websense
9 Topics

Difficulties getting Websense working with LTM
I am running LTM 11.4.1 HF1 on a 4200v active/standby cluster. I am working to deploy HF5 once management OKs it. Using an evaluation Virtual Edition (VE) unit, I was able to get Websense integrated with LTM OK, using routed config (no SNAT) and transparent proxy using the Websense iApp. The problem is that when I duplicate this config on my production unit, it doesn't work. There is some routing or other problem. I can see traffic from the test client hitting the LTM, but I see no activity on the LTM websense virtual server or pool. A capture of traffic on the LTM VE, of the testing client (the one browsing the web), shows this:

22:55:06.856386 IP (tos 0x0, ttl 91, id 7389, offset 0, flags [DF], proto: TCP (6), length: 52) 10.249.2.106.57043 > 209.53.113.5.http: S, cksum 0xd9d8 (correct), 4072297509:4072297509(0) win 8192
22:55:06.856449 IP (tos 0x0, ttl 90, id 7389, offset 0, flags [DF], proto: TCP (6), length: 52) 10.249.2.106.57043 > 209.53.113.5.http: S, cksum 0xd9d8 (correct), 4072297509:4072297509(0) win 8192
22:55:06.856452 IP (tos 0x0, ttl 89, id 7389, offset 0, flags [DF], proto: TCP (6), length: 52) 10.249.2.106.57043 > 209.53.113.5.http: S, cksum 0xd9d8 (correct), 4072297509:4072297509(0) win 8192
22:55:06.856517 IP (tos 0x0, ttl 88, id 7389, offset 0, flags [DF], proto: TCP (6), length: 52) 10.249.2.106.57043 > 209.53.113.5.http: S, cksum 0xd9d8 (correct), 4072297509:4072297509(0) win 8192
22:55:06.856521 IP (tos 0x0, ttl 87, id 7389, offset 0, flags [DF], proto: TCP (6), length: 52) 10.249.2.106.57043 > 209.53.113.5.http: S, cksum 0xd9d8 (correct), 4072297509:4072297509(0) win 8192
22:55:06.856584 IP (tos 0x0, ttl 86, id 7389, offset 0, flags [DF], proto: TCP (6), length: 52) 10.249.2.106.57043 > 209.53.113.5.http: S, cksum 0xd9d8 (correct), 4072297509:4072297509(0) win 8192
22:55:06.856588 IP (tos 0x0, ttl 85, id 7389, offset 0, flags [DF], proto: TCP (6), length: 52) 10.249.2.106.57043 > 209.53.113.5.http: S, cksum 0xd9d8 (correct), 4072297509:4072297509(0) win 8192

We have a fairly complex production config, but the VE test I ran used bare-bones minimal config so I could establish a known-good config to make LTM-Websense work. Without providing the full config from both the production and VE units, is there any known config or setting that would cause traffic to enter the LTM, but not be picked up by the virtual server? This seems especially relevant because the virtual server listens on all addresses (0.0.0.0), and all VLANs. I don't expect to easily fix this problem, but I'm at least looking for clues about where to start. I am also working with my local SE on the issue, but thought I'd ask here too.

251 Views, 0 likes, 1 Comment

LTM Websense loadbalancing VIP resets connection
The traffic flow for this connection is: DMZ (on firewall) 10.0.0.0/24 range -> hits an IP 192.168.1.x -> SRC NAT (outgoing interface of the fw) and DST NAT (to VIP:8080) -> NO AUTO MAP, Persistence used -> Loadbalanced across websense pool -> reply goes back the same interface of the fw which was used for the src NAT IP.

In the pcaps from LTM, the VIP resets the connection after a GET from the src NATTED IP. And the reset from the LTM only says "TCP retrasmission timeout". From reading this thread: https://devcentral.f5.com/questions/load-balancing-web-proxy-servers it seems that the TCP profile low timeout value could be an issue here, but I'm not sure and not sure how to test this. On another note, I feel the SRC NATTED address on the fw interface is exhausting its limit of 64k ports and hence the LTM is failing to respond in time. What troubleshooting approach can I go to from here? Just started with f5s. Thanks.

Solved, 510 Views, 0 likes, 2 Comments

URL Filtering vs SWG
Hi, I tried to find some more precise info about two additional features provided by the SWG license (compared to the URL Filtering license) but there is not a lot available. According to my knowledge, the SWG license offers two additional features not present in URL Filtering:

- Malware detection and protection
- Real-Time content classification

It seems that both services are based on Websense technology, but what exactly do they provide and how do they work? Is there a way to turn the above on/off, any configuration? Will appreciate pointing me to some more in-depth docs or sharing some real life experiences with those functions.

Piotr

1.2K Views, 0 likes, 3 Comments

URL Category Database Useless
I have been struggling with the extremely worthless WebSense URL Category database. I say this because categories like "Information Technology" have several sub-categories within them. The problem with categories like these comes with creating and implementing Filters. It appears that with a filter you must allow ALL sub-categories in order for the main Category to be allowed. This is a problem with say.....Business & Economy, because the two sub-categories are "Hosted Business Applications" and "Financial Data & Services". So in order to get the main category of "Business & Economy" to be allowed (because Websense DOES categorize sites into the main categories) via a filter, I must allow BOTH "Hosted Business Applications" and "Financial Data & Services". This is a problem, because "Hosted Business Applications" is arguably NOT really "Business & Economy", but more appropriately falls under "Information Technology". The concept of having sub-categories is great, but that means your Main Categories become useless if you aren't allowing ALL sub-categories, and if that is how it truly does work with filtering, then it sort of NEGATES having sub-categories. It may have been better to either make everything its own category, or just simply stick with the 40+ main categories only.

On a side note, it appears as though many of the major Social Media platforms have got their own main category, but again if WebSense categorizes anything from Facebook, Twitter, etc. as "Social Web - Facebook" or "Social Web - Twitter", and you aren't allowing ALL of the sub-categories within those respective main categories, it will get blocked. Am I way off base on this assessment of how all this works; am I missing something? Has anyone else run into these same issues?

315 Views, 0 likes, 0 Comments

How does the URL database download work?
We are implementing URL filtering on the Big-IP (12.1.2) using APM/SWG and want to run URL updates through the management interface. So far I've gone through the configuration information for APM/SWG and am able to implement URL filtering within our lab. My questions before rolling this out to production and for security are:

- What ports do I need to open to allow this traffic through our firewalls?
- How is my subscription authorized when making the connection? I'm assuming the BigIP does a site validation when connecting to download.websense.com, does anyone have more information about what is going on during this connection?
- Lastly, how does the BigIP validate the downloaded db?

Thanks in advance
Jack

Solved, 847 Views, 0 likes, 3 Comments

F5 with websense with Kerberos authentication
Hi, I recently moved to the F5 LTM module and I want to configure my F5 to work with my WEBSENSE PROXY servers with Kerberos authentication. I set up all the proxy servers to work fine with Kerberos authentication and I get a ticket successfully when I surf through each one of them. The problem is that when I surf through the FQDN of the VIP that is configured on the F5 iApps VS, I don't get a ticket and there is a fallback to NTLM. It seems that the F5 doesn't forward the Kerberos request. What is the special configuration I need to do on the F5 so that Kerberos will work successfully? Please Help !!

703 Views, 0 likes, 3 Comments

True Source IP address
Currently using an F5 to load balance a Websense web proxy deployment. Using the vendor's iApp template to load balance the traffic between blades, which is working. The issue is that the proxy logs show the FIP of the load balancer rather than the true IP of the user's system. I am not using SNAT, XFF is enabled on the HTTP services profile, XFF is also enabled on the web proxy. What am I missing here?

516 Views, 0 likes, 3 Comments

Websense Content Gateway Assistant iApp
Problem this snippet solves:

Websense Content Gateway Assistant iApp

Enables easy configuration of a Websense Content Gateway cluster behind F5 LTM. Provides the following features:

- Creation of an LTM Virtual Server-based explicit proxy for HTTP/HTTPS/FTP
- Support for specialized Websense health-checks (version 7.7 and above)
- Support for transparent proxy forwarding (non-explicit)
- Full management of the loading of the Websense content gateway pool in both explicit and transparent modes
- TCP queueing/optimization for proxy clients
- Support for all proxy authentication modes available at the Websense Content Gateway cluster, including Integrated Windows Authentication and Kerberos

This iApp is supplied with a full help file. Please refer to it when configuring your environment.

V3 updates: VLAN selection support

Requires TMOS 11.3 or newer, suggested 11.5 or newer.

Configuration Guide

Contributed by: jknepher

Tested this on version: 11.3

1.2K Views, 0 likes, 5 Comments

Deploying F5 Air Gap Egress Inspection with SSL Intercept with Websense® TRITON® AP-DATA Protector
Problem this snippet solves:

F5 Networks Air Gap Egress Inspection with SSL Intercept: Deploying F5 BIG-IP Local Traffic Manager with Websense® TRITON® AP-DATA Protector for Data Loss Prevention Recommended Practices Guide

With F5 BIG-IP local traffic manager (LTM) and Air Gap Egress Inspection with SSL Intercept, performing deep inspection of SSL traffic flows with heterogeneous inspection technologies is possible. The Websense TRITON AP-DATA protector offers best-of-breed data loss prevention (DLP) content analysis and can be combined with other F5 product offerings to craft unique "inspection zone" use cases. The referenced guide outlines the configuration details required to integrate F5 BIG-IP LTM with the Websense protector.

This solution is used to deploy the Websense protector with an existing BIG-IP Air Gap Egress Inspection with SSL Intercept architecture.

- Use F5 BIG-IP LTM to provide SSL visibility to the protector.
- Use F5 BIG-IP LTM to scale the protector to desired capacity.
- Use F5 BIG-IP LTM to load balance multiple Websense protectors.
- Use F5 BIG-IP LTM to monitor the health of the Websense protector.

Please refer to the latest Air Gap Egress Inspection with SSL Intercept Deployment Guide and iApp for additional information.

In addition, this recommended practices guide will enable you to complete the following tasks:

- Configure the F5/Websense TRITON AP-DATA protector iApp.
- Modify Air Gap Egress Inspection with SSL Intercept iApp configuration objects to successfully integrate the Websense protector.

Tested this on version: 11.5

293 Views, 0 likes, 0 Comments