Websense Content Gateway Assistant iApp
Problem this snippet solves:
Websense Content Gateway Assistant iApp
Enables easy configuration of a Websense Content Gateway cluster behind F5 LTM.
Provides the following features:
- Creation of an LTM Virtual Server-based explicit proxy for HTTP/HTTPS/FTP
- Support for specialized Websense health-checks (version 7.7 and above)
- Support for transparent proxy forwarding (non-explicit)
- Full management of the loading of the Websense content gateway pool in both explicit and transparent modes
- TCP queueing/optimization for proxy clients
- Support for all proxy authentication modes available at the Websense Content Gateway cluster, including Integrated Windows Authentication and Kerberos
This iApp is supplied with a full help file. Please refer to it when configuring your environment.
V3 updates:
- VLAN selection support
Requires TMOS 11.3 or newer, suggested 11.5 or newer.
Contributed by: jknepher
Tested this on version:
11.3Published Apr 28, 2015
Version 1.0
Jonathan_Kneph1
Nimbostratus
NimbostratusJonathan_Kneph1Nimbostratus
Nimbostratus
Cody_GreenEmployee
Sidoli, F5's SSL forward proxy functionality will address your issue: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-3-0/14.html. With this option the F5 will generate a valid SSL certificate for the requested website. You may also want to look at F5's SSL AirGap iAp: https://f5.com/solutions/deployment-guides/air-gap-egress-inspection-with-ssl-intercept-big-ip-v114-ltm.
vrn_159121Altostratus
Hi Mr.jonathan Knepher Thanks for this i app. i need to know what are the services does this health monitor checks. "http://127.0.0.1:8083/heakth.app.filtering" how can i use this monitor to my other pools which is created without iapp.
Sidoli_236736Hi, we have a scenario where we require iRule functionality while using this iApp. We need to decrypt the traffic before it is sent to Websense so that iRules can process the request. If we create the clientssl profile with a certificate and key then we can successfully achieve this, however the browsers rightfully complain because there is a certificate name mismatch for the target web server, do you know how we can accomplish this?
Jonathan_Kneph1Hello etrust. The health monitor uses that specific proxy request in order to test the proxy, and it's required internal management functions, such as the filtering service. Checking just the proxy port wouldn't assure that filtering is working, and checking just the filtering service wouldn't assure that the proxy is working.- etrust_146327
Cirrus
Hi The health monitor looks li this: GET http://127.0.0.1:8083/heakth.app.filtering HTTP/1.0\r\n\r\n Why is the IP address 127.0.0.1 ?