workstation IP address.

There are several other things to consider on this type of configuration change. You may want to contact our Technical Support department to talk to them about the advantages and disadvantages of the changes you are considering. They can be reached either by callingor by this web site http://www.websense.com/support/form/index.cfm

Thank you.

-----Original Message-----
From: Perrymon, Josh L. [mailto:[email protected]]
Sent: Monday, October 14, 2002 12:32 PM
To: [email protected]
Subject: [FW-1] Using WebSense instead of proxy servers

Hello,

I want to setup Websense with my FW-1 installation and phase out the MS proxy servers. Currently we use proxies because they authenticate

our users. ( Some users aren't allowed WWW access and others are)

We use DHCP and have 300-700 users so DENY rules wouldn't be efficient. Is anyone using Websense/ FW-1 to authenticate users for WWW?

And what problems have you ran into...? I hear there is an agent you install on your domain controllers to query the users DB..

Thanks

Josh Perrymon
Network Security Consultant
BE&K , INC