
Websense Administration

Sudhanshu Pathak
Technical Specialist-Security Management

Sudhanshu.Pathak@wipro.com

Agenda

Websense Web filtering


Websense Content Filtering

Websense Data loss prevention

Websense Web filtering

Deployment Scenario

Core Component of Websense


Configuration and Troubleshooting

Deployment Scenario

Websense Web Filter and Web Security may either be installed as a standalone solution, or be integrated with a third-party proxy, cache, or firewall product (for example, Check Point Firewall-1 NGX, Cisco ASA, or Microsoft Forefront TMG).

In a standalone deployment, Websense Network Agent monitors Internet activity from all users and forwards both
HTTP(S) requests and requests made via other protocols to Websense Filtering Service to determine whether to
permit or block the request.

In an integrated deployment, the third-party product (integration product) forwards HTTP(S) requests, and
sometimes also FTP requests, to Websense Filtering Service to determine whether to permit or block the request.

Pre-requisite for Installation


Operating system requirements
Windows Server 2008 SP2

Hardware requirement

Pre-requisite for Installation


Windows-specific considerations
All Microsoft updates have been applied.
.NET Framework version 2.0 or higher is required to run the Windows installer.
Domain admin privilege
Synchronizing clocks
Antivirus and firewall
Filtering Service requires Internet access to download the Master Database.
The Computer Browser service must be running.

Web Security Core Component

Core Policy Component


Core Management Component

Core Reporting Component


Deploying transparent identification agents


Use Websense transparent identification agents to identify users without prompting them for a user name and password in standalone or integrated mode deployment.
There are 4 transparent identification agents:
DC Agent is used with a Windows-based directory service. The agent periodically queries domain controllers for user logon sessions and polls client machines to verify logon status. It runs on a Windows server and can be installed in any domain in the network.
Websense Logon Agent identifies users as they log on to Windows domains. The agent runs on a Linux or Windows server, but its associated Logon Application runs only on Windows machines.
Websense RADIUS Agent can be used in conjunction with either Windows- or LDAP-based directory services. The agent works with a RADIUS server and client to identify users logging on from remote locations.
eDirectory Agent is used with Novell eDirectory. It uses Novell eDirectory authentication to map users to IP addresses.

Installation Steps and Tour of Dashboard

Configuration and troubleshooting

Backup Policy database


Backup

Generate a policy backup file. From the Websense bin directory, run:

Windows: PgSetup --save policy.wsdb


Linux: ./PgSetup --save policy.wsdb

From the Websense bin directory, open the config.xml file and search for the word "token" including the quotes. You should see
something like:

<data name="Token"> LONG-TOKEN-STRING-HERE </data>

Copy the token string and save it to a text file.


Move the policy.wsdb file and token string to the destination server.

NOTE: Your WebsenseAdministrator password will be used on the destination server where this token is used.

Restore Policy database


To restore your policies, complete the following steps on the destination server:

From the Websense bin directory, back up the existing policy database:
Windows: PgSetup --save 7x.backup_policy_db
Linux: ./PgSetup --save 7x.backup_policy_db

Store the backup file, generated in step one, in a safe location.


Stop all Websense services.

Move the policy.wsdb file (created on the source server) into the Websense bin directory on the destination server.

From the Websense bin directory, restore the policy database by running:
Windows: PgSetup --restore policy.wsdb
Linux: ./PgSetup --restore policy.wsdb

Restore Policy database

If you are migrating your policy database to a later Websense version, then from the Websense bin directory, run the following additional command:

Windows: PgSetup --upgrade


Linux: ./PgSetup --upgrade

Delete or rename the following two files from the Websense bin directory:
Config.xml.bak

journal.dat

Synchronize the config.xml password with policy database.

From the Websense bin directory, open the config.xml file and search for the word "token" including the quotes.

Replace the token value (the long string of numbers) with the saved token from the source installation server's config.xml file.

Save and close config.xml file.

Restart all Websense Services.
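
The token handling from the backup and restore steps above, as an added shell example that is not part of the original slides or of Websense's tooling. It assumes the token element sits on one line of config.xml as shown earlier and that the token is alphanumeric; the function names and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example, not Websense code. Assumptions: the token element sits on one
# line of config.xml as shown on the slide,
#   <data name="Token"> LONG-TOKEN-STRING-HERE </data>
# and the token is alphanumeric (the slide calls it a long string of numbers).
TOKEN_OPEN='<data name="Token">'

# Print the token from a config.xml; fail unless exactly one element is present.
get_token() {
    count=$(grep -c "$TOKEN_OPEN" "$1" 2>/dev/null || true)
    if [ "$count" != 1 ]; then
        echo "expected one Token element in $1, found ${count:-none}" >&2
        return 1
    fi
    token=$(sed -n "s|.*$TOKEN_OPEN[[:space:]]*\([^<[:space:]]*\)[[:space:]]*</data>.*|\1|p" "$1")
    [ -n "$token" ] || { echo "empty token in $1" >&2; return 1; }
    printf '%s\n' "$token"
}

# Write the source token into the destination config.xml. The previous file is
# kept as <cfg>.pre-token, and the rewrite goes through the existing file so
# its owner and mode are unchanged.
set_token() {
    cfg=$1 new=$2
    case $new in
        ''|*[!0-9A-Za-z]*)
            echo "refusing token with unexpected characters" >&2
            return 1 ;;
    esac
    get_token "$cfg" >/dev/null || return 1
    cp -p "$cfg" "$cfg.pre-token" || return 1
    sed "s|\($TOKEN_OPEN[[:space:]]*\)[^<[:space:]]*\([[:space:]]*</data>\)|\1$new\2|" \
        "$cfg.pre-token" > "$cfg" || return 1
    # Confirm the file now carries the new token before services are restarted.
    [ "$(get_token "$cfg")" = "$new" ]
}

# Constructed sample files standing in for the source and destination servers.
demo_token_sync() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '<constructed-sample>' \
        '  <data name="Token"> 9051234877012345 </data>' \
        '</constructed-sample>' > "$dir/source.xml"
    printf '%s\n' '<constructed-sample>' \
        '  <data name="Token"> 1111222233334444 </data>' \
        '</constructed-sample>' > "$dir/dest.xml"
    src_token=$(get_token "$dir/source.xml") || return 1
    set_token "$dir/dest.xml" "$src_token" || return 1
    result=$(get_token "$dir/dest.xml")
    rm -rf "$dir"
    printf '%s\n' "$result"
}

# Run "sh thisfile demo" to see the destination token after the sync.
if [ "${1:-}" = demo ]; then demo_token_sync; fi
```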

Starting and stopping Websense services


When you stop all Websense services, always end with the following services, in the order shown:
1. Websense Policy Server
2. Websense Policy Broker
3. Websense Policy Database
When you start all Websense services, always start with the following services, in the order shown:
1. Websense Policy Database
2. Websense Policy Broker

3. Websense Policy Server

Starting and stopping Websense services


On Linux machines, there are 2 tools that can be used to stop and start daemons:
The WebsenseAdmin script starts, stops, and restarts all daemons on the machine.
The WebsenseDaemonControl script starts and stops individual daemons.
To use the WebsenseAdmin script to start or stop all daemons:
1. Go to the /opt/Websense directory.
2. Check the status of the Websense services with the following command:
./WebsenseAdmin status
3. Stop, start, or restart all Websense services with the commands:
./WebsenseAdmin stop
./WebsenseAdmin start
./WebsenseAdmin restart
To use the WebsenseDaemonControl script to start or stop a daemon:
1. Go to the /opt/Websense directory.
2. Enter the following command: ./WebsenseDaemonControl
A list of installed components is displayed, showing whether each process is running or stopped.
3. To refresh the list, enter R.
4. When you are finished, enter Q or X to exit the tool.

Reporting
Today and History reports introduces the Today and History pages. The Today page presents a system health
summary along with charts of your organization's Internet activity during the previous 24 hours. The History
page gives a longer-term view, showing Internet activity over the previous 30 days.
Presentation Reports shows you how to generate predefined reports and copy those reports to apply
customized data selection filters, as well as how to set up a scheduled report job.

Investigative Reports shows you how to view log data interactively, identifying a topic of interest and drilling
down to find greater detail. You will also learn how to generate and schedule a detailed report.
Improving Websense software explains how to implement the features that enable you to help improve
filtering by allowing Websense software to submit relevant information to Websense, Inc.

Troubleshooting

TestLogServer
TestLogServer is a command-line utility that displays log traffic sent from Websense Filtering Service to Websense Log Server.
The TestLogServer utility listens on port 55805, which is the same port used by Websense Log Server. If you start the TestLogServer utility on the same machine as Log Server while the Log Server service is running, you will receive a "Could not bind to port 55805" message.
Steps:

1. Open a command prompt and navigate to the Websense bin folder.

2. To log traffic from a single client machine to a text file, enter:

Windows: TestLogServer -onlyip <IP address> -file logfile.txt

Linux: ./WebsenseTools -t -onlyip <IP address> -file log.txt

3. Press Ctrl+C to stop TestLogServer. Review the logfile.txt in the Websense bin directory.

TestLogServer is one of several diagnostic utilities included as part of your Websense installation, and can be used to diagnose the following issues:

Incorrect filtering
Incorrect authentication
Incorrect policy application
Logging issues
Problems with URL categorization
Protocol identification

WebsensePing
A command-line utility called WebsensePing is included as part of your Websense software installation.

1. Go to the following path:
Windows: cd \Program Files\Websense\bin
Linux: cd /opt/Websense

2. Check Websense Filtering Service status and response time:
Windows: websenseping -m 1
Linux/Solaris: ./WebsenseTools -p

3. Determine the filtering category for a specific URL:
Windows: websenseping -m 2 -url <URL>
Linux/Solaris: ./WebsenseTools -p -m 2 -url <URL>

4. Resolve a URL request from a specific user or IP address:
Windows: websenseping -m 2 -user <username> -url <URL>
Linux/Solaris: ./WebsenseTools -p -m 2 -user <username> -url <URL>
To specify an IP address, rather than a user name, replace the -user <username> parameter with -uip <IP address>.

5. Display user count and time/status of last database download:
Windows: websenseping -m 6 -duc
Linux/Solaris: ./WebsenseTools -p -m 6 -duc

6. Query a remote Filtering Service:
Windows: websenseping -s <remote server IP or hostname>
Linux/Solaris: ./WebsenseTools -p -s <remote server IP or hostname>

Database download Problem


The database may not download successfully if:

Your subscription has expired.
There is an Internet connection problem.
The machine on which the Websense software is installed does not have enough disk space available to receive the database.
The machine on which the Websense software is installed does not have enough memory to load the Master Database.
Packet filtering is enabled and not permitting the Master Database to be downloaded.
Authentication for Websense software is not properly configured for the firewall or proxy server.
The firewall settings restrict the Internet access time or file size, preventing the download.
An appliance or application, such as a virus scanner, size-limiting application, or intrusion detection system, is not permitting the download.


Corrupt master database files


To download the Master Database from scratch, stop all Websense services. Stop the following services last, in the order shown:
Websense RTM Client
Websense RTM Server
Websense RTM Database
Websense Policy Server
Websense Policy Broker
From the Websense \bin directory, remove the following files:
All .idx files
All dbtmp#### files
Websense (no extension)
journal.dat
websense.xfr
websense.xfr.tmp
websense.merge
websense.bak
RT* (no extension) files
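
The file list above turned into a review-then-move step, as an added shell example that is not part of the original slides or of Websense's tooling. It moves the files aside rather than deleting them, which is a substitution for the "remove" step; the function names and the reading of "dbtmp####" as dbtmp followed only by digits are assumptions.

```sh
#!/bin/sh
# Added example, not Websense code. Assumptions: "dbtmp####" means dbtmp
# followed only by digits, "(no ext)" means the name contains no dot, and
# names are matched with the capitalisation printed in the list above.

# Print the names in bin directory $1 that the list above says to remove.
list_masterdb_files() {
    bin=$1
    [ -d "$bin" ] || { echo "no such directory: $bin" >&2; return 1; }
    for f in "$bin"/*; do
        [ -f "$f" ] || continue          # regular files only, never directories
        name=${f##*/}
        case $name in
            *.idx) ;;
            dbtmp*[!0-9]*) continue ;;   # e.g. dbtmp_notes.txt is not a temp DB
            dbtmp[0-9]*) ;;
            Websense|journal.dat) ;;
            websense.xfr|websense.xfr.tmp|websense.merge|websense.bak) ;;
            RT*.*) continue ;;           # RT-prefixed name with an extension
            RT*) ;;
            *) continue ;;               # config.xml and everything else stays
        esac
        printf '%s\n' "$name"
    done
}

# Move the listed files into $2 instead of deleting them, so the step can be
# undone; prints how many files were moved. Run only after the services are
# stopped in the order given above.
quarantine_masterdb_files() {
    src=$1 dest=$2
    mkdir -p "$dest" || return 1
    list_masterdb_files "$src" > "$dest/moved.list" || return 1
    moved=0
    while IFS= read -r name; do
        mv -- "$src/$name" "$dest/$name" || return 1
        moved=$((moved + 1))
    done < "$dest/moved.list"
    echo "$moved"
}
```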

Troubleshooting Remote Filtering Problems


1. Check that your subscription key includes remote filtering.
2. Check that Remote Filtering Server is running.
3. Make sure Remote Filtering Server is not installed on the same machine as Filtering Service.
4. Make sure the Filtering Service's Filter port (by default, 15868) has been opened on all firewalls between the Filtering Service and Remote Filtering Server.
5. Make sure Network Agent is not filtering responses to remote filtering requests, and that it is not monitoring the machine on which Remote Filtering Server is installed.
6. Use a text editor to check the RFSErrors.log file on the Remote Filtering Server machine (located in the C:\Program Files\Websense\bin or /opt/Websense/bin directory, by default).
Check for error 64. This error might indicate that DHCP is enabled for the machine running the Remote Filtering Server.
Solution: Acquire a static IP address and disable DHCP on this machine.
Check for error 121. This error occurs in a Windows Server 2003 environment, and might indicate that Service Pack 1 is not installed. This service pack is required to run Remote Filtering Server.
Solution: Download and install the service pack from the Microsoft Web site.


Day-2

Websense Content Filtering

Deployment Scenario

Basic Component of Websense


Configuration and Troubleshooting

Introduction Websense Content filtering


Content Gateway is a high-performance Web proxy that provides real-time threat analysis and Web site classification
to protect network computers from malicious Web content and attacks, while facilitating employee access to Web
assets and dynamic Web content.
Content Gateway offers:

On-demand, real-time categorization of Web sites


HTTP/S and FTP content analysis for malware and malicious threats
Enterprise Web caching capabilities
Proxy deployment options:
Websense Content Gateway is used in either an explicit or transparent proxy deployment.

With an explicit proxy deployment, client software, typically a Web browser, is configured to send a request for Internet content directly to Content Gateway.

In a transparent proxy deployment, a client request for Web content is intercepted (usually by a router) and sent to the proxy. The client is unaware that it is communicating with a proxy.

Introduction Websense Content filtering


User authentication

Content Gateway can be configured for transparent user authentication -- with Integrated Windows Authentication
(IWA) or Legacy NTLM -- in which users are not prompted for credentials.
Content Gateway can be configured for prompted (or manual) authentication, in which users are required to enter a
username and password to obtain network access.
Websense Content Gateway supports the following user authentication methods:

Integrated Windows Authentication (with Kerberos)


Legacy NTLM (Windows NT LAN Manager, NTLMSSP)
LDAP (Lightweight Directory Access Protocol)
RADIUS (Remote Authentication Dial-In User Service)
Content Gateway supports both transparent and prompted authentication for Integrated Windows Authentication and
Legacy NTLM. LDAP and RADIUS support prompted authentication.

Introduction Websense Content filtering


HTTPS content inspection

When you use Content Gateway with HTTPS (SSL Manager) enabled, HTTPS data can be decrypted, inspected, and then
re-encrypted as it travels from the client to the origin server and back.

Enabling this feature also means that traffic from the server to the client can be inspected for Web 2.0 and uncategorized sites.

Handling special cases


Any Content Gateway deployment must be able to handle Web site requests and applications that are not
compatible with the proxy or that should bypass the proxy. For example, requests for data from some internal,
trusted sites could be configured to bypass the proxy, for system performance reasons.

In explicit proxy deployments, a PAC file can be used to list the traffic that is allowed to bypass proxy
inspection.

In transparent proxy deployments, the proxy must be installed in a way that allows static

Note: HTTPS content inspection can also affect system hardware resources like processing capacity and memory requirements.

Introduction Websense Content filtering

If you are installing Websense Content Gateway (Content Gateway) as part of a software-based
deployment of Websense Web Security Gateway or Web Security Gateway Anywhere, you must
install the Web filtering components prior to installing Content Gateway.

On the Integration Option Screen, be sure to select Integrated with another application or device.
Note the IP address or addresses of Policy Server and Filtering Service. You will need them when installing Content Gateway.

Deployment Websense Content filtering


1. Download the WebsenseCG77Setup_Lnx.tar.gz installer tar archive from mywebsense.com to a temporary directory.
For version 7.7.3 the name is: WebsenseCG773Setup_Lnx.tar.gz
2. Create a directory for the tar archive, and then move the archive to the new directory. For example:

mkdir wcg_v77
mv <installer tar archive> wcg_v77
3. Change to the directory you created in Step 2.

cd wcg_v77
4. Unpack the tar archive:
tar -xvzf <installer tar archive>

5. Configure DNS in the /etc/resolv.conf file.

Deployment Websense Content filtering


Preparing a cache disk for use by Websense Content Gateway
Open the file /etc/fstab and comment out or delete the file system entries for the disk.
Enter the following command for each file system you want to unmount:
umount <file_system>
where <file_system> is the file system

Disable any currently running firewall on this machine:

service iptables stop

The installer installs Content Gateway in /opt/WCG. It is installed as root.

Policy Server: required in case of integration for DLP
Filtering server: required in case of integration with Web Security
Two network cards required

Installation Steps and Tour of Dashboard

Websense Data loss Prevention


Introduction to DLP
Planning and Deployment
Installation and Integrating Data Security with Existing Infrastructure
Troubleshooting

Introduction to DLP

Introduction Data loss Prevention

Data Security is a comprehensive data loss prevention (DLP) system that discovers, monitors, and protects your critical information holdings, whether that data is stored on your servers, currently in use or located in off-network endpoints. Data Security protects against data loss by quickly analyzing data and enforcing customized policies automatically, whether users are on the network or offline. Administrators manage who can send what information, where, and how. Data Security can also work as a part of Websense TRITON Enterprise to protect the whole of your enterprise.
The basic components of Websense Data Security are:

The Data Security Management Server
Optional Data Security servers
The protector
Agents
Endpoints

Introduction Data loss Prevention

The Data Security Management Server, which resides on the TRITON management server, is the core of the system, providing complete data loss prevention analysis to the network. In addition, the Data Security Management Server gathers and stores all management statistics.

The Data Security Management Server performs discovery (performed by Crawler) and provides advanced analysis capabilities.

The protector sits in the network, intercepts and analyzes traffic, and can either monitor or block traffic as needed. The protector supports analysis of SMTP, HTTP, FTP, Generic Text and IM traffic (chat and file transfer).

Websense Data Security agents are also an integral part of the system. These agents are installed on the relevant servers (the ISA agent on the Microsoft ISA server, printer agent on the print server, etc.) to enable Data Security to access the data necessary to analyze the traffic from these servers.

Data Endpoint enables administrators to analyze content within a user's working environment (PC, laptop, etc.) and block or monitor policy breaches.

Planning and Deployment


Before you begin setting up your Data Security system, it is important to analyze your existing resources and define how security should be implemented to optimally benefit your specific organization. Plan your deployment by:

Deciding what data to protect
Determining where your confidential data resides
Determining your information flow
Defining the business owners for the data
Deciding who will manage incidents
Planning access control
Analyzing network structure
Planning network resources
Planning a phased approach

Deployment
A basic deployment might have just one management server and one protector. The protector
includes several agents, including SMTP, HTTP, FTP, IM, and ICAP. The servers are easily
configurable to simply monitor or monitor and protect sensitive data.

Deployment Scenarios

Installation and Integration

Installation

For best practice, before installing Websense Data Security, we should obtain and install Microsoft SQL Server.
Data Security installation involves 3 basic steps.

1. Installing TRITON Unified Security Center. This includes the TRITON infrastructure and TRITON Console.

2. Installing TRITON - Data Security. This includes the Data Security Management Server: a policy engine, crawler, fingerprint repository, and when applicable, an SMTP agent and endpoint server.

3. Installing Data Security components. If desired, you can install one or more optional components for monitoring things like print servers, ISA/TMG servers, endpoint machines.

Websense Data Security supports installations over Virtual Machines (VM), but Microsoft SQL Server must be present to support the incident and policy database.

Integrating Data Security with Existing Infrastructure

Websense Data Security is an integral piece of your network architecture, and can be
combined with your existing systems to ensure seamless Web and email protection.

Working with existing email infrastructure
Working with Web proxies
Working with shared drives
Working with user directory servers
Working with Exchange servers
(Page no. 137)

Integrating Data Security with Existing Infrastructure


Supplemental Data Security server installations include:

A policy engine
SMTP agent (Windows Server 2003 installations only)
Secondary fingerprint repository (the primary is on the management server)
Endpoint server
Optical Character Recognition (OCR) server
Crawler

Installing Data Security agents

With the exception of the protector, mobile agent, and Data Endpoint, Data Security agents are installed using the Custom option of the standard Websense installer.

DLP Agents

SMTP Agent

It receives all outbound email from the mail server and forwards it to a Websense Data Security
Policy Engine. The SMTP agent then receives the analyzed email back from the policy engine.
Depending on the analysis, SMTP agent blocks the email or forwards it to the mail gateway.
When installed on the Data Security Management server or supplemental Data Security server,
the SMTP agent uses the local policy engine of those servers to analyze email, unless load
balancing has been configured, in which case it uses the specified policy engine. The SMTP
agent supports permit, block, and encrypt actions.

SMTP Agent
To use the SMTP agent, you need to configure your corporate email server to route email to it.

When the agent is installed on a Data Security server, the SMTP traffic is analyzed by the local policy engine. When it is installed as a stand-alone agent, email messages that are sent to the agent are sent to a Data Security server for analysis.
You can configure Websense Data Security to block or quarantine flagged messages.
If an SMTP email transaction was blocked or quarantined, the administrator responsible for handling this incident can release this incident to those recipients originally blocked from receiving the content.

The crawler
The crawler is the name of the discovery and fingerprinting agent. It is selected by default when you install the Data Security Management Server or supplemental Data Security servers.
You can deploy additional crawlers in the network if you desire. When you set up a fingerprint task, you indicate which crawler should perform the scan.
Websense recommends that you use the crawler that is located closest to the data you are scanning.
You can view the status of your crawlers in the TRITON - Data Security user interface. Go to Settings > Deployment > System Modules, select the crawler and click Edit.

Troubleshooting

Refer to page 391.
